http://www.clerkendweller.com A blog about security issues for web site designers, developers and owners. en-gb Wed, 19 Jun 2013 20:14:52 +0100 Tue, 18 Jun 2013 18:17:00 +0100 http://www.clerkendweller.com/2013/6/18/Website-Security-Statistics-Report-2013 <p>WhiteHat Security in the United States has <a href="https://www.whitehatsec.com/news/13pressarchives/PR_050213_statsreport.html">published</a> another edition of its Website Security Statistics Report. This would seem to be the 13th edition, although the numbering label appears to have been dropped.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/appsec-scorecard-1.jpg" width="500" height="350" alt="Partial image of one of the industry scorecards from the WhiteHat Website Security Statistics Report 2013" /> <p>Like previous editions, <a href="https://www.whitehatsec.com/resource/stats.html">the 2013 report</a> contains a wealth of valuable information about the prevalence of web site security vulnerabilities, the time required to resolve them, the drivers for application security, accountabilities for system/data breaches, and what type of security activities are being undertaken in the software development processes to prevent vulnerabilities occurring in production releases.</p> <p>Information leakage and cross-site scripting continue to be the most prevalent issues found. SQL injection is still notable, although its prevalence has reduced slightly over the last eight years, but it is certainly not yet extinct. The most common drivers for security are reported to be compliance and risk reduction.</p> <p>But I am most excited about the industry-sector scorecards included for banking, financial services, healthcare, retail and technology industry. These summarise the report's data for each sector in an easily comprehensible manner. They are ideal templates for an organisation's own high-level web site security metrics dashboards.</p> <p>As <a href="https://www.clerkendweller.com/2012/7/17/Website-Vulnerability-Statistics-Summer-2012">mentioned before</a>, the definition of "serious vulnerabilities" in previous versions of this report included only those with a High, Critical or Urgent severity as defined by PCI DSS naming conventions, exploitation of which "could lead to server breach, user account take-over, data loss or compliance failure". The current edition seems to have changed this to "those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news". So somewhat wider, but it would be good to know more about this definition.</p> <p>Registration is required to download the report at the link provided above.</p> <p><a href='http://www.clerkendweller.com/2013/6/18/Website-Security-Statistics-Report-2013' style='display:none;'>Website Security Statistics Report 2013</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> metrics SQL maturity vulnerabilities leakage technical SDLC information assurance testing XSS Tue, 18 Jun 2013 18:17:00 +0100 http://www.clerkendweller.com/2013/6/18/Website-Security-Statistics-Report-2013 http://www.clerkendweller.com/2013/6/15/Enterprise-Application-Usage <p>Have you ever wondered what applications are typically being used in enterprise-scale organisations and what the risks are? A report by Palo Alto Networks has analysed over 3,000 worldwide traffic assessments to produce an aggregated summary report.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/applications-threats-1.jpg" width="500" height="350" alt="Partial screen capture showing the interactive tool published to allow the data to be examined dynamically" /> <p>This is the first of three posts relating to publications that came out some time ago &mdash; I am just catching up, but hopefully they are worth mentioning. This first post relates to the oldest, a <a href="http://www.paloaltonetworks.com/news/press/2013/application-usage-and-threat-report-0213.html">report published in February</a>.</p> <p><a href="http://www.paloaltonetworks.com/literature/whitepapers/aur-report.html">The Application Usage and Threat Report, 10th Edition</a> provides regional data on the use of personal, business and custom/other applications on enterprise networks. The last category relates to 8-10% traffic that does not match any known application such as a custom internal application or a commercial application not yet identified in the assessment, and could include malware. The report provides data on:</p> <ul> <li>Usage of applications by category (e.g. social networking, file sharing, photo, video)</li> <li>Application functionality overlap</li> <li>Bandwidth usage by category</li> <li>Malware and exploit prevalence</li> <li>Use of transport layer security.</li> </ul> <p>The conclusions include that social networking, file sharing and video applications are not the most common threat vectors; attackers are masking their activities through custom or encrypted applications. The report's data can be analysed dynamically using a well-designed <a href="http://researchcenter.paloaltonetworks.com/app-usage-risk-report-visualization/#">online tool</a> where the data point information is viewable for each chart element.</p> <p><a href='http://www.clerkendweller.com/2013/6/15/Enterprise-Application-Usage' style='display:none;'>Enterprise Application Usage</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> detective policies threats operation technical risks Sat, 15 Jun 2013 10:30:00 +0100 http://www.clerkendweller.com/2013/6/15/Enterprise-Application-Usage http://www.clerkendweller.com/2013/6/11/Wish-List-for-Security-of-Outsourced-Payment-Card-Forms-Pages <p>The <a href="http://www.clerkendweller.com/2013/2/6/PCI-DSS-ECommerce-Guidelines">PCI DSS E-commerce Guidelines v2</a> were a welcome update to the previous version of the document.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/grid-box-1.jpg" width="500" height="213" alt="Photograph taken during Muse's performance at Arsenal's Emirates Stadium in June 2013 showing the projected backdrop" /> <p>One of the new aspects included in the revised guidance was a discussion of the most common e-commerce implementation models (section 3.4) and what responsibilities the merchant and other parties have (section 3.5) under <a href="https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0">PCI DSS</a>. The models discussed are:</p> <ul> <li>Merchant-managed e-commerce implementations <ul style="margin: 0.3em 0 1em 0;"> <li>Proprietary/custom (bespoke) developed shopping cart/payment application</li> <li>Commercial shopping cart/payment application (typically PA-DSS validated)</li> </ul> </li> <li>Shared-management e-commerce implementations <ul style="margin: 0.3em 0 1em 0;"> <li>Third-party embedded application programming interfaces (APIs) with direct post</li> <li>An inline frame (or "iFrame") that allows a payment form hosted by a third party to be visually embedded within the merchant's page(s), sometimes also including other intermediaries</li> <li>Customer redirection to a third-party hosted page for payment entry</li> </ul> </li> <li>Wholly outsourced e-commerce implementations.</li> </ul> <p>While some merchants believe they are "wholly outsourced" already, the definitions should be read. The guidance reminds merchants they still have primary responsibility for particular PCI DSS requirements. In the case of inline frame and hosted payment page approaches, this includes for example securing the web page(s) containing the iFrame code and redirection code and/or function(s) respectively.</p> <p>During a recent exercise I was involved with, to identify security requirements using the <a href="https://www.owasp.org/index.php/OWASP_Cornucopia">OWASP Cornucopia Ecommerce Website Edition</a> card game, a merchant's payment page hosted by a payment services provider was assessed. The process highlighted additional information security risks than those already mentioned in the PCI DSS information supplement. These related to aspects the merchant still has control over despite the outsourcing &mdash; in the exercise it was identified the merchant could customise the template of the payment service provider's page and include self-hosted (by the merchant) content referenced by the template (logo, card brand images, style sheet, and a JavaScript file). I am not sure the existing guidance is explicit enough on this aspect, and some merchants may therefore have a false sense of security, and their own risks, regarding the protection of payment cardholder data in these "semi-outsourced" (i.e. shared responsibility) situations.</p> <p>If a website security assessment identified any third-party hosted content on authentication, account management or payment web pages &mdash; even JavaScript library files and web analytics code &mdash; this would normally be worthy of mention. Therefore, I think we should also take note of this merchant-controlled content appearing on payment pages/forms elsewhere, especially if the level of security assurance is different between the two (as is often the case). Merchants can outsource in an attempt to de-scope for PCI DSS and reduce the number of applicable requirements (e.g. to use <a href="https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs#leadgendiv">SAQ A</a> for such an online-only merchant). This may not be adequate if the merchant (its employees, contractors, systems, partners, suppliers etc) still has some control over the partially/wholly outsourced (e.g. payment service provider) hosted page/form.</p> <p>Merchants should include security review and verification activities during template change processes. But regardless of PCI DSS compliance, what other technical security controls could be considered when selecting an outsourced online payment page or form? If I was a merchant, I would prefer to choose one that enables and enforces the following web application security wish list, in addition to the outsourcer's own existing PCI DSS compliance requirements:</p> <ul> <li>Page template administration <ul style="margin: 0.3em 0 1em 0;"> <li>Each user (e.g. each designated merchant employee) with the ability to upload or edit templates to have a unique identity, and no use of shared accounts</li> <li>Two factor authentication for all access to the outsourcer's systems (e.g. file transfers, web administrative interfaces, web services)</li> <li>User account access limited to a small set of merchant IP addresses</li> <li>Encrypted connections for authentication and template upload/edit</li> <li>Event alert to nominated address/system on template change</li> <li>Automatic stripping of any other party hosted (i.e. non outsourcer and non merchant) content from the template with related event alerting</li> <li>Accessible audit trail of changes</li> </ul> </li> <li>Payment form/page hosting <ul style="margin: 0.3em 0 1em 0;"> <li>Only available using Transport Layer Security</li> <li>No other party (i.e. non outsourcer and non merchant) content</li> <li>No use or reliance on any merchant, outsourcer or other party HTTP cookies</li> <li>X-Frame-Options HTTP header, with the value "DENY" for a page that is not framed, else with a value "ALLOW-FROM ..." that (supporting web browsers) only permits the particular form to be framed by the specific individual merchant's whitelist hostnames</li> <li>HTTP Strict Transport Security Header</li> <li>X-Content-Security-Policy/X-WebKit-CSP/Content-Security-Policy header with a strict policy that does not allow any content from other parties (or perhaps just some types of content from the merchant's selected hostnames</li> <li>MIME type and character set HTTP headers correctly defined</li> <li>Strong anti-caching HTTP headers</li> </ul> </li> <li>Payment form submission <ul style="margin: 0.3em 0 1em 0;"> <li>HTTP method POST enforced, and no other method permitted</li> <li>Only possible using Transport Layer Security.</li> </ul> </li> </ul> <p>This is a somewhat long list, but it would be interesting to know which commonly used payment outsourcers can provide this level of assistance to ecommerce merchants.</p> <p><a href='http://www.clerkendweller.com/2013/6/11/Wish-List-for-Security-of-Outsourced-Payment-Card-Forms-Pages' style='display:none;'>Wish List for Security of Outsourced Payment Card Forms/Pages</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> operation administrative preventative technical SDLC PCIDSS physical specification maturity detective information assurance Tue, 11 Jun 2013 17:34:00 +0100 http://www.clerkendweller.com/2013/6/11/Wish-List-for-Security-of-Outsourced-Payment-Card-Forms-Pages http://www.clerkendweller.com/2013/6/7/User-Profiling-and-Significant-Impact <p>Do you profile your customers, clients and citizens with data from your applications?</p> <div class="quotation"><p>"Profiling" means any form of automated processing of personal data, intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements.</p></div> <p>The European Commission's <a href="http://ec.europa.eu/justice/data-protection/article-29/">Article 29 Working Party</a> has <a href="http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20130528_pr_profiling_en.pdf">published</a> an opinion, in the form of an <a href="http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130513_advice-paper-on-profiling_en.pdf">advice leaflet</a>, to provide input into the current discussions on European data protection reform.</p> <p>The paper supports that the scope of Article 20 covering processing of personal data for the purpose of profiling or measures based on profiling, and that there should be greater transparency and control for data subjects of profiling and subsequent measures based upon the profile generated, and thus acknowledges the this creates more responsibility and accountability for data controllers.</p> <p>However, the paper suggests profiling and measures should only be subject to additional control if they significantly affect the interests, rights or freedoms of the data subject.</p> <p>See further discussion <a href="http://www.privacy-europe.com/blog/profiling-what-is-the-european-data-protection-authorities-direction/">here</a> and <a href="http://www.out-law.com/en/articles/2013/may/profiling-rules-should-not-apply-unless-individuals-rights-are-significantly-affected-says-privacy-body/">here</a>.</p> <p><a href='http://www.clerkendweller.com/2013/6/7/User-Profiling-and-Significant-Impact' style='display:none;'>User Profiling and "Significant Impact"</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> business logic privacy operation data protection technical legislation Fri, 07 Jun 2013 19:03:00 +0100 http://www.clerkendweller.com/2013/6/7/User-Profiling-and-Significant-Impact http://www.clerkendweller.com/2013/6/5/Request-to-Participate-in-the-OWASP-CISO-Survey-2013 <p>OWASP is conducting a survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2013, which shall be released in Autumn.</p> <p>The project team (Tobias Gondrom, Marco Morana, Eoin Keary and Ivy Zhang) have asked if we can share this invitation with security contacts in companies and other organisations. This would be a great help to achieve a broad outreach and derive valuable data and insights for OWASP and the industry as a whole.</p> <div style="margin-left:5%;margin-right:5%;font-style:italic;"> <p>Dear colleague,</p> <p>As a respected information security executive in the industry, OWASP (Open Web Application Security Project, <a href="https://www.owasp.org/index.php/">www.owasp.org</a>) would like to hear your opinion!</p> <p><a href="https://www.surveymonkey.com/s/CISO2013Survey">Link to take the CISO Survey 2013 now</a></p> <p>OWASP is preparing the Global CISO report 2013 and conducting a survey among CISOs and information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.</p> <p>The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of OWASP, the Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a report on the owasp.org website, keeping your information completely anonymous.</p> <p>As you may know OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity &amp; non-profit in the USA and the EU. See more at <a href="https://www.owasp.org/index.php/About_OWASP">https://www.owasp.org/index.php/About_OWASP</a></p> <p>The survey can be found here: <a href="https://www.surveymonkey.com/s/CISO2013Survey">https://www.surveymonkey.com/s/CISO2013Survey</a></p> <p>And to spice things up, during the first 14 days of June (until June-16 23:59 GMT), if you provide your contact details at the end of the survey, you will also be entered into a drawing for one of the following donated prizes:</p> <ul> <li>1 free OWASP CISO training day pass at the <a href="https://appsec.eu/">AppSecEU in Hamburg</a></li> <li>1 free OWASP CISO training day pass at the <a href="http://appsecusa.org/2013/">AppSecUS in New York</a></li> <li>and 1 free CISO training day or half-day pass at one of the upcoming events in Asia.</li> </ul> <p>Thank you very much in advance for your time.</p> <p>Best regards,</p> <p>OWASP CISO Survey Project team</p> </div> <p>If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.</p> <p><a href='http://www.clerkendweller.com/2013/6/5/Request-to-Participate-in-the-OWASP-CISO-Survey-2013' style='display:none;'>Request to Participate in the OWASP CISO Survey 2013</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> corrective administrative maturity technical SDLC information assurance preventative detective physical Wed, 05 Jun 2013 08:27:00 +0100 http://www.clerkendweller.com/2013/6/5/Request-to-Participate-in-the-OWASP-CISO-Survey-2013 http://www.clerkendweller.com/2013/6/3/Presentation-from-OWASP-London-3rd-June-2013 <p><a href="https://www.clerkendweller.com/2013/5/21/OWASP-EU-Tour-2013-in-London-June-3rd">Today's OWASP London</a> event was very successful.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/cornucopia-ecommerce-2.jpg" width="500" height="305" alt="Colin Watson demonstrating the use of OWASP Cornucopia Ecommerce Website Edition to assess the application security requirements for an externally hosted payment page" /> <p>The majority of attendees had never been to an OWASP event previously, and three-quarters were developers. My own presentation has been uploaded to:</p> <ul> <li><a href="https://www.owasp.org/index.php/File:Owasplondon-colinwatson-cornucopia.odp">Open Office presentation</a> including the animated game</li> <li><a href="https://www.owasp.org/index.php/File:Owasplondon-colinwatson-cornucopia.pdf">Static PDF</a></li> </ul> <p>I have also uploaded an updated version of OWASP Cornucopia - Ecommerce Website Edition (<a href="https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx">v1.01</a>) with some minor changes and additions:</p> <ul> <li>Framework-specific card deck discussion added</li> <li>Additional FAQs created</li> <li>Descriptive text updated</li> <li>New cover image, and previous cover image moved to back</li> <li>Cut lines added</li> <li>Alternative rules and deck subset descriptions added</li> <li>Project website and mailing list added</li> <li>Cornucopia King cross-reference to AppSensor updated.</li> </ul> <p>Play to win!</p> <p><i>Update 10th June 2013:</i> The video recordings from are now available. The videos can be accessed via the links on the <a href="https://www.owasp.org/index.php/EUTour2013#London">EU Tour 2013 London page</a>. The recording of my own <a href="https://www.owasp.org/index.php/OWASP_Cornucopia">OWASP Cornucopia Ecommerce Website Edition</a> presentation is <a href="http://youtu.be/Q_LE-8xNXVk">here</a>.</p> <p><a href='http://www.clerkendweller.com/2013/6/3/Presentation-from-OWASP-London-3rd-June-2013' style='display:none;'>Presentation from OWASP London, 3rd June 2013</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> vulnerabilities preventative technical threats development testing requirements specification design risks Mon, 03 Jun 2013 18:33:00 +0100 http://www.clerkendweller.com/2013/6/3/Presentation-from-OWASP-London-3rd-June-2013 http://www.clerkendweller.com/2013/5/28/Consultation-on-Incident-Reporting-Notification-Thresholds <p>The UK's <a href="https://www.gov.uk/government/organisations/department-for-business-innovation-skills">Department for Business, Innovation and Skills</a> (BIS) is consulting on one aspect of the <a href="/2013/2/8/EU-Cybersecurity-Strategy-and-Proposed-Directive">proposed EU directive on network and information security</a> (NIS), announced in February.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/incident-reporting-1.jpg" width="500" height="300" alt="A table from the consultation document 'EU Directive on Network and Information Security SWD(2013) 31 &amp; SWD(2013) 32 ' showing an indication of possible reporting trigger thresholds" /> <p>This mandates certain sectors to compulsory reporting of security breaches that have a significant impact on the provision of core services to a national competent authority that would enforce the directive. These sectors include public administration, the finance, energy, transport and health sectors, as well as to "enablers of internet society services" which includes app stores, cloud service providers, social networks and e-payment providers. These requirements are unlikely to apply to individual ecommerce web sites, unless they enable the provision of other information society services.</p> <p>However the BIS' <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200708/bis-13-880-eu-directive-on-network-and-information-security-call.pdf">call for reviews and evidence</a>, with the title "EU Directive on Network and Information Security SWD(2013) 31 &amp; SWD(2013) 32", seeks input on just what a significant impact might be, and thus when notification would be necessary. Some example reporting thresholds are presented that incorporate the number of customers, citizens, clients, etc affected and the duration of the disruption or lack of availability. I note there is no mention of breaches of integrity or confidentiality, nor misuse of these systems whilst maintaining availability.</p> <p>The <a href="https://www.gov.uk/government/consultations/eu-directive-on-network-and-information-security-call-for-evidence">consultation</a> closes on 21st June. A response template is included within the document, and views can be returned using a web form, by email or by post.</p> <p><a href='http://www.clerkendweller.com/2013/5/28/Consultation-on-Incident-Reporting-Notification-Thresholds' style='display:none;'>Consultation on Incident Reporting Notification Thresholds</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> detective incidents operation Tue, 28 May 2013 14:37:00 +0100 http://www.clerkendweller.com/2013/5/28/Consultation-on-Incident-Reporting-Notification-Thresholds http://www.clerkendweller.com/2013/5/21/OWASP-EU-Tour-2013-in-London-June-3rd <p>As part of the <a href="https://www.owasp.org/index.php/EUTour2013">OWASP EU Tour 2013</a>, there will be a special event in London next month, along the lines of the recent ones in <a href="/2013/5/4/OWASP-European-Tour-KickOff-in-Cambridge">Cambridge</a> and Leicester.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/london-shard-3.jpg" width="500" height="348" alt="Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up" /> <p>The one day conference is being held in central London on Monday 3rd of June 2013 at the <a href="http://www.lion-court.com/">Lion Court Conference Centre</a>, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but <a href="http://owasp-london.eventbrite.co.uk/">registration</a> is required as numbers are limited to 100.</p> <p>The agenda is still being finalised, but <a href="https://www.owasp.org/index.php/Ireland">OWASP Ireland</a> chapter leader <a href="http://ie.linkedin.com/in/fcerullo">Fabio Cerullo</a> is presenting PCIDSS for developers, <a href="https://www.owasp.org/index.php/Cambridge">OWASP Cambridge</a> chapter leader <a href="http://uk.linkedin.com/in/vdbaan">Steven van der Baan</a> will be talking about simple steps for secure coding, and <a href="https://www.owasp.org/index.php/London">OWASP London</a> chapter leader <a href="http://uk.linkedin.com/in/connectjunkie">Justin Clarke</a> will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating <a href="https://www.clerkendweller.com/2013/5/18/Cornucopia-Ecommerce-Website-Edition-v100">OWASP Cornucopia</a>. A very developer-orientated agenda so far.</p> <p>The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.</p> <p><i>Update 29th May 2013:</i> Dinis Cruz, Rory McCune and Tobias Gondrom are now also speaking.</p> <p><a href='http://www.clerkendweller.com/2013/5/21/OWASP-EU-Tour-2013-in-London-June-3rd' style='display:none;'>OWASP EU Tour 2013 in London on June 3rd</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> mobile vulnerabilities data protection threats SDLC PCIDSS trust risks code maturity Tue, 21 May 2013 19:59:00 +0100 http://www.clerkendweller.com/2013/5/21/OWASP-EU-Tour-2013-in-London-June-3rd http://www.clerkendweller.com/2013/5/18/Cornucopia-Ecommerce-Website-Edition-v100 <p>Cornucopia Ecommerce Website Edition v1.00 was <a href="https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx">uploaded</a> to the <a href="https://www.owasp.org/">OWASP website</a> in February and has now been upgraded to a full OWASP <a href="https://www.owasp.org/index.php/Category:OWASP_Project">project</a>.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/cornucopia-ecommerce-1.jpg" width="500" height="375" alt="Photograph of some playing cards from OWASP Ecommerce Web Site Edition v1.00" /> <p>Today, I have completed the new <a href="https://www.owasp.org/index.php/OWASP_Cornucopia">OWASP Cornucopia Project</a> pages which include:</p> <ul> <li>Description and objectives</li> <li><a href="https://www.owasp.org/images/2/29/Owaspnl-colinwatson-cornucopia.odp">Presentation</a> given at <a href="/2013/3/15/Presentations-at-OWASP-Netherlands">OWASP Netherlands</a> in March</li> <li>Links to all the references files, including a new <a href="https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip">security coding practice requirement identities</a>, created last week</li> <li>Instructions on how to play</li> <li>Frequently asked questions</li> <li>Acknowledgements</li> <li>Road map and how to get involved</li> <li>Link to the <abbr title="Payment Card Industry Security Standards Council">PCISSC</abbr> information supplement for <abbr title="Payment Card Industry Data Security Standard">PCIDSS</abbr> <a href="/2013/2/6/PCI-DSS-ECommerce-Guidelines">referencing Cornucopia</a></li> </ul> <p>Please let me know if you think I can add anything of use to the project pages.</p> <p>I am also working on some minor updates to the ecommerce website edition's documentation and deck. I will be presenting the project at an event in London shortly.</p> <p><a href='http://www.clerkendweller.com/2013/5/18/Cornucopia-Ecommerce-Website-Edition-v100' style='display:none;'>Cornucopia Ecommerce Website Edition v1.00</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> PCIDSS preventative technical threats SDLC development specification requirements risks design testing Sat, 18 May 2013 19:30:00 +0100 http://www.clerkendweller.com/2013/5/18/Cornucopia-Ecommerce-Website-Edition-v100 http://www.clerkendweller.com/2013/5/17/Internet-and-Mobile-Literacy-Usage-Opinions <p><a href="http://www.ofcom.org.uk/about/">OFCOM</a>, the UK communications sector's regulator and competition authority, has <a href="http://media.ofcom.org.uk/2013/04/23/uk-adults-taking-online-password-security-risks/">announced</a> a report on adults' use of media and attitudes.</p> <div class="quotation"><p>More than half of internet users say they use the same passwords for most websites</p></div> <p>The <a href="http://stakeholders.ofcom.org.uk/market-data-research/media-literacy/media-lit-research/adults-2013/">Adults' Media Use and Attitudes Report 2013</a> (<a href="http://stakeholders.ofcom.org.uk/binaries/research/media-literacy/adult-media-lit-13/2013_Adult_ML_Tracker.pdf">complete 181 page print version</a>) discusses media literacy, take-up, preference and media use, understanding, attitudes and concerns, use of the internet and mobile phones, and users in three class &mdash; new, "narrow" and non-users.</p> <div class="quotation"><p>Over half of all internet users think that online purchasing puts their privacy at risk</p></div> <p>There is a wealth of valuable data for strategic planning and marketing purposes, but also useful information on security and safety habits and attitudes to regulation of the internet. If you need information to help support decisions around security and usability, this report will have something of use to you.</p> <div class="quotation"><p>A quarter of internet users say they have experienced a virus on their home PC or laptop in the past year</p></div> <p>It is this weekend's best read.</p> <p><a href='http://www.clerkendweller.com/2013/5/17/Internet-and-Mobile-Literacy-Usage-Opinions' style='display:none;'>Internet and Mobile Literacy, Usage & Opinions</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> metrics data protection threats operation legislation risks Fri, 17 May 2013 08:34:00 +0100 http://www.clerkendweller.com/2013/5/17/Internet-and-Mobile-Literacy-Usage-Opinions http://www.clerkendweller.com/2013/5/10/IP-Address-Sharing-and-Individual-Identification <p>BT has announced a trial of its Carrier-Grade Network Address Translation (CGNAT) where Internet Protocol (IP) addresses will be shared between subscribers.</p> <div class="quotation"><p>organisations [will] generally have to treat IP addresses as personal data</p></div> <p><a href="http://www.ispreview.co.uk/index.php/2013/01/uk-isps-react-to-the-pros-and-cons-of-ipv4-internet-address-sharing.html">Concerns</a> have been expressed about the ability for some application to work if they rely on the assumption that IP addresses are unique, and also how this affects the identification of individual people.</p> <p><a href="http://www.out-law.com/">Out-law.com</a> provides a <a href="http://www.out-law.com/en/articles/2013/may/individuals-can-be-identified-despite-ip-address-sharing-bt-says/">good review of the issues and information from BT</a>, but links to the sources are not provided. BT has apparently stated they will still be able to identify individuals despite using CGNAT.</p> <p>But the issue of identification does not only relate to newsworthy "illegal online activity" but also for wider privacy protection of completely legal activity where it is clear that IP addresses really must be considered as personal identifiers, especially when they can be combined with other data sets. Something to be considered in privacy impact assessments.</p> <p><a href='http://www.clerkendweller.com/2013/5/10/IP-Address-Sharing-and-Individual-Identification' style='display:none;'>IP Address Sharing and Individual Identification</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> detective data protection identity IP addresses legislation Fri, 10 May 2013 09:48:00 +0100 http://www.clerkendweller.com/2013/5/10/IP-Address-Sharing-and-Individual-Identification http://www.clerkendweller.com/2013/5/7/Consultation-on-Cyber-Security-Standard <p>The UK Cabinet Office has announced a <a href="https://www.gov.uk/government/consultations/cyber-security-organisational-standards-call-for-evidence">consultation</a> into the proposed cyber risk management standard for organisations as part of its <a href="http://www.clerkendweller.com/2011/12/2/UK-Cyber-Security-Hub">cyber security strategy</a> announced in November 2011.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/security-experience-1.jpg" width="500" height="325" alt="Photograph of the feedback entry device for travellers at a Gatwick Airport who have just passed through the outbound security checks labelled 'How was your security experience' with four smiley-style buttons below" /> <p>The <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/193316/bis-13-853-cyber-security-organisational-standards-guidance.pdf">proposed guidance</a> and accompanying <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/132466/bis-13-659-cyber-security-organisational-standards-call-for-views-and-evidence.pdf">call for views and evidence</a> define Cyber security as "preservation of confidentiality, integrity, and availability of information in cyberspace" and cyberspace quite broadly as "complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".</p> <p>The UK Government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. The current proposal outlines requirements for a standard, its objectives, outcomes, auditable requirements and controls in "at least" the following areas:</p> <ul> <li>Network security</li> <li>Malware prevention <li>Secure configuration of information systems </li> <li>Monitoring </li> <li>Removable media </li> <li>Home and mobile working </li> <li>Managing user privileges </li> <li>User education and awareness </li> <li>Incident management.</li> </ul> <p>So, somewhat disappointing that application security isn't mentioned, but those requirements pre-date this consultation - about the choice of an existing standard to follow.</p> <p>Responses can be sent by email to <a href="cybersecurity@bis.gsi.gov.uk">cybersecurity@bis.gsi.gov.uk</a> or by post to Cyber Security Team, BIS, 1 Victoria Street, London SW1H 0ET. The closing date to submit evidence is 14 October 2013.</p> <p><a href='http://www.clerkendweller.com/2013/5/7/Consultation-on-Cyber-Security-Standard' style='display:none;'>Consultation on Cyber Security Standard</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> legislation Tue, 07 May 2013 19:39:00 +0100 http://www.clerkendweller.com/2013/5/7/Consultation-on-Cyber-Security-Standard http://www.clerkendweller.com/2013/5/4/OWASP-European-Tour-KickOff-in-Cambridge <p>Following the success of similar events in Latin America, a rolling tour of events with <a href="https://www.owasp.org/">OWASP</a> speakers will be occurring in European Countries, beginning with Cambridge this month.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/european-tour-1.jpg" width="500" height="375" alt="Banner image from the OWASP European Tour flyer for the application security event in Cambridge, UK on 13th May 2013" /> <p>This first event of the tour has been organised in conjunction with Anglia Ruskin University's <a href="http://www.anglia.ac.uk/ruskin/en/home/faculties/fst/departments/comptech.html">Department of Computing</a> and Technology for <a href="http://www.anglia.ac.uk/ruskin/en/home/faculties/fst/news0/owasp_tour_2013.html">Monday 13 May 2013</a>.</p> <p>The <a href="http://www.anglia.ac.uk/ruskin/en/home/faculties/fst/news0/owasp_tour_2013.Maincontent.0005.file.tmp/OWASP%20EU%20Tour%202013%20-%20Cambridge%20Chapter%20and%20Anglia%20Ruskin%20University%20-%20Monday%20May%2013th%202013.pdf">agenda</a> lists all the speakers:</p> <ul> <li><a href="http://uk.linkedin.com/pub/adrian-winckles/3/2ab/258">Adrian Winckles</a>, <a href="https://www.owasp.org/index.php/Cambridge">OWASP Cambridge</a> Chapter Leader &amp; Senior Lecturer</li> <li><a href="http://www.cl.cam.ac.uk/~rja14/">Ross Anderson</a>, <a href="http://www.cam.ac.uk/">Cambridge University</a> <a href="http://www.cl.cam.ac.uk/">Computer Laboratory</a></li> <li>DI Stewart Garrick, <a href="http://content.met.police.uk/Home">Metropolitan Police</a> <a href="http://content.met.police.uk/Site/pceu">ECrime Unit</a></li> <li><a href="http://uk.linkedin.com/in/connectjunkie/">Justin Clarke</a>, <a href="https://www.owasp.org/index.php/London">OWASP London</a> Chapter Leader</li> <li><a href="http://ie.linkedin.com/in/eoinkeary/">Eoin Keary</a>, <a href="https://www.owasp.org/">OWASP</a> <a href="https://www.owasp.org/index.php/About_OWASP#2013_Global_Board_Members">Board Member</a></li> <li><a href="http://uk.linkedin.com/in/vdbaan/">Steven van der Baan</a>, <a href="https://www.owasp.org/index.php/Cambridge">OWASP Cambridge</a> Chapter Leader</li> <li>... and <a href="http://uk.linkedin.com/in/clerkendweller/">myself</a>.</li> </ul> <p>I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCIDSS compliance.</p> <p>Thank you to <a href="http://ie.linkedin.com/in/fcerullo">Fabio Cerullo</a> and the OWASP team who made this tour happen.</p> <p>The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, <a href="http://www.anglia.ac.uk/ruskin/en/home.html">Anglia Ruskin University</a>, Cambridge. It is free to attend, but <a href="https://www.surveymonkey.com/s/OWASP-Tour-May2013">advance registration</a> is required.</p> <p><a href='http://www.clerkendweller.com/2013/5/4/OWASP-European-Tour-KickOff-in-Cambridge' style='display:none;'>OWASP European Tour Kick-Off in Cambridge</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> operation maturity specification technical SDLC PCIDSS information assurance risks disposal design testing development Sat, 04 May 2013 07:36:00 +0100 http://www.clerkendweller.com/2013/5/4/OWASP-European-Tour-KickOff-in-Cambridge http://www.clerkendweller.com/2013/4/30/2013-Information-Security-Breaches <p>Last week the UK's <a href="https://www.gov.uk/government/organisations/department-for-business-innovation-skills">Department for Business Innovation &amp; Skills</a> <a href="https://www.gov.uk/government/news/more-small-businesses-hit-by-cyber-attacks">published</a> the 2013 Information Security Breaches Survey, created in conjunction with PwC.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/breach-incidents-1.jpg" width="500" height="350" alt="One of the bar charts in the DBIS '2013 Information Security Breaches Survey'" /> <p>The <a href="https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report">report</a> presents the results of the survey and breaks the findings down for larger (&gt;250 staff), medium and smaller (&lt;50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so is generally hyperbole-free.</p> <p>The most interesting data points for me are:</p> <ul> <li>18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations</li> <li>For all breaches, operation disruption typically lasts a week, with 2-4weeks FTE effort responding to the incident, and a quarter of incidents leading to lost business</li> <li>Reputation losses were estimated to be between &pound;10,000 and &pound;100,000.</li> </ul> <p>The report is available to download <a href="https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report">in full</a> free of charge without registration.</p> <p><a href='http://www.clerkendweller.com/2013/4/30/2013-Information-Security-Breaches' style='display:none;'>2013 Information Security Breaches</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> maturity incidents threats operation technical corrective legislation Tue, 30 Apr 2013 20:53:00 +0100 http://www.clerkendweller.com/2013/4/30/2013-Information-Security-Breaches http://www.clerkendweller.com/2013/4/28/Reflections-on-Security-BSides-London-2013 <p>I have just had time to catch up on my attendance and <a href="https://www.clerkendweller.com/2013/4/19/AppSensor-at-Security-BSides-London">participation</a> at <a href="http://www.securitybsides.org.uk/">Security B-Sides London 2013</a>.</p> <img style="border:1px solid #999;padding:0;margin-top:1em;margin-bottom:1.2em;" src="http://www.clerkendweller.com/posts/2013/bsides-london-1.jpg" width="500" height="300" alt="One of the cartoon-like illustrated pages from the presentation 'The Realex Payments Application Security story' by David Rook (Security Ninja) at Security B-Sides London 2013" /> <p>This community-led event was held at the town hall of the <a href="http://www.rbkc.gov.uk/">Royal Borough of Kensington and Chelsea</a> on Wednesday 24th April, and was supported by a large number of speakers, educators, volunteers and sponsors. It was an extremely well organised, and useful, day.</p> <p>Following the very well attended welcome and introduction from the B-Sides London crew, I went to an immensely valuable and engaging presentation by <a href="ie.linkedin.com/pub/david-rook/3/41a/b1b">David Rook</a> (aka <a href="http://twitter.com/securityninja">Security Ninja</a>) on how he introduced and developed an application security programme at his employer Realex Payments. He has got to the point where customers are approaching his company to act as a payment services provider due only to their knowledge of Security Ninja, and so the marketing department kindly designed cartoon-style presentation slides (like the one illustrated above). They also had these printed as booklets to hand-out to those attending the talk at B-Sides London. David described what was done, how it was achieved, and things he would approach differently in hindsight. I won't spoil the plot for you as you will be able to read the booklet yourselves (keep an eye open for a <a href="http://www.securityninja.co.uk/blog/">blog post</a> (now <a href="http://www.slideshare.net/securityninja/b-sides-2013presentation">available</a>).</p> <p>After this, I went down to the new Rookie Track where new presenters had been given support through mentoring to give 15-minute presentations. Firstly I listened to <a href="http://uk.linkedin.com/in/artjom">Artjom Vassiljev</a> describe how he has built software security testing checks into a continuous integration process with Jenkins.</p> <p>Following a quick coffee break and catch up with some friends &amp; acquaintances, I returned to the Rookie Track and listened to <a href="https://www.linkedin.com/in/diarmaidmcmanus">Diarmaid McManus</a> describe a new Eclipse plugin called <a href="https://github.com/diarmaid-mcmanus/ESPSecurityPlugin">ESP</a> he has been working on to help integrate code review checks into developer's coding tools.</p> <p><a href="http://ru.linkedin.com/in/kseniadmitrieva">Ksenia Dmitrieva</a> provided an introduction to HTML5 risks and gave explanations and examples of common attacks. She also explained the preventative measures which should be used to protect against these issues.</p> <p>Post lunch, I tracked down <a href="http://uk.linkedin.com/in/diniscruz">Dinis Cruz</a> and we set up our workshop on using <a href="https://www.owasp.org/index.php/OWASP_O2_Platform">OWASP O2</a> to visualise <a href="https://www.owasp.org/index.php/OWASP_AppSensor_Project">OWASP AppSensor</a> behaviour. I introduced the concept of application-specific attack detection and response, and described how the ideas might be retrofitted relatively simply to an existing web application such as the bulletin board software <a href="https://www.phpbb.com/">phpBB</a>. A review of phpBB's inherent capabilities and logging provide a useful hook for detection points, and responses can include adding users to phpBB's list of "banned IPs" and blocking IPs at the operating system level. Dinis continued with a live demo of the AppSensor demo application, created by Michael Coates, and then he went on to show how AppSensor's new web services Java code can be called directly from within a .Net application TeamMentor.It was good to bounce ideas off the workshop participants and get their thoughts and suggestions on the practicalities of implementing AppSensor-like capabilities.</p> <p>Finally I saw <a href="http://uk.linkedin.com/in/gavinholt">Gavin Holt</a> talking about "NoSQL &amp; Big Data - A Way to Lose Even More Stuff" in which he described the common weaknesses in using NoSQL and attacks that attempt to access such systems and their data. I really liked the 15minute format on the Rookie Track and all three speakers I heard were really good.</p> <p>Overall, an excellent day. Many thanks to the very professional B-Sides London team in particular for making sure it all happened.</p> <p><i>Update 30th April 2013:</i> Link to Security Ninja's slides added. Ksenia Dmitrieva's talk added.</p> <p><a href='http://www.clerkendweller.com/2013/4/28/Reflections-on-Security-BSides-London-2013' style='display:none;'>Reflections on Security B-Sides London 2013</a></p> <p><a href='http://www.clerkendweller.com' style='display:none;'>Clerkendweller</a></p> detective design SDLC threats operation development testing preventative Sun, 28 Apr 2013 23:39:00 +0100 http://www.clerkendweller.com/2013/4/28/Reflections-on-Security-BSides-London-2013