10 September 2010

Corrective

Posts relating to the category tag "corrective" are listed below.

25 June 2010

Financial Promotions Using New Media

My previous mention of the Financial Services Authority (FSA) had suggested they would survive the new government in the UK. This is no longer the case as the FSA is to be broken up by 2012.

Partial view of the cover from the FSA's new document 'Financial Promotions Industry Update, No. 5 - June 2010, Financial promotions using new media'

But regulation continues for the moment and, following a review undertaken in February, the FSA has published a new update on Financial Promotions Using New Media. New media communication channels include "social networking websites (Twitter and Facebook), forums, blogs and i-phone applications". So, presumably, this covers any web site or mobile phone application through which a regulated firm communicates.

The guidance explains that the rules relating to the content of communications (e.g. the stand-alone compliance and communication rules contained in COBS 4, BCOBS 2, ICOBS 2 and MCOB 3) are no different from those for other media, and that they also cover non-promotional communications, such as those made directly with existing clients.

So what extra guidance for new media is there? The document highlights:

  • regular reviews are required to ensure information is up-to-date
  • some channels may be inappropriate for a particular communication if it cannot be balanced and provide sufficient information (e.g. Twitter, where the length of each message is very restricted)
  • consideration as to how risk information can be highlighted varies across the channels.

The FSA notes that most new media communications do not benefit from the exemptions for image advertising.

Posted on: 25 June 2010 at 09:38 hrs


24 June 2010

OWASP AppSec Research 2010 - Part 2

Last night, after the first day of the OWASP AppSec Research 2010 conference, we had the pleasure of attending the conference gala dinner at the lavishly decorated Stockholm City Hall, also used for the annual Nobel Prize award ceremony.

Photograph of Steve Lipner giving his keynote speech at AppSec EU Research 2010 in Stockholm, Sweden

Steve Lipner (Microsoft) gave the keynote speech today. He described the early steps, creation and evolution of Microsoft's Security Development Lifecycle (SDL). This began in early 2002 and included team-wide security training, the introduction of early threat modelling, code review, use of some tools, undertaking security testing and modifying software defaults to make them more secure. These were seen as quick wins but were immature and ad-hoc processes. They then worked on the security "science" and "security audit" to build a more robust and repeatable program, leading to the first edition of the SDL in 2004. It is regularly reviewed and updated: version 5.0 was released this year and 5.1 is due in October 2010. Whilst the SDL is based on Microsoft's own experiences and culture, he said it can be applied to non-Windows development, does not rely on Windows tools and is not just for shrink-wrapped software development. Neither is it only suitable for waterfall or spiral development methodologies; the application of SDL to agile processes has been described recently. But the most important point he made is that SDL at Microsoft is not necessarily what will work in other software development teams—it is a very helpful starting point, but requires commitment and time to create processes and apply these consistently.

Immediately following the keynote speech, Pravir Chandra (Fortify and OWASP SAMM Project Leader) outlined the Software Assurance Maturity Model (SAMM) and lessons learned in its application to real software development programs. He emphasised the need to identify and classify all applications by risk in order to determine what security activities are undertaken. He explained that the argument for secure software development must be a business argument based on risk, that it has a real return on investment (ROI), and that starting with a single development process and enhancing that can be a good way to introduce secure development practices. The activities undertaken need to be mapped to preventative, detective and corrective controls, and the tasks need to specify roles, responsibilities and mappings to process flows. Also, he said that security knowledge needs to be spread widely with champions and experts, not just kept by a single specialist or group. He believes SAMM has a large proportion of overlap with Microsoft SDL and BSIMM, and is in the process of mapping SAMM's activities to the latter.

Photograph of David Rajchenbach-Teller presenting at AppSec EU Research 2010 in Stockholm, Sweden

David Rajchenbach-Teller (MLState) described a new programming language for web applications called OPA. It has been designed from a clean start to avoid legacy concepts from the 1970s and 80s. It is based on formal methods, is safe from the bottom up, uses a single language for the whole application, and is built on a distributed system model in which not all principals are trusted, communications use web standards and security is mostly automatic. He showed some example code and described real applications in use today. He then described how it prevents a number of issues in the OWASP Top Ten 2010, but that it is still under development: for example, they are working on cross-site request forgery (CSRF) prevention mechanisms and extending the security policy feature set.

Photograph of Cassio Goldschmidt presenting at AppSec EU Research 2010 in Stockholm, Sweden

Cassio Goldschmidt (Symantec and SAFECode) presented an engaging explanation of how we are all responsible to a certain extent for the creation of software flaws. Whilst software manufacturers may be increasingly applying secure development practices, software is very complex, there are multiple layers of software on top of software and there is no effective way to prove software correctness. Adopters (e.g. home and corporate users) desire feature-rich software, and security is not always visible. The environment affects purchasing decisions, and home users in particular may not keep software patched. He said purchasing decisions in corporate entities may be made by different people than the users, leading to a disconnect, and even patching can be delayed due to corporate cycles. Security researchers also have a part to play, where the motivation and consequences of actions are not always transparent. Similarly, governments find it difficult to make good law and the timescales cannot keep up with the fast pace of developments. They may provide incentives or require higher standards, but these can be blunt instruments. In summary he proposed that economics plays a larger part than technical solutions in the risks and impacts, even though the industry is moving in the right direction.

Photograph of lunchtime in Aula Magna, the great auditorium of Stockholm University, at AppSec EU Research 2010 in Stockholm, Sweden

During and after lunch, OWASP board members and leaders discussed opportunities, issues and proposals to assist end-users find organisations who are providing products and services based on OWASP's knowledgebase.

Photograph of sponsor's information booths at AppSec EU Research 2010 in Stockholm, Sweden

Nick Nikiforakis (KU Leuven) described their analysis of eight file sharing services that are cloud-based, provide "one-click hosting" and are mostly anonymous. They found that although the services tended to offer both private distribution (e.g. by email link or instant messaging) and public distribution (e.g. links added to forums, blogs, etc), most of the services were relying on security through obscurity. In many cases the URL token was predictable, and even if the source filename was included in the link, it was often not required to retrieve the file. Given the predictability of tokens, they were able to obtain details of many different files on the file sharing systems, and tried to identify which were of the private or public type by examining whether the source filename could be found elsewhere using Yahoo. The remaining non-binary types were downloaded and examined to find a wide variety of data including bank statements, company budgets & salaries, personal data, documents with admin credentials, doctors' notes and even a death certificate. Their advice: choose file sharing systems that have unpredictable tokens, encrypt the files and remove them from the store as soon as possible.
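The three pieces of advice above (unpredictable tokens, the filename kept out of the link, and files removed promptly) can be shown as a small share-link store. This is an added example written for this page, not code from the research or from any of the services studied; the token length, the TTL and the `ShareStore` API are assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# 32 bytes = 256 bits from the OS CSPRNG per link (assumed policy, not the
# page's); a counter, timestamp or filename-derived token would be guessable.
TOKEN_BYTES = 32


def new_share_token(nbytes: int = TOKEN_BYTES) -> str:
    """Opaque, URL-safe token. Unrelated to the file, the uploader or the time."""
    return secrets.token_urlsafe(nbytes)


def share_url(base: str, token: str) -> str:
    """The link carries only the token; the source filename never appears in it."""
    return f"{base.rstrip('/')}/d/{token}"


@dataclass
class SharedFile:
    filename: str
    data: bytes
    expires_at: float  # absolute time (seconds) after which the entry is gone


class ShareStore:
    """Token -> file map with a hard expiry, so shared data does not linger.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._items: Dict[str, SharedFile] = {}

    def share(self, filename: str, data: bytes) -> str:
        token = new_share_token()
        self._items[token] = SharedFile(filename, data, self.clock() + self.ttl)
        return token

    def fetch(self, token: str) -> Optional[SharedFile]:
        """Return the file for a live token; unknown and expired tokens both yield None."""
        item = self._items.get(token)
        if item is None:
            return None
        if self.clock() >= item.expires_at:
            del self._items[token]  # lazy removal on first access after expiry
            return None
        return item

    def revoke(self, token: str) -> bool:
        """Explicit early removal, for 'remove from the store as soon as possible'."""
        return self._items.pop(token, None) is not None

    def purge_expired(self) -> int:
        """Housekeeping sweep; returns how many entries were dropped."""
        now = self.clock()
        dead = [t for t, item in self._items.items() if now >= item.expires_at]
        for t in dead:
            del self._items[t]
        return len(dead)


if __name__ == "__main__":
    store = ShareStore(ttl_seconds=3600)
    tok = store.share("budget-2010.xlsx", b"constructed sample content")
    print(share_url("https://files.example", tok))
    print(store.fetch(tok).filename)
```

Encryption of the stored bytes (the second piece of advice) is deliberately left out so the example stays focused on the link itself; in a real service the `data` field would hold ciphertext and the key would travel separately from the token.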

Photograph of the closing ceremony at AppSec EU Research 2010 in Stockholm, Sweden, with John Wilander thanking the OWASP Board for their support

The conference closed with thanks being given to the organisers, Kate Hartmann (OWASP Operations Director), the OWASP board, helpers from the university, the sponsors, the sound and video teams, the caterers and the attendees. Prizes from various sponsor competitions and the capture the flag event were given. John Wilander reminded attendees about the upcoming AppSec US 2010 in September and announced that next year's AppSec EU would be held at Trinity College, Dublin, Ireland, and in Athens the year after.

Congratulations to the team from Sweden, Norway and Denmark for such a well-organised, and excellent appsec conference!

Posted on: 24 June 2010 at 23:59 hrs


23 June 2010

OWASP AppSec Research 2010 - Part 1

The Open Web Application Security Project (OWASP) AppSec Research 2010 conference started this morning following the previous two days of application security training. The conference began with a welcome and introduction from the primary organiser and OWASP Sweden chapter leader, John Wilander, and the OWASP Board.

Photograph of Tom Brennan, OWASP Foundation Board member, at the opening of OWASP AppSec Research 2010 in Sweden, Stockholm

This was immediately followed by the keynote address on Cross-Domain Theft and the Future of Browser Security by Chris Evans and Ian Fette (Google). They described how attacks are increasingly targeting the browser, and nowadays this may mean its plug-ins rather than the browser itself. Browsers are generally moving to being sandboxed, but it is harder to sandbox the plug-ins and doing so is operating system, as well as browser, specific. Chris described future soft spots and the possible growth of multi-payload malware that tries to exploit two vulnerabilities, e.g. one to execute code and a second to escape a sandbox. Ian described the large proportion of search engine results that seem to be phishing or malware sites and how blacklisting can help defend users. Interestingly, he mentioned Google actually visits suspicious websites in a virtual machine to check whether malware exists.

The remainder of the day was split into three parallel tracks.

After the keynote, I attended the presentation by Lieven Desmet (KU Leuven) on client-side cross-site request forgery defence measures and their own CsFire Firefox extension. It builds upon previous efforts, particularly RequestRodeo (Martin Johns, 2006), but aims to provide a much more usable experience with very little user involvement. The extension is available to download and the team are looking for feedback, especially about problems with particular websites. They believe a combination of server and local policies may overcome these issues, such as sites spanning multiple domains.

Delegates seated in the lecture theatre at OWASP AppSec Research 2010 in Sweden, Stockholm

Ivan Ristic presented the main threats against SSL (implementation flaws, rogue certification authority certificates, rogue certification authorities, usability issues, and application & configuration vulnerabilities). He then went on to describe the principal SSL deployment mistakes—these are very important considerations to take into account, especially in the design of a new website. His recommendation: create the site completely SSL-only from the start. And use the free information and tools at SSL Labs.

The problem of using static code analysis tools with source code built using open source, proprietary and home-grown frameworks was described by Christian Hang (Armorize Technologies). He described how reflection, invocation sequence and cross-content propagation can lead to false positive and false negative results. For example, in the Struts framework for Java he showed how detailed knowledge of the configuration XML file is needed. He suggested that asking users to hard-code the analysis tool's configuration, or for the tool's developers to build support for each framework, are both unsustainable. His recommendation was to dynamically translate the framework logic into the source code, so the two are stitched together before the analysis is undertaken. He says it is not perfect, but it is easily extensible and equally applicable to home-grown frameworks.

Vendor stands at OWASP AppSec Research 2010 in Sweden, Stockholm

After lunch, Mike Samuel and Jasvir Nagra (Google) described the Caja project and how it can help (in particular larger, more mature social networking sites), where the same origin policy is not sufficient, and policies need to change quickly to meet new demands and threats. The technique uses the concept of virtualisation to isolate and control the flow of third party HTML, JavaScript and CSS to the end user.

Mike Samuel and Jasvir Nagra from Google at OWASP AppSec Research 2010 in Sweden, Stockholm

Johan Lindfors and Dag Konig (Microsoft) outlined the variety of security tools available for .NET development and testing. These included demonstrations of Team Foundation Server, Threat Modelling Tool, and an overview of FxCop, CAT.NET, Pex, Moles and the Web Application Configuration Editor. They also described the concepts behind code contracts. There is more about these on the security tools blog.

David Byrne and Charles Henderson (Trustwave) outlined the pros and cons of manual and automated testing. They moved on to examples that only manual testing would find, and reminded the audience to remember that vulnerabilities also come from (product/organisation) acquisitions, old/dead code and third party libraries.

Panel discussion at OWASP AppSec Research 2010 in Sweden, Stockholm

The day closed with a panel discussion about whether application security is fighting a losing battle.

The research papers, presentations and demonstrations from all three tracks are listed on the conference website, where the presentations and recorded videos will be available in due course.

Posted on: 23 June 2010 at 17:24 hrs


04 June 2010

Web Application Security Whoops

I read the Following the White Rabbit blog, which ran a special series on web application security whoops in April. I've had too much else to write about, so have only just got round to mentioning it here.

Photograph of the push button on an old bus used to request the driver to stop labelled 'PUSH ONCE'

If you haven't read all thirty of the month-long "Whoops" series, I'd recommend them to you. Many things can go wrong designing, developing, testing and verifying web applications, but my personal favourite whoops are:

Keep up-to-date with more web application incidents by subscribing to the Web Hacking Incident Database (WHID) RSS feed from the Web Application Security Consortium.

We can all learn by sharing incident data.

Posted on: 04 June 2010 at 08:09 hrs


28 May 2010

Application Security in North East England

A special web application security meeting is being held at the School of Applied Sciences, Northumbria University in Newcastle upon Tyne on Wednesday 16th June.

Photograph of the River Tyne at Newcastle-upon-Tyne showing some of the many bridges crossing the river

In March Northumbria University became OWASP's first (and so far only) educational supporter in the UK, and joins a number of highly respected academic institutions around the world. This is perhaps not entirely unexpected due to the region's entrepreneurial culture, its digital renaissance in recent years, the area's highly skilled technical workforce and Northumbria University's proactive efforts to improve information security, such as its innovative program for SMEs. Oh, and it's a great area to live in.

The region has a well-developed support infrastructure for the digital industry including Codeworks Connect, AppNorth, Design Network North, Sunderland Software City, the Institute of Digital Innovation at Teesside University and One North East. Now, the Leeds/North chapter of the Open Web Application Security Project (OWASP) is holding its first event in north east England, hosted by Northumbria University.

There will be four talks on ENISA Common Assurance Maturity Model, Open Source Software Myths, SSL/TLS - Just When You Thought it was Safe to Return and OWASP AppSensor - The Self-Aware Web Application. I am presenting the first and last talks. The talks span compliance, network communication, configuration, verification and building security in. They will be of interest to digital entrepreneurs, owners of software start-up companies, computing and design students, as well as software architects, designers, developers, testers and information system auditors.

The event is free but you need to register to attend.

Posted on: 28 May 2010 at 08:00 hrs


20 April 2010

Moderate User-Generated Content But At Your Own Risk

A recent High Court ruling has reconfirmed the situation that pre or post moderation of user-submitted content may make a site owner liable for the material.

Photograph of a vandalised white board where a YouTube website address has been written on with a permanent marker pen and an attempt has been made unsuccessfully to remove the text

Whether user-generated content is unlawful, offensive or inappropriate, such as comment spam (i.e. a danger to the web site, its users or their computer equipment), the advice appears to be not to do anything until a complaint is received, and then to block or remove the content expeditiously. Although the meaning of content may still be an issue, the ability for users to submit links and other formatting should certainly be automatically prevented in most cases. That "just" leaves the unlawful and offensive content to deal with. Use of user registration, identity verification, logging and CAPTCHAs can help, but cannot prevent such content being added. It's still a big issue.

Most web site owners will not contemplate unmoderated user-generated content and this means that technical controls are not sufficient. The moderators need training, guidance and escalation procedures with good legal advice backup to ensure the content is suitable, appropriate and lawful. Users of the web site should understand what is acceptable and opt in to appropriate terms of use.
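The one control the post says should be automatic, preventing submitted links and formatting from taking effect, can be done without any human judgement about meaning, which is the part the ruling makes risky. The following is an added example written for this page (not code from the post or from Out-Law): a comment filter that neutralises markup by escaping it, replaces URLs with a fixed marker, and reports how many links it removed so the event can be logged. The marker text and the URL pattern are assumptions.

```python
import html
import re
from typing import NamedTuple

# Constructed pattern: http(s) URLs and bare "www." hosts. Kept deliberately
# broad; a missed link is a nuisance, a missed script tag is not, and tags are
# handled separately by escaping.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
LINK_MARKER = "[link removed]"  # assumed wording


class FilteredComment(NamedTuple):
    text: str          # safe to embed in an HTML text node or attribute
    links_removed: int # for logging; no moderation decision is taken here


def filter_comment(raw: str) -> FilteredComment:
    """Strip link-ability and formatting from user text, without judging its content.

    1. URLs are replaced by a marker so nothing in the comment is clickable.
    2. Everything else is HTML-escaped, so any tags, entities or attributes the
       user typed are displayed literally rather than rendered.
    The text is otherwise untouched: no words are removed or rewritten.
    """
    links = URL_RE.findall(raw)
    without_links = URL_RE.sub(LINK_MARKER, raw)
    safe = html.escape(without_links, quote=True)
    return FilteredComment(text=safe, links_removed=len(links))


if __name__ == "__main__":
    # Constructed sample input, not a real comment.
    sample = "Great post <b>see</b> http://spam.example/buy?x=1 or www.spam.example <script>x()</script>"
    result = filter_comment(sample)
    print(result.text)
    print("links removed:", result.links_removed)
```

Because escaping leaves the original characters visible (just inert), a moderator who later receives a complaint still sees exactly what the user wrote, which is what the "act on complaint" approach needs.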

A full description and analysis was posted on the IT and e-commerce legal advice web site Out Law.

Posted on: 20 April 2010 at 08:17 hrs


19 April 2010

OWASP Top Ten 2010 Makes Business Sense

The OWASP Top Ten - 2010 has just been released and has been widely announced. The document, from the Open Web Application Security Project, is aimed at developers and describes the 10 most critical web application security risks. Since it is referenced by the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS), this now has an immediate compliance effect on organisations with web-enabled payment systems.

Part of the cover from the OWASP Top 10 - 2010 showing part of the OWASP logo and the words 'OWASP Top 10 - 2010, The Ten Most Critical Web Application Risks'

OWASP Top Ten - 2010 (mirror site) was issued as a release candidate (RC) in November 2009 at OWASP's Washington DC AppSec Conference. This Top Ten has assessed and ranked the risks based on technical impact—the document points out that each organisation needs to assess its own threats and where possible determine not just the technical impact, but the business impact, and recommends the Risk Rating Methodology from the OWASP Testing Guide.

Partial view of the business risk diagram from the OWASP Top 10 - 2010 showing how the path from threats, through vulnerabilities and, inadequate controls affect assets and have technical and business impacts

Since November, there has been a wide-ranging discussion of the ranking and advice provided, and this has led to some minor changes to the final document. I contributed to the OWASP Top Ten Project as a document reviewer. But now the Top Ten for 2010 is issued. As the document points out, this is only the first ten risks, and they may be different for an organisation's own information systems and business processes.

Partial view of the top ten list from the OWASP Top 10 which are: A1 Injection, A2 Cross-Site Scripting (XSS), A3 Broken Authentication and Session Management, A4 Insecure Direct Object References, A5 Cross-Site Request Forgery (CSRF), A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access, A9 Insufficient Transport Layer Protection, and A10 Unvalidated Redirects and Forwards

OWASP recognises the titles are not all risks (e.g. some are names of vulnerabilities) but this has been done to use the most commonly recognisable terminology. Each item in the Top Ten includes a description, how the risk can occur, how to detect if your application is vulnerable, example attack scenarios, how to prevent exploitation and detailed references for further information from a wide-range of sources. Of particular help are the various OWASP Cheat Sheets:

For those who want to go beyond the Top Ten, the document provides guidance for developers, verifiers and organisations about what they can do next. It encourages organisations to consider an application risk management program, not just awareness training, application testing and remediation. It is a great starting point for developers with less knowledge about application security and is now also a handy reference for more-experienced teams. For example, the November RC1 version was used as the basis for over three hours of discussion on web application security at last Friday's OWASP London Free Training event.

The 2010 edition supersedes the previous 2007 edition. It is distributed under a Creative Commons (CC) Attribution Share-Alike licence and can be downloaded for free from the OWASP website or purchased as a printed book, at cost. The screen captures above are subject to this licence.

Posted on: 19 April 2010 at 16:01 hrs


16 April 2010

Security Development Lifecycle for Agile Development

Security Development Lifecycle for Agile Development has now been added into the latest release of Microsoft's Security Development Lifecycle (SDL) Process Guidance.

Photograph of blue and green neon-lit escalators in the City of London

SDLv5, issued on 31 March 2010, includes the Agile guidance first published in November 2009. This provides advice on applying lightweight software security practices when using Agile software development methods, such as Extreme Programming (XP) and Scrum.

Additional changes particularly relevant to web applications include:

  • Use ViewStateUserKey or ValidateAntiForgeryTokenAttribute to add a layer of defense against Cross-Site Request Forgery (XSRF) attacks.
  • Conduct an integration-points security design review with dependent product teams across your end-to-end scenarios.
  • Strong log-out and session management. Proper session handling is one of the most important parts of Web application security.
  • Include third-party code licensing security requirements in all new contracts.
  • Use secure methods to access databases. Creating dynamic queries using string concatenation potentially allows an attacker to execute an arbitrary query through the application.
  • All HTTP-based applications that use cookies must specify HttpOnly in the cookie definition for all cookies not explicitly required by legitimate scripts in the Web page.
  • Internet Explorer 8 MIME handling: Sniffing OPT-OUT. This recommendation addresses functionality new in Internet Explorer 8 that may have security implications in some cases. It is recommended that for each HTTP response that could contain user controllable content, you utilize the HTTP header X-Content-Type-Options: nosniff.
  • Identify any ActiveX controls, new and existing, that can be locked to a preselected set of domains, and incorporate the SiteLock 1.15 Template for ActiveX Controls during implementation to lock each control to that set of domains.
  • ClickJacking defense. For each page that could contain user controllable content, you should use a "frame-breaker" script and include the HTTP response header named X-FRAME-OPTIONS in each authenticated page.
  • Use a passive security auditor. Use Watcher and Fiddler to detect vulnerabilities.

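Several of the items above are checkable on the wire: the HttpOnly cookie flag, the X-Content-Type-Options: nosniff header, the X-FRAME-OPTIONS header, and the rule against building queries by string concatenation. The following is an added example written for this page, not code from the SDL guidance or from Microsoft: a small audit of a captured set of response headers against those three header rules, plus a parameterised database lookup beside a constructed table to show that quote characters in input stay data. The header list format, the finding wording and the sample table are assumptions.

```python
import sqlite3
from http.cookies import SimpleCookie
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value) as sent in the HTTP response

# Values the guidance calls for (the accepted X-Frame-Options values are the
# two defined for that header; "ALLOW-FROM" is deliberately not accepted here).
NOSNIFF = "nosniff"
FRAME_OPTIONS_OK = ("deny", "sameorigin")


def audit_response(headers: List[Header]) -> List[str]:
    """Return a list of findings; an empty list means the response meets the rules."""
    findings: List[str] = []
    plain = {}
    cookies: List[str] = []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)      # may legitimately repeat
        else:
            plain[key] = value.strip()

    if plain.get("x-content-type-options", "").lower() != NOSNIFF:
        findings.append("missing X-Content-Type-Options: nosniff")

    if plain.get("x-frame-options", "").lower() not in FRAME_OPTIONS_OK:
        findings.append("missing or weak X-Frame-Options (expected DENY or SAMEORIGIN)")

    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for cookie_name, morsel in jar.items():
            # SimpleCookie records flag attributes as True when present.
            if not morsel["httponly"]:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


def session_cookie_header(name: str, value: str) -> Header:
    """Build a Set-Cookie header the way the guidance wants for a non-script cookie."""
    return ("Set-Cookie", f"{name}={value}; HttpOnly; Secure; Path=/")


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table; the second name contains a quote on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])
    conn.commit()
    return conn


def find_user_by_name(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Parameterised lookup: the value is bound by the driver, never spliced into the SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    # Constructed response, not captured from a real site.
    response = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        session_cookie_header("sid", "constructed-session-id"),
    ]
    print("findings:", audit_response(response) or "none")
    conn = demo_db()
    print(find_user_by_name(conn, "O'Brien"))
```

The X-Frame-Options header is the server-side half of the clickjacking item; the "frame-breaker" script the guidance also asks for runs in the browser and is not covered by a header audit.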
There's plenty more to read though.

Posted on: 16 April 2010 at 06:31 hrs


13 April 2010

CEOP Magic Button or Bitter Pill?

Having just mentioned the Home Office Cyber Crime Strategy, it's interesting to note the resurfacing of the "dispute" this week between Facebook and the UK's Child Exploitation and Online Protection Centre (CEOP).

Partial screen capture from the CEOP website showing the red, white and blue CEOP Report button

Following further discussions in which CEOP flew to Washington DC to meet Facebook representatives, Facebook has continued to reject putting the CEOP Report "button" on user profile pages. It just seems strange that CEOP seem to be making this such a deal-breaking issue. CEOP's work is very important and should be supported; the media however seem to have identified that the "button" will solve all the internet's ills, and CEOP don't seem to be disagreeing with this idea.

After all, Bebo has been displaying the button for some time, but there doesn't seem to be any reference to CEOP at all on Bebo's safety pages, nor on the home page, sign-up pages or privacy statement. And you have to strain your eyes to spot it on other pages:

Partial screen capture from a Bebo content page with a small unreadable (28x11 pixel) button next to text 'Report abuse to Bebo/CEOP'

If the button's design and text have any meaning, rendering them so small they are illegible is pointless, and undermines the effort. Even CEOP's own page on Bebo has the same tiny button and no larger version.

Children and other people need consistency to identify its purpose. The CEOP buttons on various sites link to different sub-domains (ceop.police.uk, www.ceop.police.uk and www.ceop.gov.uk). Good practice would be only to use a single consistent domain and to enforce SSL to confirm the identity of the CEOP site and to ensure the information received hasn't been modified in transit.

The button's design seems to have changed since first introduced at the end of 2009. Is it "Report Abuse", "Click CEOP", "CEOP Report" or something else? This is the button on Childline:

Partial screen capture of the CEOP Report button on the Childline website http://www.childline.org.uk

and on Bully Aware:

Partial screen capture of the CEOP Report button on the Bully Aware website http://www.bullyaware.org/downloads.htm

Even Childline doesn't have the button on many pages. Facebook does seem to be trying, and it is perhaps its market leading position that has attracted all this intense interest from CEOP. I'm all for educating people, especially children and new users, about internet privacy, security and personal safety (and the CEOP advice is great), but is putting a highly-branded button on every page the right answer? I can foresee news stories "I thought it was safe because there was a CEOP Report logo on the page". Organisations should be judged on what they achieve, not whether they support every initiative by others in every country they operate. If Facebook get it wrong, they deserve to get into trouble. Apparent brand pushing doesn't help.

Let's get good advice into privacy notices, help pages and terms of use. And make sure it's easy for users to report possible problems and threats (personal or otherwise). And let's avoid the sort of legal mumbo-jumbo CEOP include in their sign-up form (yes, the form and submission really weren't over SSL, unbelievable) for organisations that want to use the CEOP Report logos, as opposed to those who might add them from copies elsewhere or to tempt people to web sites hosting malware or dubious goods and services. "Help I've been bullied" might otherwise quickly turn into "help my computer's been taken over and I've lost all my pocket money".

Posted on: 13 April 2010 at 19:53 hrs


09 April 2010

Home Office Cyber Crime Strategy

The UK's Cyber Crime Strategy was published by the Home Office at the end of March. The foreword explains why cyber crime is such an important issue:

Cyber crime is no longer about those who seek to access computer systems for fun or to prove it can be done. The criminals behind such crimes are organised, and seek to take advantage of those using internet services. Whether this is for financial gain, or as threats to children, the effect on the victims can be devastating.

The Cyber Crime Strategy sets out the Home Office's plans for coordinating and delivering the UK Cyber Security Strategy which identified criminal use of cyber space as one of the principal threats to cyber security along with state and terrorist use. The Home Office is the lead department for developing policies to counter cyber crime and its impact on UK interests and specifically the citizen.

How does this affect UK organisations operating websites? The government believes the benefits are the promotion of the free flow of ideas, innovation in new products and services, the strengthening of democratic ideals and greater economic benefits. The Home Office strategy does not duplicate work in other areas such as regulation of the internet and internet content, but it supports the conclusions in last year's Digital Britain report, which highlighted the need for the UK to be a safe place for business and consumers:

Computers, the internet and electronic communications play an ever-increasing part in all our lives, with the use of the internet in the home, at work or in educational establishments now standard and continuing to grow. The impact increases as new, and often unpredicted, applications of technologies are quickly adopted by significant proportions of the population.

A robust and growing digital economy brings significant benefits to the UK, but is also attracting increased fraud. The Home Office believes it is necessary to promote good security and good security practices—but not simply through technical solutions, since many incidents are the result of poor practices or carelessness.

When considering web-enabled information systems, it is right to consider what the opportunities are for financial-based crime (e.g. online fraud, identity theft) and non-financial crimes such as threats to children, hate crimes, harassment and political extremism. When considering how to build privacy and security into business processes and information systems, consider all ways personal data and other information have value.

The strategy sets out fraud, data security and intellectual property theft as key threats to businesses. Take these into account in your own risk assessments—the government thinks it will be good for your business. They may well be right.

Posted on: 09 April 2010 at 09:21 hrs


Corrective : Web Security, Usability and Design
© 2008-2010 clerkendweller.com