21 May 2013

PCIDSS

Posts relating to the category tag "PCIDSS" are listed below.

21 May 2013

OWASP EU Tour 2013 in London on June 3rd

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Posted on: 21 May 2013 at 19:59 hrs


18 May 2013

Cornucopia Ecommerce Website Edition v1.00

Cornucopia Ecommerce Website Edition v1.00 was uploaded to the OWASP website in February and has now been upgraded to a full OWASP project.

Photograph of some playing cards from OWASP Ecommerce Web Site Edition v1.00

Today, I have completed the new OWASP Cornucopia Project pages which include:

Please let me know if you think I can add anything of use to the project pages.

I am also working on some minor updates to the ecommerce website edition's documentation and deck. I will be presenting the project at an event in London shortly.

Posted on: 18 May 2013 at 19:30 hrs


04 May 2013

OWASP European Tour Kick-Off in Cambridge

Following the success of similar events in Latin America, a rolling tour of events with OWASP speakers will be taking place in European countries, beginning with Cambridge this month.

Banner image from the OWASP European Tour flyer for the application security event in Cambridge, UK on 13th May 2013

This first event of the tour has been organised in conjunction with Anglia Ruskin University's Department of Computing and Technology for Monday 13 May 2013.

The agenda lists all the speakers:

I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCIDSS compliance.

Thank you to Fabio Cerullo and the OWASP team who made this tour happen.

The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, Anglia Ruskin University, Cambridge. It is free to attend, but advance registration is required.

Posted on: 04 May 2013 at 07:36 hrs


16 April 2013

Retail Payments Now and Soon

Light Blue Touchpaper is one of my regular places to read robustly researched and argued views around information security and privacy.

Photograph of a till at a retailer with a nearby PIN entry device (PED), ceramic jar for tips, and unused loyalty cards and related stamp

This week, the second part of a series on current issues in payments was published:

Bernardo Bátiz-Lazo and Laurent Simon describe their impressions and thoughts while attending the retail electronic payment forum Tomorrow's Transactions in March, and the International Payments Summit in April, both held in London.

This is a fascinating summary and well worth spending time browsing through the narrative and links.

Posted on: 16 April 2013 at 07:24 hrs


26 March 2013

Payment Terminal Malware 2

McAfee Labs has announced findings about malware that targets payment terminals.

Photograph of an unattended PIN entry device (PED) at a closed retail ticket sales counter

The malware, called vSkimmer, can detect the card readers, steal information from the Windows machines attached to these readers, and send the data to a control server. It builds upon the previously found Dexter malware.

There's a nice summary on the PCI Guru blog as to why retailers should already have defences in place to prevent the attack and exploitation.

Posted on: 26 March 2013 at 07:04 hrs


26 February 2013

OWASP NL 13.03.13

I will be travelling to Nijmegen on Wednesday 13th March having been invited to speak at the OWASP Netherlands local chapter.

Photograph of three airport departure boards with one displaying the blue screen of death in contrast to the flight departures listed on the other two

At the meeting in the Radboud Universiteit Nijmegen, I will present two brand-new talks.

  • "Record It!" — Do you know what security event information should be recorded by an application? The presentation will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described. The content is drawn from the OWASP (Application Security) Logging Cheat Sheet.
  • "OWASP Cornucopia" — Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. The PCI DSS referenced OWASP Cornucopia - Ecommerce Web Application Edition will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.

OWASP board member Jim Manico is also presenting on the subject of "Access Control Design Best Practices". Jim is a great speaker and I am looking forward to this.

The venue is the Beta-faculty, Huygensgebouw, at Heyendaalseweg 135, Nijmegen, Parkeergarage P11. Registration and pizza will occur from 18:30 hrs until 19:15 hrs when my first talk commences. The presentations will end at 21:00 hrs followed by a period for further networking. Registration is free but necessary.

Posted on: 26 February 2013 at 10:55 hrs


22 February 2013

Threats, Attacks, Exploits and Defences

On Wednesday this week, Trustwave published the full version of its latest global information security report. It is comprehensive, information-rich, and well designed.

Part of a page from the Trustwave 2013 Global Security Report showing a diagram that illustrates the main sectors to which the report's mobile app security testing data relates

The 2013 Trustwave Global Security Report (registration required) provides information from their incident investigations, updates from law enforcement agencies around the world (including SOCA), threat intelligence (attack sources, motivations, emerging techniques, attacks and defences), and some international perspectives. The sources used to aggregate data and draw conclusions include their vulnerability scanning, penetration testing and incident response investigation services, publicly disclosed data breaches, email sources, published vulnerabilities, and analysis of malicious web sites. Even this cannot be said to be completely representative, but it is amongst the better data available.

Based on the incident investigation information, payment cardholder data was the primary target because it is highly saleable for subsequent use in fraudulent transactions. Secondly, personal data is noted as having some monetary value. The primary targets were retail, food & beverage and the hospitality sector via their e-commerce and retail channels (web sites and point of sale/payment processing). These of course reflect organisations that are required to, or felt the need to, engage a company like Trustwave to perform incident investigation. Thus there will be a bias towards medium and larger organisations holding personal, credit and debit card data.

Where large quantities of data were compromised, the incident investigations identified weak administrative credentials, SQL injection and remote file inclusion as the primary vulnerabilities, with data being exfiltrated using HTTP and HTTP over TLS, RDP, SMTP and SMB protocols due to missing egress firewall controls. The report recommends building a defence in depth strategy with multiple layers of security. In terms of important applications, a holistic approach that builds security in throughout the development and operation is required. In the section on international perspectives for EMEA, the report notes there is an increasing trend of medium-sized and non-banking organisations developing strategic application security programmes, where assurance activities are based on the business risk each application presents.

Information points from the WASC Web Hacking Incident Database are also presented. These relate to publicly reported incidents of web applications during 2012 that have an identified outcome. This does not pretend to be fully representative of all web application attacks, but it does represent many significant events. The most common attack methods were denial of service followed by SQL injection.

The top 10 application vulnerabilities (I believe the label on the table on page 50 possibly mistakenly includes the word "mobile") highlights how common cross-site scripting (XSS) and cross-site request forgery (CSRF) are, based on a sample of application penetration tests. Separate information is also presented for mobile application penetration tests, comparing the findings to the OWASP Mobile Top 10.

The other part of the report of interest to application software designers and architects is the statistical analysis of nearly 3.1 million encrypted passwords from Active Directory servers. In order of number of occurrences, "Welcome1" is the most common password, followed by "STORE123", "Password1", "password", "Hello123", "12345678", "training" and "Welcome2". "STORE123" sounds very much like point of sale (POS) systems. These results, and the analysis of password composition and make-up, will be useful where there is a desire to limit the use of common passwords and formats.
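As an added illustration (not code from the report or from this blog), the following Python shows one way to turn the listed passwords into composition "shapes" so that a policy can reject both the exact common passwords and the dominant format they share (a capitalised word followed by digits). The sample list, the class letters U/l/d/s and the 25% threshold are assumptions chosen for this example.

```python
import re
from collections import Counter

# The eight most common passwords quoted in the post, used here as the sample.
COMMON_PASSWORDS = ["Welcome1", "STORE123", "Password1", "password",
                    "Hello123", "12345678", "training", "Welcome2"]


def char_class(ch):
    """Map one character to a class letter: U upper, l lower, d digit, s other."""
    if ch.isupper():
        return "U"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"


def mask(password):
    """Exact composition mask, e.g. 'Welcome1' -> 'Ulllllld'."""
    return "".join(char_class(c) for c in password)


def shape(password):
    """Collapsed mask: each run of one class becomes a single letter ('Welcome1' -> 'Uld')."""
    return re.sub(r"(.)\1+", r"\1", mask(password))


def shape_frequencies(passwords):
    """Count how often each collapsed shape occurs in a password sample."""
    return Counter(shape(p) for p in passwords)


def build_policy(passwords, min_share=0.25):
    """Denylist of the sample plus every shape covering at least min_share of it."""
    freq = shape_frequencies(passwords)
    banned = {s for s, n in freq.items() if n / len(passwords) >= min_share}
    return {"denylist": {p.lower() for p in passwords}, "shapes": banned}


def check_password(candidate, policy):
    """Return (accepted, reason): case-insensitive denylist first, then shape check."""
    if candidate.lower() in policy["denylist"]:
        return False, "on common-password list"
    s = shape(candidate)
    if s in policy["shapes"]:
        return False, f"matches common composition {s}"
    return True, "ok"


if __name__ == "__main__":
    print(shape_frequencies(COMMON_PASSWORDS))  # 'Uld' covers half the sample
    print(check_password("Summer2013", build_policy(COMMON_PASSWORDS)))
```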

Definitely worthwhile reading.

Posted on: 22 February 2013 at 11:06 hrs


15 February 2013

OWASP Top 10 - 2013 Release Candidate

A draft of the next edition of the OWASP Top 10 is available for review and comment.

The OWASP Top 10 - 2013 Release Candidate includes some changes from the current 2010 edition:

  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards

OWASP plans to issue the final public release of the OWASP Top 10 - 2013 in April or May after a public comment period ending 30th March 2013. The alternative methods for submitting comments are described on the first page of the draft document. There are discussions already on the OWASP Top Ten Project's mailing list.

Posted on: 15 February 2013 at 18:30 hrs


06 February 2013

PCI DSS E-Commerce Guidelines

An updated information supplement on Payment Card Industry Data Security Standard (PCI DSS) E-Commerce Guidelines has been released by the PCI Security Standards Council (PCISSC).

Screen capture of a Google search form with the phrase 'PCIDSS compliant' typed in and the mouse over the suggested autocomplete phrase 'PCIDSS compliant hosting' and the adjacent quick link 'I'm feeling lucky'

PCI DSS E-commerce Guidelines v2 is the result of work by the PCISSC's E-commerce Special Interest Group, and provides guidance for businesses that sell goods and services over the internet.

The guidance includes an overview of e-commerce terminology and architectures, roles and responsibilities, and summarises common vulnerabilities in e-commerce environments (injection flaws, cross-site scripting, cross-site request forgery, buffer overflows, weak authentication and/or session credentials), and common security "misconfigurations". The latter is not all about configuration and includes for example "Using secure software development and coding practices for websites" (PCI DSS Requirements 6.3-6.5).

The document also lists eight key recommendations, and also includes two appendices — one is a cross-reference between identified PCI DSS requirements and the corresponding e-commerce guidance, and the second provides a checklist to help identify and assign responsibilities between the merchant and third party service providers.

A list of additional resources to help identify "industry-accepted best practices and guidelines" is provided referring to OWASP, SANS Institute, CERT Coordination Centre, the Centre for Internet Security and ISACA. It is a pity OWASP Cheat Sheets are not directly referenced. However, I am pleased to see that my own Cornucopia E-commerce Web Site Edition, a card game to help developers enumerate and discuss potential application security requirements using data from the OWASP Secure Coding Practices - Quick Reference Guide, is referenced in the section about OWASP.

There is news coverage elsewhere here, here, here and here.

Posted on: 06 February 2013 at 08:38 hrs


28 December 2012

Card Fraud

A recent blog post about cardholder-not-present (CNP) fraud reminded me to mention the UK statistics for payment card fraud.

Page from 'Fraud The Facts 2012' displaying a table of annual fraud losses on UK-issued cards between 2001 and 2011

Fraud The Facts 2012 (PDF version), published by UK Payments Administration, describes the state of fraud in the UK payment industry. Information in the section on plastic card fraud includes data on the scale of fraud and trends, with additional details about CNP fraud, counterfeit card fraud, lost & stolen card fraud, card ID theft, and mail non-receipt fraud. The measures being taken by the UK payments industry are also described briefly.

The section on online and phone banking fraud describes losses over the last seven years, the most common scams (phishing, malware and money mules), and the steps being taken by the industry to prevent online and telephone fraud.

The document also includes information on cheque fraud, and fraud prevention advice for cardholders.

Posted on: 28 December 2012 at 09:41 hrs


PCIDSS : Web Security, Usability and Design
http://www.clerkendweller.com/pcidss
© 2008-2013 clerkendweller.com