14 January 2012

Threats

Posts relating to the category tag "threats" are listed below.

14 January 2012

New Entry at No 4: Cyber Attacks

I have to thank Alexis Fitzgerald for pointing out this weekend's reading — the latest edition of the Global Risks report from the World Economic Forum.

Global Risks Map 2012 from the World Economics Forum's 'Global Risks 2012 - Seventh Edition'

All 50 risks examined in this year's Global Risks 2012 - Seventh Edition fall in the high-impact and high-likelihood areas. This year cyber attacks have been identified as one of the top five risks in terms of likelihood. However, in terms of impact, issues like major systemic financial failure, water supply crises, food shortage crises, chronic fiscal imbalances and extreme volatility in energy and agricultural prices have much greater effect.

The rising importance of cyber attacks is related to the fact that they can be undertaken remotely and anonymously, as well as to the much increased "hyperconnectivity" of systems. The objectives of cyber attacks are stated as sabotage, espionage and subversion (e.g. spreading false information and denial of service attacks).

Axioms for the Cyber Age.
— Any device with software-defined behaviour can be tricked into doing things its creators did not intend.
— Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not been detected.

This isn't a report for the micro-scale, but examines risks from the perspective of the world and nation states. However, that isn't to say that larger companies and other organisations can't learn something from the report. A detailed analysis of last year's earthquake in north-east Japan identifies how more highly-networked businesses (with distributed leadership, loose coupling, dispersed workforces, cross-trained generalists and guidance by simple but flexible rules) fared better than more hierarchical, centralised, policy-driven, tightly coupled ones. The questions for stakeholders on page 35 are good tips for consideration in developing and updating incident response and disaster recovery plans — whatever the scale of the organisation or system.

The report may also be of interest to those involved with sector-wide bodies for encouraging building resilience into their member organisations. On that subject, the US Department of Energy and Department of Homeland Security have announced a new initiative to develop best practices in the form of a cyber security maturity model for the electricity sector.

If this global risk is your thing, you may also want to have a look at the Cyber Power Index which attempts to benchmark the ability of the G20 countries to withstand cyber attacks and to deploy the digital infrastructure needed for a productive economy.

Posted on: 14 January 2012 at 17:52 hrs


27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events
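The document's Web messaging section covers the postMessage API, where the classic weakness is a receiver that trusts any sender and writes the payload into an HTML sink. The following is an added example written for this page, not code from Michael Schmidt's document or from the blog: a receiver in its weak and hardened forms, plus a sender that names its target origin. The handlers take a MessageEvent-like object so they run under Node.js as well as in a browser; the trusted-origin list and the message shape (`type`, `text`) are assumptions for the illustration.

```javascript
// Added example (not from the HTML5 Web Security document): postMessage receiver,
// weak form beside hardened form, written to run in Node.js or a browser.

// Assumed allow-list of origins this page exchanges messages with.
const TRUSTED_ORIGINS = ["https://app.example", "https://widget.example"];

// Weak form: no origin check, payload goes straight to an HTML sink.
function handleMessageWeak(event, sink) {
  sink.innerHTML = event.data; // any window that can reach us can inject markup here
  return true;
}

// Exact-match origin check. A startsWith() or loose regex would accept
// "https://app.example.attacker.test", so compare whole strings only.
function isTrustedOrigin(origin, allowList = TRUSTED_ORIGINS) {
  return allowList.includes(origin);
}

// Hardened form: allow-listed origin, parsed and shape-checked message, text sink.
function handleMessageHardened(event, sink, allowList = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, allowList)) return false;
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch {
    return false; // malformed payloads are dropped, not processed
  }
  if (!msg || msg.type !== "greeting" || typeof msg.text !== "string") return false;
  sink.textContent = msg.text; // textContent, not innerHTML
  return true;
}

// Sender side: name the target origin rather than "*", so the browser withholds
// the message if the target frame has navigated elsewhere.
function sendGreeting(targetWindow, targetOrigin, text) {
  targetWindow.postMessage(JSON.stringify({ type: "greeting", text }), targetOrigin);
}

// Stand-ins for DOM objects so the block runs offline. In a browser you would wire
// window.addEventListener("message", e => handleMessageHardened(e, outputElement)).
function makeSink() { return { innerHTML: "", textContent: "" }; }

function demo() {
  const sinkWeak = makeSink();
  const sinkHard = makeSink();
  // Constructed sample events (not captured traffic).
  const hostile = { origin: "https://evil.test", data: "<img src=x onerror=alert(1)>" };
  const lookalike = { origin: "https://app.example.evil.test",
                      data: JSON.stringify({ type: "greeting", text: "hi" }) };
  const friendly = { origin: "https://widget.example",
                     data: JSON.stringify({ type: "greeting", text: "hello" }) };
  const posted = [];
  const fakeWindow = { postMessage: (data, origin) => posted.push({ data, origin }) };
  sendGreeting(fakeWindow, "https://app.example", "hello");

  return {
    weakAcceptedHostile: handleMessageWeak(hostile, sinkWeak),
    weakSinkHtml: sinkWeak.innerHTML,
    hardRejectedHostile: !handleMessageHardened(hostile, sinkHard),
    hardRejectedLookalike: !handleMessageHardened(lookalike, sinkHard),
    hardAcceptedFriendly: handleMessageHardened(friendly, sinkHard),
    hardSinkText: sinkHard.textContent,
    sentToOrigin: posted[0].origin,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The three checks in the hardened handler (origin, structure, sink type) are independent: dropping any one of them reopens a path, which is why the document treats origin validation and output handling as separate countermeasures rather than one.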

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs


11 November 2011

Life-Logging Application Risks

The European Network and Information Security Agency (ENISA) has published a report on the risks and benefits of emerging life-logging applications.

Partial view of the cover from ENISA's 'To Log or Not to Log'

The report examines the benefits of life-logging and information security risks for individuals, industry and state/government. The analysis assesses the risks and provides recommendations for each group.

Perhaps of most interest here are the recommendations for life-logging industry and service providers, summarised on pages 9-10 of the report, including privacy-friendly defaults, using privacy impact assessments and risk management approaches, direct online access for data access/audit, advice for individuals on the risks, distributed storage, workplace issues, encryption on user devices and multi-factor authentication.

The report is based around a life-logging scenario (Appendix I) which is used to highlight the issues and impacts on various parties. If you provide services in this area, or are considering anything closely related to this space, I think you will find the risk analysis (and risk assessment spreadsheet in Appendix II) a good starting point for your own efforts.

Posted on: 11 November 2011 at 17:43 hrs


21 September 2011

AppSensor Summit at AppSec USA 2011

Following a successful training course yesterday with a great group of delegates, today I attended the OWASP AppSensor Project working group at AppSec USA 2011.

Photograph of downtown Minneapolis where the OWASP AppSec USA 2011 conference is being held

The AppSensor Summit was held to review the project's recent developments and activities, and to gather ideas from existing and new contributors to create a future roadmap. It was good to meet at long last John Melton, AppSensor's lead programmer, and catch up with Michael Coates and Ryan Barnett.

The summit also attracted a diverse range of developers, architects, users and security vendors. There were probably about 10-12 people attending all day, with a few more popping in and out as their timetables and other commitments allowed. The discussions defined the contents for a new book, an AppSensor development life cycle, an integration plan and a new concept to modularise the analysis engine to simplify integration with application software. The idea of creating a set of example usage profiles was also suggested. I think my name is down to help mainly with a new version of the AppSensor book, but I hope I can contribute with some of the interface definitions for interactions with the analysis engine, and possible signalling/exporting functionality.

The meeting notes are available, so if you have any comments or suggestions, please add them there, or discuss them via the project's mailing list.

The talks at the conference begin tomorrow.

Posted on: 21 September 2011 at 22:30 hrs


13 September 2011

Creating Attack-Aware Software Applications with Real-Time Defenses

The new edition of CrossTalk Magazine, the Journal of Defense Software Engineering, includes an article about OWASP AppSensor Project.

Title section from 'Creating Attack-Aware Software Applications with Real-Time Defenses' in the September/October CrossTalk Magazine, the Journal of Defense Software Engineering

In this September/October 2011 edition, CrossTalk focuses on the theme of Protecting Against Predatory Practices. Articles examine the most recent dangers the software community faces and methodologies used to protect information against cyber espionage. They explore the latest threats, security measures, software security automation, and social networking dangers.

I had the pleasure of working with AppSensor project leader Michael Coates, and project contributors John Melton and Dennis Groves to write the article Creating Attack-Aware Software Applications with Real-Time Defenses describing why conventional defences fail to protect applications and the benefits of building-in application-specific defenses. We describe the accumulation of information, ideas and code within the AppSensor Project, how these can be applied to an organisation's own software applications, and plans for the continued development of the project.

If you would like to find out more, I will be speaking at Software Assurance (SwA) Forum - Fall 2011 tomorrow, running a one-day training course at AppSec USA 2011 on 20th September, and participating in the recently announced AppSensor Summit on 21st September 2011.

Posted on: 13 September 2011 at 08:14 hrs


09 September 2011

Secure Web Application Development and Implementation

The UK's Centre for the Protection of National Infrastructure (CPNI) has updated its guidance on protecting business applications with the publication this month of a new document on developing and implementing secure web applications.

Partial image of the title sheet from the Centre for the Protection of National Infrastructure CPNI guidance document 'Development and Implementation of Secure Web Applications', published in August 2011

Development and Implementation of Secure Web Applications is a well-written and digestible 81-page A4 document arranged in seven main sections:

  • Introduction to web application security
  • General aspects of web application security
  • Access handling (authentication, session management and access control)
  • Injection flaws
  • Application users and security
  • Thick client security
  • Preparing the infrastructure

It appears to replace the good, but somewhat dated document "Briefing 10/2006 - Secure web Applications - Development, Installation and Security Testing" created by their predecessor, the National Infrastructure Security Co-ordination Centre (NISCC), and issued in April 2006. The new document is more compact and focused, and I think I prefer it. Yes, of course it is more up-to-date, and while it would be possible to argue why some things are included and not others, these other things tend to be explained further in the references. It's clear there is considerable overlap with information from OWASP and the Microsoft SDL, but I'm sure the reverse is true to an extent too.

It is very encouraging that CPNI have taken the time to produce an updated document, but that probably reflects the types of risks facing their audience. I am especially pleased to see the section on infrastructure, since application security cannot be an island on its own. I would say the guidance is probably on the medium-to-heavy weight side of advice, but that is probably appropriate for critical national infrastructure, and the document does discuss threat modelling initially. It might seem overwhelming to some organisations new to the subject, who might need some help on what to do first.

I think the document could perhaps do with more cross-referencing to additional information resources elsewhere. Yes, documents can always be improved, and I am sure we will find niggles and faults with use, but threats evolve and so does our knowledge.

Posted on: 09 September 2011 at 20:00 hrs


02 September 2011

Software Assurance (SwA) Forum - Fall 2011

I have been invited to run a workshop at the next Software Assurance (SwA) Forum in Arlington, Virginia.

Extract from the Preliminary Draft Program Agenda for the Software Assurance (SwA) Forum on September 12-16, 2011, 'Addressing Software Risks Throughout the Supply Chain'

The Software Assurance Program of the US Department of Homeland Security's National Cyber Security Division co-sponsors SwA Forums semi-annually with the US Department of Defense and the National Institute for Standards and Technology (NIST). The events aim to bring together government, industry, and academia with vested interests in software assurance to discuss and promote integrity, security, and reliability in software.

My session on Wednesday 14th September in the track on "SwA at the Code Level" will relate to the content of the full-day training course "Application Attack Detection & Response" I am providing at OWASP AppSec USA the following week in Minneapolis.

At the SwA Forum I am also looking forward to the subsequent workshops on Dimensions of Static Analysis-Based Assurance with Mike Oara, OWASP Acquisition Language for Software Assurance with Jeff Williams, and Scaleable Application Security Practices with Jim Manico. I am also hoping to hear about any updates to the previously mentioned Software Assurance Pocket Guides.

Please do attend. The 5-day programme is packed with useful sessions on practical software assurance topics.

SwA Forum - Fall 2011 is being held at the Software Engineering Institute (SEI), 4301 Wilson Blvd, Arlington, VA 22203, from 12th to 16th September 2011. There is no charge for the event but prior registration is required.

Posted on: 02 September 2011 at 07:36 hrs


23 August 2011

Last Call for Application Defense Training at AppSec USA

Application Attack Detection & Response is the title of the one-day hands-on training course I am providing at North America's most important application security conference AppSec USA 2011 in Minneapolis, MN.

Photograph of the course handouts, team handouts, supporting materials and certificate of attendance for the course 'Application Attack Detection & Response - A Hands-on Planning Workshop' being held at OWASP AppSec USA 2011 in Minneapolis

I mentioned the course in May and since then have been preparing the course presentations, exercises, team handouts and other supporting materials. This week they are now ready and I have been through a dry-run of the whole day. The course is going to be very participatory. I will be presenting information largely based on the OWASP AppSensor Project, but half of the time will be spent on practical exercises which show how to plan a defensive strategy using application-specific intrusion detection and response.

Through the day the attendees will work in small teams building the specification for application-specific defenses of an example web application, in a tutorial-based approach. The course is technology and programming language-agnostic. In fact there is no code at all, but attendees need to be familiar with web application risks, vulnerabilities and the types of techniques attackers use to identify and exploit weaknesses. The exercises will be paper based but electronic templates will also be provided. The day will culminate in a defense simulation exercise, where the teams will score each other's defensive models against a range of attacks. 12 attacks will be selected at random from a set of pre-built scenarios with the code names:

  • Slow Discoverer
  • Yadda Yadda Yadda
  • Hit & Run
  • An Offshore Enquiry
  • Scratch 'n' Sniff
  • A Visit From A Foreign Gentleman
  • Nosey Parker
  • Coupon Chaser
  • Build Your Own Data Warehouse
  • Fraudulent Fingers
  • Teen Leaver's Delight
  • Blast From The Past
  • The Forbidden Scriptures
  • Slab Fondler's Folly
  • Yet Another Hopeless User
  • The Thirteen Problems
  • Protect and Survive

You will have to be there to discover what these are all about, but perhaps you can guess some of them?
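The course described above, like the CrossTalk article in the 13 September entry, is about application-specific intrusion detection and response: the application records the security events only it can recognise, counts them per user over a time window, and escalates its response when a threshold is crossed. The block below is an added example written for this page, not AppSensor project code and not part of the course materials. The detection-point IDs, thresholds, window sizes, response ladder and the sample event list are all assumptions constructed for the illustration.

```javascript
// Added example (not AppSensor project code): a minimal detection-point store with
// per-user thresholds, a time window and an escalating response ladder.

// Detection points the application itself can recognise. The IDs loosely echo
// AppSensor's naming but the thresholds and windows are assumptions for this example.
const DETECTION_POINTS = {
  AE2: { description: "multiple failed passwords", threshold: 5, windowMs: 5 * 60 * 1000 },
  IE1: { description: "unexpected characters in a validated field", threshold: 1, windowMs: 60 * 1000 },
  RE2: { description: "unsupported HTTP method", threshold: 3, windowMs: 5 * 60 * 1000 },
};

// Per-user escalation: first breach logs, second warns the user, third locks the account.
const RESPONSE_LADDER = ["log", "warn", "lock_account"];

class AppSensor {
  constructor(points = DETECTION_POINTS, ladder = RESPONSE_LADDER) {
    this.points = points;
    this.ladder = ladder;
    this.events = new Map();      // "user:pointId" -> timestamps inside the window
    this.escalation = new Map();  // user -> number of responses already issued
    this.responses = [];
  }

  // Record one event; return the response taken, or null if still below threshold.
  addEvent(user, pointId, ts) {
    const point = this.points[pointId];
    if (!point) throw new Error(`unknown detection point ${pointId}`);
    const key = `${user}:${pointId}`;
    // Keep only events still inside the sliding window, then add this one.
    const recent = (this.events.get(key) || []).filter(t => ts - t < point.windowMs);
    recent.push(ts);
    this.events.set(key, recent);
    if (recent.length < point.threshold) return null;
    // Threshold reached: reset the window so the same events are not counted twice.
    this.events.set(key, []);
    const level = Math.min(this.escalation.get(user) || 0, this.ladder.length - 1);
    this.escalation.set(user, level + 1);
    const response = { user, pointId, action: this.ladder[level], at: ts };
    this.responses.push(response);
    return response;
  }

  isLocked(user) {
    return this.responses.some(r => r.user === user && r.action === "lock_account");
  }
}

// Constructed sample events: [user, detection point, seconds since start].
const SAMPLE_EVENTS = [
  ["alice", "AE2", 0], ["alice", "AE2", 10], ["alice", "AE2", 20],            // 3 failed logins: below threshold
  ["mallory", "AE2", 0], ["mallory", "AE2", 5], ["mallory", "AE2", 10],
  ["mallory", "AE2", 15], ["mallory", "AE2", 20],                            // 5th failure -> "log"
  ["mallory", "IE1", 30],                                                    // input exception -> "warn"
  ["mallory", "RE2", 40], ["mallory", "RE2", 41], ["mallory", "RE2", 42],    // 3rd bad method -> "lock_account"
  ["bob", "AE2", 0], ["bob", "AE2", 400], ["bob", "AE2", 800],
  ["bob", "AE2", 1200], ["bob", "AE2", 1600],                                // 5 failures, but never 5 in one window
];

function runSample(events = SAMPLE_EVENTS) {
  const sensor = new AppSensor();
  for (const [user, pointId, sec] of events) sensor.addEvent(user, pointId, sec * 1000);
  return {
    responses: sensor.responses,
    malloryLocked: sensor.isLocked("mallory"),
    bobLocked: sensor.isLocked("bob"),
    aliceResponses: sensor.responses.filter(r => r.user === "alice").length,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runSample());
}
```

The point the course makes, and which this reproduces, is that the thresholds and responses are a planning decision for each application: bob's slow, spread-out failures look like a forgetful user and never trigger anything, while mallory's mix of failed logins, malformed input and odd HTTP methods escalates in three steps.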

The AppSec USA 2011 organisers have been fantastic, especially Adam Baso and Lorna Alamri of the OWASP Minneapolis-St. Paul (OWASP MSP) chapter. I am really looking forward to the week there.

I believe there are still some places left on the course, so if you want to learn about this topic and leave well-briefed to apply the techniques in your own projects or software specifications, please register as soon as possible. The course begins at 8:30 am. This is the only time this one-day course is being offered in the Americas.

On the following day (21st September), apart from one-day training courses with Robert Zakon and Sumit Siddharth, there will be an AppSensor working session and an ESAPI summit. The conference then runs on the 22nd-23rd September.

Posted on: 23 August 2011 at 07:09 hrs


16 August 2011

Taxonomy of Operational Cyber Security Risk

This week Bruce Schneier mentioned a document published in December 2010 by CERT, at Carnegie Mellon University's Software Engineering Institute. I hadn't been aware of this previously.

Table in the CERT document 'Taxonomy of Operational Cyber Security Risks' showing the four classes and their associated sub-classes and elements

The Taxonomy of Operational Cyber Security Risks is part of CERT's work on resilience management. It identifies and organises sources of operational risk to information and technology assets that have consequences affecting the confidentiality, availability or integrity of information or information systems.

The taxonomy is based around four classes: actions of people, systems and technology failures, failed internal processes, and external events.

The taxonomy complements the previous Department of Homeland Security (DHS) Risk Lexicon and also discusses harmonisation with the Federal Information Security Management Act of 2002 (FISMA 2002), security guidance contained within the National Institute of Standards and Technology (NIST) Special Publications series, and the threat profile concept contained within the CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method.

The mapping of NIST SP 800-53 Rev 3 controls to the taxonomy subclasses and elements in Appendix 3 is especially useful.

For those in the field of operational defense of applications, there is currently a discussion on the OWASP Defenders community's mailing list about creating a Top 10 for operational web application security risks. Ryan Barnett's initial message is here, and the discussion continues here, here, and here. Contribute your thoughts.

Posted on: 16 August 2011 at 10:23 hrs


12 August 2011

The Lush Topic of Security, Data Protection and PCI DSS

Do you remember Lush Cosmetics' rather public payment card data and personal data loss announced in January 2011? After 4 months of being compromised, the problem was recognised, customers were notified and the web site was shut down.

Photograph of the entrance and display windows of a Lush Cosmetics shop in London

Lush had allowed people's data to be stolen via its own web site. We still await news of what fines and other penalties will be levied under the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS) if they are found to have been non-compliant at the time. However, the UK's Information Commissioner's Office (ICO) became involved due to the related loss of 5,000 individuals' personal data and confirmed in a press release on Wednesday this week that Lush Cosmetics had also breached the Data Protection Act 1998. Formed in 1994-1995, Lush Cosmetics has been a registered data controller (No. Z8189523) since late 2003.

As expected, no enforcement notice or monetary penalty has been issued, but Lush Cosmetics Limited's Managing Director, Mark Constantine, has signed an undertaking to ensure that personal data are processed in accordance with the seventh data protection principle concerning security, and in particular take the following measures to improve the protection of personal, and cardholder data:

  1. Appropriate technical and organisational measures are employed, and maintained, to prevent the unlawful processing of customer data, particularly within web based systems;
  2. Only the minimum amount of customer personal data is stored and that this is retained only for as long as a relevant business need exists;
  3. Computer systems storing customer personal data must be subject of regular penetration testing, with activity logs retained for an appropriate period of time and frequently interrogated for evidence of malicious attack;
  4. The processing of customer credit card data is conducted by a PCI compliant external service provider;
  5. The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

...as long as the Data Protection Act, or succeeding legislation, are in force. So, correctly, there is a focus on Lush's web systems, including penetration testing of systems holding personal data, but also on other appropriate security measures as necessary. Let's hope Lush aren't left thinking penetration testing is the answer — security needs to be considered at all stages of acquisition, development, deployment and operation.

And yes, that's right, the ICO is insisting on compliance with PCI DSS. The ICO made clear in the press release its expectations for PCI DSS compliance by other online retailers, who will otherwise risk enforcement action by the ICO.

This seems to be a valid approach, since fines, investigation costs, etc may still be levied for lack of PCI DSS compliance too. But I have some concerns with how Lush are portraying their squeaky-clean new status in the web site's terms and conditions:

Our website (www.lush.co.uk) is now operating under level one PCI-DSS compliance. If you don't have your geek-speak handbook around, that means Personal Card Industry - Data Security Standard. Level one is the highest level achievable; we don't want to take any risks with our customers' money or data. Although this doesn't guarantee that our website is impervious to hacking, it does guarantee that your card details are safe and secure. You can read more about PCI compliance here [missing link]

I'm not entirely sure that moving all cardholder data off-site to a PCI DSS compliant third party processor necessarily means much about the security of other data on the Lush web site and elsewhere at Lush, or much about systems outside the cardholder data environment. Is this just meaningless bubbly rhetoric to provide false assurance, or maybe Lush still does not understand what they are doing? Complying with regulatory and contractual mandates isn't the same as believing in "filling the world with perfume and in the right to make mistakes, lose everything and start again". Some of that "honest meaning" mentioned by Lush would be welcome here too.

Personally I think the PCI SSC should be a bit more strict about how their name can be used to endorse systems. Hey, clerkendweller.com meets PCI DSS compliance criteria too! There's no cardholder data to begin with...

Posted on: 12 August 2011 at 08:22 hrs



Threats : Web Security, Usability and Design
http://www.clerkendweller.com/threats
© 2008-2012 clerkendweller.com