21 May 2013

Threats

Posts relating to the category tag "threats" are listed below.

26 February 2013

OWASP NL 13.03.13

I will be travelling to Nijmegen on Wednesday 13th March having been invited to speak at the OWASP Netherlands local chapter.

Photograph of three airport departure boards with one displaying the blue screen of death in contrast to the flight departures listed on the other two

At the meeting in the Radboud Universiteit Nijmegen, I will present two brand new talks.

  • "Record It!" — Do you know what security event information should be recorded by an application? The presentation will outline which event properties are useful, what should be avoided and how logging can be implemented. This short presentation will also describe the benefits of good application logging. The content is drawn from the OWASP (Application Security) Logging Cheat Sheet.
  • "OWASP Cornucopia" — Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. The PCI DSS referenced OWASP Cornucopia - Ecommerce Web Application Edition will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.

OWASP board member Jim Manico is also presenting on the subject of "Access Control Design Best Practices". Jim is a great speaker and I am looking forward to this.

The venue is the Beta-faculty, Huygensgebouw, at Heyendaalseweg 135, Nijmegen, Parkeergarage P11. Registration and pizza will occur from 18:30 hrs until 19:15 hrs when my first talk commences. The presentations will end at 21:00 hrs followed by a period for further networking. Registration is free but necessary.

Posted on: 26 February 2013 at 10:55 hrs


22 February 2013

Threats, Attacks, Exploits and Defences

On Wednesday this week, Trustwave published the full version of its latest global information security report. It is comprehensive, information-rich, and well designed.

Part of page from the Trustwave 2013 Global Security Report showing a diagram that illustrates the main sectors for which mobile apps security testing data in the report relates to

The 2013 Trustwave Global Security Report (registration required) provides information from their incident investigations, updates from law enforcement agencies around the world (including SOCA), threat intelligence (attack sources, motivations, emerging techniques, attacks and defences), and some international perspectives. The sources used to aggregate data and draw conclusions include their vulnerability scanning, penetration testing and incident response investigation services, publicly disclosed data breaches, email sources, published vulnerabilities, and analysis of malicious web sites. Even this cannot be said to be completely representative, but it is amongst the better data available.

Based on the incident investigation information, payment cardholder data was the primary target because it is highly saleable for subsequent use in fraudulent transactions. Secondly, personal data is noted as having some monetary value. The primary targets were retail, food & beverage and the hospitality sector via their e-commerce and retail channels (web sites and point of sale/payment processing). These of course reflect organisations that are required to, or felt the need to, engage a company like Trustwave to perform incident investigation. Thus there will be a bias towards medium and larger organisations holding personal, credit and debit card data.

Where large quantities of data were compromised, the incident investigations identified weak administrative credentials, SQL injection and remote file inclusion as the primary vulnerabilities, with data being exfiltrated using HTTP and HTTP over TLS, RDP, SMTP and SMB protocols because egress firewall controls were missing. The report recommends building a defence-in-depth strategy with multiple layers of security. For important applications, a holistic approach that builds security in throughout development and operation is required. In the section on international perspectives for EMEA, the report notes an increasing trend of medium-sized and non-banking organisations developing strategic application security programmes, where assurance activities are based on the business risk each application presents.

Information points from the WASC Web Hacking Incident Database are also presented. These relate to publicly reported incidents involving web applications during 2012 that have an identified outcome. This does not pretend to be fully representative of all web application attacks, but it does cover many significant events. The most common attack methods were denial of service followed by SQL injection.

The top 10 application vulnerabilities (I believe the label on the table on page 50 possibly mistakenly includes the word "mobile") highlight how common cross-site scripting (XSS) and cross-site request forgery (CSRF) are, based on a sample of application penetration tests. Separate information is also presented for mobile application penetration tests, comparing the findings to the OWASP Mobile Top 10.

The other part of the report of interest to application software designers and architects is the statistical analysis of nearly 3.1 million encrypted passwords from Active Directory servers. In order of number of occurrences, "Welcome1" is the most common password, followed by "STORE123", "Password1", "password", "Hello123", "12345678", "training" and "Welcome2". "STORE123" sounds very like point of sale (POS) systems. These results and the analysis of password composition and make-up will be useful where there is a desire to limit the use of common passwords and formats.
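Where an application wants to limit the common passwords and formats this analysis highlights, a check of the kind below can be applied at registration or password change. This is an added example, not code from the report or from this blog; the blocklist and base-word list are constructed from the passwords quoted above, and the minimum length and stem-length threshold are assumed policy choices.

```python
"""Added example (not from the report or the blog post): a password
acceptance check that rejects the most frequent passwords listed in the
Trustwave 2013 report and the two formats they share, namely a single
word followed by a few digits (Welcome1, STORE123, Hello123) and an
all-digit string (12345678). The lists below are constructed from the
page; a real deployment would also check a large breach-derived list."""
import re
import unicodedata

# Most frequent passwords from the report, lower-cased for matching.
COMMON_PASSWORDS = {
    "welcome1", "store123", "password1", "password",
    "hello123", "12345678", "training", "welcome2",
}
# Base words the report's entries are built from.
COMMON_BASE_WORDS = {"welcome", "store", "password", "hello", "training"}
# Common substitutions so P@ssw0rd does not evade the word check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e",
                      "1": "i", "!": "i", "4": "a", "5": "s", "7": "t"})
# Longest stem treated as a "dictionary word + digits" format (assumed policy).
MAX_STEM_LEN = 8


def normalise(password: str) -> str:
    """Lower-case and strip accents so 'Wélcome1' still matches 'welcome1'."""
    nfkd = unicodedata.normalize("NFKD", password)
    return nfkd.encode("ascii", "ignore").decode().lower()


def split_word_digits(norm: str):
    """Return (stem, digits) when the password is a word followed by 1-4
    trailing digits, after undoing leet substitutions in the stem; else None."""
    m = re.fullmatch(r"(.*?[^\d])(\d{1,4})", norm)
    if not m:
        return None
    stem = m.group(1).translate(LEET)
    return (stem, m.group(2)) if stem.isalpha() else None


def check_password(password: str, min_length: int = 10) -> list:
    """Return every policy failure for the candidate; an empty list means OK."""
    failures = []
    norm = normalise(password)
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if norm in COMMON_PASSWORDS or norm.translate(LEET) in COMMON_PASSWORDS:
        failures.append("is one of the most common passwords")
    if norm.isdigit():
        failures.append("consists only of digits")
    split = split_word_digits(norm)
    if split:
        stem, _ = split
        if stem in COMMON_BASE_WORDS:
            failures.append(f"common word '{stem}' with digits appended")
        elif len(stem) <= MAX_STEM_LEN:
            failures.append("short word followed by digits is a common format")
    return failures


if __name__ == "__main__":
    for candidate in ["Welcome1", "STORE123", "P@ssw0rd1", "12345678",
                      "Tr4ining2", "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Returning every failure at once lets the user interface explain all the reasons rather than making the user discover them one at a time.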

Definitely worthwhile reading.

Posted on: 22 February 2013 at 11:06 hrs


08 February 2013

EU Cybersecurity Strategy and Proposed Directive

The European Commission published its Cybersecurity Strategy and details of a new proposed directive yesterday under the Digital Agenda flagship for ten-year growth.

Photograph of a temporary electronic matrix display sign at an outdoor event in Hyde Park London displaying the warning 'Security Checks In Operation'

The Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace describes five strategic priorities:

  • Achieving cyber resilience
  • Drastically reducing cyber crime
  • Developing cyberdefense policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Develop the industrial and technological resources for cybersecurity
  • Establish a coherent international cyberspace policy for the European Union and promote core EU values.

These lead to actions including:

  • Developing strong national cyber resilience capabilities, notably by building expertise on security and resilience of industrial control systems, transport and energy infrastructure
  • A voluntary certification programme to promote enhanced skills and competence of IT professionals (e.g. website administrators)
  • Training on NIS and secure software development and personal data protection for computer science students
  • Increase accountability of registrars of domain names and ensure accuracy of information on website ownership
  • Examine how major providers of ICT hardware and software could inform national competent authorities on detected vulnerabilities that could have significant security-implications
  • Develop ... technical guidelines and recommendations for the adoption of NIS standards and good practices
  • Stimulate the development and adoption of industry-led security standards, technical norms and security-by-design and privacy-by-design principles
  • Develop, in cooperation with the insurance sector, harmonised metrics for calculating risk premiums, that would enable companies that have made investments in security to benefit from lower risk premiums.

The Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union is a complementary measure aimed to standardise efforts in member states. Responsibilities are placed on public administrations and market operators in the private sector. The latter is defined to include both providers of information society services which enable the provision of other information society services (e.g. e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores), and operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking that provide credit, financial market infrastructure such as stock exchanges, and organisations providing health care.

There is a helpful commentary on initial opinions at ComputerWeekly.com.

Posted on: 08 February 2013 at 08:45 hrs


01 January 2013

2012-2013

Happy new year. Sophos has released its review of security attacks in 2012 with a look forward to what can be expected in 2013.

The Cheviot hills in Northumberland

The Security Threat Report 2013 describes the increase in attacks against social media platforms and cloud services. The report includes a feature on the Blackhole malware exploit kit, and has sections on the increase in attacks against Java and the Android operating system, ransomware, and attacks against OS X.

And for 2013? More of the same.

Posted on: 01 January 2013 at 17:04 hrs


28 December 2012

Card Fraud

A recent blog post about cardholder-not-present (CNP) fraud reminded me to mention the UK statistics for payment card fraud.

Page from 'Fraud The Facts 2012' displaying a table of annual fraud losses on UK-issued cards between 2001 and 2011

Fraud The Facts 2012 (PDF version), published by UK Payments Administration, describes the state of fraud in the UK payment industry. Information in the section on plastic card fraud includes data on the scale of fraud and trends, with additional details about CNP fraud, counterfeit card fraud, lost & stolen card fraud, card ID theft, and mail non-receipt fraud. The measures being taken by the UK payments industry are also described briefly.

The section on online and phone banking fraud describes losses over the last seven years, the most common scams (phishing, malware and money mules), and the steps being taken by the industry to prevent online and telephone fraud.

The document also includes information on cheque fraud, and fraud prevention advice for cardholders.

Posted on: 28 December 2012 at 09:41 hrs


14 December 2012

Protection Against Business Logic Attacks?

It took me a while to hear about a recent research report from the Ponemon Institute regarding application business logic attacks.

Partial view of a chart in the Ponemon Institute report '2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition'

2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition, published in early October, describes the results of a survey of 425 United Kingdom IT and IT security practitioners with some responsibility for the security of their transactional website and who were familiar with logic abuse. A parallel report details the survey of 643 similar professionals in the United States of America. In these studies, business logic abuse is the misuse of intentional web site functionality to "perpetrate cyber attacks, hacks or fraud".

The most interesting figure is that 90% of companies lost revenues due to the financial or brand impact of fraud (alone?), and 20-25% lost more than 5% of their total revenues. The business logic abuse scenarios presented are web scraping, account hijacking, click fraud, botnets causing denial of service, electronic wallet exploitation, coupon abuse, testing stolen credit cards, mobile device malware to take over customer accounts, app store/marketplace fraud, and mass registration.

However, I was most interested to see what these IT and IT Security practitioners considered ought to be the steps that are taken to detect or prevent business logic abuse. The answers appeared to be selected from a pre-defined list provided in the survey, with "Manual inspection and assessment of web pages" during development and in production seemingly being the two most "important or very important" methods (each by about 50% of those responding). This is not "business logic security testing" since "thorough testing of the website's functionality prior to production" was a different item and considered important or very important by 20-30% of those responding.

But there was no mention of defining security requirements in advance, secure design, threat assessment, manual and automated code analysis, etc, or of building attack detection and prevention into the web sites themselves. Yes, web application firewalls (WAFs) and "content aware firewalls" were mentioned, and it seems the surveys' authors and respondents are very biased towards operational practices.

The reports' conclusions appear to have missed that the activities are generally too late (not just too little), and that a range of security practices are needed throughout the software development life cycle (SDLC). However, the reports' recommendation to assign responsibility for web site security is correctly the most important first step.

Posted on: 14 December 2012 at 18:12 hrs


07 December 2012

Waffish Behaviour in 2012

In Scotland and northern England, a "waff" is a gust or puff of air, or a passing glimpse. It is also a verb meaning to flutter or cause to flutter. In this post I want to avoid hot air, waffle and waggish comments to highlight guidance on the deployment and use of web application firewalls (WAFs).

Crowd/queue control barriers

WAFs can be controversial in that they can be a blunt instrument to add some protection to web applications, may not be well understood, are often not configured well, can be expensive to acquire, require an ongoing resource commitment, may cause problems with valid business functionality, could lead to the delegation of responsibility for application security primarily to operations, and if not integrated with other software assurance activities, can lead to the mistaken assumption that applications are secure. These issues need to be considered, but WAFs are a valid tool to have in your arsenal of defences.

Some more recent, and older long-standing, viewpoints and uses are described in the sources listed in alphabetical order below:

If you have, or are thinking of using WAFs, do read all of the above and subsequent discussions about some of those papers, as well as listening to suppliers/vendors. Then make up your own mind.

Posted on: 07 December 2012 at 08:54 hrs


04 December 2012

Denial of Service Attack Defences

Another recent paper from Securosis addresses defending against denial of service (DoS) attacks.

The title sheet from the paper 'Defending Against Denial of Service Attacks'

Defending Against Denial of Service Attacks examines the types of attacks currently prevalent, and methods to maintain availability and minimise the adverse economic effect. The paper begins by identifying the threats: protection racketeers, hacktivists, cyber war, exfiltrators, competitors, and business success itself.

The types of attack are described, along with defences for networks and for applications. For applications, the paper covers building security into the software development life cycle, web application firewalls (WAFs), anti-DoS devices and service providers, and content delivery networks (CDNs), and recommends a multi-faceted approach to application DoS protection.

I think some applications will just be more problematic than others and avoiding security vulnerabilities, minimising the attack surface and building in application-specific attack detection and response will help here too.

The paper includes links to further insightful sources of information, and recommends that to be effective, the process for defending against denial of service attacks needs to include activities before, during and after an attack.

Posted on: 04 December 2012 at 08:00 hrs


27 November 2012

Personal Data Anonymisation Code of Practice

The UK's Information Commissioner's Office (ICO) Head of Policy, Steve Wood, recently discussed the issues around data anonymisation on the ICO blog. Anonymised data is information that does not identify any individuals, either in isolation or when cross referenced with other data available, and he suggested the need to develop an effective and balanced risk framework for personal data anonymisation to protect privacy and yet provide opportunities to exploit the data.

the risk of identification must be greater than remote and reasonably likely for information to be classed as personal data under the DPA

Anonymisation is another technique that can be used to reduce the risk from the loss or unauthorised access to personal data, along with data minimisation, pseudonymisation, aggregation, masking, encryption and tokenisation.

Following the ICO's public consultation earlier in 2012, a new code of practice has been issued under the Data Protection Act that focuses on managing the data protection risks related to anonymisation. Anonymisation: Managing Data Protection Risk Code of Practice intends to assist organisations that need to anonymise personal data, identifies the issues to consider, discusses whether consent is required, confirms there are fewer legal restrictions on anonymised data, and describes the legal tests required under the Data Protection Act.

The code provides guidance on a decision making process to help when considering the release of anonymised data that includes establishing a process to take into account the:

  • likelihood of re-identification being attempted
  • likelihood the re-identification would be successful
  • anonymisation techniques which are available to use
  • quality of the data after anonymisation has taken place and whether this will meet the needs of the organisation using the anonymised information.

The key point behind the code is the need to make a risk-based decision, and this could form part of a privacy impact assessment.

I very much like the examples and case studies in the three annexes. The case study in Annex 1 includes an example of how the "scope of personal data" can be minimised in the same way the "scope for PCIDSS" can be. In the latter, the storage of encrypted cardholder data by an organisation that does not have access to the encryption keys can be deemed out of scope of PCIDSS requirements. In the code's case study, the partial redaction of data means the originating organisation must still consider the information as personal data (because it has the full version of the data, and the key to reverse the redaction), but another party that only has the redacted data set does not need to treat the information as personal data. These are parallel compliance examples.

The section on governance discusses the need for assigning responsibilities, providing staff training, having procedures to help identify difficult cases, keeping up-to-date with legislation, the use of privacy impact assessments, being transparent with the individuals concerned, reviewing possible consequences, and preparing for an incident when re-identification has occurred.

Posted on: 27 November 2012 at 21:33 hrs


23 November 2012

Mobile Internet Usage Adoption and Trends 2012

Two reports just published provide some useful data on mobile uptake.

Partial screen capture showing part of the infographic on the 34sp blog 'Will the Mobile Internet Overtake the Desktop?'

The IAB has announced its US Mobile Shoppers Survey 2012. Apart from a shiny infographic, the PowerPoint-style report can be downloaded without registration. Almost 70% of US citizens have a smartphone, tablet or e-reader, and the overwhelming majority of smartphone owners have used them to access retailers' web sites and mobile apps. 50% of smartphone users and 30% of tablet users have used their devices in-store.

In a related blog post at 34sp.com, the degree to which mobile internet is replacing desktop internet usage is analysed. Some data is sourced from traffic to their own systems, and so is not necessarily representative of more general trends, but the post also includes information from a wide range of other sources. Most interesting statistic: mobile-only web users in rapidly advancing countries like South Africa, India and Egypt account for more than double the proportion of users seen in the US.

Certainly there is a challenge to maintain security and compliance, such as for privacy, in such rapidly changing market conditions where there is a dash to support mobile.

Posted on: 23 November 2012 at 10:26 hrs



Threats : Web Security, Usability and Design
© 2008-2013 clerkendweller.com