10 May 2013

Detective

Posts relating to the category tag "detective" are listed below.

30 November 2012

Big Data / NoSQL / Hadoop etc Security

In October Securosis published a free paper concerning the security of "big data" systems.

One of the pages from the paper 'Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments'

Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments focuses on the security issues that arise from what is architecturally and operationally different about "big data" clusters, rather than on the (also important) security of the applications built on top of them. So it covers how nodes and client applications are vetted before they join the cluster, how data at rest is protected from unwanted inspection, how network communications between nodes are kept private, and how nodes are managed.

The paper discusses what "big data" means, and the particular architectural and operational security issues that arise. It then presents six recommendations.

Posted on: 30 November 2012 at 10:01 hrs


11 October 2012

Information Security Awareness Through Analogy

There's an intriguing new project aiming to raise awareness and increase understanding of information security.

tales ... could be used as parables to persuade a stubborn public to start thinking seriously about a topic that notoriously they either ignore or fail to understand: Internet and information security

The Analogies Project plans a series of initiatives to communicate the contribution of information security to society. The first will be a book showing the relationship between life, information and information security.

The founder Bruce Hallas will be speaking about the project at the next meeting of white-hats.co.uk tomorrow morning. Booking required.

Posted on: 11 October 2012 at 20:31 hrs


27 September 2012

UK eCrime Mapping

The Digital Policy Alliance (formerly EURIM) has released a study into eCrime in the UK, written by Professors Michael Levi and Matthew Williams from the Cardiff University School of Social Sciences. The Rt Hon Alun Michael MP wrote the preface.

Photograph of a sign on a gate that reads 'MOD LICENSED PROPERTY - NO ENTRY'

eCrime Reduction Partnership Mapping Study comprehensively covers eCrime cost data, perceptions of the subject, and discusses options to tackle eCrime. The recommended approach is to form an industry-led eCrime Reduction Partnership, with top-level central government backing, which includes representatives from law enforcement, business, academia, the voluntary sector, local government, civil society groups, parliament and central government and agencies.

See also the related Systematic Study of the Costs of Cybercrime.

Posted on: 27 September 2012 at 07:50 hrs


03 August 2012

The European Commission, Information Risk Assessments and Breach Notifications

Summer must be the time to publish consultations before everyone goes away on holiday. The European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

Photograph of a hotel-room safe with its door ajar; the mechanism to lock and unlock the safe is a credit card swipe device

The public consultation briefing describes how the European Commission is seeking to adopt a joint strategy with the High Representative of the Union for Foreign Affairs and Security Policy, that will ensure a secure and trustworthy digital environment, while protecting fundamental rights and EU core values. It is considering three approaches:

  • Voluntary cooperation and information exchange between member states and between the public and private sectors, as happens currently
  • Adopting minimum capabilities at a national level and promoting a more structured approach to cooperation and information exchange
  • Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange and, most interestingly, requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering a requirement to adopt risk management practices, and to report security breaches, for networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)".

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

Posted on: 03 August 2012 at 08:38 hrs


14 July 2012

AppSec EU 2012 - Part 1

After the successful training courses, OWASP chapters workshop and University Challenge, the first day of the AppSec EU conference began on Thursday 12th July with a welcome by Konstantinos Papapanagiotou on behalf of the local Greek conference organising committee, who thanked all those involved with making the conference a reality including the host Athens University, the committee, OWASP staff, sponsors, and the trainers, speakers and volunteers. He also apologised for what the British would call "fantastic weather".

Photograph of the sun in the bright blue sky above Athens University in Greece where AppSec EU was hosted

The conference's first session was given by the board from the Open Web Application Security Project.

Photograph showing the OWASP Board members Tom Brennan, Eoin Keary, Sebastien Deleersnyder and Dave Wichers addressing the conference in the main auditorium at the start of AppSec EU 2012

The OWASP Board provided an introduction for those less familiar with the organisation, and an overview of successes in the past year since AppSec EU 2011 in Dublin. The current number of local chapters is 193 in 76 countries. The board outlined current strategies and plans for the coming year, including the upcoming vote for board members.

Photograph of Jacob West speaking about 'Software Security Goes Mobile' at OWASP AppSec EU 2012 in Athens Greece

Jacob West gave the first keynote, discussing the growth of the smartphone market and how mobile is an emerging point of purchase. He discussed the reasons why some mobile users are not keen to use their phones for payments with a survey showing that some users prefer their desktops/laptops for such activity, but there are a significant number who don't feel secure or find it too complicated. He gave an overview of the mobile landscape and how it introduces additional trust boundaries that other applications do not necessarily have to deal with. He explained that it is not always clear to users who is responsible for security — device manufacturers, or application owners, or application developers, or operating system providers, or network providers, or even the user themselves. He discussed some of the most common security issues with Android applications and provided recommendations on what organisations need to consider when about to develop for, or acquire in, the mobile space.

Photograph of Justin Clarke speaking about 'Teaching an Old Dog new Tricks - Securing Development with PMD' at OWASP AppSec EU 2012 in Athens Greece

The conference split into three tracks (Builders, Breakers and Defenders). Justin Clarke spoke about using the open source Java source code scanner tool PMD to perform security static analysis. He described how the approach for security checking needs to target insecure patterns, but minimise false negatives even if there are false positives, and how it is necessary to investigate the context of a rule violation. This is in contrast to normal PMD usage where the intent is to find buggy code patterns, but to minimise false positives even if there are high false negatives. PMD is used extensively by Java developers, is highly extensible, has good documentation, is well supported and integrates with many IDEs and build tools. He described and demonstrated how he has developed and integrated a number of test security rules. He went on to discuss challenges of the approach, and ways to mitigate some of these. Currently the demonstrated code only works with PMD v4, but it is in ongoing development.

Photograph of Wichers speaking about 'Unraveling Some of the Mysteries Around DOM-based XSS' at OWASP AppSec EU 2012 in Athens Greece

Immediately afterwards, Dave Wichers provided an introduction to DOM-based cross-site scripting (XSS) and identified a number of public information resources on this topic. He explained why he finds the current naming conventions for types of XSS (reflected, stored and DOM-based) confusing and proposed using the terms "client XSS" and "server XSS" based upon where the HTML is built, both of which can be reflected or stored. He went on to describe the extensive problem with client XSS due to much lower awareness in development teams, the lack of comprehensive guidance on avoiding client XSS and on how to fix it, inherent issues in commonly-used JavaScript libraries/APIs, and also because detectability is lower. He showed some research he has been undertaking with other experts in the field to try to enumerate dangerous functions in some of these libraries. He especially recommended looking at the DOMXSS Wiki. He also discussed some encoding libraries available, and tools that target this class of security weakness.
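The client XSS pattern described above, as an added example that is not code from the talk or from the original post: a "welcome" widget reads a name out of location.hash and writes it into an HTML sink, followed by two hardened versions (context-appropriate HTML entity encoding at the sink, and avoiding the HTML-parsing sink altogether). The widget, its markup, the attacker string and the makeElement() stand-in for a DOM element (so the code runs under Node without a browser) are all assumptions made for illustration.

```javascript
// Added example (not from the original post): a DOM-based ("client") XSS
// sink fed from the URL fragment, beside two hardened versions.
// Assumption: makeElement() stands in for a DOM element so this runs under
// Node; in a browser the same functions would take a real element.

function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Untrusted input: anything after '#' is attacker-controlled and, because
// fragments are not sent to the server, invisible to server-side logging
// and server-side XSS defences. Constructed sample payload.
const attackerFragment = '#name=<img src=x onerror=alert(document.cookie)>';

// Source: pull the name out of the fragment. A malformed %-escape makes
// decodeURIComponent throw, so fall back to a safe default instead of crashing.
function nameFromFragment(fragment) {
  const m = /^#name=(.*)$/.exec(String(fragment));
  if (!m) return 'guest';
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return 'guest';
  }
}

// VULNERABLE: untrusted data flows, unencoded, into an HTML sink (innerHTML).
// The browser parses the string as markup and runs the onerror handler.
function renderGreetingVulnerable(el, fragment) {
  el.innerHTML = '<p>Welcome, ' + nameFromFragment(fragment) + '</p>';
  return el.innerHTML;
}

// Entity-encode for an HTML element-content context (& < > " ' /).
// Only correct for this context: an attribute, URL or JavaScript context
// needs its own encoder.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// HARDENED (a): encode at the sink, for the context the data is written into.
function renderGreetingEncoded(el, fragment) {
  el.innerHTML = '<p>Welcome, ' + encodeForHTML(nameFromFragment(fragment)) + '</p>';
  return el.innerHTML;
}

// HARDENED (b): do not use an HTML-parsing sink at all. textContent is
// treated as data by the browser, so no encoding is needed.
function renderGreetingTextNode(el, fragment) {
  el.textContent = 'Welcome, ' + nameFromFragment(fragment);
  return el.textContent;
}
```

Note that the payload never appears in any server-side log, which is one reason Wichers' point about lower detectability matters: only a client-side review or a DOM-aware scanner will find this flow.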

Photograph of Duncan Harris speaking about 'From EasySQL to CPUs' at OWASP AppSec EU 2012 in Athens Greece

The next keynote of the day was provided by Duncan Harris who described how Oracle started its own secure software development lifecycle (Oracle Software Security Assurance) after its first public vulnerability named EasySQL. This was a serious design failure that affected all versions on all platforms that did not have a workaround and there were no mitigations. Now there is a major programme that encompasses secure development standards, secure coding standards, secure coding training, definition of security requirements throughout all phases, security-vetted core modules, and pro-active, destructive & ethical hacking security testing. He also described the management structure of their software assurance personnel, the difficulties of managing over 3,000 products and the processes undertaken for the large number of product acquisitions that occur.

Photograph of delegates networking during lunch outside at OWASP AppSec EU 2012 in Athens Greece

A break for lunch allowed delegates to network and visit the vendor booths. It also provided time to progress with Capture The Flag challenges.

Photograph of Ben Livshits speaking about 'Finding Malware on a Web Scale' at OWASP AppSec EU 2012 in Athens Greece

Ben Livshits continued in the main auditorium with a keynote describing how Bing identifies sites that are hosting malware so they can be excluded from its index. He outlined research concepts, the migration of those into real-world products and introduced the Nozzle and Zozzle tools that detect heap spraying and other types of JavaScript attacks at scale. They identify thousands of malicious sites daily with a false positive identification rate of about one in a million.

Photograph of various types of cooked pasta in separate serving dishes - one of the illustrations from Colin Watson's talk about application vulnerability severity ranking entitled 'Tricolour Alphanumerical Spaghetti'

In Tricolour Alphanumerical Spaghetti I spoke about vulnerability severity ranking systems, differences in vocabulary, the lack of consideration of environmental and business contexts in many cases, drivers such as PCI DSS, and how it is difficult to compare and aggregate results. I explained issues using Common Vulnerability Scoring System (CVSS) for application weaknesses, briefly mentioned Common Configuration Scoring System (CCSS) and the nascent Common Misuse Scoring System (CMSS) (see previous blog post), and discussed the use of Common Weakness Scoring System (CWSS) with the Common Weakness Risk Analysis Framework (CWRAF). I provided some pointers for those generating and consuming vulnerability data and outlined an approach for organisations developing their own vulnerability risk ranking systems.

Photograph of Adrian Winckles speaking about 'Achieving Sustainable Delivery of Web Application Security Virtual Laboratory Resources for Distance Learning' at OWASP AppSec EU 2012 in Athens Greece

Adrian Winckles described Anglia Ruskin University's approach to developing a sustainable virtual training environment for a large number of remote students. He described the necessary properties for providing application security distance learning where the environments need to be able to support a number of network components, host multiple applications and tools, prevent students from being able to "find the answers", be able to take snapshots and track students' progress and protect the network from malicious activity.

The presentations will be available on the OWASP web site in due course.

Photograph of Jeremy King introducing the PCI Panel at OWASP AppSec EU 2012 in Athens Greece

The conference finished with a PCI Panel introduced by Jeremy King, European Director at PCI Security Standards Council. He set the scene describing the current industry status, types of crime and described the ongoing work of the PCI SSC.

Photograph of the PCI panel discussion at OWASP AppSec EU 2012 in Athens Greece

John Yeo acted as moderator for the five panel members (left to right above) Jeremy King, Valentim Oliveira, Josef Nedstam, Pravir Chandra and John Wilander. They were challenged to a series of questions about payment cards, the PCI SSC, compliance vs. security, application security and the use of web application firewalls (WAFs) to meet Requirement 6.6 of PCI DSS.

Photograph of Kostis Palamas at the University of Athens

In the evening all conference delegates were invited to a special cocktail reception in the beautiful rooms of the Kostis Palamas building in the main university campus.

Continued in Part 2.

Posted on: 14 July 2012 at 14:34 hrs


25 June 2012

Smart Meter Security, Risk Assessments and Audits

In another consultation, the UK's Department for Energy and Climate Change (DECC) is asking for views on the draft licence conditions relating to security risk assessments and audits for the UK's smart meter implementation programme.

The questions in the DECC's consultation on 'draft licence condition relating to security risk assessments and audits in the period before the DCC provides services to smart meters'

The licence conditions will run through to when the planned Data and Communications Company (DCC) becomes responsible for the provision of services. 55 million smart meters will be rolled out to consumers from 2014 through to 2019. The consultation is important in that it sets the precedent for the security of "end-to-end smart metering systems" in the UK. This includes equipment located at consumers' premises, the communications network between the consumers' premises and the energy suppliers, and the energy suppliers' head end system — and all business procedures associated with the installation, operation and support of the system. The scope is all-encompassing. Additionally the government wants to ensure security is embedded into the design of the systems and that they continue to be fit for purpose as risks, technologies and requirements evolve.

The consultation document includes the draft energy supplier licence conditions (in Annex A), and the consultation asks three questions:

  • "Do you consider that the draft licence conditions deliver the policy intention outlined in this document? Please provide comments on where the drafting could be amended or clarified.
  • Do you have any comments on the proposed approach that suppliers should carry out a number of good practice security disciplines and procedures as is set out in this document?
  • Do you have any further comments with regard to the issues raised in this document? We also welcome general comments around the approach to small suppliers, the processes expected of suppliers in general, and any related costs."

The draft conditions include requirements for carrying out a comprehensive risk assessment and for securing the system to an "appropriate standard" which is a "high level of security that is in accordance with industry good practice" and "capable of being verified" independently. Licensees would have to "take all reasonable steps to ensure that it is able to comply" with ISO 27001:2005 and "any equivalent standard of the ISO that updates, replaces or supersedes that standard". I am slightly concerned about the term "good practice" and would prefer "appropriate measures based on the risk assessment". Additionally it is not clear which entities the risks will be assessed for — apart from the energy companies, I would like that to include consumers and society at large, since security incidents may have wider impacts than on the ability for energy suppliers to conduct their business.

Surprisingly, there is no mention of work from other countries such as NIST Interagency Report (IR) 7628 Guidelines for Smart Grid Cyber Security, published in 2010.

The term "supplier end-to-end system" is defined in paragraph Z.5 of the appendix such that "equipment" includes "any associated software and ancillary devices". Paragraph Z.6 then goes on to provide a definition of "secure". The Supplier End-to-End System is secure if "both the System and each individual element of it is designed and operated to ensure, to the Appropriate Standard, that it is not subject to interference or misuse that (whether directly or indirectly):

  • causes any loss, theft or corruption of data;
  • results in any other unauthorised access to data; or
  • gives rise to any loss or interruption of [electricity/gas] supply or to any other interference with the service provided to a Customer at any premises."

So, clearly protection of data and availability of service to customers. But these types of system misuse have not been mentioned:

  • Use of the communications network for unauthorised purposes
  • Collection or processing of unauthorised data by the software
  • Use of the application to undertake unauthorised activity
  • The presence of unapproved or malicious code within the authorised software
  • Installation of unapproved software on any device
  • Use of any part of the system to attack other systems

Surely a system would not be "secure" if any of the above occurred? Remember this includes software on the smart meters and all the business processes for support and operation. And finally, perhaps there ought to be some statement in the definition of "secure" about hardening and patching, although these might be derived from the policy. The same applies to monitoring for suspicious and malicious use.

Responses to the consultation have to be sent to smartmetering@decc.gsi.gov.uk by 27 July 2012.

Posted on: 25 June 2012 at 11:45 hrs


15 June 2012

Preparing for AppSec EU 2012 in Athens

I am looking forward to the upcoming OWASP AppSec Research 2012 in Athens from 10th-13th July. The organising team have put on a great programme.

Photograph of a fire alarm control panel

My main participation in the four days of activities will be:

I hope you are attending both the training programme and three-track conference, so please flag me down and say hello. Registration is open, and there are conference discounts for OWASP, ISACA and ISC2 members, and also for students.

Posted on: 15 June 2012 at 07:59 hrs


25 May 2012

Tricolour Alphanumerical Spaghetti

Earlier this week I heard that my talk about vulnerability severity ratings has been accepted for OWASP AppSec Research 2012 in Athens in July. The title of the presentation is "Tricolour Alphanumerical Spaghetti" which I need to explain.

Coloured strands of spaghetti laid out in the arrangement of the Athens' metro map ( http://www.amel.gr/typo3conf/ext/sa_map/pi1/files/print_en.html ) with the location of Evangelismos station highlighted, the nearest station to The Department of Informatics and Telecommunications at the University of Athens where AppSec Research 2012 is being held

Do you know your "A, B, Cs" from your "1, 2, 3s"? Is "red" much worse than "orange", and why is "yellow" used instead of "green"? Just what is a "critical" vulnerability? Is "critical" the same as "very high"? How do PCI DSS "level 4 and 5" security scanning vulnerabilities relate to application weaknesses? Does a "tick" mean you passed? Are you using CWE and CVSS? Is a "medium" network vulnerability as dangerous as a "medium" application vulnerability? Can CWSS help? What is FIPS PUB 199? Does risk ranking equate to prioritisation? What is "one" vulnerability?

Are you drowning in a mess of unrelated classifications, terminology and abbreviations? If you are a security verifier and want to know more about ranking your findings more meaningfully, or receive test reports and want to better understand the results, or are just new to ranking weaknesses/vulnerabilities and want an overview, come along to this presentation. It will also explain why the unranked information-only ("grey" or "blue"?) findings might contain some of the best value information.

In the presentation, I will outline techniques commonly used, or referenced, to rank application security weaknesses including:

  • Common Vulnerability Scoring System (CVSS)
  • Common Weakness Scoring System (CWSS)
  • Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1 DRAFT)
  • Microsoft's STRIDE and DREAD
  • OWASP Risk Rating Methodology
  • OWASP Top Ten
  • PCI DSS Security Scanning Procedure vulnerability classification
  • Software Engineering Institute (SEI) OCTAVE
  • Standard for Security Categorization of Federal Information Systems (FIPS PUB 199)
  • Custom methods (and tester's experience)

The relevance to application security, advantages and disadvantages of each will be compared. The relatively new Common Weakness Scoring System (CWSS), co-sponsored by the Software Assurance Program in the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS), will be described in some detail. This will include an explanation of the Common Weakness Risk Analysis Framework (CWRAF).

The presentation will also examine how impact is calculated and discuss why the direct business impact may not be the only thing you need to worry about. In this part, the counting of weaknesses will be discussed and why all of this is important from a compliance perspective. Five contrasting issues (system information leakage, personal data exposure, cross-site scripting, SQL injection and a non-security PCI DSS compliance issue) will be used to calculate example rankings using the OWASP Risk Rating Methodology, CVSS and CWSS. The methods and results will be compared and contrasted for different types of applications (website, web service and mobile app) in different business contexts. Finally the presentation will provide a list of issues to check before you commission assessments to make sure the results are meaningful.
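To make the comparison concrete, here is an added example (not code from the talk, from the AppSec EU write-up of it, or from the original post) that scores three constructed findings with the CVSS v2 base equation and then maps the same number onto two of the "colour" schemes the talk contrasts: NVD's three severity bands (Low below 4.0, Medium 4.0 to 6.9, High 7.0 and above) and the PCI DSS ASV external-scan rule that any finding scoring 4.0 or higher fails. The three findings, their labels and the metric values chosen for them are assumptions made for illustration.

```javascript
// Added example (not from the original post): CVSS v2 base scoring and
// two different labellings of the resulting number. Metric weights and the
// equation are from the CVSS v2 guide; the sample findings are constructed.

const CVSS2 = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },   // Access Vector: Local / Adjacent / Network
  AC: { H: 0.35, M: 0.61, L: 0.71 },    // Access Complexity: High / Medium / Low
  Au: { M: 0.45, S: 0.56, N: 0.704 },   // Authentication: Multiple / Single / None
  C:  { N: 0.0, P: 0.275, C: 0.660 },   // Confidentiality impact: None / Partial / Complete
  I:  { N: 0.0, P: 0.275, C: 0.660 },   // Integrity impact
  A:  { N: 0.0, P: 0.275, C: 0.660 },   // Availability impact
};

// Parse "AV:N/AC:L/Au:N/C:P/I:P/A:P" into weights, rejecting unknown or
// missing metrics rather than silently scoring them as zero.
function parseVector(vector) {
  const m = {};
  for (const part of String(vector).split('/')) {
    const [name, value] = part.split(':');
    if (!CVSS2[name] || CVSS2[name][value] === undefined) {
      throw new Error('bad CVSS v2 metric: ' + part);
    }
    m[name] = CVSS2[name][value];
  }
  for (const name of Object.keys(CVSS2)) {
    if (m[name] === undefined) throw new Error('missing metric ' + name);
  }
  return m;
}

// CVSS v2 base score equation.
function baseScore(vector) {
  const m = parseVector(vector);
  const impact = 10.41 * (1 - (1 - m.C) * (1 - m.I) * (1 - m.A));
  const exploitability = 20 * m.AV * m.AC * m.Au;
  const fImpact = impact === 0 ? 0 : 1.176;
  const raw = (0.6 * impact + 0.4 * exploitability - 1.5) * fImpact;
  return Math.round(raw * 10) / 10;           // round to one decimal place
}

// Labelling 1: NVD's three bands for v2 scores.
function nvdSeverity(score) {
  if (score >= 7.0) return 'High';
  if (score >= 4.0) return 'Medium';
  return 'Low';
}

// Labelling 2: PCI DSS ASV scans. Anything at 4.0 or above is a failing finding.
function pciAsvResult(score) {
  return score >= 4.0 ? 'FAIL' : 'PASS';
}

function rank(label, vector) {
  const score = baseScore(vector);
  return { label, vector, score, nvd: nvdSeverity(score), pci: pciAsvResult(score) };
}

// Constructed findings (assumptions), not results from any real assessment.
// Note the ordering CVSS produces without any business context: a version
// banner outranks a reflected XSS, and both fail a PCI ASV scan.
const findings = [
  rank('SQL injection in search', 'AV:N/AC:L/Au:N/C:P/I:P/A:P'),
  rank('Reflected XSS in error page', 'AV:N/AC:M/Au:N/C:N/I:P/A:N'),
  rank('Server version banner', 'AV:N/AC:L/Au:N/C:P/I:N/A:N'),
];

function summaryLines() {
  return findings.map(f => `${f.score.toFixed(1)}  ${f.nvd.padEnd(6)}  ASV ${f.pci}  ${f.label}`);
}

console.log(summaryLines().join('\n'));
```

The point the numbers make is the one in the talk: a single base score carries no environmental or business context, so two schemes looking at the same 4.3 will call it "Medium" and "FAIL" respectively, while a bare 5.0 for a banner sits above the XSS that an attacker would actually use.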

Conference and training registration is now open. AppSec Research 2012 is being held at the Department of Informatics and Telecommunications at the University of Athens. The nearest metro station is Evangelismos.

Posted on: 25 May 2012 at 07:31 hrs


13 May 2012

Logging Strategically

Last month I discussed application logging from an implementation viewpoint. Rafal Los (Wh1t3Rabbit) has published a helpful series of posts on his Following the White Rabbit blog regarding the drivers, motivation and strategic considerations when undertaking application logging.

a series of posts ... that will cover the untapped wealth that is your corporate logs

The four posts are:

My own implementation notes are written up in the OWASP Application [Security] Logging Cheat Sheet.

Posted on: 13 May 2012 at 10:21 hrs


23 April 2012

Guide to Application Security Event Logging

Application logging, and in particular, application security logging may not sound the most exciting of subjects, but it really can be a very useful tool that helps during development and operation.

Photograph of the world's first practical electronic digital information processing machine - Colossus - at Bletchley Park, UK

If you remember, I have written about application security logging a number of times before. I have now consolidated all that information, and more, into a new document for the OWASP cheat sheet series about application logging that explains the benefits and details:

  • Design, implementation and testing
    • Event data sources
    • Where to record event data
    • Which events to log
    • Event attributes
    • Data to exclude
    • Customisable logging
    • Event collection
    • Testing
  • Deployment and operation
    • Release
    • Operation
    • Protection
    • Monitoring of events
    • Disposal of logs

The cheat sheet guide is a wiki page, so if you have any contributions, please add them. If you know any other good reference articles, I would like to hear about them.

This week I will be at Security B-Sides London, which my company is co-sponsoring. If you are there too on Wednesday, say hello.

Posted on: 23 April 2012 at 22:31 hrs



© 2008-2013 clerkendweller.com