In Scotland and northern England, a "waff" is a gust or puff of air, or a passing glimpse. It is also a verb meaning to flutter or cause to flutter. In this post I want to avoid hot air, waffle and waggish comments to highlight guidance on the deployment and use of web application firewalls (WAFs).

WAFs can be controversial in that they can be a blunt instrument to add some protection to web applications, may not be well understood, are often not configured well, can be expensive to acquire, require an ongoing resource commitment, may cause problems with valid business functionality, could lead to the delegation of responsibility for application security primarily to operations, and if not integrated with other software assurance activities, can lead to the mistaken assumption that applications are secure. These issues need to be considered, but WAFs are a valid tool to have in your arsenal of defences.

Some more recent, and older long-standing, viewpoints and uses are described in the sources listed in alphabetical order below:

• Defending Against Denial of Service Attacks
  Securosis, November 2012
  The applicability of WAFs as a measure to contribute to the defence of applications against denial of service attacks
• Effectiveness of Web Application Firewalls
  Larry Suto, November 2011
  An evaluation of some commercial and open source web application firewalls
• ModSecurity Blog
  Trustwave
  Interesting articles on techniques that can be implemented using a WAF such as this, this and this
• Pragmatic WAF Management: Giving Web Apps a Fighting Chance
  Securosis, September 2012
  Issues, WAF management process, policy management, application lifecycle integration and protecting WAFs
• Protocol-Level Evasion of Web Application Firewalls
  Ivan Ristic, July 2012
  Discussion of the challenges of implementing WAFs and the types of evasion issues seen in production WAFs
• Use of Web Application Firewalls
  OWASP Germany local chapter, September 2008
  Characteristics, benefits, risks, selection criteria and best practices
• Web Application Firewall Evaluation Criteria
  WASC, January 2006
  A solid resource due to be updated in conjunction with OWASP

If you have, or are thinking of using WAFs, do read all of the above and subsequent discussions about some of those papers, as well as listening to suppliers/vendors. Then make up your own mind.

Another recent paper from Securosis addresses defending against denial of service (DoS) attacks.

Defending Against Denial of Service Attacks examines the types of attacks prevalent currently, and methods to maintain availability and minimise the adverse economic effect. The paper begins by identifying the threats‐protection racketeers, hacktivists, cyber war, exfiltrators, competitors, and business success itself.

The types of attack are described and defences for networks and applications are described. For applications, building security into the software development life cycle, web application firewalls (WAFs), anti-DoS devices and service providers, content delivery networks (CDN) are described. The need for a multi-faceted approach to application DoS protection is recommended in the paper.

I think some applications will just be more problematic than others and avoiding security vulnerabilities, minimising the attack surface and building in application-specific attack detection and response will help here too.

The paper includes links to further insightful sources of information, and recommends that to be effective, the process for defending against denial of service attacks needs to include activities before, during and after an attack.

In October Securosis published a free paper concerning the security of "big data" systems.

Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments focuses on the security aspects relating to the specifics of "big data" that are different architecturally and operationally to other environments rather than the, also important, security of the applications themselves. Thus, consideration of how nodes and client applications are vetted before joining the cluster, how data at rest is protected from unwanted inspection, the privacy of network communications, and how nodes are managed are covered.

The paper discusses what "big data" means, and the particular architectural and operational security issues that arise. It then presents six recommendations.

There's an intriguing new project aiming to raise awareness and increase understanding of information security.

The Analogies Project plans a series of initiatives to communicate contribution of information security to society. The first initiative will be a book showing the relationship between life, information and information security.

The founder Bruce Hallas will be speaking about the project at the next meeting of white-hats.co.uk tomorrow morning. Booking required.

The Digital Policy Alliance (formerly EURIM) has released a study into eCrime in the UK, written by Professors Michael Levi and Matthew Williams from the Cardiff University School of Social Sciences. The Rt Hon Alun Michael MP wrote the preface.

eCrime Reduction Partnership Mapping Study comprehensively covers eCrime cost data, perceptions of the subject, and discusses options to tackle eCrime. The recommended approach is to form an industry-led eCrime Reduction Partnership, with top-level central government backing, which includes representatives from law enforcement, business, academia, the voluntary sector, local government, civil society groups, parliament and central government and agencies.

See also the related Systematic Study of the Costs of Cybercrime.

Do you have questions about password hashing, storage and cracking? What is current best practice?

There have been a number of thought-stimulating articles in recent weeks about password cracking. If you have not read these, I would recommend taking a look. Each is fairly short.

• Why Passwords Have Never Been Weaker — And Crackers Have Never Been Stronger (Ars Technica) on the current issues around use of passwords and the status of cracking
• Password Cracking, Part I: How Much Has Cracking Improved? (Joseph Bonneau) on why you need to measure both power and efficiency to quantify advances in cracking
• Password Cracking, Part II: When Does Password Cracking Matter? (Joseph Bonneau) on why password cracking threats are often different for real world administrators
• Common Misconceptions of Password Cracking (Robert David Graham) on what matters when you are deciding how to hash passwords

What should you do in practice? Keep an eye on this draft cheat sheet on password storage from OWASP.

Summer must be the time to publish consultations before everyone goes away on holiday. the European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

The public consultation briefing describes how the European Commission is seeking to adopt a joint strategy with the High Representative of the Union for Foreign Affairs and Security Policy, that will ensure a secure and trustworthy digital environment, while protecting fundamental rights and EU core values. It is considering three approaches:

• Voluntary cooperation and information exchange between member states, the public and private sectors as happens currently
• Taking up minimum capabilities at a national level and promote a more structured approach to cooperation and information exchange
• Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange, and most interestingly requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering a requirement to adopt risk management practices and to report security breaches to networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)".

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

After the successful training courses, OWASP chapters workshop and University Challenge, the first day of the AppSec EU conference began on Thursday 12th July with a welcome by Konstantinos Papapanagiotou on behalf of the local Greek conference organising committee, who thanked all those involved with making the conference a reality including the host Athens University, the committee, OWASP staff, sponsors, and the trainers, speakers and volunteers. He also apologised for what the British would call "fantastic weather".

The conference's first session was given by the board from the Open Web Application Security Project.

The OWASP Board provided an introduction for those less familiar with the organisation, and an overview of successes in the past year since AppSec EU 2011 in Dublin. The current number of local chapters is 193 in 76 countries. The board outlined current strategies and plans for the coming year, including the upcoming vote for board members.

Jacob West gave the first keynote, discussing the growth of the smartphone market and how mobile is an emerging point of purchase. He discussed the reasons why some mobile users are not keen to use their phones for payments with a survey showing that some users prefer their desktops/laptops for such activity, but there are a significant number who don't feel secure or find it too complicated. He gave an overview of the mobile landscape and how it introduces additional trust boundaries that other applications do not necessarily have to deal with. He explained that it is not always clear to users who is responsible for security — device manufacturers, or application owners, or application developers, or operating system providers, or network providers, or even the user themselves. He discussed some of the most common security issues with Android applications and provided recommendations on what organisations need to consider when about to develop for, or acquire in, the mobile space.

The conference split into three tracks (Builders, Breakers and Defenders). Justin Clarke spoke about using the open source Java source code scanner tool PMD to perform security static analysis. He described how the approach for security checking needs to target insecure patterns, but minimise false negatives even if there are false positives, and how it is necessary to investigate the context of a rule violation. This is in contrast to normal PMD usage where the intent is to find buggy code patterns, but to minimise false positives even if there are high false negatives. PMD is used extensively by Java developers, is highly extensible, has good documentation, is well supported and integrates with many IDEs and build tools. He described and demonstrated how he has developed and integrated a number of test security rules. He went on to discuss challenges of the approach, and ways to mitigate some of these. Currently the demonstrated code only works with PMD v4, but it is in ongoing development.

Immediately afterwards, Dave Wichers provided an introduction to DOM-based cross-site scripting (XSS) and identified a number of public information resources on this topic. He explained why he finds the current naming conventions for types of XSS (reflected, stored and DOM-based) confusing and proposes using the terms "client XSS" and "server XSS" based upon where the code is built, both of which can be reflected or stored. He went on to describe the extensive problem with client XSS due to much less awareness in development teams, lack of comprehensive guidance on avoiding client XSS issues and how to fix it, inherent issues in commonly-used JavaScript libraries/APIs, and also because detectability is lower. He showed some research he has been undertaking with other experts in the field to try to enumerate dangerous functions in some of these libraries. He especially recommended looking at the DOMXSS Wiki. He also discussed some encoding libraries available, and tools that target this class of security weakness.

The next keynote of the day was provided by Duncan Harris who described how Oracle started its own secure software development lifecycle (Oracle Software Security Assurance) after its first public vulnerability named EasySQL. This was a serious design failure that affected all versions on all platforms that did not have a workaround and there were no mitigations. Now there is a major programme that encompasses secure development standards, secure coding standards, secure coding training, definition of security requirements throughout all phases, security-vetted core modules, and pro-active, destructive & ethical hacking security testing. He also described the management structure of their software assurance personnel, the difficulties of managing over 3,000 products and the processes undertaken for the large number of product acquisitions that occur.

A break for lunch allowed delegates to network and visit the vendor booths. It also provided time to progress with Capture The Flag challenges.

Ben Livshits continued in the main auditorium with a keynote describing how Bing identifies sites that are hosting malware so they can be excluded from its index. He outlined research concepts, the migration of those into real-word products and introduced the Nozzle and Zozzle tools that detect heap spraying and other types of JavaScript attacks at scale. They identify thousands of malicious sites daily with a false positive identification rate of about one in a million.

In Tricolour Alphanumerical Spaghetti I spoke about vulnerability severity ranking systems, differences in vocabulary, the lack of consideration of environmental and business contexts in many cases, drivers such as PCIDSS, and how it is difficult to compare and aggregate results. I explained issues using Common Vulnerability Scoring System (CVSS) for application weaknesses, briefly mentioned Common Configuration Scoring System (CCSS) and the nascent Common Misuse Scoring System (CMSS) (see previous blog post), and discussed the use of Common Weakness Scoring System (CWSS) with the Common Weakness Risk Analysis Framework (CWRAF). I provided some pointers for those generating and consuming vulnerability data and outlined an approach for organisations developing their own vulnerability risk ranking systems.

Adrian Winckles described Anglia Ruskin University's approach to developing a sustainable virtual training environment for a large number of remote students. He described the necessary properties for providing application security distance learning where the environments need to be able to support a number of network components, host multiple applications and tools, prevent students from being able to "find the answers", be able to take snapshots and track students' progress and protect the network from malicious activity.

The presentations will be available on the OWASP web site in due course.

The conference finished with a PCI Panel introduced by Jeremy King, European Director at PCI Security Standards Council. He set the scene describing the current industry status, types of crime and described the ongoing work of the PCI SSC.

John Yeo acted as moderator for the five panel members (left to right above) Jeremy King, Valentim Oliveira, Josef Nedstam, Pravir Chandra and John Wilander. They were challenged to a series of questions about payment cards, the PCI SSC, compliance vs. security, application security and the use of web application firewalls (WAFs) to meet Requirement 6.6 of PCI DSS.

In the evening all conference delegates were invited to a special cocktail reception in the beautiful rooms of the Kostis Palamas building in the main university campus.

Continued in Part 2.

In another consultation, the UK's Department for Energy and Climate Change (DECC) is asking for views on the draft licence conditions relating to security risk assessments and audits for the UK's smart meter implementation programme.

The licence conditions will run through to when the planned Data and Communications Company (DCC) becomes responsible for the provision of services. 55 million smart meters will be rolled out to consumers from 2014 through to 2019. The consultation is important in that it sets the precedent for the security of "end-to-end smart metering systems" in the UK. This includes equipment located at consumers' premises, the communications network between the consumers' premises and the energy suppliers, and the the energy suppliers' head end system — and all business procedures associated with the installation, operation and support of the system. The scope is all-encompassing. Additionally the government wants to ensure security is embedded into the design of the systems and that they continue to be for for purpose as risks, technologies and requirements evolve.

The consultation document includes the draft energy supplier licence conditions (in Annex A), and the consultation asks three questions:

• "Do you consider that the draft licence conditions deliver the policy intention outlined in this document? Please provide comments on where the drafting could be amended or clarified.
• Do you have any comments on the proposed approach that suppliers should carry out a number of good practice security disciplines and procedures as is set out in this document?
• Do you have any further comments with regard to the issues raised in this document? We also welcome general comments around the approach to small suppliers, the processes expected of suppliers in general, and any related costs."

The draft conditions include requirements for carrying out a comprehensive risk assessment and for securing the system to an "appropriate standard" which is a "high level of security that is in accordance with industry good practice" and "capable of being verified" independently. Licensees would have to "take all reasonable steps to ensure that it is able to comply" to comply with ISO 27001:2005 and "any equivalent standard of the ISO that updates, replaces or supersedes that standard". I am slightly concerned about the term "good practice" and would prefer "appropriate measures based on the risk assessment". Additionally it is not clear which entities the risks will be assessed for — apart from the energy companies, I would like that to include consumers and society at large, since security incidents may have wider impacts than on the ability for energy suppliers to conduct their business.

Surprisingly, there is no mention of work from other countries such as NIST Interagency Report (IR) 7628 Guidelines for Smart Grid Cyber Security, published in 2010.

The term "supplier end-to-end system" is defined in paragraph Z.5 of the appendix such that "equipment" includes "any associated software and ancillary devices". Paragraph Z.6 then goes on to provide a definition of "secure". The Supplier End-to-End System is secure if "both the System and each individual element of it is designed and operated to ensure, to the Appropriate Standard, that it is not subject to interference or misuse that (whether directly or indirectly):

• causes any loss, theft or corruption of data;
• results in any other unauthorised access to data; or
• gives rise to any loss or interruption of [electricity/gas] supply or to any other interference with the service provided to a Customer at any premises."

So, clearly protection of data and availability of service to customers. But these types of system misuse have not been mentioned:

• Use of the communications network for unauthorised purposes
• Collection or processing of unauthorised data by the software
• Use of the application to undertake unauthorised activity
• The presence of unapproved or malicious code within the authorised software
• Installation of unapproved software on any device
• Use of any part of the system to attack other systems

Surely a system would not be "secure" if any of the above occurred? Remember this includes software on the smart meters and all the business processes for support and operation. And finally, perhaps there ought to be some statement in the definition of "secure" about hardening and patching, although these might be derived from the policy. Similarly monitoring of suspicious and malicious use.

Responses to the consultation have to be sent to smartmetering@decc.gsi.gov.uk by 27 July 2012.

I am looking forward to the upcoming OWASP AppSec Research 2012 in Athens from 10th-13th July. The organising team have put on a great programme.

My main participation in the four days of activities will be:

• Delivering a one-day training course Application Attack Detection & Response — A Hands-on Planning Workshop which will train you how to plan the implementation of application-layer intrusion detection through a series of team-based exercises
• Presenting a talk entitled Tricolour Alphanumerical Spaghetti which will describe how weaknesses in applications can be classified, common practices and what you should really do
• Hosting a networking event on behalf of the OWASP Global Industry Committee to discuss and share information concerning good application security amongst business managers in a vendor-free environment

I hope you are attending both the training programme and three-track conference, so please flag me down and say hello. Registration is open, and there are conference discounts for OWASP, ISACA and ISC2 members, and also for students.