21 May 2013

Maturity

Posts relating to the category tag "maturity" are listed below.

21 May 2013

OWASP EU Tour 2013 in London on June 3rd

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Posted on: 21 May 2013 at 19:59 hrs


04 May 2013

OWASP European Tour Kick-Off in Cambridge

Following the success of similar events in Latin America, a rolling tour of events with OWASP speakers will be occurring in European countries, beginning with Cambridge this month.

Banner image from the OWASP European Tour flyer for the application security event in Cambridge, UK on 13th May 2013

This first event of the tour has been organised in conjunction with Anglia Ruskin University's Department of Computing and Technology for Monday 13 May 2013.

The agenda lists all the speakers:

I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCIDSS compliance.

Thank you to Fabio Cerullo and the OWASP team who made this tour happen.

The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, Anglia Ruskin University, Cambridge. It is free to attend, but advance registration is required.

Posted on: 04 May 2013 at 07:36 hrs


30 April 2013

2013 Information Security Breaches

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

One of the bar charts in the DBIS '2013 Information Security Breaches Survey'

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so it is generally hyperbole-free.

The most interesting data points for me are:

  • 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
  • For all breaches, operational disruption typically lasts a week, with 2-4 weeks of FTE effort responding to the incident, and a quarter of incidents leading to lost business
  • Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

Posted on: 30 April 2013 at 20:53 hrs


09 April 2013

Upcoming OWASP Conferences

Three regional OWASP application security conferences are planned for later this year.

Photograph of the top-level structure of the London Shard

OWASP runs the most comprehensive application security conferences with a very high standard of training courses, speakers and delegates to network with. The next three conferences are:

  • August 20-23: AppSec EU Research 2013, Hamburg, Germany
  • October 1-4: AppSec Latam 2013, Lima, Peru
  • November 18-21: AppSec USA 2013, New York, USA

The calls for training and papers are open for AppSec EU and AppSec USA. I hope to attend both of these. AppSec Asia will occur again in spring 2014.

Posted on: 09 April 2013 at 08:23 hrs


22 February 2013

Threats, Attacks, Exploits and Defences

On Wednesday this week, Trustwave published the full version of its latest global information security report. It is comprehensive, information-rich, and well designed.

Part of a page from the Trustwave 2013 Global Security Report showing a diagram that illustrates the main sectors to which the mobile app security testing data in the report relates

The 2013 Trustwave Global Security Report (registration required) provides information from their incident investigations, updates from law enforcement agencies around the world (including SOCA), threat intelligence (attack sources, motivations, emerging techniques, attacks and defences), and some international perspective viewpoints. The sources used to aggregate data and draw conclusions from include their vulnerability scanning, penetration testing and incident response investigation services, publicly disclosed data breaches, email sources, published vulnerabilities, and analysis of malicious web sites. Even this cannot be said to be completely representative, but it is amongst the better data available.

Based on the incident investigation information, payment cardholder data was the primary target because it is highly saleable for subsequent use in fraudulent transactions. Secondly, personal data is noted as having some monetary value. The primary targets were retail, food & beverage and the hospitality sector via their e-commerce and retail channels (web sites and point of sale/payment processing). These of course reflect organisations that are required to, or felt the need to, engage a company like Trustwave to perform incident investigation. Thus there will be a bias towards medium and larger organisations with personal, credit and debit card data.

Where large quantities of data were compromised, the incident investigations identified weak administrative credentials, SQL injection and remote file inclusion as the primary vulnerabilities, with data being exfiltrated using HTTP and HTTP over TLS, RDP, SMTP and SMB protocols due to missing egress firewall controls. The report recommends building a defence in depth strategy with multiple layers of security. In terms of important applications, a holistic approach that builds security in throughout the development and operation is required. In the section on international perspectives for EMEA, the report notes there is an increasing trend of medium-sized and non-banking organisations developing strategic application security programmes, where assurance activities are based on the business risk each application presents.

Information points from the WASC Web Hacking Incident Database are also presented. These relate to publicly reported incidents of web applications during 2012 that have an identified outcome. This does not pretend to be fully representative of all web application attacks, but it does represent many significant events. The most common attack methods were denial of service followed by SQL injection.

The top 10 application vulnerabilities (I believe the label on the table on page 50 possibly mistakenly includes the word "mobile") highlights how common cross-site scripting (XSS) and cross-site request forgery (CSRF) are, based on a sample of application penetration tests. Separate information is also presented for mobile application penetration tests, comparing the findings to the OWASP Mobile Top 10.

The other part of the report of interest to application software designers and architects is the statistical analysis of nearly 3.1 million encrypted passwords from Active Directory servers. In order of number of occurrences, "Welcome1" is the most common password, followed by "STORE123", "Password1", "password", "Hello123", "12345678", "training" and "Welcome2". "STORE123" sounds very like point of sale (POS) systems. These results and the analysis of password composition and make-up will be useful where there is a desire to limit the use of common passwords and formats.
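To show how the report's list of common values can be turned into a registration-time check that also catches the "word followed by a digit or two" shape most of those values share, here is an added example written for this post, not code from Trustwave or from the report. The denylist below is seeded only with the eight strings quoted above; a real deployment would load a much larger list, and the minimum length of 12 is an assumption, not a figure from the report.

```python
"""Added example: reject passwords that are on a common-password list, or that
share the 'dictionary word plus trailing digits' shape seen in that list.
The denylist is constructed from the values quoted in the post above."""
import re

# Constructed denylist: the eight most common values named in the post, lower-cased.
COMMON_PASSWORDS = {
    "welcome1", "store123", "password1", "password",
    "hello123", "12345678", "training", "welcome2",
}

# A single alphabetic word followed by one to four digits ("Welcome1", "Hello123").
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+[0-9]{1,4}$")

# Hypothetical policy value (assumption for this example, not from the report).
MIN_LENGTH = 12


def stem(password):
    """Lower-case and strip trailing digits, so 'Welcome3' and 'welcome1'
    both reduce to 'welcome'. This defeats the common trick of bumping the
    number at the end of a blocked password."""
    return re.sub(r"[0-9]+$", "", password.lower())


# Stems of the denylist, so variants of a listed word are caught too.
COMMON_STEMS = {stem(p) for p in COMMON_PASSWORDS if stem(p)}


def reject_reasons(password, denylist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return a list of reasons the password should be refused (empty = accept).
    Every check runs, so the caller can report all problems at once."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if password.lower() in denylist:
        reasons.append("on common-password list")
    elif stem(password) in COMMON_STEMS:
        reasons.append("variant of a common password")
    if WORD_PLUS_DIGITS.match(password):
        reasons.append("word-plus-digits pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1", "Welcome3", "Store9", "correct horse battery staple"):
        print(candidate, "->", reject_reasons(candidate) or "accepted")
```

The stem check is deliberately applied only when the exact match fails, so a password gets one list-related reason rather than two; the length and shape checks are independent of the list and still fire for values that were never seen in any breach data.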

Definitely worthwhile reading.

Posted on: 22 February 2013 at 11:06 hrs


10 August 2012

Software Assurance Maturity Scorecards

I have posted a new message to the Software Assurance Maturity Model (SAMM) blog regarding scorecard charts.

Partial view of a SAMM scorecard chart showing the software assurance maturity levels against the security practices

Like the previously created roadmaps, the scorecard charts use a transformation from an XML file to create an SVG image. They illustrate a team, project or organisation's maturity level, scored against SAMM, at a single point in time (the scorecard charts in the SAMM document compare scores at two points in time).

The XML template, schema and transformation files are available to download without charge or registration.
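The SAMM scorecard transformation itself is XSLT, and the template and schema are the project's own files; the block below is an added example written for this post, not the SAMM project's code, and it uses a hypothetical, much simpler XML layout (a scorecard element holding practice elements with a name and a 0-3 score) to show the same idea of deriving an SVG bar chart from an XML scores file with nothing but the Python standard library. The constructed input and the bar dimensions are assumptions of this example.

```python
"""Added example: turn a small XML scorecard (hypothetical schema, constructed
here) into an SVG bar chart, one bar per security practice, with the bar
height proportional to the maturity score. Out-of-range scores are rejected
rather than silently drawn."""
import xml.etree.ElementTree as ET

# Constructed sample input in a hypothetical schema (not the SAMM XML template).
SCORECARD_XML = """<scorecard team="Example team" date="2012-08-10">
  <practice name="Strategy &amp; Metrics" score="1"/>
  <practice name="Education &amp; Guidance" score="2"/>
  <practice name="Threat Assessment" score="0"/>
  <practice name="Security Requirements" score="3"/>
  <practice name="Code Review" score="1"/>
  <practice name="Security Testing" score="2"/>
</scorecard>"""

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SCORE = 3                 # SAMM maturity levels run 0 to 3
BAR_W, GAP, CHART_H, LEFT = 40, 20, 120, 10   # chart geometry (assumed values)


def parse_scorecard(xml_text):
    """Return (team name, [(practice name, score), ...]); raise on a bad score."""
    root = ET.fromstring(xml_text)
    practices = []
    for p in root.findall("practice"):
        name = p.get("name", "")
        score = int(p.get("score", "0"))
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"score out of range for {name!r}: {score}")
        practices.append((name, score))
    return root.get("team", ""), practices


def is_valid_scorecard(xml_text):
    """True if every practice carries a score in the allowed range."""
    try:
        parse_scorecard(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def render_svg(xml_text):
    """Build the SVG document as a string. Each practice becomes a rect whose
    height is CHART_H * score / MAX_SCORE, plus a text label underneath."""
    team, practices = parse_scorecard(xml_text)
    width = LEFT * 2 + len(practices) * (BAR_W + GAP)
    svg = ET.Element("svg", xmlns=SVG_NS, width=str(width), height=str(CHART_H + 60))
    ET.SubElement(svg, "title").text = f"Scorecard: {team}"
    for i, (name, score) in enumerate(practices):
        x = LEFT + i * (BAR_W + GAP)
        h = CHART_H * score // MAX_SCORE
        # Bars grow upwards, so y is measured from the top of the chart area.
        ET.SubElement(svg, "rect", x=str(x), y=str(CHART_H - h),
                      width=str(BAR_W), height=str(h))
        label = ET.SubElement(svg, "text", x=str(x), y=str(CHART_H + 15))
        label.text = f"{name} ({score})"
    return ET.tostring(svg, encoding="unicode")


def rect_heights(svg_text):
    """Read back the bar heights from a rendered SVG (used to check the output)."""
    root = ET.fromstring(svg_text)
    return [int(r.get("height")) for r in root.iter(f"{{{SVG_NS}}}rect")]


if __name__ == "__main__":
    print(render_svg(SCORECARD_XML))
```

Because the serializer escapes the practice names, a name such as "Strategy & Metrics" survives the round trip without breaking the SVG; the range check on score is the one piece of validation a real transformation should not skip, since a bad value would otherwise produce a chart that looks plausible but misstates the maturity level.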

Posted on: 10 August 2012 at 07:52 hrs


31 July 2012

Integrating Security with Agile Software Development

Software development industry body Software Assurance Forum for Excellence in Code (SAFECode) has announced a new publication to complement their existing guidance on software assurance, secure software development and software supply chain integrity.

One of the security focused stories and associated security tasks in the SAFECode document 'Practical Security Stories and Security Tasks for Agile Development Environments'

Practical Security Stories and Security Tasks for Agile Development Environments provides guidance on incorporating security-related activities into an Agile software development life cycle (S-SDLC), with specific guidance relating to fundamental secure coding practices. The advice relates to the most common security issues SAFECode members see in their own environments, combined with input from the CWE/SANS Top 25 Most Dangerous Software Errors, including the 16 weaknesses on the "on the cusp" list, and the OWASP Top 10 Risks.

The document is aimed at those who already understand Agile practices, whether they are already adopters or planning to use the approach. The guidance provides:

  • 36 security-focused stories and related security tasks
  • 17 operational security tasks that Agile practitioners should consider conducting on an ongoing basis
  • 12 advanced security tasks that typically require guidance from software security experts (in-house or consultants) for the first few iterations or in an ongoing manner.

I am very pleased to see such a document. Agile can be seen as a security blocker, and this provides evidence of tasks that are being incorporated into real-world Agile development processes. It is written in a way that will be immediately understandable by development teams, rather than being aimed at an information-security audience. So, for example, measures to prevent SQL injection vulnerabilities are phrased in a story like "As an architect/ developer I want to ensure AND as QA I want to verify that database queries function as expected by separating the data from the query", and the related backlog tasks include "Use prepared statements with bind variables (parameterized queries) that automatically enforce the separation between data and code.", "Deploy the database user accounts with minimal access rights (least privilege) required to perform the database action. Use separate accounts for different access roles (read only, read and update, etc.).", and "Comparable techniques apply also to XPath, NoSQL and other database queries". Great stuff.
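The story quoted above, as an added example written for this post (not code from the SAFECode document): the same lookup written first by splicing the input into the query text and then as a prepared statement with a bind variable, run against a constructed in-memory SQLite table so the difference in returned rows is visible. SQLite has no user accounts, so the least-privilege task in the same story is not shown here; the test input is a constructed textbook value, not a string taken from any report.

```python
"""Added example: the 'separate the data from the query' story, shown as a
vulnerable concatenated query beside the parameterized form. Uses the Python
standard library sqlite3 module and a constructed in-memory table."""
import sqlite3

# Constructed sample data for the example.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Data is pasted into the SQL text, so the input can alter the query's
    logic instead of being treated purely as a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Prepared statement with a bind variable: the driver hands the value to
    the engine separately from the query, so it can never change the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both forms against a benign and a hostile input and return the rows
    each one produced, so the behaviour can be compared or asserted on."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"   # constructed test input for the comparison
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The parameterized lookup returns nothing for the hostile input because there is no user literally named that string, which is exactly the QA verification the story asks for: the query functions as expected regardless of what the data contains. The same separation is what the document's follow-on task means for XPath and NoSQL queries, where the equivalent is the library's own parameter-binding API rather than string building.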

Operational security tasks include activities such as "Configure bug tracking to track security vulnerabilities", "Resolve critical and high severity issues identified by static code analysis tools", "Perform stricter code review of 'risky' code", and so on. The 12 tasks listed as requiring the help of security experts include "Software security training (secure coding and secure testing)", "Performing threat modeling for new/enhanced features" and "Conduct penetration tests on the software around beta stage".

The cross-referencing to Common Weakness Enumeration (CWE) identifiers, SAFECode's own Fundamental Practices and other materials such as OWASP ESAPI ensures this is not an island of information isolated from the wider application security knowledge base.

Posted on: 31 July 2012 at 08:45 hrs


04 July 2012

Cyber Risk Insurance

ENISA has released a report on its recent study of the cyber insurance market.

Partial view from a page on ENISA's report 'Incentives and Barriers to the Cyber Insurance Market in Europe'

The report Incentives and Barriers to the Cyber Insurance Market in Europe attempts to define cyber insurance, why cyber insurance could be an attractive measure for transferring financial risk, and describes current market offerings.

The report goes on to discuss barriers to the development of an effective cyber insurance market including:

  • Uncertainty about the extent of risk and lack of robust actuarial data
  • Uncertainty about what risk is being insured
  • Ongoing technological evolution
  • Lack of visibility on what constitutes effective protection measures
  • The absence of an insurer of last resort to re-insure catastrophic risks
  • Perception that existing insurance already covers cyber risks

The report provides recommendations to address the issues. At first glance you might consider that the report is primarily of use to those within the insurance industry, but I think it should have a much wider audience since it addresses many of the issues industry has in quantifying risks and justifying spending on security. Of course, if your organisation is considering buying cyber insurance, or even believes it already has such insurance (possibly in error), the report will provide useful matter for consideration.

See also my recent post about Systematic Study of the Costs of Cybercrime and a 2009 post on E-Commerce and Insurance - The Definitive Guide.

Posted on: 04 July 2012 at 21:11 hrs


15 June 2012

Preparing for AppSec EU 2012 in Athens

I am looking forward to the upcoming OWASP AppSec Research 2012 in Athens from 10th-13th July. The organising team have put on a great programme.

Photograph of a fire alarm control panel

My main participation in the four days of activities will be:

I hope you are attending both the training programme and three-track conference, so please flag me down and say hello. Registration is open, and there are conference discounts for OWASP, ISACA and ISC2 members, and also for students.

Posted on: 15 June 2012 at 07:59 hrs


13 June 2012

Privacy and Terms of Use Labelling

In previous posts, I have mentioned labelling in A Software Security Kitemark?, Trust and E-commerce Trustmarks, Privacy Labelling, Trust .UK, Security Labelling, and Software Assurance Labelling. There are some impressive developments in ideas for privacy and terms of use labelling.

Screen capture of the sample CommonTerms prototype terms preview

Coming to Terms on the Project VRM blog describes the work at StandardLabel.org, CommonTerms and BiggestLie.

There are some great insights into rights, user behaviour and clarity of expression, which could contribute to formulating better, more understandable, descriptions of software security quality for users. Could security be meaningfully summed up in a single statement, or even just a small number of icons?

It's a challenging problem to produce something of value to a consumer that takes a minimal amount of effort to digest. I like the approach of the OWASP Application Security Verification Standard, but even this carries some complexity in distinguishing manual from automated testing, and I am not sure software security (from the end user's viewpoint) can be entirely divorced from the security of the underlying infrastructure.

Any thoughts?

Posted on: 13 June 2012 at 07:25 hrs


Maturity : Web Security, Usability and Design
http://www.clerkendweller.com/maturity