Testing

Posts relating to the category tag "testing" are listed below.

19 January 2012

Web Performance Testing Group

One of the benefits of being in central London during the week is the number of events it is possible to attend.

Photograph of a sign at the London Canal Museum stating 'Regents Canal Dock - Ships call stand is now removed to a covered call stand opposite C Warehouse, The Highway' and part of another sign stating 'British Waterways Board - Private Property - No Admittance'

With so much choice it is sometimes possible to miss opportunities to expand your knowledge, but yesterday I took the opportunity to attend, for the first time, a meeting of the London Web Performance Group, held at the London Canal Museum near King's Cross.

David Burns spoke about web performance testing and continuous integration. He described how he had developed processes for building web performance testing into development processes and is now able to do this with continuous integration.

Although initially this began by asking helpdesk staff to time the loading of web pages using stop watches (long ago in 2006), he now uses Selenium WebDriver in combination with BrowserMob Proxy. The latter allows data export in the HTTP Archive (HAR) format. This data can then be viewed, aggregated and analysed. The long Q&A session provided plenty of time for discussion of the techniques, how Ajax can be monitored, and alternative methodologies.

Perhaps there are some ideas here to investigate for security testing.
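As an added example (not code from the talk or from this post), here is the kind of pass a build step could make over a HAR 1.2 file such as BrowserMob Proxy exports: whole-page timings, a time-to-first-byte budget that a continuous integration job could fail on, and, following the thought above about security testing, a report of Set-Cookie headers issued without Secure or HttpOnly. The HAR document is constructed inline for the example; the hostname, sizes and timings are placeholders.

```javascript
// Added example, not from the talk or the original post: a CI-style pass over
// a HAR 1.2 capture such as BrowserMob Proxy exports. The HAR below is
// constructed by hand for the example; the URLs and values are placeholders.
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    creator: { name: "constructed-sample", version: "0" },
    entries: [
      {
        startedDateTime: "2012-01-18T19:00:00.000Z",
        time: 230,
        request: { method: "GET", url: "https://www.example.test/", headers: [] },
        response: {
          status: 200,
          headers: [
            { name: "Content-Type", value: "text/html; charset=utf-8" },
            { name: "Set-Cookie", value: "sid=abc123; Path=/; HttpOnly" },
          ],
          content: { size: 18231, mimeType: "text/html" },
        },
        timings: { blocked: 2, dns: 8, connect: 30, send: 1, wait: 150, receive: 39 },
      },
      {
        startedDateTime: "2012-01-18T19:00:00.240Z",
        time: 60,
        request: { method: "GET", url: "https://www.example.test/app.js", headers: [] },
        response: {
          status: 200,
          headers: [{ name: "Content-Type", value: "application/javascript" }],
          content: { size: 55120, mimeType: "application/javascript" },
        },
        timings: { blocked: 0, dns: 0, connect: 0, send: 1, wait: 40, receive: 19 },
      },
      {
        startedDateTime: "2012-01-18T19:00:00.310Z",
        time: 410,
        request: { method: "POST", url: "https://www.example.test/api/search", headers: [] },
        response: {
          status: 200,
          headers: [
            { name: "Content-Type", value: "application/json" },
            { name: "Set-Cookie", value: "prefs=dark; Path=/; Secure" },
          ],
          content: { size: 2048, mimeType: "application/json" },
        },
        timings: { blocked: 1, dns: 0, connect: 0, send: 2, wait: 380, receive: 27 },
      },
    ],
  },
};

// Whole-page figures: request count, summed entry time and the slowest request.
function summariseHar(har) {
  const entries = har.log.entries;
  const totalTime = entries.reduce((sum, e) => sum + e.time, 0);
  const slowest = entries.reduce((a, b) => (b.time > a.time ? b : a));
  return { requestCount: entries.length, totalTime, slowestUrl: slowest.request.url };
}

// "wait" in HAR timings is the gap between the request being sent and the first
// byte of the response: the component that grows when server-side code gets
// slower, so it is the natural budget to assert on in a build.
function entriesOverBudget(har, maxWaitMs) {
  return har.log.entries
    .filter((e) => e.timings.wait > maxWaitMs)
    .map((e) => ({ url: e.request.url, wait: e.timings.wait }));
}

// The security angle: the same capture records every Set-Cookie header, so a
// performance run can also report cookies issued without Secure or HttpOnly.
function cookieFindings(har) {
  const findings = [];
  for (const e of har.log.entries) {
    for (const h of e.response.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      const [pair, ...rest] = h.value.split(";");
      const cookieName = pair.split("=")[0].trim();
      const attrs = rest.map((a) => a.trim().toLowerCase());
      if (!attrs.includes("secure")) findings.push(`${cookieName} from ${e.request.url} lacks Secure`);
      if (!attrs.includes("httponly")) findings.push(`${cookieName} from ${e.request.url} lacks HttpOnly`);
    }
  }
  return findings;
}

console.log(summariseHar(SAMPLE_HAR));
console.log("over budget:", entriesOverBudget(SAMPLE_HAR, 200));
console.log("cookie findings:", cookieFindings(SAMPLE_HAR));
```

Run it with node; against a real export the same functions would be fed the result of JSON.parse over the file contents. The code reads only each entry's time and wait, which are always populated; other timing phases may be recorded as -1 in a real capture to mean "not applicable", so a fuller analysis should treat negative values as zero before summing them.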

Future meetings of this group will be looking at Ajax, and performance testing of mobile applications. I have joined the group to receive future announcements.

Posted on: 19 January 2012 at 08:34 hrs

10 January 2012

Report on Dynamic Application Security Testing (DAST) Solutions

Gartner published its report Magic Quadrant for Dynamic Application Security Testing (DAST) at the end of December.

The cover from Gartner's 'Magic Quadrant for Dynamic Application Security Testing' by Neil MacDonald and Joseph Feiman

The report is currently available to download free of charge if you register on Veracode's website. But it looks like if your turnover is less than $500 million, or say it is, the sales folk may be less likely to bother you.

The report is a useful summary, but I don't think it does enough to highlight the need for DAST to be just one part of a mix of activities contributing to a secure software development lifecycle, and therefore more secure applications. There's plenty of activity out there combining developer training, secure coding guidelines, vulnerability management, web application firewall dynamic patching and static analysis techniques too.

Posted on: 10 January 2012 at 08:48 hrs

03 January 2012

AppSec EU 2012 To Be Held in Athens

Happy new year. Planning your diary already? Looking for the best European conference for information about application security?

Photograph of a public display board beneath a sign saying 'Information' - the web browser on screen is displaying a Firefox error message because it cannot connect to the requested information resource address

Europe's premier application security conference, AppSec EU, is being held in Athens, Greece, from 10th to 13th July 2012. As in Stockholm two years ago, this event has a research theme, but there will be plenty of practical information, advice and application security training.

In May I participated in the OWASP Greece chapter Training Day in Athens and was overwhelmed by the level of attendance from the enthusiastic and knowledgeable development community. I am sure the sponsorship opportunities and tickets will be snapped up quickly.

AppSec EU Research 2012 is being hosted by the Department of Informatics and Telecommunications of the University of Athens.

Posted on: 03 January 2012 at 08:15 hrs

27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing with HTML5, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs

19 November 2011

Comparison of Weakness Discovery Techniques

Andrew Austin and Laurie Williams at North Carolina State University's Department of Computer Science have published a paper comparing techniques used to discover security vulnerabilities in already implemented software applications.

Title and abstract from the paper One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques

One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques describes a comparative study to assess two electronic healthcare record applications using four different vulnerability discovery techniques:

  • Exploratory manual penetration testing
  • Automated static analysis, combined with manual review of the results
  • Automated (dynamic) penetration testing, combined with manual review of the results
  • Systematic manual penetration testing

The paper is a superb review of the pros and cons of each technique. I was a little confused at first about the vulnerability discovery rate metric, since it excludes the time for tools to run. I also think the data in Table VI might not be consistent with the previous tables in the paper, but I may have misunderstood something here.

Nevertheless, this doesn't affect the conclusions that systematic manual penetration testing was the most efficient technique for finding design flaws, but combining that with both static analysis and automated penetration testing will provide the most comprehensive results, since no single technique discovers every type of vulnerability.

Posted on: 19 November 2011 at 18:30 hrs

08 November 2011

SDL Talk Wall

Tired of digging through page after page of links to find knowledge about a work-related subject? Making information security guidance accessible is a challenge too.

Screen capture from Microsoft's SDL Talk Wall

Microsoft has announced a new SDL Industry Talk Wall on the Security Development Lifecycle (SDL) website. It is a live view of news, resources and answers to common questions around SDL, created using HTML5, with the ability to filter by return on investment, progress of the SDL itself, tools, cloud-related aspects and events.

This is a great way to promote secure software development lifecycle processes, and encourages people to browse through the latest information. I wish I had thought of doing this before.

Posted on: 08 November 2011 at 18:32 hrs

04 November 2011

PCIDSS Thought for the Day

This week I was drafting a penetration test scoping document, and Word's grammar-checker gave me an interesting suggestion.

Screen capture showing Word grammar-checker's suggested revision 'The penetration tester that contravenes neither United Kingdom legislation nor any PCI-DSS requirement shall undertake nothing'

I had written a rather poorly crafted sentence, and at first Word suggested I add the word "neither" to improve readability. That seemed reasonable, but then it suggested I reword the entire sentence to: "The penetration tester that contravenes neither United Kingdom legislation nor any PCI-DSS requirement shall undertake nothing".

A fascinating insight, but not quite what I had in mind. Although it might be true, I started my sentence from scratch again.

Posted on: 04 November 2011 at 21:37 hrs

28 October 2011

Web Application Security for Auditors

COBIT defines a range of domains, processes and control objectives relevant to the secure software development lifecycle. ISACA has now published a white paper on web application security risks.

Partial view of the title sheet from ISACA's white paper 'Web Application Security - Business Risk Decisions' published in October 2011

Web Application Security - Business Risk Decisions provides an introduction to the security issues relating to web applications and discusses the risks and common security weaknesses. It references other projects and resources that are relevant to web application security.

The paper recommends a systems-based approach which will be familiar to adopters of COBIT and similar frameworks. It emphasises the governance aspects, especially the need for enterprise support. The paper recommends a programme to drive security throughout the SDLC to include:

  • Business/executive support
  • Training
  • Supply chain
  • Policies and standards
  • Technical controls
  • Ongoing programme of scanning/code review
  • Legacy code
  • Project management
  • Effective incident response capabilities

The approach is welcome. IT Auditors can be your friends! It will be interesting to see if this develops into a more formal initiative by ISACA.

Posted on: 28 October 2011 at 09:09 hrs

14 October 2011

Out and About This Week

I have been out and about this week at some events in London.

Photograph of the presenters and attendees at Skills Matter eXchange for the October meeting of the London Ajax User Group

On Tuesday evening I attended another meeting of the London Ajax User Group, hosted as usual at the nearby Skills Matter eXchange. The meeting had attracted over 50 developers who had come to listen to the talks — one about using HTML5 Web Sockets, and the other about template-based JavaScript development. Well, I shouldn't really have been surprised by the number of attendees; the user group's slogan is "London's largest group of Ajax, JavaScript and HTML5 developers", so the topics were right on target.

Micheil Smith began by describing how HTML5 web sockets can be used to deliver near real-time interactive web content. He explained how web sockets are replacing pseudo real-time techniques such as HTTP polling, LiveConnect, forever iframe, HTTP long polling and XHR streaming. He described uses for web sockets and some of the issues that can cause problems, such as ports blocked by firewalls and different traffic patterns leading to server capacity problems.

Mark Wubben then explained how sites/applications need to work with and without JavaScript. He discussed a method called Eyebrow, based on Mustache templating language and Django Template Language (DTL), which achieves this and harnesses the power of server side generation combined with application execution on the client.

These user groups are a great way to keep in touch with issues developers are having and technology trends. Then on Wednesday and Thursday I attended RSA Conference Europe 2011 which had a more corporate/security type of audience. The two presentations I found most useful were by Bryan Sullivan and Ramon Krikken.

Bryan Sullivan explained security issues related to NoSQL databases — similarities and differences with relational databases, and what extra set of issues need to be considered when designing and developing systems using these data stores. He demonstrated injection techniques against MongoDB and then moved on to compelling examples of server-side JavaScript injection using Node.js as an example. He discussed risky constructs to look for during code review and ways to avoid some typical pitfalls. Lots of things to add to my code review and security testing notes.
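As an added example that is neither Bryan Sullivan's demonstration nor code from this post, the following shows the two constructs at the heart of that talk in a form that runs without MongoDB or a web framework: query-operator injection through an untyped JSON body, beside a type-checked version, and server-side JavaScript injection through eval() used as a JSON parser, beside JSON.parse(). The user records, the tiny matcher standing in for MongoDB's equality and $ne semantics, and the payloads are all constructed for the example.

```javascript
// Added example, not Bryan Sullivan's demonstration or the original post's
// code: the two injection classes from the talk, hand-rolled so it runs with
// no database. The user records and the matching logic are constructed here.

// --- 1. MongoDB query-operator injection -----------------------------------
// A login handler that copies fields from a JSON request body straight into a
// query document. If the client sends {"username": {"$ne": null}} instead of a
// string, the equality test becomes "any user whose name is not null".
function buildLoginQueryUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened form: insist on the scalar type the schema expects before the value
// gets anywhere near the driver. (Real code should never store or compare
// plaintext passwords either; the point here is the query shape only.)
function buildLoginQuerySafe(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username: body.username, password: body.password };
}

// Constructed stand-in for the subset of MongoDB matching used above: scalar
// equality and the $ne operator. Enough to show the effect, nothing more.
const USERS = [
  { username: "alice", password: "correct horse" },
  { username: "bob", password: "battery staple" },
];

function fieldMatches(actual, criterion) {
  if (criterion !== null && typeof criterion === "object") {
    if ("$ne" in criterion) return actual !== criterion.$ne;
    return false; // other operators are not modelled here
  }
  return actual === criterion;
}

function findUsers(query) {
  return USERS.filter((u) => Object.keys(query).every((k) => fieldMatches(u[k], query[k])));
}

// --- 2. Server-side JavaScript injection ------------------------------------
// Early Node.js code sometimes used eval() as a shortcut for parsing a JSON
// body. eval() runs whatever the client sent; JSON.parse() only yields data.
function parseBodyUnsafe(raw) {
  return eval("(" + raw + ")"); // vulnerable: executes client-supplied code
}

function parseBodySafe(raw) {
  return JSON.parse(raw); // throws SyntaxError on anything that is not JSON
}

// Run a harmless payload carrying a side effect through both parsers and
// report whether the side effect fired and whether JSON.parse rejected it.
function ssjsDemo() {
  globalThis.__demoInjected = false;
  const payload = '{"username": "alice", "note": (globalThis.__demoInjected = true, "x")}';
  const viaEval = parseBodyUnsafe(payload);
  let jsonRejected = false;
  try { parseBodySafe(payload); } catch (e) { jsonRejected = e instanceof SyntaxError; }
  return { evalRan: globalThis.__demoInjected === true, username: viaEval.username, jsonRejected };
}

const attackerBody = JSON.parse('{"username": {"$ne": null}, "password": {"$ne": null}}');
console.log("unsafe query matches", findUsers(buildLoginQueryUnsafe(attackerBody)).length, "users");
console.log("safe query rejects operator objects:", (() => { try { buildLoginQuerySafe(attackerBody); return false; } catch { return true; } })());
console.log(ssjsDemo());
```

The operator injection only works because the body parser hands the application a nested object where a string was expected, which is why the fix is a type check at the boundary rather than escaping. The eval() case is the same lesson from the other direction: a parser that can execute is not a parser.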

Ramon Krikken described usage scenarios for tokenisation of sensitive data and explained that he thought tokenisation is oversold, under-analysed and not well understood. He outlined the issues around choice of algorithm, architectural implementation, input data and business processes which have led him to the conclusion that tokenisation is cryptography, if not actually encryption. This presentation really was an eye-opener and cut right through to the weaknesses and possible attacks on such systems. If Ramon is speaking near you, make sure to go along. There is a summary podcast available.

I also enjoyed the discussion group run by Brian Honan focused on the practicalities and issues of incident response in the cloud.

My own session about attack-aware software applications built upon my previous presentations at AppSec EU 2011, the Software Assurance Forum Fall 2011, the training course I gave and the AppSensor Summit at AppSec US 2011. It is always good to receive views & feedback, and about ten percent of the audience of 70-80 had questions or comments to make. I will also be talking about this topic at OWASP Leeds on 25th October.

Posted on: 14 October 2011 at 08:46 hrs

11 October 2011

SQL Injection For Beginners

SQL injection is one of those attacks which most developers have heard of, but may not be familiar with.

Photograph of a workstation in a retail shop showing a web browser and a message printed across the top of the display screen 'PUBLIC NOTICE: This computer is for staff use only.'

I stumbled upon some really good guidance on doing your own homework to learn about SQL injection. Best Damn Quick Tips for a Total SQL Injection Newbie (Period) quickly describes three steps (reading, setting up a vulnerable web environment and mimicking attackers) to go from little to lots of knowledge. Yes, really do this on your own deliberately vulnerable test applications — never start trying things out on applications or systems you are not authorised to examine.

Then for the last step which is to research defensive measures, the best resource is the OWASP SQL Injection Prevention Cheat Sheet. Happy reading!

Posted on: 11 October 2011 at 06:59 hrs

Testing : Web Security, Usability and Design
http://www.clerkendweller.com/testing

© 2008-2012 clerkendweller.com