26 December 2008

Physical

Posts relating to the category tag "physical" are listed below.

26 December 2008

Season's Greetings - You Are Being Watched

I'm thinking about whether to write some posts on my recommendations for logging, monitoring and alerting.

Much as I hate to suggest you need more monitoring, web sites and web applications shouldn't be left alone. So I'll write more about this in the new year.

In the meantime, here's my seasonal card—even Christmas trees have CCTV cameras in them now:

Photograph of decorations on an artificial Christmas tree - there is a bauble-shaped sign saying 'CCTV in operation here'.

Seen in a London shopping centre, early December 2008.

Posted on: 26 December 2008 at 12:28 hrs


13 November 2008

A Cry for Help Which Made Me Want to Cry

E-consultancy.com has many excellent online marketing and e-commerce resources, and I read the blogs and forums regularly. The following posting appeared on the forum a couple of days ago:

Partial screen capture of posting to the e-consultancy.com forums asking 'Can anyone tell me if there is a way of finding out who hosts your website? We need to find out who is hosting our website any help would be appreciated.'

This cry for help worried me. Although the forum replies were helpful, it did make me wonder how many other web site owners have no idea where their web site is hosted.

If this is really the case here, it probably means the owner doesn't have all the resources needed to rebuild the site elsewhere, and possibly has no back-ups of the data. And what about the intellectual property ownership? It's something which all developers should be discussing with their customers. My first suggestion would have been to contact the development company. A cursory examination of the source code reveals:

Partial screen capture of page source code with a commented-out hyperlink to the designers, Osmodus

This company even showcases the site:

Partial screen capture showing the Gluttonous Gardener web site featured on the Osmodus portfolio pages

Now, we have no idea of the background and cannot guess if there is anything amiss. But the site is a card payment enabled e-commerce site, and surely the owner has had to comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS)? Knowing where your web site is hosted would be one of the earlier things to discover.

Let's hope it's sorted soon.

Posted on: 13 November 2008 at 14:52 hrs


11 November 2008

OWASP EU Summit Outcomes

Last week's Open Web Application Security Project (OWASP) summit in Portugal was a great success. The summit pages will be updated with the presentation materials and working session outcomes over the next few days.

OWASP has the most comprehensive range of information and tools to help development, testing and operation of secure web applications. It's open to everyone and everything is available free of charge. The active contributors to the Summer of Code 2008 Projects were invited to the EU Summit 08 to participate in sharing of information, discussion of issues, development of ideas for solutions and creation of suggested objectives for the organisation next year.

I managed to attend many of the project briefings and the OWASP Documentation Projects, OWASP Testing Guide, OWASP Intra Governmental Affairs, OWASP Live CD and Live DVD, OWASP Certification and OWASP Strategic Planning for 2009 working sessions. I am looking forward to working on providing official OWASP input into draft standards, guidelines and legislation, along with the other people who attended the OWASP Intra Governmental Affairs working session.

Look out for the new version (3) of the OWASP Testing Guide, available within a week. Version 2 was such an impressive piece of work, and it has been completely reviewed and extended.

I'd recommend anyone involved with the specification, development, testing, operation and management of web applications to have a look at OWASP's key resources like the Top 10, Development Guide, Code Review Guide and Testing Guide, view some of the many presentations and go along to local meetings.

Posted on: 11 November 2008 at 15:12 hrs


29 August 2008

Keeping Up-to-Date with Security Breaches

Whilst we may not yet have laws forcing the disclosure of personal data security breaches, it is worth keeping an eye on what is being reported elsewhere to see the types of issues that arise.

This week's news story about the purchase of a server from eBay containing the details of more than a million NatWest, American Express and Royal Bank of Scotland customers reminded me of the type of bad publicity organisations can expect to receive if data breach legislation is brought in in this country. The data included bank account numbers, sort codes, credit card numbers, names, addresses, mobile phone numbers, mothers' maiden names and signatures - all the types of data useful for identity fraud.

Due to legislation there, many incidents are reported from the United States, but the DataLossDB from the Open Security Foundation, Breach Blog from FRSecure and the Attrition.org Data Loss Archive and Database describe worldwide data breaches. Remember that data breaches occur via non-electronic media too - including on discarded paper.

Marketing and public relations managers should think about reports like this, since they can wreak havoc on reputations built up over many years. Although it's best to try to avoid these types of events occurring, do plan what to do when they occur, as they eventually will. I'm not sure that saying it was an "honest mistake" will be good enough in the future.

If you can avoid collecting data in the first place, or dispose of it in a timely manner after the required retention period, this will reduce the risk, and the amount of data that might be compromised.

Update 28th November 2008: The UK's Ministry of Justice has indicated the government has no desire to introduce data breach notification legislation in their report on Response to the Data Sharing Review Report issued on 24th November 2008.

Posted on: 29 August 2008 at 10:30 hrs


12 August 2008

About the Web Security, Usability and Design Blog

My intention with this blog is to highlight and discuss web security issues that may be of interest to people involved with the development and operation of web sites and web applications.

Security is not just about having web site addresses beginning with "https://" or anti-virus software. It's about protecting things such as your data, business knowledge and intellectual property, and anything you hold on behalf of your customers, employees, clients, suppliers and business partners.

Often security seems to be left in the hands of the information technology (IT) folk, but really this is a mistake. Everyone has something to contribute. Think about security at all stages of web site creation - from initial feasibility, through specification, design, development, testing and configuration, to operation and disposal.

Security is an ongoing process. Available time and money are always limited, so tackle the most risky issues first and continue to monitor, learn, review and improve.

I'll try to avoid jargon, and present things which ordinary business owners, managers, developers, designers and everyone else involved in the project might be interested in. I'll be using the word 'design' to include software system design, graphical design, interface and information design. They all have an impact on the security of the web system.

Here are some examples of jargon/management speak I've come across in security/audit blogs and white papers that I won't be using:

  • deperimeterisation
  • disaggregation
  • favorited
  • heads up
  • monetization (and monetisation)
  • upgradation

I will always use the best word, though, even if it is new or technical, and will always try to explain unusual terminology. Do you have any jargon I should avoid?

Posted on: 12 August 2008 at 09:27 hrs


Physical : Web Security, Usability and Design
http://www.clerkendweller.com/physical

© 2008-2009 clerkendweller.com