18 June 2013

Vulnerabilities

Posts relating to the category tag "vulnerabilities" are listed below.

18 June 2013

Website Security Statistics Report 2013

WhiteHat Security in the United States has published another edition of its Website Security Statistics Report. This would seem to be the 13th edition, although the numbering label appears to have been dropped.

Partial image of one of the industry scorecards from the WhiteHat Website Security Statistics Report 2013

Like previous editions, the 2013 report contains a wealth of valuable information about the prevalence of web site security vulnerabilities, the time required to resolve them, the drivers for application security, accountabilities for system/data breaches, and what type of security activities are being undertaken in the software development processes to prevent vulnerabilities occurring in production releases.

Information leakage and cross-site scripting continue to be the most prevalent issues found. SQL injection is still notable, although its prevalence has reduced slightly over the last eight years, but it is certainly not yet extinct. The most common drivers for security are reported to be compliance and risk reduction.

But I am most excited about the industry-sector scorecards included for banking, financial services, healthcare, retail and technology industry. These summarise the report's data for each sector in an easily comprehensible manner. They are ideal templates for an organisation's own high-level web site security metrics dashboards.

As mentioned before, the definition of "serious vulnerabilities" in previous versions of this report included only those with a High, Critical or Urgent severity as defined by PCI DSS naming conventions, exploitation of which "could lead to server breach, user account take-over, data loss or compliance failure". The current edition seems to have changed this to "those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news". So somewhat wider, but it would be good to know more about this definition.

Registration is required to download the report at the link provided above.

Posted on: 18 June 2013 at 18:17 hrs


03 June 2013

Presentation from OWASP London, 3rd June 2013

Today's OWASP London event was very successful.

Colin Watson demonstrating the use of OWASP Cornucopia Ecommerce Website Edition to assess the application security requirements for an externally hosted payment page

The majority of attendees had never been to an OWASP event previously, and three-quarters were developers. My own presentation has been uploaded to:

I have also uploaded an updated version of OWASP Cornucopia - Ecommerce Website Edition (v1.01) with some minor changes and additions:

  • Framework-specific card deck discussion added
  • Additional FAQs created
  • Descriptive text updated
  • New cover image, and previous cover image moved to back
  • Cut lines added
  • Alternative rules and deck subset descriptions added
  • Project website and mailing list added
  • Cornucopia King cross-reference to AppSensor updated.

Play to win!

Update 10th June 2013: The video recordings from are now available. The videos can be accessed via the links on the EU Tour 2013 London page. The recording of my own OWASP Cornucopia Ecommerce Website Edition presentation is here.

Posted on: 03 June 2013 at 18:33 hrs


21 May 2013

OWASP EU Tour 2013 in London on June 3rd

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCI DSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Update 29th May 2013: Dinis Cruz, Rory McCune and Tobias Gondrom are now also speaking.

Posted on: 21 May 2013 at 19:59 hrs


12 April 2013

State of Software Security Report Volume 5

The fifth semi-annual "State of Software Security Report - The Intractable Problem of Insecure Software" has been issued by Veracode (see my previous comments on volumes 1, 2, 3 and 4).

Partial view of the cover sheet from Volume 5 of Veracode's 'State of Software Security Report - The Intractable Problem of Insecure Software' report

In Volume 5, there is extended analysis of the vulnerability trends, an analysis of issues by five common programming languages (Java, .NET, C/C++, PHP and ColdFusion), and a more detailed description of the data broken down by three types of application: mobile, web and non-web.

The analysis of the mobile applications tested includes a table showing the distribution of vulnerability types for Android, iOS and Java ME, highlighting how the platform significantly affects the types of flaws found. The data on mobile apps remains a very small proportion of the total data set. Appendix A includes further detail on the data set, and this reveals that 78% of the applications were internally developed, 14% commercial, 7% open source and just 1% outsourced.

Posted on: 12 April 2013 at 13:55 hrs


09 April 2013

Upcoming OWASP Conferences

Three regional OWASP application security conferences are planned for later this year.

Photograph of the top-level structure of the London Shard

OWASP runs the most comprehensive application security conferences with a very high standard of training courses, speakers and delegates to network with. The next three conferences are:

  • August 20-23: AppSec EU Research 2013, Hamburg, Germany
  • October 1-4: AppSec Latam 2013, Lima, Peru
  • November 18-21: AppSec USA 2013, New York, USA

The calls for training and papers are open for AppSec EU and AppSec USA. I hope to attend both of these. AppSec Asia will occur again in spring 2014.

Posted on: 09 April 2013 at 08:23 hrs


22 February 2013

Threats, Attacks, Exploits and Defences

On Wednesday this week, Trustwave published the full version of its latest global information security report. It is comprehensive, information-rich, and well designed.

Part of page from the Trustwave 2013 Global Security Report showing a diagram that illustrates the main sectors for which mobile apps security testing data in the report relates to

The 2013 Trustwave Global Security Report (registration required) provides information from their incident investigations, updates from law enforcement agencies around the world (including SOCA), threat intelligence (attack sources, motivations, emerging techniques, attacks and defences), and some international perspective viewpoints. The sources used to aggregate data and draw conclusions from include their vulnerability scanning, penetration testing and incident response investigation services, publicly disclosed data breaches, email sources, published vulnerabilities, and analysis of malicious web sites. Even this cannot be said to be completely representative, but it is amongst the better data available.

Based on the incident investigation information, payment cardholder data was the primary target because it is highly saleable for subsequent use in fraudulent transactions. Secondly, personal data is noted as having some monetary value. The primary targets were retail, food & beverage and the hospitality sector via their e-commerce and retail channels (web sites and point of sale/payment processing). These of course reflect organisations that are required to, or felt the need to, engage a company like Trustwave to perform incident investigation. Thus there will be a bias towards medium and larger organisations holding personal, credit and debit card data.

Where large quantities of data were compromised, the incident investigations identified weak administrative credentials, SQL injection and remote file inclusion as the primary vulnerabilities, with data being exfiltrated using HTTP and HTTP over TLS, RDP, SMTP and SMB protocols due to missing egress firewall controls. The report recommends building a defence in depth strategy with multiple layers of security. In terms of important applications, a holistic approach that builds security in throughout the development and operation is required. In the section on international perspectives for EMEA, the report notes there is an increasing trend of medium-sized and non-banking organisations developing strategic application security programmes, where assurance activities are based on the business risk each application presents.

Information points from the WASC Web Hacking Incident Database are also presented. These relate to publicly reported incidents of web applications during 2012 that have an identified outcome. This does not pretend to be fully representative of all web application attacks, but it does represent many significant events. The most common attack methods were denial of service followed by SQL injection.

The top 10 application vulnerabilities (I believe the label on the table on page 50 possibly mistakenly includes the word "mobile") highlights how common cross-site scripting (XSS) and cross-site request forgery (CSRF) are, based on a sample of application penetration tests. Separate information is also presented for mobile application penetration tests, comparing the findings to the OWASP Mobile Top 10.

The other part of the report of interest to application software designers and architects is the statistical analysis of nearly 3.1 million encrypted passwords from Active Directory servers. In order of number of occurrences, "Welcome1" is the most common password, followed by "STORE123", "Password1", "password", "Hello123", "12345678", "training" and "Welcome2". "STORE123" sounds very like point of sale (POS) systems. These results, and the analysis of password composition and markup, will be useful where there is a desire to limit the use of common passwords and formats.
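One way to turn findings like these into a registration-time control, as an added example that is not part of the original post or of the Trustwave report: the denylist below is seeded only with the eight passwords quoted above, the base-word list and the "word plus short digit suffix" pattern are my own generalisation of the shape those passwords share, and the 12-character minimum is an assumed local policy rather than anything the report recommends. The composition mask mirrors the kind of "markup" analysis the report describes, so that rejected attempts can be counted by shape rather than logged verbatim.

```python
import re

# Denylist seeded with the most common passwords quoted from the report's
# Active Directory sample (constructed here; a real deployment would load a
# much larger breached-password list).
COMMON_PASSWORDS = {
    "welcome1", "store123", "password1", "password", "hello123",
    "12345678", "training", "welcome2",
}

# Base words that recur in that sample once the trailing digits are removed.
COMMON_BASE_WORDS = {"welcome", "store", "password", "hello", "training"}

# Assumed pattern for the "dictionary word plus a short digit suffix" shape
# that dominates the list (Welcome1, STORE123, Hello123 ...).
WORD_PLUS_DIGITS = re.compile(r"^([A-Za-z]+)(\d{1,4})$")

# Assumed local policy: minimum length for a user-chosen password.
MIN_LENGTH = 12


def composition_mask(candidate: str) -> str:
    """Return the password's shape: U=upper, l=lower, d=digit, s=other.

    The mask is safe to log or aggregate, unlike the password itself.
    """
    mask = []
    for ch in candidate:
        if ch.isupper():
            mask.append("U")
        elif ch.islower():
            mask.append("l")
        elif ch.isdigit():
            mask.append("d")
        else:
            mask.append("s")
    return "".join(mask)


def password_problems(candidate: str) -> list:
    """Return a list of reasons the candidate should be rejected (empty if none)."""
    problems = []
    lowered = candidate.lower()

    # Case-insensitive exact match against the denylist.
    if lowered in COMMON_PASSWORDS:
        problems.append("exact match with a common password")

    # Word + short digit suffix: flag it, and flag harder when the word is one
    # of the bases seen in the sample (catches Welcome3, STORE9999, etc.).
    match = WORD_PLUS_DIGITS.match(candidate)
    if match:
        base = match.group(1).lower()
        if base in COMMON_BASE_WORDS:
            problems.append(f"common base word '{base}' with a digit suffix")
        else:
            problems.append("word followed by short digit suffix")

    if candidate.isdigit():
        problems.append("digits only")

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    return problems


def is_acceptable(candidate: str) -> bool:
    return not password_problems(candidate)


if __name__ == "__main__":
    # Constructed sample attempts: the report's top entries plus two others.
    for attempt in ["Welcome1", "STORE9999", "Summer2013", "12345678",
                    "correct horse battery staple"]:
        print(f"{attempt!r:32} {composition_mask(attempt):30} "
              f"{password_problems(attempt) or 'ok'}")
```

The regex deliberately only matches a letters-then-digits shape; passphrases with spaces or punctuation fall through to the length check alone, which is the behaviour you want if the aim is to push users away from the "Welcome1" family rather than to forbid long phrases.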

Definitely worthwhile reading.

Posted on: 22 February 2013 at 11:06 hrs


15 February 2013

OWASP Top 10 - 2013 Release Candidate

A draft of the next edition of the OWASP Top 10 is available for review and comment.

OWASP Top 10 - 2013 Release Candidate includes some changes to the current 2010 edition:

  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards

OWASP plans to issue the final public release of the OWASP Top 10 - 2013 in April or May after a public comment period ending 30th March 2013. The alternative methods for submitting comments are described on the first page of the draft document. There are discussions already on the OWASP Top Ten Project's mailing list.

Posted on: 15 February 2013 at 18:30 hrs


25 January 2013

ICO Fines Sony Over PlayStation Network Compromise

Sony Computer Entertainment Europe Limited (SCEE) has received a monetary penalty of £250,000 from the UK's Information Commissioner's Office (ICO).

...the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.

The monetary penalty notice describes the background and the ICO's reasoning but is heavily redacted. Apparently the intrusion and theft of data occurred as a result of an attack that exploited unpatched software to gain access to personal and business data, including insecurely stored passwords. It is a great pity the monetary penalty notice has had redactions, since other similar ICO notices and undertakings don't seem to be able to have this benefit, and neither do organisations issued with enforcement notices by the FSA.

SCEE are allowed an early payment discount of 20% if the monetary penalty is paid by 14th February 2013, but it is widely reported that Sony are to appeal against the decision. But I am not sure that whether it was "a focused and determined criminal attack" or not makes any difference as to the requirement for baseline security measures. Also that "there is no evidence that encrypted payment card details were accessed" and that "personal data is unlikely to have been used for fraudulent purposes" doesn't mean there wasn't a breach of the Data Protection Act 1998.

Posted on: 25 January 2013 at 08:35 hrs


11 January 2013

Software Vulnerability Counting

There's a great post on the Open Source Vulnerability Database blog about software vulnerability figures that reminds us not to trust statistics.

Advisories != Vulnerabilities

The comparison of counts of advisories and vulnerabilities from Microsoft and independent sources reveals a lot of leeway in the presentation of facts. This problem is nothing to do with Microsoft in particular; the same applies to all published vulnerability data, and even to assessment and testing reports. The vulnerability density (vulnerabilities per software product, lines of code, customer, etc.) would seem to be more important in any case.

If you remember, Microsoft does not take into account likelihood in its severity ranking, so "critical" and the other categories can also be misleading. So, if I may, I might add:

Vulnerabilities ~= Risk

where I choose "~=" to represent "do not necessarily equal". Determine whether each vulnerability affects you in your own environment, the likelihood of it being exploited, and what the actual impact could be.

Posted on: 11 January 2013 at 19:32 hrs


09 January 2013

Website Information Leakers

I just came across KPMG's review of information leakage from corporate web sites, published in September.

Partial image of a figure from '' showing the top 10 countries vulnerable to potential attack via vulnerable server software

Hopefully nothing new, but the report sums up the typical state of configuration of many web sites. Most web sites publicly leak information which is useful to an attacker when crafting their subsequent search for vulnerabilities. KPMG simply reviewed the public-facing resources of 2,000 companies, from a wide range of sectors, in the Forbes 2,000 list to identify many missing security basics.

Publish and be Damned, Cyber Vulnerability Index 2012 is a quick read; what can you expect to discover?

  • Large number of sensitive file locations and "hidden" functionality such as administrative interfaces (with banking the worst affected sector)
  • Exposure of sensitive information in millions of online forum and newsgroup postings (with software & services the worst sector)
  • Thousands of web servers with missing security patches or outdated software (with Japan, Switzerland and Kazakhstan the worst countries, and Utilities the worst sector)

How well would your organisation do?

Posted on: 09 January 2013 at 08:41 hrs


Vulnerabilities : Web Security, Usability and Design
http://www.clerkendweller.com/vulnerabilities