03 August 2010

Testing

Posts relating to the category tag "testing" are listed below.

03 August 2010

Real World Enterprise Application Security Programmes

This year I have mentioned web application security programmes, why software vulnerability testing should be risk-based, application security programmes in general, and the generalised results from a survey about web application security programs.

Photograph of a circular gauge labelled 'synchronisation meter' with a pointer sitting between 'slow' and 'fast' marked on the face, from the London Transport Museum in Covent Garden

But what are enterprises doing in real life and what are the issues? During the second day of OWASP AppSec Research 2010, Michael Craigue of Dell presented on Secure Application Development for the Enterprise: Practical, Real-World Tips. Although I missed it, people who did attend this track were enthusiastic about it and the video recording has now been published. I watched it last weekend.

Michael described Dell's 10-strong Global Information Security Services group, how it works with 3,000-5,000 developers in internal teams, and how their appsec work is built on a published and maintained secure application development standard. Some of the problems encountered at Dell were platform diversity, security expert retention, the need to develop self-help documentation for the low and medium risk projects, a lack of good metrics around security awareness training, the high overhead of conventional threat modelling and the need to build security into the development lifecycle slowly and in a business-focused manner.

At Dell, the project risk is calculated from ten factors including data classification, compliance requirements, whether it is externally facing, and the security knowledge of the development team. Interestingly, in the final questions from the audience, Michael mentioned Dell are using Open SAMM to identify gaps, measure how well their security programme is performing and focus improvement efforts. Even projects that the group does not get involved with directly are subject to quality checks and audit, such as Control Self Assessments (CSAs), which look for the artifacts required by the self-help documentation, even for low-risk applications.

There is another description of software assurance practices at Ford in 2009, recently published on US DHS's best practices web site Build Security In. The Ford programme is quite different. Every application security programme is unique because every organisation's culture, applications and acceptance of risk are different.

What is yours like?

Posted on: 03 August 2010 at 09:00 hrs


08 July 2010

Personal Information Online Code of Practice

Yesterday, the UK Information Commissioner's Office (ICO) launched their Personal Information Online Code of Practice.

Part of a page from the ICO's Personal Information Online Code of Practice

The new code is available online as an eBook together with associated guidance for individuals Protecting Your Personal Information Online. Hopefully the code will also be available as a standalone PDF for offline use and in print.

The Personal Information Online Code of Practice has been improved substantially since the draft for consultation was issued in December. The code describes the benefits of protecting personal information including increased trust, reduced reputational risk, better take-up of services, reduced risk of data breaches and associated enforcement action, improved competitive advantage, increased quality of data and decreased customer/client/citizen support costs.

I am pleased to see so many practical tips tied to real-world examples such as whether IP addresses are personal data (answer: probably). It is difficult to get the balance of detail and readability correct, but I think this document will hit the mark for many busy web site owners.

The code points to other matters that should be considered (e.g. risk assessments), but correctly doesn't detail precisely how these are undertaken.

Update 9th July 2010: The Personal Information Online Code of Practice is now available both as a PDF and in print on request.

Posted on: 08 July 2010 at 08:25 hrs


02 July 2010

Web Site Security Basics for SMEs

Sometimes when I'm out socially and people ask what I do, the conversation progresses to concerns about their own web site. They may have a hobby site, run a micro-business or be a manager or director of a small and medium-sized enterprise (SME)—there's all sorts of great entrepreneurial activity going on.

It is very common for SMEs not to have much time or budget for information security, and the available information can be poor or inappropriate (ISSA-UK, under the guidance of their Director of Research David Lacey, is trying to improve this). But what can SMEs do about their web presence? It is very unusual not to have a web site, whatever the size of business.

Photograph of a waste skip at the side of St John Street in Clerkenwell, London, UK, with the company's website address written boldly across it

Last week I was asked "Is using <company> okay for taking online payments?" and then "what else should I be doing?". Remember we are discussing protection of the SME's own web site, not protecting its employees from using other sites. If I had no information about the business or any existing web security issues, this is what I recommend checking and doing before anything else:

  • Obtain regular backup copies of all data that changes (e.g. databases, logs, uploaded files) and store these securely somewhere other than the host servers. This may typically be daily, but the frequency should be selected based on how often data changes and how much data the SME might be prepared to lose in the event of total server failure.
    • check periodically that backup data can be read and restored
    • don't forget to securely delete data from old backups when they are no longer required
  • Use a network firewall in front of the web site to limit public (unauthenticated user) access to those ports necessary to access the web site. If other services are required remotely, use the firewall to limit from where (e.g. IP addresses) these can be used.
    • keep a record of the firewall configuration up-to-date
    • limit who can make changes to the firewall
  • Ensure the host servers are fully patched (e.g. operating system, services, applications and supporting code), check all providers for software updates regularly and allow time for installing these.
    • remove or disable all unnecessary services and other software
    • delete old, unused and backup files from the host servers
  • Identify all accounts (log in credentials) that provide server access (not just normal web page access), such as those used for transferring files, accessing administrative interfaces (e.g. CMS admin, database and server management/configuration control panels) and using remote desktop. Change the passwords. Keep a record of who has access, remove accounts that are no longer required and enable logging for all access using these accounts.
    • restrict what each account can do as much as possible
    • add restrictions to the use of these accounts (e.g. limit access by IP address, require written approval for use, keep account disabled by default)
  • Check that every agreement with third parties that is required to operate the web site is in the organisation's own name. These may include the registration of domain names, SSL certificates, hosting contracts, monitoring services, data feeds, affiliate marketing agreements and service providers such as for address look-up, credit checks and making online payments.
    • ensure the third parties have the organisation's official contact details, and not those of an employee or of the site's developers
    • make note of any renewal dates
  • Obtain a copy of everything required for the web site including scripts, static files, configuration settings, source code, account details and encryption keys. Keep this updated with changes as they are made.
    • verify who legally owns the source code, designs, database, photographs, etc.
    • check what other licences affect the web site (e.g. use of open source and proprietary software libraries, database use limitations).
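The two sub-points under the backup item (check that backups can be read and restored) are the ones most often skipped. The following Python script is an example added to this post, not code from the original: it takes a backup of a constructed sample data tree, records the archive's SHA-256 for storage off the host, and then proves the backup is usable by extracting it to a scratch directory and comparing every file with the source. The sample files, paths and the three outcomes exercised by run_demo() are constructed for the demonstration.

```python
"""Backup integrity and restore test.

Added example for the backup item in the checklist above; it is not code from the
original post. Paths, file names and contents are constructed for the demonstration.
Run it directly to see the result of a clean backup, a wrong stored digest and a
damaged archive."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each regular file under root (relative path) to its sha256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_data(src: Path) -> None:
    """Constructed stand-in for the data that changes: a DB dump, a log and an upload."""
    (src / "db").mkdir(parents=True)
    (src / "uploads").mkdir()
    (src / "db" / "shop.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
    (src / "access.log").write_text(
        '192.0.2.10 - - [02/Jul/2010:08:00:01 +0100] "GET / HTTP/1.1" 200 512\n')
    (src / "uploads" / "logo.bin").write_bytes(bytes(range(256)))


def make_backup(src: Path, archive: Path) -> str:
    """Write src into a gzip tarball and return the tarball's sha256 to store off-host."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    return sha256_file(archive)


def verify_restore(archive: Path, expected_digest: str, src: Path) -> bool:
    """The periodic check: the archive still matches the recorded digest, it can be
    extracted, and the extracted tree is file-for-file identical to the source."""
    if sha256_file(archive) != expected_digest:
        return False  # archive was altered or corrupted since it was taken
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python version has it
                # (3.12+, plus the security backports to older 3.x releases).
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError):
            return False  # unreadable archive: the backup is useless
        return tree_digests(Path(scratch) / "data") == tree_digests(src)


def run_demo() -> dict:
    """Exercise the three outcomes a restore test must distinguish."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "site"
        build_sample_data(src)
        archive = base / "site-backup.tar.gz"
        digest = make_backup(src, archive)
        results = {"clean_backup_restores": verify_restore(archive, digest, src),
                   "wrong_digest_rejected": not verify_restore(archive, "0" * 64, src)}
        # Simulate bit rot: overwrite the gzip magic bytes, then re-hash so that
        # only the unreadable-archive path is exercised.
        with open(archive, "r+b") as fh:
            fh.write(b"\x00\x00")
        results["damaged_archive_rejected"] = not verify_restore(
            archive, sha256_file(archive), src)
        return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The digest is checked before extraction so that a backup copied off the host can be compared with the value recorded at the time it was taken; the restore into a scratch directory is what the sub-point actually asks for, and comparing file hashes rather than just listing the archive catches a backup that extracts but contains truncated files.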

Do what you can, when you can. Once those are done, then:

  • Verify the web site and all its components (e.g. web widgets and other third party code/content) do not include common web application vulnerabilities that can be exploited by attackers (e.g. SQL injection, cross-site scripting).
  • Check what obligations the organisation is under to protect business and other people's data such as the Data Protection Act, guidance from regulators, trade organisation rules, agreements with customers and other contracts (e.g. PCI DSS via the acquiring bank).
    • impose security standards and obligations on suppliers and partner organisations
    • keep an eye open for changes to business processes that affect data
  • Document (even just some short notes) the steps to rebuild the web site somewhere else, and to transfer all the data and business processes to the new site.
    • include configuration details and information about third-party services required
    • think about what else will need to be done if the web site is unavailable (does it matter, if so what exactly is important?)
  • Provide information to the web site's users on how to help protect themselves and their data.
    • point them to relevant help such as from GetSafeOnline, CardWatch and Think U Know
    • provide easy methods for them to contact the organisation if they think there is a security or privacy problem
  • Monitor web site usage behaviour (e.g. click-through rate, session duration, shopping cart abandonment rate, conversion rate), performance (e.g. uptime, response times) and reputation (e.g. malware, phishing, suspicious applications, malicious links) to gather trend data and identify unusual activity.
    • web server logs are a start, but customised logging is better
    • use reputable online tools (some of which are free) to help.
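As an added example for the monitoring item (not code from the original post), this Python script parses web server log lines in the common combined format, builds per-client counts and flags clients whose request volume or 4xx/5xx error ratio is outside the expected range. The log lines are constructed and use documentation IP ranges; the thresholds passed to find_unusual() are assumptions to be tuned from the site's own trend data.

```python
"""Web server log triage: parse combined-format lines and flag unusual clients.

Added example for the monitoring item above; it is not code from the original post.
The log lines below are constructed (documentation-range IP addresses) and the
thresholds are illustrative starting points, not recommended values."""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2010:08:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jul/2010:08:00:04 +0100] "GET /products HTTP/1.1" 200 8120 "http://www.example.com/" "Mozilla/5.0"
192.0.2.11 - - [02/Jul/2010:08:00:05 +0100] "POST /checkout HTTP/1.1" 302 0 "http://www.example.com/cart" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2010:08:00:06 +0100] "GET /admin HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [02/Jul/2010:08:00:06 +0100] "GET /old-site/ HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [02/Jul/2010:08:00:07 +0100] "GET /backup.zip HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [02/Jul/2010:08:00:07 +0100] "GET /test/ HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [02/Jul/2010:08:00:08 +0100] "GET /setup/ HTTP/1.1" 404 210 "-" "curl/7.19"
192.0.2.12 - - [02/Jul/2010:08:00:09 +0100] "GET /contact HTTP/1.1" 500 0 "-" "Mozilla/5.0"
this line is not a valid log entry and must be counted, not silently dropped
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Per-client counts: requests, 4xx/5xx responses and distinct paths.
    Returns (stats, unparsed_count) so log corruption is visible, not hidden."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] >= 400:
            entry["errors"] += 1
    return dict(stats), unparsed


def find_unusual(stats, max_requests=100, max_error_ratio=0.5, min_requests=3):
    """Flag clients with a request volume or error ratio outside the expected range.
    min_requests stops a single failed request from raising an alert on its own."""
    flagged = []
    for ip, entry in sorted(stats.items()):
        reasons = []
        if entry["requests"] > max_requests:
            reasons.append(f"{entry['requests']} requests exceeds {max_requests}")
        if entry["requests"] >= min_requests:
            ratio = entry["errors"] / entry["requests"]
            if ratio >= max_error_ratio:
                reasons.append(f"error ratio {ratio:.2f} across {len(entry['paths'])} paths")
        if reasons:
            flagged.append({"ip": ip, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    stats, unparsed = summarise(SAMPLE_LOG.splitlines())
    print(f"{len(stats)} clients, {unparsed} unparsable line(s)")
    for item in find_unusual(stats, max_requests=4):
        print(item["ip"], "->", "; ".join(item["reasons"]))
```

Unparsable lines are counted rather than dropped because a log that suddenly stops matching its own format is itself worth investigating. The min_requests floor is the edge case to keep in mind: a single 500 from one visitor is ordinary, whereas a run of 404s from one client across many different paths is the kind of trend the post suggests watching for.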

That's just the basics. So, what would be next for an SME? If the web site is a significant sales/engagement channel, the organisation has multiple web sites, is in a more regulated sector or one that is targeted particularly by criminals (e.g. gaming, betting and financial), takes payments or does other electronic commerce, allows users to add their own content or processes data for someone else, the above is just the start. Those SMEs probably need to be more proactive.

This helps to protect the SME's business information, but also helps to protect the web site users and their information. After all, the users are existing and potential customers, clients and citizens.

Oh, the best response I had to someone when I was explaining my work: "You're an anti-hacker then?". Well, I suppose so, but it's not quite how I'd describe it.

Any comments or suggestions?

Posted on: 02 July 2010 at 08:18 hrs


24 June 2010

OWASP AppSec Research 2010 - Part 2

Last night, after the first day of the OWASP AppSec Research 2010 conference, we had the pleasure of attending the conference gala dinner at the lavishly decorated Stockholm City Hall, also used for the annual Nobel Prize award ceremony.

Photograph of Steve Lipner giving his keynote speech at AppSec EU Research 2010 in Stockholm, Sweden

Steve Lipner (Microsoft) gave the keynote speech today. He described the early steps, creation and evolution of Microsoft's Security Development Lifecycle (SDL). This began in early 2002 and included team-wide security training, the introduction of early threat modelling, code review, use of some tools, undertaking security testing and modifying software defaults to make them more secure. These were seen as quick wins but were immature and ad-hoc processes. They then worked on the security "science" and "security audit" to build a more robust and repeatable program, leading to the first edition of the SDL in 2004. It is regularly reviewed and updated: version 5.0 was released this year and 5.1 is due in October 2010. Whilst the SDL is based on Microsoft's own experiences and culture, he said it can be applied to non-Windows development, it does not rely on Windows tools and it is not just for shrink-wrapped software development. Neither is it only suitable for waterfall or spiral development methodologies; the application of SDL to agile processes has been described recently. But the most important point he made is that SDL at Microsoft is not necessarily what will work in other software development teams—it is a very helpful starting point, but requires commitment and time to create processes and apply these consistently.

Immediately following the keynote speech, Pravir Chandra (Fortify and OWASP SAMM Project Leader) outlined the Software Assurance Maturity Model (SAMM) and lessons learned in its application to real software development programs. He emphasised the need to identify and classify all applications by risk in order to determine what security activities are undertaken. He said that the argument for secure software development must be a business argument based on risk, that it has a real return on investment (ROI), and that starting with a single development process and enhancing that can be a good way to introduce secure development practices. The activities undertaken need to be mapped to preventative, detective and corrective controls, and the tasks need to specify roles, responsibilities and mappings to process flows. Also, he said that security knowledge needs to be spread widely with champions and experts, not just kept by a single specialist or group. He believes SAMM has a large proportion of overlap with Microsoft SDL and BSIMM, and is in the process of mapping SAMM's activities to the latter.

Photograph of David Rajchenbach-Teller presenting at AppSec EU Research 2010 in Stockholm, Sweden

David Rajchenbach-Teller (MLState) described a new programming language for web applications called OPA. It has been designed from a clean start to avoid legacy concepts from the 1970s and 80s. It is based on formal methods, is safe from the bottom up, uses a single language for the whole application and is based on the distributed system model where not all principals are trusted, communications use web standards and security is mostly automatic. He showed some example code and described real applications in use today. He then described how it prevents a number of issues in the OWASP Top Ten 2010, but that it is still under development; for example, they are working on cross-site request forgery (CSRF) prevention mechanisms and extending the security policy feature set.

Photograph of Cassio Goldschmidt presenting at AppSec EU Research 2010 in Stockholm, Sweden

Cassio Goldschmidt (Symantec and SAFECode) presented an engaging explanation of how we are all responsible to a certain extent for the creation of software flaws. Whilst software manufacturers may be increasingly applying secure development practices, software is very complex, there are multiple layers of software on top of software and there is no effective way to prove software correctness. Adopters (e.g. home and corporate users) desire feature-rich software, and security is not always visible. The environment affects purchasing decisions, and home users in particular may not keep software patched. He said purchasing decisions in corporate entities may be made by different people than the users, leading to a disconnect, and even patching can be delayed due to corporate cycles. Security researchers also have a part to play, where the motivation and consequences of actions are not always transparent. Similarly, governments find it difficult to make good law and the timescales cannot keep up with the fast pace of developments. They may provide incentives or require higher standards, but these can be blunt instruments. In summary he proposed that economics plays a larger part than technical solutions in the risks and impacts, even though industry is moving in the right direction.

Photograph of lunchtime in Aula Magna, the great auditorium of Stockholm University, at AppSec EU Research 2010 in Stockholm, Sweden

During and after lunch, OWASP board members and leaders discussed opportunities, issues and proposals to assist end-users find organisations who are providing products and services based on OWASP's knowledgebase.

Photograph of sponsor's information booths at AppSec EU Research 2010 in Stockholm, Sweden

Nick Nikiforakis (KU Leuven) described their analysis of eight file sharing services that are cloud-based, provide "one-click hosting" and are mostly anonymous. They found that although the services tended to offer both private distribution (e.g. by email link or instant messaging) and public distribution (e.g. links added to forums, blogs, etc.), most of the services were relying on security through obscurity. In many cases the URL token was predictable and, even if the source filename was included, this was often not required. Given the predictability of tokens, they were able to obtain details of many different files on the file sharing systems, and tried to identify which were of the private or public type by examining whether the source filename could be found elsewhere using Yahoo. The remaining non-binary types were downloaded and examined to find a wide variety of data including bank statements, company budgets & salaries, personal data, documents with admin credentials, doctors' notes and even a death certificate. Their advice: choose file sharing systems that have unpredictable tokens, encrypt the files and remove them from the store as soon as possible.

Photograph of the closing ceremony at AppSec EU Research 2010 in Stockholm, Sweden, with John Wilander thanking the OWASP Board for their support

The conference closed with thanks being given to the organisers, Kate Hartmann (OWASP Operations Director), the OWASP board, helpers from the university, the sponsors, the sound and video teams, the caterers and the attendees. Prizes from various sponsor competitions and the capture the flag event were given. John Wilander reminded attendees about the upcoming AppSec US 2010 in September and announced that next year's AppSec EU would be held in Trinity College, Dublin, Ireland, and in Athens the year after.

Congratulations to the team from Sweden, Norway and Denmark for such a well-organised, and excellent appsec conference!

Posted on: 24 June 2010 at 23:59 hrs


23 June 2010

OWASP AppSec Research 2010 - Part 1

The Open Web Application Security Project (OWASP) AppSec Research 2010 conference started this morning following the previous two days of application security training. The conference began with a welcome and introduction from the primary organiser and OWASP Sweden chapter leader, John Wilander, and the OWASP Board.

Photograph of Tom Brennan, OWASP Foundation Board member, at the opening of OWASP AppSec Research 2010 in Sweden, Stockholm

This was immediately followed by the keynote address on Cross-Domain Theft and the Future of Browser Security by Chris Evans and Ian Fette (Google). They described how attacks are increasingly targeting the browser, and nowadays this may mean its plug-ins rather than the browser itself. Browsers are generally moving to being sandboxed, but it is harder to sandbox the plug-ins and it is operating system, as well as browser, specific. Chris described future soft spots and the possible growth of multi-payload malware that tries to exploit two vulnerabilities, e.g. to exploit code and then escape a sandbox. Ian described the large proportion of search engine results that seem to be phishing or malware sites and how blacklisting can help defend users. Interestingly, he mentioned Google actually visits suspicious websites in a virtual machine to check whether malware exists.

The remainder of the day was split into three parallel tracks.

After the keynote, I attended the presentation by Lieven Desmet (KU Leuven) on client-side cross-site request forgery defence measures and their own CsFire Firefox extension. It builds upon previous efforts, particularly RequestRodeo (Martin Johns, 2006) but aims to provide a much more usable experience with very little user involvement. The extension is available to download and the team are looking for feedback, especially with problems caused with particular websites. They believe a combination of server and local policies may overcome these issues, such as sites spanning multiple domains.

Delegates seated in the lecture theatre at OWASP AppSec Research 2010 in Sweden, Stockholm

Ivan Ristic presented the main threats against SSL (implementation flaws, rogue certification authority certificates, rogue certification authorities, usability issues, and application & configuration vulnerabilities). He then went on to describe the principal SSL deployment mistakes—these are very important considerations to take into account, especially in the design of a new website. His recommendation: create the site completely SSL-only from the start. And, use the free information and tools at SSL Labs.

The problem of using static code analysis tools with source code built using open source, proprietary and home-grown frameworks was described by Christian Hang (Armorize Technologies). He described how reflection, invocation sequence and cross-content propagation can lead to false positive and false negative results. For example, in the Struts framework for Java he showed how detailed knowledge of the configuration XML file is needed. He suggested that asking users to hard-code the analysis tool's configuration, or for the tool's developers to build support for each framework, are unsustainable. His recommendation was to dynamically translate the framework logic into the source code, so the two are stitched together before the analysis is undertaken. He says it is not perfect, but it is easily extensible and equally applicable to home-grown frameworks.

Vendor stands at OWASP AppSec Research 2010 in Sweden, Stockholm

After lunch, Mike Samuel and Jasvir Nagra (Google) described the Caja project and how it can help (in particular larger, more mature social networking sites), where the same origin policy is not sufficient, and policies need to change quickly to meet new demands and threats. The technique uses the concept of virtualisation to isolate and control the flow of third party HTML, JavaScript and CSS to the end user.

Mike Samuel and Jasvir Nagra from Google at OWASP AppSec Research 2010 in Sweden, Stockholm

Johan Lindfors and Dag Konig (Microsoft) outlined the variety of security tools available for .NET development and testing. These included demonstrations of Team Foundation Server, Threat Modelling Tool, and an overview of FxCop, CAT.NET, Pex, Moles and the Web Application Configuration Editor. They also described the concepts behind code contracts. There is more about these on the security tools blog.

David Byrne and Charles Henderson (Trustwave) outlined the pros and cons of manual and automated testing. They moved on to examples that only manual testing would find, and reminded the audience to remember that vulnerabilities also come from (product/organisation) acquisitions, old/dead code and third party libraries.

Panel discussion at OWASP AppSec Research 2010 in Sweden, Stockholm

The day closed with a panel discussion about whether application security is fighting a losing battle.

The research papers, presentations and demonstrations from all three tracks are listed on the conference website, where the presentations and recorded videos will be available in due course.

Posted on: 23 June 2010 at 17:24 hrs


22 June 2010

AppSec Research 2010

This week I am attending OWASP AppSec Research 2010 in Stockholm, Sweden.

Photograph of central Stockholm

The four-day event has got off to a great start with some excellent application security training, and continues tomorrow and Thursday with the full conference.

I will blog about the conference presentations I attend, but meanwhile here are some photos of this beautiful city I took earlier today.

Five photographs of central Stockholm

It seems like it would be a good place to come back to for a holiday. I'm sure the sunshine helps.

Posted on: 22 June 2010 at 08:50 hrs


28 May 2010

Application Security in North East England

A special web application security meeting is being held at the School of Applied Sciences, Northumbria University in Newcastle upon Tyne on Wednesday 16th June.

Photograph of the River Tyne at Newcastle-upon-Tyne showing some of the many bridges crossing the river

In March Northumbria University became OWASP's first (and so far only) educational supporter in the UK, and joins a number of highly respected academic institutions around the world. This is perhaps not entirely unexpected due to the region's entrepreneurial culture, its digital renaissance in recent years, the area's highly skilled technical workforce and Northumbria University's proactive efforts to improve information security, such as its innovative program for SMEs. Oh, and it's a great area to live in.

The region has a well-developed support infrastructure for the digital industry including Codeworks Connect, AppNorth, Design Network North, Sunderland Software City, the Institute of Digital Innovation at Teesside University and One North East. Now, the Leeds/North chapter of the Open Web Application Security Project (OWASP) is holding its first event in north east England, hosted by Northumbria University.

There will be four talks on ENISA Common Assurance Maturity Model, Open Source Software Myths, SSL/TLS - Just When You Thought it was Safe to Return and OWASP AppSensor - The Self-Aware Web Application. I am presenting the first and last talks. The talks span compliance, network communication, configuration, verification and building security in. They will be of interest to digital entrepreneurs, owners of software start-up companies, computing and design students, as well as software architects, designers, developers, testers and information system auditors.

The event is free but you need to register to attend.

Posted on: 28 May 2010 at 08:00 hrs


25 May 2010

What's On This Week

Keeping an open mind, having an interest in wider issues and seeing what people are doing in other disciplines can help bring fresh ideas into your own work.

Photograph of a commercial shop front displaying a sign for the Clerkenwell Design Week 25-27 May 2010

Clerkenwell is at the heart of the design industry in London and Clerkenwell Design Week 2010 begins today. It is an opportunity to see some of the best new design ideas, products and thinking. Go along—it might just give you some new creative energy too.

Another event is a training day on Friday on several projects from the Open Web Application Security Project (OWASP). I will be presenting the WebScarab tool. If you are a software developer, it is a fantastic opportunity to find out about free tools and guides you can use in your work to make applications more secure. There are a few places left, so sign up now. It's free to OWASP members (individual membership costs $50 per annum).

Photograph of St John Square from Clerkenwell Road showing the 'Forest of Lights' installation of giant floor lamps decorated with illustrations during Clerkenwell Design Week 25-27 May 2010

Posted on: 25 May 2010 at 08:35 hrs


11 May 2010

Three Security Conferences and More

Spring brings us new conferences and announcements of further events later in the year. Following Infosec Europe two weeks ago, three major software security conferences are coming up.

Photograph of neon-blue text display signs mounted in an office lobby, central London

I visited Infosec at Earls Court on the middle day and was pleasantly surprised how busy it was, and how useful the day turned out. Apart from catching up with colleagues and other contacts, I attended a couple of presentations in the technical stream. But I was pleased to have at-length conversations with three web application firewall vendors (Breach Security, Imperva and Art of Defence who partner with Zeus Technology, and F5 Networks), to hear the latest developments in this sector. There were fewer pure penetration testing companies—perhaps evidence of a growing realisation that security needs to be considered throughout the whole software development and operation lifecycle.

Next week there is a new conference in London - the International Secure Systems Development Conference will be much less vendor orientated, and focuses on building security into all types of software, including web applications. I'm looking forward to the speakers but will have difficulty deciding between the management and technical/coding tracks for some of the sessions. The International Secure Systems Development Conference is an excellent opportunity if you are in the UK and interested in software security. The conference is being held at Westminster Conference Centre on May 20-21st and tickets can be booked in advance.

Then in June the Open Web Application Security Project (OWASP) is holding its main European conference in Stockholm, Sweden. OWASP AppSec Research 2010, for both industry and academia, will be the main application security event of the year in Europe. It is being coordinated by John Wilander, the OWASP Sweden chapter leader, with the help of the OWASP chapters in Sweden, Norway and Denmark. The main North American equivalent, AppSec US 2010, will be held at the University of California in Irvine.

There are also many smaller one-day OWASP meetings and events around the world and closer by. I'm hoping to get to OWASP AppSec Ireland which is also in September.

Looking for free application security events? Perhaps attend the UK OWASP chapters in London, Leeds/North and Scotland. There's even a free training event at the end of this month in central London.

Posted on: 11 May 2010 at 08:17 hrs


19 April 2010

OWASP Top Ten 2010 Makes Business Sense

The OWASP Top Ten - 2010 has just been released (see here, here, here, here, here, here, here, ...). The document, from the Open Web Application Security Project, is aimed at developers and describes the 10 most critical web application security risks, and since it is referenced by the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS), this now has an immediate compliance effect on organisations with web-enabled payment systems.

Part of the cover from the OWASP Top 10 - 2010 showing part of the OWASP logo and the words 'OWASP Top 10 - 2010, The Ten Most Critical Web Application Security Risks'

OWASP Top Ten - 2010 (mirror site) was issued as a release candidate (RC) in November 2009 at OWASP's Washington DC AppSec Conference. This Top Ten has assessed and ranked the risks based on technical impact—the document points out that each organisation needs to assess its own threats and where possible determine not just the technical impact, but the business impact, and recommends the Risk Rating Methodology from the OWASP Testing Guide.

Partial view of the business risk diagram from the OWASP Top 10 - 2010 showing how the path from threats, through vulnerabilities and, inadequate controls affect assets and have technical and business impacts

Since November, there has been a wide-ranging discussion of the ranking and advice provided, and this has led to some minor changes to the final document. I contributed to the OWASP Top Ten Project as a document reviewer. But now the Top Ten for 2010 is issued. As the document points out, this is only the first ten risks, and they may be different for an organisation's own information systems and business processes.

Partial view of the top ten list from the OWASP Top 10 which are: A1 Injection, A2 Cross-Site Scripting (XSS), A3 Broken Authentication and Session Management, A4 Insecure Direct Object References, A5 Cross-Site Request Forgery (CSRF), A6 Security Misconfiguration, A7 Insecure Cryptographic Storage, A8 Failure to Restrict URL Access, A9 Insufficient Transport Layer Protection, and A10 Unvalidated Redirects and Forwards

OWASP recognises the titles are not all risks (e.g. some are names of vulnerabilities) but this has been done to use the most commonly recognisable terminology. Each item in the Top Ten includes a description, how the risk can occur, how to detect if your application is vulnerable, example attack scenarios, how to prevent exploitation and detailed references for further information from a wide range of sources. Of particular help are the various OWASP Cheat Sheets.

For those who want to go beyond the Top Ten, the document provides guidance for developers, verifiers and organisations about what they can do next. It encourages organisations to consider an application risk management program, not just awareness training, application testing and remediation. It is a great starting point for developers with less knowledge about application security and is now also a handy reference for more-experienced teams. For example, the November RC1 version was used as the basis for over three hours of discussion on web application security at last Friday's OWASP London Free Training event.

The 2010 edition supersedes the previous 2007 edition. It is distributed under a Creative Commons (CC) Attribution Share-Alike licence and can be downloaded for free from the OWASP website or purchased as a printed book, at cost. The screen captures above are subject to this licence.

Posted on: 19 April 2010 at 16:01 hrs



Testing : Web Security, Usability and Design
http://www.clerkendweller.com/testing


© 2008-2010 clerkendweller.com