18 September 2009

Guidelines

Posts relating to the category tag "guidelines" are listed below.

18 September 2009

Tidy Up That Test Data

At this time of the year, gardeners have usually seen the best of their summer displays, and thoughts turn to tidying up the garden before the winter.

Flower bed and stone urn in Regent's Park, London, August 2009

The publication of a new report from the Ponemon Institute on Data Security in Development & Testing is a timely reminder that like gardens, our web site and web application development and test systems need periodic attention, otherwise they can go wild too. The report describes the findings from a survey of IT practitioners in the United Kingdom and United States on the adequacy of their policies and technologies in place to protect real data used in development and testing. The survey is included in the report, so you can compare your own organisation.

Take some time to identify how real data are being used in your development and test systems, and determine what sensitive data is being used, stored and transmitted, and how it is deleted. Are you allowed to use the data for development and testing at all? Check who has access to the data, from where, and what the risks are.

If you undertake some form of masking or other anonymisation technique, do read and take into account a new summary of research and discussion by Paul Ohm in his paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.

Put plans in place now, that will make next year easier. No manure required.
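An added illustration (not code from the original post) of the masking caveat above: stripping names and e-mail addresses from a test-data extract still leaves quasi-identifiers such as postcode, date of birth and sex that can single out individuals, which is the re-identification problem Ohm describes. The customer rows, field names and the k threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed sample of a customer table as it might be copied into a test
# system. Names, postcodes and dates are invented for illustration.
CUSTOMERS = [
    {"name": "A. Smith", "email": "a.smith@example.com", "postcode": "SW1A 1AA", "dob": "1970-03-04", "sex": "F"},
    {"name": "B. Jones", "email": "b.jones@example.com", "postcode": "SW1A 2BB", "dob": "1970-11-20", "sex": "F"},
    {"name": "C. Patel", "email": "c.patel@example.com", "postcode": "SW1A 1AA", "dob": "1970-07-15", "sex": "F"},
    {"name": "D. Brown", "email": "d.brown@example.com", "postcode": "EC1A 1BB", "dob": "1982-01-09", "sex": "M"},
    {"name": "E. Evans", "email": "e.evans@example.com", "postcode": "EC1A 4CC", "dob": "1982-05-30", "sex": "M"},
    {"name": "F. Walsh", "email": "f.walsh@example.com", "postcode": "EC1A 2DD", "dob": "1982-09-12", "sex": "M"},
]

DIRECT_IDENTIFIERS = {"name", "email"}          # fields everyone agrees to strip
QUASI_IDENTIFIERS = ("postcode", "dob", "sex")  # fields that can still single people out


def mask_direct_identifiers(rows):
    """Naive masking: drop name and e-mail, leave every other field untouched."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def generalise(row):
    """Coarsen the quasi-identifiers: outward postcode only, year of birth only."""
    out = dict(row)
    out["postcode"] = row["postcode"].split()[0]
    out["dob"] = row["dob"][:4]
    return out


def k_anonymity(rows, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing one combination of quasi-identifier
    values. k == 1 means at least one row is unique on those fields alone."""
    groups = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(groups.values())


def safe_for_test(rows, k_required=3):
    """Release check: every quasi-identifier combination must cover k_required rows.
    The threshold is an assumed policy value, not a figure from the report."""
    return k_anonymity(rows) >= k_required


if __name__ == "__main__":
    masked = mask_direct_identifiers(CUSTOMERS)
    print("k after stripping names/emails:", k_anonymity(masked))          # 1: still re-identifiable
    coarse = [generalise(r) for r in masked]
    print("k after generalising quasi-identifiers:", k_anonymity(coarse))  # 3
```

Generalisation raises k on this sample, but the check only measures the fields you list as quasi-identifiers; any column you overlook (a free-text notes field, say) is not covered.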

Posted on: 18 September 2009 at 10:40 hrs


04 August 2009

Do You Have SSL Configured Correctly?

Let me start by saying that "correctly" means "best for you". There isn't a single correct answer, although there are certainly some "don'ts" that apply in every situation.

This information is not about whether to use SSL, and is mainly for your systems folk (or hosting company), but do read on and perhaps gain a better understanding.

Partial screen capture of a report from the SSL Labs Public SSL Server Database showing the host name, IP address, an overall score and part of a bar chart

Ivan Ristić recently announced the SSL Server Rating Guide (draft 10, 21 July 2009) and an associated online assessment tool called the Public SSL Server Database. These reminded me to post my comments last Tuesday about the slightly related Colour Overload with IE8 Tab Grouping.

The SSL Labs' resources describe, and allow you to check, the SSL configuration of your own site, or of any other public site that has SSL enabled. The checks span the certificate and three categories of web server configuration settings. Previously, this needed more specialist tools that most people wouldn't have had the time or inclination to use.

The rating guide contains much useful information, but will be too detailed for many people. However, do read the "Minimal Configuration Requirements" and pass these on to the person responsible for the configuration and operation of your own web sites. Not every site needs an overall rating of 73 or 85 or whatever; Table 6 of the guide gives an idea of what might be suitable for a range of web site types.

After all, your competitors, and some customers, have probably already checked your site.

Posted on: 04 August 2009 at 17:56 hrs


24 July 2009

Building a Software Security Assurance Programme

Last night, I spoke at OWASP Ireland's meeting in Dublin about the previously discussed Software (Security) Assurance Maturity Model (SAMM).

Partial screen capture from the title slide from my presentation on the Software (Security) Assurance Maturity Model (SAMM) to OWASP Ireland, 23rd July 2009

My presentation defined what software assurance, and in particular software security assurance, are, and why they are needed for complex software quality aspects. I also discussed what a maturity model is and how SAMM fits in with other business, project management, IT and software development maturity models. Moving onto SAMM, we reviewed the structure and how it may be used in software development teams and businesses to measure the current capability, act as a benchmark and help in building out a software security assurance programme.

There's been some discussion about applying SAMM on the SAMM mailing list, but it was good to chat with other people about their experiences and ideas to help organisations build better (more secure) software. The evening continued with an interesting talk by Niall Jordan on "Evading SQL Injection Detection Through Encoding", and then off to the nearest (almost adjacent) pub for further lively discussion and debate.

Oh, and a reminder... the Ireland chapter have organised OWASP Ireland AppSec 2009 Conference on 10 September 2009. With two tracks of application security related presentations from excellent speakers, I think it's going to be well worth attending.

Posted on: 24 July 2009 at 16:08 hrs


10 July 2009

Business Case for Web Security

It can be hard to justify business spending when web sites are often viewed as low-value assets. The fact that so much Internet content and services are free, and you can buy a web site for less than the cost of a colour TV licence in the UK reinforces this idea in many small and medium enterprises (SMEs).

Photograph of a building with a banner offering business web sites from only £99 - complete solutions with email

Much of my work is related to dealing with security incidents, such as web sites which have been hacked, or where an organisation is having security requirements imposed by their own customers and clients. Often these activities are undertaken late in the project and are therefore less effective, and more costly, than they might need to be.

I adhere to the principle "prevention is better than cure", and encourage the early consideration of security and privacy matters—just like any other business process requirement. It was encouraging to read the useful guidance and pointers on Business Cases For Software Security Initiatives but for many organisations, the issues are too complex and they don't have any supporting data. For those I recommend, as a starting point, concentrating on four types of issue:

  1. mandatory compliance issues (e.g. legislative and contractual)
  2. problems which can assist theft or fraud
  3. security events which would be severely disruptive and possibly put the organisation out of business
  4. issues for customer trust and ongoing reputation

It's always organisation specific though. As organisations mature, they can be encouraged to look at wider security issues—but, let's get the basics right first.

Posted on: 10 July 2009 at 09:15 hrs


30 June 2009

Is Britain Still Under Construction?

Old, backup, "secret" and test pages, scripts and other files shouldn't be left on live web sites. The Visit Britain web site should be a showcase for Britain, but I was trying to find a particular page and looked at their 97-page long full sitemap.

Partial screen capture showing the top left of the Visit Britain full sitemap - the results shown are Videos, Reviews, UK travel and accommodation - Home Page, ad tag test page, Home Page for Familiar Markets, Old Home Page, test-script, weather test, Yell, Delete, Tourist Guides, All UK

Oops, the 4th, 6th, 7th and 8th links were all test or old pages. I couldn't believe this prominent web site didn't have procedures in place to manage draft and test content, or even that they were making such pages live on their web site. The result test-script worried me most, but fortunately all four of these returned "not found" when clicked.

I wonder what the page "Delete" does though?

People use search engines such as Google to find hidden information on web sites (aka Google Hacking), but it's uncommon for web sites to clearly list it on their own site map. Rather than ploughing my way through the impenetrable site map, I switched to Google to see what it had found, using the search query "site:www.visitbritain.co.uk test". Skipping the results about cricket test matches and testing your handicap revealed links to more test pages:

Montage of content from Visit Britain website including test pages and test forms

My favourite must be the page with the parent page labelled "Food & Drink - to be deleted EVENTUALLY" in the breadcrumb trail:

Partial screen capture showing the breadcrumb trail - You are here: * Home * Things to See & Do * Interests * Food & Drink - to be deleted EVENTUALLY * AA Copyright Test

These types of practices don't instil any confidence in the management of the web site. Old, backup and test files may contain sensitive data, allow access to the application or to functions otherwise restricted, or contain faults that have been fixed in the current version. And, if you actually list them, it looks terrible! Web sites and web applications don't just look after themselves—you need clear policies, a well-designed specification, a robust development contract, good management, skilled staff, verification processes, and a willingness to learn from good practices elsewhere.

Today's message: read Testing for Old, Backup and Unreferenced Files.
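As an added example, not part of the original post, here is the kind of pre-publication check a site owner can run over their own sitemap to catch entries whose names suggest old, backup or test content before they go live. The sitemap entries, the word list and the file suffixes are constructed for illustration; adjust them to match your own naming conventions, and treat the output as a review list rather than a verdict.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Words that, standing alone inside a path segment, usually mean "not for live".
# The lookarounds stop "testimonials" or "golden" from matching.
SUSPECT_WORDS = re.compile(
    r"(?<![a-z])(test|old|backup|bak|draft|tmp|temp|delete|copy)(?![a-z])", re.I)
# Editor and backup artefacts that should never be deployed at all.
SUSPECT_SUFFIX = re.compile(r"(\.bak|\.old|\.orig|\.swp|~)$", re.I)

# Constructed sitemap modelled on the kind of entries the post describes.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/things-to-do/food-and-drink</loc></url>
  <url><loc>https://www.example.com/ad-tag-test-page</loc></url>
  <url><loc>https://www.example.com/old-home-page</loc></url>
  <url><loc>https://www.example.com/weather-test</loc></url>
  <url><loc>https://www.example.com/delete</loc></url>
  <url><loc>https://www.example.com/index.html.bak</loc></url>
  <url><loc>https://www.example.com/testimonials</loc></url>
</urlset>"""


def review_sitemap(xml_text):
    """Return [(url, reason)] for every <loc> whose path looks like leftover content."""
    root = ET.fromstring(xml_text)
    findings = []
    for loc in root.findall(".//sm:loc", SITEMAP_NS):
        url = (loc.text or "").strip()
        path = urlparse(url).path
        if SUSPECT_SUFFIX.search(path):
            findings.append((url, "backup/editor artefact suffix"))
            continue
        match = SUSPECT_WORDS.search(path)
        if match:
            findings.append((url, "suspect word: " + match.group(1).lower()))
    return findings


if __name__ == "__main__":
    for url, reason in review_sitemap(SAMPLE_SITEMAP):
        print(f"{reason:32} {url}")
```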

Posted on: 30 June 2009 at 08:40 hrs


09 June 2009

BS 10012 on Data Protection and PIMSs

The new British Standard 10012:2009, Data Protection - Specification for a Personal Information Management System, has been published.

Partial view of the cover from British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System showing the words 'British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System'

British Standard 10012:2009 was the subject of an earlier draft for public comment (DPC) and I worked with the OWASP Industry Committee on a response.

BS 10012 is not an alternative to the excellent guidance for organisations now produced by the UK's Information Commissioner's Office, but instead is a specification for a personal information management system (PIMS). A PIMS is a governance process for all types of personal information within a company but could also be used for other types of sensitive data. BSI's slant on this is that a PIMS, and therefore BS 10012, could help maintain and improve compliance with the Data Protection Act (DPA) 1998.

A good start and one to watch.

Posted on: 09 June 2009 at 10:32 hrs


26 May 2009

System Hardening

Hardening the underlying server operating system is an important fundamental task to help protect your web applications.

For example, the Payment Card Industry Data Security Standard (PCI DSS) requirement 2.2 states:

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Two United States organisations producing guidance in this field are:

These are detailed documents, and not all of their recommendations will be appropriate for your own situation.

Posted on: 26 May 2009 at 10:56 hrs


19 May 2009

Can An Accessible Web Application Be Secure?

"Can An Accessible Web Application Be Secure" was the title of my presentation at OWASP AppSec EU09 last week in Kraków, Poland.

Photo montage of computer (spelt komputery in Polish) shops, shop signs and adverts for Polish websites

Kraków is a beautiful, friendly and safe city, and was an excellent location for the well-organised conference which attracted delegates from all over Europe. The Open Web Application Security Project (OWASP) has the best resources, documents and tools on web application security, and it's all freely available, under an open source licence. All the presentation slides are now uploaded to the conference website for 13th May and 14th May, and video recordings will be added in due course. Most of the speakers were also interviewed for the OWASP Podcast.

Top left corner of the presentation template slide - the full presentation's URL is provided below

In my presentation I discuss how compliance requirements can lead to additional complexity and thus an increased likelihood of vulnerabilities. I focus on accessibility, which has become an accepted part of many web site and web application development projects, especially those aimed at consumers or that belong to governmental organisations. The key standard in this area is the Web Content Accessibility Guidelines 2.0, which became a W3C recommendation in December 2008. I identify eight classes of security issues that people involved with specification, design and verification should be aware of, and in particular examine 'alternative forms of CAPTCHA', 'flexible session timeouts' and 're-authentication recovery'. In conclusion, accessible web applications can be secure, but accessibility adds complexity to the problem of securing the application.

The presentation slides and additional resources are available on the OWASP web site:

See also my related posts on Security Implications of WCAG 2.0 and What's the Scope for Accessibility Testing?.

Reminder: The OWASP London chapter meeting is this Thursday (21st May). It's free to attend, but prior registration is required for access to the venue (see the previous link for details).

Update 21st May 2009: Matt Tesauro, leader for the OWASP Live CD Project, has kindly given my presentation his "winner of my unexpected security problem of the conference" award in his posting Talks of Interest - Some Personal Notables from AppSecEU 2009 on the new AppSecLive.org blog.

Update 5th June 2009: The presentation video is now available on owasp.blip.tv.

Posted on: 19 May 2009 at 08:40 hrs


27 March 2009

Software Assurance Maturity Model (SAMM)

The Software Assurance Maturity Model version 1.0 was released on Wednesday after a recent period of review and updating.

Partial page view in the Software Assurance Maturity Model (SAMM) document summarising the verification business function practices

The Software Assurance Maturity Model (SAMM) describes a reasonable and practical approach to building security into the software development lifecycle, for organisations of all sizes. The model, available as a free PDF download, can be used with a particular software project, software development team or a whole software development company.

SAMM specifies four business functions (governance, construction, verification and deployment) critical to building security in, each with three security practices. Within the twelve security practices SAMM defines three maturity levels as objectives, each with more stringent success metrics than the previous level. The security practices can be improved independently, giving a maturity fingerprint snapshot across the business functions.

One of the best uses will be to compare existing practices against the framework—and then choose activities to improve which suit the particular organisation's culture and needs. SAMM is not prescriptive in how it can be used.

Additionally, the document is extremely well-designed making the content much more accessible than many others. Join the project mailing list if you want to contribute to its continuing development.

Posted on: 27 March 2009 at 12:50 hrs


24 March 2009

IT Governance Watch

I will be speaking later this morning at the IT Governance Watch event in London.

IT Governance Watch is a joint initiative of the Cyber Security Knowledge Transfer Network and The National Computing Centre. The day's programme is intended to be a combination of seminars and workshops; IT Governance Watch is proposed as a new observatory of standards and good practice in governance, security, risk, and information assurance of information systems.

Update 26th March 2009: David Lacey, an attendee at IT Governance Watch on Tuesday, has posted his views on the event in Better Standards for Standards Please.

Posted on: 24 March 2009 at 07:21 hrs



Guidelines : Web Security, Usability and Design
http://www.clerkendweller.com/guidelines



© 2008-2010 clerkendweller.com