Clerkendweller : Web Security, Usability and Design

HTTP Strict Transport Security

Tue, 31 Aug 2010 08:37:00 +0100

It's good to see different groups working together to improve security. This week another browser manufacturer announced future support for an initiative relating to Transport Layer Security (TLS, the successor to SSL). HTTP Strict Transport...

Automated Attack Responses by Web Applications

Fri, 27 Aug 2010 08:52:00 +0100

I have been exploring further the possible response actions an application might make once it has detected a suspected or actual attack, as a contribution to the OWASP AppSensor project. There is now a draft document describing response actions, dis...

E-Commerce Due Diligence

Tue, 24 Aug 2010 08:27:00 +0100

Investment decisions for loans, mergers & acquisitions in primarily online businesses need just as much care as investing in more conventional businesses. This month I contributed to the Autumn 2010 newsletter of DeVere & Co, risk mana...

Avoiding Popular Passwords

Fri, 20 Aug 2010 07:00:00 +0100

A few weeks ago I mentioned two new research papers about the use of passwords on website. Another new paper from Microsoft Research and Harvard University discusses how to avoid, and protect web sites from, users selecting popular passwords. ...

Software Licensing

Thu, 19 Aug 2010 20:08:00 +0100

Software licensing may not be high on your agenda once a web site is operational. But software licences are an important part of ensuring your web site does not infringe any laws, regulations and contracts. From 15:30 hrs today, train services fr...

Application Security Logging

Tue, 17 Aug 2010 11:22:00 +0100

I have been meaning to write again about web application security logging, but luckily read a paper last week which provides excellent guidance. How to Do Application Logging Right is the best guidance I have come across to date. Co-written b...

PCI DSS and PA-DSS Standards Changes

Fri, 13 Aug 2010 08:36:00 +0100

PCI DSS and PA-DSS standards changes have been pre-announced by the Payment Card Industry Security Standards Council (PCI SCC). Yesterday's announcement, which also includes notice of changes to PIN Transaction Security (PTS) requirements, pro...

Phishing and Pharming Protection - Theory and Reality

Tue, 10 Aug 2010 08:45:00 +0100

The UK Centre for the Protection of National Infrastructure (CPNI) have published new guidance on understanding and managing the risks from phishing and pharming. Whilst most readers of this blog won't work on projects considered part of the n...

WCAG 2.0 Coming to More Commercial Websites Soon

Mon, 09 Aug 2010 18:31:00 +0100

Early last year I mentioned the security implications of the Web Content Accessibility Guidelines 2.0 and the scope for accessibility testing. I also spoke about whether an accessible web application be secure at the OWASP AppSec EU09 conference. ...

E-Consumer Protection Consultation

Fri, 06 Aug 2010 09:02:00 +0100

The UK's Office of Fair Trading (OFT) promotes and protects consumers' interests by ensuring markets work well, and that businesses act fairly and competitively. The government has asked the OFT to develop a longer term national strategy for consume...

Real World Enterprise Application Security Programmes

Tue, 03 Aug 2010 09:00:00 +0100

This year I have mentioned web application security programmes, how software vulnerability testing recommended risk-based, application security programmes and generalised results from a survey about web application security programs. But what ...

Economics of Website Users' Passwords

Fri, 30 Jul 2010 08:45:00 +0100

Two great papers on web site password security were published this month. We are swamped with passwords and every daily activity is increasingly linked with an online version, which requires users to register to obtain some additional benefits. Ever...

When is a Vulnerability not a Vulnerability?

Tue, 27 Jul 2010 09:29:00 +0100

Until this week, I had thought this question would be answered by checking the vulnerability could be exploited and by determining whether there was any technical or business impact. But I have just finished reading the Summer 2010 edition of Info...

Pay Attention to Encoding!

Mon, 26 Jul 2010 14:44:00 +0100

My company recently received a leaflet from (HMRC) with an invitation to attend one of their EmployerTalk seminars about payroll and tax including pay as you earn (PAYE). On the way from my hand to the recycling bin, something caught my eye: ...

Mobile Web Application Best Practices (Draft)

Fri, 23 Jul 2010 08:39:00 +0100

Mobile Web Application Best Practices has been published as a last call working draft by the W3C Mobile Web Best Practices Working Group. Mobile Web Application Best Practices is intended to to aid the development of rich and dynamic mobile we...