20 December 2011

Physical

Posts relating to the category tag "physical" are listed below.

20 December 2011

Security Breach Guidance for European Telecommunications Operators

Last week, the European Network and Information Security Agency (ENISA) announced the publication of two guidance documents relating to Article 13a of the new telecommunications legislation (Directive 2009/140/EC) regarding security incidents and security controls.

Article 13a
Security and integrity
1. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services take appropriate technical and organisational measures to appropriately manage the risks posed to security of networks and services. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. In particular, measures shall be taken to prevent and minimise the impact of security incidents on users and interconnected networks.
2. Member States shall ensure that undertakings providing public communications networks take all appropriate steps to guarantee the integrity of their networks, and thus ensure the continuity of supply of services provided over those networks.
3. Member States shall ensure that undertakings providing public communications networks or publicly available electronic communications services notify the competent national regulatory authority of a breach of security or loss of integrity that has had a significant impact on the operation of networks or services.
Where appropriate, the national regulatory authority concerned shall inform the national regulatory authorities in other Member States and the European Network and Information Security Agency (ENISA). The national regulatory authority concerned may inform the public or require the undertakings to do so, where it determines that disclosure of the breach is in the public interest.
Once a year, the national regulatory authority concerned shall submit a summary report to the Commission and ENISA on the notifications received and the action taken in accordance with this paragraph.
4. The Commission, taking the utmost account of the opinion of ENISA, may adopt appropriate technical implementing measures with a view to harmonising the measures referred to in paragraphs 1, 2, and 3, including measures defining the circumstances, format and procedures applicable to notification requirements. These technical implementing measures shall be based on European and international standards to the greatest extent possible, and shall not prevent Member States from adopting additional requirements in order to pursue the objectives set out in paragraphs 1 and 2.
These implementing measures, designed to amend nonessential elements of this Directive by supplementing it, shall be adopted in accordance with the regulatory procedure with scrutiny referred to in Article 22(3).

I don't often quote legislation here, but I thought it was relatively short and provides the intent behind ENISA's guidance. ENISA has published two documents.

Technical Guideline on Incident Reporting provides guidance on the annual summary of significant issues and the notification of cross-border incidents. While most (all?) readers of this blog won't work in the telecommunications sector, I think the document is useful more widely for two reasons. It demonstrates the type of reporting which could be required if breach notification becomes a requirement for other sectors or types of data (e.g. personal data) in the future. Also, Section 5 on impact parameters and thresholds provides some insight into the continental and national viewpoint on the effects of security incidents.

The second document, Technical Guideline on Minimum Security Measures, defines the security controls national regulators need to consider when evaluating public communications networks. These are relatively high-level and are grouped into governance/risk management, human resources security, security of systems and facilities, operations management, incident management, business continuity management, and monitoring, auditing and testing. So there is a clear mapping to ISO27001/2/5 for information security and risk management, and BS 25999 for business continuity.

Posted on: 20 December 2011 at 06:47 hrs


06 December 2011

Registry of Cloud Computing Providers' Security Controls

This week, the Cloud Security Alliance has announced its new repository of security control self-assessments for cloud computing providers.

Part of the Security Response in the Context of CSA Cloud Control Matrix (CCM) security controls SA-03 through SA-04 for Microsoft's Office 365, published on the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

The CSA Security, Trust and Assurance Registry (STAR) lists providers who have completed and submitted a Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM) response to indicate their compliance with CSA best practices.

Currently only two providers are listed, but more are in progress. This will be a very helpful resource for those seeking assurance about controls from suppliers, and could potentially standardise the way cloud providers publish information about their security practices, simplifying procurement processes. If you are an IaaS, PaaS or SaaS provider, the existing submissions may help your own controls development or completion of an assessment.

There is more information in the detailed FAQ and LinkedIn forum.

Posted on: 06 December 2011 at 08:59 hrs


22 September 2011

AppSec USA 2011 - Part 1

The first keynote speech at AppSec USA 2011 was given by Mark Curphey, a founder of OWASP.

Photograph of the opening keynote speech at AppSec USA 2011 with Mark Curphey

He described OWASP's beginnings in 2001, and how the organisation has grown and become the success story it is today. That success is entirely about the people and its open principles. Despite having contributions from all round the world, he described how connecting people in person, face-to-face, is critical, and thus how important the local chapters, local events and regional conferences are. He included a compilation of short videos from chapters around the world. He also saluted many of the exceptional people involved over ten years, and explained how he believes the application security community needs to keep in step with the trends in the developer community.

Photograph of the Andres Riancho speaking at AppSec USA 2011

The talks were spread over four parallel tracks. Following the morning break, I attended a talk by Andres Riancho on web application security testing payloads. Andres described the lack of post-exploitation techniques available in web penetration testing tools. Where these do exist, they are mainly in the area of buffer overflows rather than for web exploits, where there is often much reduced capability. He showed how W3AF has been extended to build a number of post-exploitation payloads, mainly in the Linux/Apache HTTP space. He also demonstrated how a custom payload could be used to download a web site's source code where there is a file read vulnerability, and then, with a proof-of-concept static code analysis tool, examine that code to look for additional vulnerabilities that may be exploitable to achieve file write capability, and thus file execution. This combination of black-box penetration testing and static code analysis is a fascinating and useful concept.

Photograph of the Ryan Smith speaking at AppSec USA 2011

I then attended a presentation on the mobile track by Ryan Smith about a distributed framework for performing large-scale Android application security analysis called STAAF (Scalable Tailored App Analysis Framework). He described how there are many Android app analysis tools, but these are mostly designed to analyse a single app at a time. STAAF uses these as modules but adds efficiency, scalability and data analysis capabilities. Ryan described the low barrier to entry for Android developers and the problem with third-party marketplaces from which some users will download and install apps. The mobile devices treat all the apps the same. For users there is no distinction between core apps and third-party applications, and they can only make decisions based on trust of the source and the permissions requested. In practice this means malicious apps are widely available and downloaded by unsuspecting users. STAAF was built to scale across multiple servers to process scanning requests, with centralised long-term storage and results reporting. Modules include extraction of permission requirements, libraries used, referenced static URLs, methods, manifest and Dex bytecode. Efficiencies are obtained by caching intermediate results, data conversion to ASCII, Smali and Java, and storing the control flow graph from the Dex. Additionally, common libraries and shared resources are not re-processed every time. The framework is bound by CPU power due to database activity, but it appears to have the potential to scan 50,000 apps in less than 8 hours with a relatively small number of nodes.

Photograph of the Scott Matsumoto speaking at AppSec USA 2011

Next I listened to Scott Matsumoto's presentation on threat modelling for cloud-based services and applications. Threat modelling can be complex, and therefore I am always interested to hear about different approaches. Scott used the NIST Cloud Definition Framework to describe how Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) affect application design, deployment and operation. He discussed the use of Amazon Web Services (AWS) S3 as an example change to an application's architecture to identify the assets, threats and risks of using a cloud-based approach. He described the risks unique to cloud-based applications as well as those that are often very relevant but are common to other architectures too. There is a related presentation tomorrow, by one of Scott's colleagues, on simplifying threat modelling.

Photograph of the OWASP board presentation over lunch at AppSec USA 2011

During lunch the OWASP Board described the current healthy status of participation, membership and supporters, chapters, conferences and project activity. Michael Coates is now the new OWASP chair as Jeff Williams steps down after 8 years. The board also announced awards for people who had made special efforts during the previous year, and Michael Coates thanked Jeff Williams for his previous tenure.

Photograph of the Dan Cornell speaking at AppSec USA 2011

After lunch, Dan Cornell described a technique to reduce the exposure time between vulnerability identification and short-term remediation. He explained that when code changes occur, this can lead to vulnerabilities, where potential solutions might include web application firewalls, finding and fixing all the vulnerabilities before deployment, or avoiding vulnerabilities in the first place. These all have challenges and problems. His suggested approach for some classes of vulnerability, such as injection, is to implement a process to automatically identify new code (e.g. change control processes, file system and network monitoring), analyse this code for vulnerabilities (e.g. using normalised data from manual and automated code review and vulnerability scanning tools), and automatically block traffic targeted at exploiting these by virtual patching with IDS/IPS/WAF systems. Once the rules are created, the alerts can be mapped back to the vulnerabilities to provide insight into what attackers have discovered and what they are interested in. These techniques may be of use where you have little or no control over the deployed code, or where it takes a long time to create and deploy security fixes.

Photograph of the Kevin Stadmeyer and Garret Held speaking at AppSec USA 2011

I returned to the mobile track to listen to Kevin Stadmeyer and Garret Held give an information-rich presentation on the security issues relating to iPhone applications, and how to develop these applications more securely. They described the secure storage of credentials and other data, inadvertent local storage, caching, and client-side sanitisation. Following a description of the most common issues, Kevin and Garret defined some secure coding practices to protect against buffer overflows, format string attacks, race conditions, and measures to take server side and to secure communications.

Photograph of the Scott Matsumoto speaking at AppSec USA 2011

Jon McCoy demonstrated the use of tools and methodologies to verify security in C# .NET applications based on legacy tools and his own research. He used his tool GrayWolf to decompile demonstration executables & DLLs and GrayDragon to attack a test application while running, by modifying the memory. He described that once you have access to the source code, you can examine the protection measures and have much more ability to identify vulnerabilities and thus validate information assurance of deployed code. It is also possible to modify the code or insert calls to your own procedures. For example, he described a range of methods he has used to circumvent cryptographic controls using these tools. He went on to describe measures such as code signing, package encryptors and obfuscation which are used to prevent this reverse engineering, but also described how these techniques can be ineffective or lead to additional vulnerabilities.

The talks continue tomorrow. All presentations will be available on the OWASP AppSec USA web page.

Posted on: 22 September 2011 at 19:24 hrs


12 August 2011

The Lush Topic of Security, Data Protection and PCI DSS

Do you remember Lush Cosmetics' rather public payment card data and personal data loss announced in January 2011? After 4 months of being compromised, the problem was recognised, customers were notified and the web site was shut down.

Photograph of the entrance and display windows of a Lush Cosmetics shop in London

Lush had allowed people's data to be stolen via its own web site. We are still waiting to hear what fines and other penalties will be levied under the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS) if they are found to have been non-compliant at the time. However, the UK's Information Commissioner's Office (ICO) became involved due to the related loss of 5,000 individuals' personal data, and confirmed in a press release on Wednesday this week that Lush Cosmetics had also breached the Data Protection Act 1998. Formed in 1994-1995, Lush Cosmetics has been a registered data controller (No. Z8189523) since late 2003.

As expected, no enforcement notice or monetary penalty has been issued, but Lush Cosmetics Limited's Managing Director, Mark Constantine, has signed an undertaking to ensure that personal data are processed in accordance with the seventh data protection principle concerning security, and in particular to take the following measures to improve the protection of personal and cardholder data:

  1. Appropriate technical and organisational measures are employed, and maintained, to prevent the unlawful processing of customer data, particularly within web based systems;
  2. Only the minimum amount of customer personal data is stored and that this is retained only for as long as a relevant business need exists;
  3. Computer systems storing customer personal data must be subject of regular penetration testing, with activity logs retained for an appropriate period of time and frequently interrogated for evidence of malicious attack;
  4. The processing of customer credit card data is conducted by a PCI compliant external service provider;
  5. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

...as long as the Data Protection Act, or succeeding legislation, are in force. So, correctly, a focus on Lush's web systems, including penetration testing of systems holding personal data, but also other appropriate security measures as necessary. Let's hope Lush aren't left thinking penetration testing is the answer — security needs to be considered at all stages of acquisition, development, deployment and operation.

And yes, that's right, the ICO is insisting on compliance with PCI DSS. The ICO made clear in the press release its expectation that other online retailers comply with PCI DSS, or otherwise risk enforcement action by the ICO.

This seems to be a valid approach, since fines, investigation costs, etc. may still be levied for lack of PCI DSS compliance too. But I have some concerns with how Lush are portraying their squeaky-clean new status in the web site's terms and conditions:

Our website (www.lush.co.uk) is now operating under level one PCI-DSS compliance. If you don't have your geek-speak handbook around, that means Personal Card Industry - Data Security Standard. Level one is the highest level achievable; we don't want to take any risks with our customers' money or data. Although this doesn't guarantee that our website is impervious to hacking, it does guarantee that your card details are safe and secure. You can read more about PCI compliance here [missing link]

I'm not entirely sure that moving all cardholder data off-site to a PCI DSS compliant third party processor necessarily means much about the security of other data on the Lush web site and elsewhere at Lush, or much about systems outside the cardholder data environment. Is this just meaningless bubbly rhetoric to provide false assurance, or maybe Lush still does not understand what they are doing? Complying with regulatory and contractual mandates isn't the same as believing in "filling the world with perfume and in the right to make mistakes, lose everything and start again". Some of that "honest meaning" mentioned by Lush would be welcome here too.

Personally I think the PCI SSC should be a bit more strict about how their name can be used to endorse systems. Hey, clerkendweller.com meets PCI DSS compliance criteria too! There's no cardholder data to begin with...

Posted on: 12 August 2011 at 08:22 hrs


19 July 2011

Information Assurance for Business Assurance

Last year I provided help with the definition of information assurance objectives and controls for the systems acquisition and development domain in the Common Assurance Maturity Model (CAMM), a joint initiative originally created by the European Network and Information Security Agency (ENISA) and the Cloud Security Alliance (CSA).

Front cover of the paper 'Business Assurance for the 21st Century'

My contribution was on behalf of OWASP who were among the many organisations, groups and companies supporting the CAMM initiative. Well, the project has come a long way, and is now a key contributor to the plans to create a global repository of assessments for assurance of the IT supply chain.

At the end of last week, a paper Business Assurance for the 21st Century was published defining the common vision of a single approach for assessments (either self-assessed or independently verified) to make it simpler for organisations to select suppliers and partners based on the coverage and maturity of their information assurance practices. The concept is that the global repository, or "Third Party Assurance Centre", would support a number of assurance frameworks and allow vendors to publish information in a single open format, reducing the need for numerous separate assessments for each potential customer.

All the major assurance frameworks seem to be on board, so this could well achieve a step forward in transparency, whilst at the same time introducing cost reductions into the market.

Posted on: 19 July 2011 at 17:49 hrs


10 May 2011

Data Sharing Code of Practice

Whilst on the theme of privacy protection, this afternoon I attended the launch of the Information Commissioner's Office (ICO) Data Sharing Code of Practice, at the House of Commons.

Photograph of a collection of Data Sharing Code of Practice launch items: the cover of the new ICO Data Sharing Code of Practice, the Data Sharing Checklist, the Data Sharing Code of Practice launch list of attendees and a House of Commons serviette

If you remember there was a public consultation at the end of 2010, and the final document is now complete. I contributed to my company's written response, as well as to a response by OWASP on the security aspects of data sharing.

The invitation to the launch event for the ICO Data Sharing Code of Practice, sponsored by John Leech MP, Alun Michael MP and Dominic Raab MP, in the Stranger's Dining Room of the House of Commons

The event was sponsored by John Leech MP, Alun Michael MP and Dominic Raab MP, and the new code of practice was introduced eloquently by the Information Commissioner, Christopher Graham. He made the important point that the ICO is about enabling safe use of personal data, and that blocking the use of personal data is not its role. In fact, consumers and citizens can benefit from transfers and sharing of their data — it just has to be done legally. He described the guidance as "making sense on paper, and in the real world".

Note this is statutory guidance which has therefore been approved by the Secretary of State and laid before Parliament. It does not impose new legal obligations, nor is it an authoritative statement of the law. But both courts and the Information Commissioner must take into account the contents of the code when determining any question arising from proceedings, or functions being performed by the ICO under the Data Protection Act (DPA).

It applies to all sectors — public and private — although there is some sector-specific guidance included. Importantly it applies to both routine systematic data sharing as well as one-off data sharing tasks. The guidance notes data protection principles also apply to the sharing of information within an organisation, such as between divisions, departments and teams. Examples and case studies used in the document include "a retailer providing customer details to a payment processing company", "a mobile phone company intends to share details of customer accounts with a credit reference agency" and "a marketing company wants to share data with a fulfilment company so it can send out free samples". Practical, yes.

Delegates in the Stranger's Dining Room of the House of Commons for the launch event for the ICO Data Sharing Code of Practice

I was interested to read the new document to see what changes had been made in the period since the consultation. The draft document was quite good, but the final guidance is an order of magnitude better. It looks as though considerable re-writing, greater explanation, and addition of a glossary and quick-reference checklist have improved its content and usability. Additionally, I am pleased to see many more practical private-sector examples have been included throughout the main body, and in the case studies in Annex 3.

In terms of information security, the primary aspects are detailed in Section 7, which lists good practice to take in respect of information shared with other organisations, highlights the need for building a security-aware culture, identifies the need to take reasonable steps to ensure the receiving organisation understands the nature and sensitivity of the information, the need to consider all modes of transmission, and provides two short lists of physical and technical security measures to be considered. One which stands out in particular is:

Have you identified the most common security risks associated with using a web-product — e.g. a website, web application or mobile application?

Well, that's quite specific! And, good advice.

So, data controllers take note. If you are involved with specifying or designing online (or other) business systems, read the whole document — it really will help. The code of practice does not itself have the force of law (the DPA does), but it describes good practice, and the ICO can only take enforcement action over breaches of the DPA. But as the guidance says, doing nothing risks breaking the law.

Photograph on the inside of Westminster Hall, the oldest existing part of the Palace of Westminster, erected in 1097

The whole structure of the document is:

  1. Information Commissioner's Foreword
  2. About this code
  3. What do we mean by "data sharing"?
  4. Data sharing and the law
  5. Deciding to share personal data
  6. Fairness and transparency
  7. Security
  8. Governance
  9. Individuals' rights
  10. Things to avoid
  11. The ICO's powers and penalties
  12. Notification
  13. Freedom of Information
  14. Data sharing agreements
  15. Data sharing checklists

The annexes are:

  1. The Data Protection principles
  2. Glossary
  3. Case studies

Coincidentally today a potential £200,000 penalty was imposed by the ICO for a recent web site personal data loss, and the full amount was only avoided because the sole trader had already ceased trading.

Photograph of Big Ben at the UK Houses of Parliament with a statue of Oliver Cromwell in the foreground

The code of practice has not yet been published on the ICO web site. I will check again tomorrow morning.

Update 11th May 2011: The ICO has now announced and published the Data Sharing Code of Practice and checklists on their web site.

Posted on: 10 May 2011 at 22:26 hrs


28 December 2010

CSA Cloud Controls Matrix v1.1

Perhaps you have some time at the moment to catch up with the backlog of reading? Here's a quick one to review. The Cloud Security Alliance has published an update to its Cloud Controls Matrix.

Partial view of the Cloud Security Alliance's Cloud Controls Matrix v1.1 spreadsheet

The Version 1.1 spreadsheet helpfully includes details of the revisions implemented, although it would have been easier to see which is the current version of each control if the previous text had been struck out. The changes are mainly clarifications or improved wording.

See also the related resources mentioned in my posts:

... and perhaps the slightly related Trust .UK — happy reading!

Posted on: 28 December 2010 at 13:08 hrs


24 December 2010

Smartphone Security

On the last working day before Christmas, the UK is looking very festive due to an early start to the cold and icy weather. Smartphones may be the gift of choice for Christmas, and increasingly organisations are looking to develop mobile applications.

Snow covered farmland and Sidwood Forest in Tarset, Northumberland

If you're using or developing for smartphones, two new guidance documents will help you begin the right way:

There's also a new project on Mobile Security being launched at the OWASP Global Summit 2011 in Portugal. The summit will gather together the most influential information security leaders from around the world to discuss the future of application security. If you want to participate in the discussion, debate and work, do come along.

If you are giving someone (or your staff!) a smartphone for Christmas, you may want to provide them with some guidance on security. ENISA published a guide on Smartphones: Information Security Risks, Opportunities and Recommendations for Users earlier this month, but see also Protect Mobile Phones from Get Safe Online and What Can Go Wrong - Mobiles (for 11-16 year olds) from Think You Know. The latter web site also has advice for other age groups, as well as parents and teachers.

Have a great holiday!

Posted on: 24 December 2010 at 10:35 hrs


30 November 2010

At Seat Entertainment User Interface

Last Friday, I was going to travel to Oxford by express coach, but there had been a road traffic accident which had caused delays to the normally frequent service. After standing in a very long queue at Marble Arch for 10 minutes, and seeing one full coach go past, I decided to catch the train from Paddington instead.

The earliest "off peak" train was at 19:17 hrs and I was intrigued to see on the display boards "TV Entertainment in coach D". Fearing having to watch a football match for the whole journey, I boarded the train just after coach F, expecting that to be coach E. But no, it was coach D. Rather than some sort of large screen at the end of the carriage, I was surprised to see airline-style back-of-seat type displays, and sat down before the rest of the crowd arrived.

Photograph of the Volo:TV at seat entertainment device with text welcoming users to the First Great Western Entertainment Carriage with three large touch-screen buttons labelled 'Try me', 'Start' and 'Safety', and a news ticker tape running across the top

I thought a description of the user interface might be of interest to some readers of this blog, especially considering that, apart from headset jacks, a screen power button, and volume and brightness controls, all interaction is through the touch screen. The interface constraints, the need to allow for train vibration, and use by untrained members of the public all affect what is possible.

The video on-demand in-train entertainment system is provided by Volo, whose website suggests that mobile payments are integrated via RingGo. I had a look at the safety video, which had stop, start and pause buttons like a conventional media player. The "try me" button let you navigate the juke-box of television shows categorised by genre. The interface felt like "CD multi-media" rather than "web browser". After a while the nag dialogue box popped up in a couple of permutations.

Photograph of a dialogue box stating 'Message from Volo Central - To get an hour access code for £1.50, text VOLO to 80039 or text VOLO to 81465 get a code for the whole day for £3.50' on the Volo:TV system

Photograph of a dialogue box stating 'You've tried me, why not buy me?  Go to the Express Cafe: 1) Pay £3.50 for unlimited access all day 2) Get your free drink and headphones (fold down pin type) Enjoy! Please note this special offer is subject to availability and does not apply to any other payment method (text or phone)' on the Volo:TV system

The adjacent passenger seemed to want to go further, but without a valid payment code, their attempt to "log in" was rejected.

Photograph of the start screen where you can enter your payment code using a touchscreen keypad with numbers 0-9 and letters A-F, bought by text message, by making a telephone call or from the on-board cafe - 'Please enter your code' on the Volo:TV system

Photograph of a payment code being typed in using a touchscreen keypad on the Volo:TV system - the required format was indicated with underscores and hyphens and a backspace key appears once the first character is entered

The code entry field indicated the required format with underscores and hyphens once touched, and a backspace key appeared once the first character was entered. It did not seem to be possible to enter longer codes than required.

Photograph of the error message when an invalid payment code is entered 'Logging in - The code you have entered appears to be wrong.  Please wait while we reset the screen for you to try again.  If you continue to have problems text help followed by your problem to 07786 203 111 and a Volo Controller will get back to you.'

Entry of an invalid "login" code led to a 20s delay (see countdown timer bottom right) before another attempt could be made, but there did not seem to be any limit on the number of attempts allowed. It is possible the payment code activation period is time limited as well as being for a fixed duration, and the codes might even be train-specific. Therefore the 20s delay could have been deemed sufficient to protect against guessing unused codes (a brute force attack). I would be intrigued to see the risk assessment for the system. The codes could theoretically be tied to seat numbers, but the "special offer" at the cafe didn't seem to suggest you needed to know your own seat number, and that might put off people going for a day's duration to cover their outward and return journeys.
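The question of whether a fixed delay is enough can be put in numbers. This is an added example, not code from the original post or from Volo: the 16-symbol keypad alphabet (0-9, A-F) and the 20s delay come from the post, while the code length, the number of codes valid at once and the validity window are assumptions to be replaced by the real figures from a risk assessment.

```python
"""Guessing-resistance model for a rate-limited access-code screen.

Added example, not part of the original post or Volo's system. From the post:
a keypad alphabet of 0-9 plus A-F (16 symbols) and a 20 s pause after each wrong
code, with no cap on attempts. Code length, the number of codes valid at once
and how long an unused code stays valid are assumptions."""
from dataclasses import dataclass
from typing import Optional

ALPHABET_SIZE = 16   # on-screen keypad offers 0-9 and A-F (from the post)
DELAY_SECONDS = 20   # pause enforced after an invalid code (from the post)


@dataclass
class CodeScheme:
    code_length: int                    # assumed: symbols per code
    live_codes: int                     # assumed: codes valid at the same time
    window_seconds: float               # assumed: how long an unused code stays valid
    max_attempts: Optional[int] = None  # None reproduces the observed "no limit"

    def keyspace(self) -> int:
        return ALPHABET_SIZE ** self.code_length

    def attempts_in_window(self) -> int:
        """Guesses possible before the live codes expire; the delay is the only
        throttle unless an attempt cap is configured."""
        by_delay = int(self.window_seconds // DELAY_SECONDS)
        if self.max_attempts is None:
            return by_delay
        return min(by_delay, self.max_attempts)

    def success_probability(self) -> float:
        """Chance that guessing for the whole window hits some live code.

        Distinct guesses are draws without replacement from n values holding
        m live codes; P(all miss) multiplies (remaining non-live)/(remaining)."""
        n, m = self.keyspace(), self.live_codes
        k = min(self.attempts_in_window(), n)
        p_miss = 1.0
        for i in range(k):
            p_miss *= (n - m - i) / (n - i)
        return 1.0 - p_miss

    def expected_seconds_per_success(self) -> float:
        """Mean wall-clock time to hit one of m live codes among n values."""
        n, m = self.keyspace(), self.live_codes
        return (n + 1) / (m + 1) * DELAY_SECONDS
```

Comparing, say, a four-symbol and a six-symbol code with 50 live codes over a one-hour window shows how much more the code length contributes than the delay, and setting `max_attempts` shows the effect of the attempt cap the observed screen lacked.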

Presumably codes are issued in real time, rather than from prepared lists, so the system will rely upon a semi-continuous communication connection. But it is nice to know if you have a problem, they have "controllers" rather than "helpdesk staff". The code entry screen also reverted back to the main welcome screen after 60s of inactivity.

Without logging in, not much else seemed to be available to the adjacent passenger, but they did manage to get another slightly amusingly worded message screen when randomly tapping on the screen just after starting to watch the safety video once more.

Photograph of an on-screen message stating 'Sorry, this screen is in use. Please do not disturb.  Thankyou.  To resume viewing press [arrow]  To change programme press [square]'

So some interesting constraints on authentication and access control to deal with. Spelling aside, the resolution and related font size does make some screens a little cramped. Having an on-screen keyboard which is only numerical plus A-F does feel a bit techie, and maybe old-fashioned when people are used to much greater flexibility with touch devices. It might indicate the range of values for each code character, and thus reveal something about how it is generated? The touch screen appears to be the only method of user input—perhaps no other way to increase accessibility. Will it be a success? Hard to tell, but very few early-evening commuters seemed to be interested—many had smartphones, game consoles, netbooks, laptops and e-readers to hand, or were asleep.

Other passengers did not seem to be using the TV entertainment

Perhaps that is why there apparently weren't any power sockets available at the seats.

On the short journey, maybe passengers would be more tempted by live news, travel and weather, or even web browsing if mobile reception was poor, rather than old television shows. But on longer routes it will have greater appeal.

Posted on: 30 November 2010 at 07:52 hrs


22 October 2010

Enterprise Security Survey 2011

PricewaterhouseCoopers (PwC), in association with CIO Magazine and CSO Magazine, has released its 2011 Global State of Information Security Survey report.

The report is based on data collected in early Spring 2010 from almost 13,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security in 135 countries. It analyses trends and drivers in strategic security spending.

Partial view of a bar chart from the PwC 2011 Global State of Information Security Survey.

The data on adoption of certain security and privacy protection capabilities in place is interesting. The capabilities listed include some governance and human-related matters such as checks and training, but apart from "established security baselines for external partners, customers, suppliers and vendors", the remaining capabilities appear to be post-implementation activities such as monitoring, centralised information management and event correlation.

There is no mention of practices meant to build security into business process development and acquisition (such as those described in the Software Assurance Maturity Model), or about maintaining and checking the accuracy of information. Perhaps there were not any questions in the survey about these aspects?

However, I am sure the high-level data will be useful for executives developing business cases for investment in security, especially helping judge what their colleagues' interests and concerns might be. The data is also broken down regionally.

Chris Potter, a PwC Partner, is speaking at ISACA London's chapter meeting next week on "Latest Trends in Security Breaches and the Implications for IT Governance and IT Assurance". I expect we will hear more information about this report and have the opportunity to ask further questions.

Posted on: 22 October 2010 at 07:47 hrs



Physical : Web Security, Usability and Design
http://www.clerkendweller.com/physical
© 2008-2012 clerkendweller.com