Vulnerabilities

Posts relating to the category tag "vulnerabilities" are listed below.

10 January 2012

Report on Dynamic Application Security Testing (DAST) Solutions

Gartner published its report Magic Quadrant for Dynamic Application Security Testing (DAST) at the end of December.

The cover from Gartner's 'Magic Quadrant for Dynamic Application Security Testing' by Neil MacDonald and Joseph Feiman

The report is currently available to download free of charge if you register on Veracode's website. But it looks like if your turnover is less than $500 million, or say it is, the sales folk may be less likely to bother you.

The report is a useful summary, but I don't think it does enough to highlight the need for DAST to be just one part of a mix of activities contributing to a secure software development lifecycle, and therefore more secure applications. There's plenty of activity out there combining developer training, secure coding guidelines, vulnerability management, web application firewall dynamic patching and static analysis techniques too.

Posted on: 10 January 2012 at 08:48 hrs

27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs

25 November 2011

XSS Deep Dive

While on the topic of research papers, I came across another interesting paper on the UC Berkeley web site while checking the reference for the effect of development tools on security.

Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin and Dawn Song have undertaken an assessment of cross-site scripting (XSS) sanitisation in web application frameworks. A Systematic Analysis of XSS Sanitization in Web Application Frameworks is somewhat heavy on the maths in places, but that shouldn't put off those involved in development who want to learn more about the difficulties of sanitisation and the limitations of the sanitisation methods that are supported in some frameworks.

Posted on: 25 November 2011 at 18:36 hrs

22 November 2011

The Effect of Development Tools on Security

In a comment about my previous post, Andre Gironda recommended another paper, this time from researchers in the Computer Science Division at UC Berkeley.

Charts from the paper 'Exploring the Relationship Between Web Application Development Tools and Security' by Matthew Finifter and David Wagner

Matthew Finifter and David Wagner's paper Exploring the Relationship Between Web Application Development Tools and Security describes an analysis of vulnerabilities in nine implementations of the same web application, developed by professional programmers.

The authors are at pains to highlight possible and actual uncertainties in their analysis which is quite limited in scope, but they have derived a very useful methodology for comparing applications developed in different languages and frameworks. Their findings with greatest confidence were:

  • There is no relationship between choice of programming language and application security.
  • Automatic (built-in) framework protection measures are effective at precluding vulnerabilities, whilst manual (optional) ones provide little value.
  • Manual source code review is more effective at finding vulnerabilities than automated dynamic (penetration) testing.

But do read the paper in full, and consider how the results might be used to improve your own secure software development lifecycles.

Although the authors discuss related work in this area, I would like to see more comparable data, but suspect that obtaining unbiased test applications may be difficult.

Posted on: 22 November 2011 at 21:02 hrs

19 November 2011

Comparison of Weakness Discovery Techniques

Andrew Austin and Laurie Williams at North Carolina State University's Department of Computer Science have published a paper comparing techniques used to discover security vulnerabilities in already implemented software applications.

Title and abstract from the paper One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques

One Technique is Not Enough: A Comparison of Vulnerability Discovery Techniques describes a comparative study to assess two electronic healthcare record applications using four different vulnerability discovery techniques:

  • Exploratory manual penetration testing
  • Automated static analysis, combined with manual review of the results
  • Automated (dynamic) penetration testing, combined with manual review of the results
  • Systematic manual penetration testing

The paper is a superb review of the pros and cons of each technique. I was a little confused at first about the vulnerability discovery rate metric, since it excludes the time for tools to run. I also think the data in Table VI might not be consistent with the previous tables in the paper, but I may have misunderstood something here.

Nevertheless, this doesn't affect the conclusions that systematic manual penetration testing was the most efficient technique for finding design flaws, but combining that with both static analysis and automated penetration testing will provide the most comprehensive results, since no single technique discovers every type of vulnerability.

Posted on: 19 November 2011 at 18:30 hrs

09 September 2011

Secure Web Application Development and Implementation

The UK's Centre for the Protection of National Infrastructure (CPNI) has updated its guidance on protecting business applications with the publication this month of a new document on developing and implementing secure web applications.

Partial image of the title sheet from the Centre for the Protection of National Infrastructure CPNI guidance document 'Development and Implementation of Secure Web Applications', published in August 2011

Development and Implementation of Secure Web Applications is a well-written and digestible 81-page A4 document arranged in seven main sections:

  • Introduction to web application security
  • General aspects of web application security
  • Access handling (authentication, session management and access control)
  • Injection flaws
  • Application users and security
  • Thick client security
  • Preparing the infrastructure

It appears to replace the good, but somewhat dated document "Briefing 10/2006 - Secure web Applications - Development, Installation and Security Testing" created by their predecessor, the National Infrastructure Security Co-ordination Centre (NISCC), and issued in April 2006. The new document is more compact and focused, and I think I prefer it. Yes of course it is more up-to-date, and while it would be possible to argue why some things are included and not others, these other things tend to be explained further in the references. It's clear there is considerable overlap with information from OWASP and the Microsoft SDL, but I'm sure the reverse is true to an extent too.

It is very encouraging that CPNI have taken the time to produce an updated document, but that probably reflects the types of risks facing their audience. I am especially pleased to see the section on infrastructure, since application security cannot be an island on its own. I would say the guidance is probably on the medium-to-heavy weight side of advice, but that is probably appropriate for critical national infrastructure, and the document does discuss threat modelling initially. It might seem overwhelming to some organisations new to the subject, and they might need some help on what to do first.

I think the document could perhaps do with more cross-referencing to additional information resources elsewhere. Yes, documents can always be improved, and I am sure we will find niggles and faults with use, but threats evolve and so does our knowledge.

Posted on: 09 September 2011 at 20:00 hrs

02 September 2011

Software Assurance (SwA) Forum - Fall 2011

I have been invited to run a workshop at the next Software Assurance (SwA) Forum in Arlington, Virginia.

Extract from the Preliminary Draft Program Agenda for the Software Assurance (SwA) Forum on September 12-16, 2011, 'Addressing Software Risks Throughout the Supply Chain'

The Software Assurance Program of the US Department of Homeland Security's National Cyber Security Division co-sponsors SwA Forums semi-annually with the US Department of Defense and the National Institute of Standards and Technology (NIST). The events aim to bring together government, industry, and academia with vested interests in software assurance to discuss and promote integrity, security, and reliability in software.

My session on Wednesday 14th September in the track on "SwA at the Code Level" will relate to the content of the full-day training course "Application Attack Detection & Response" I am providing at OWASP AppSec USA the following week in Minneapolis.

At the SwA Forum I am also looking forward to the subsequent workshops on Dimensions of Static Analysis-Based Assurance with Mike Oara, OWASP Acquisition Language for Software Assurance with Jeff Williams, and Scalable Application Security Practices with Jim Manico. I am also hoping to hear about any updates to the previously mentioned Software Assurance Pocket Guides.

Please do attend. The 5-day programme is packed with useful sessions on practical software assurance topics.

SwA Forum - Fall 2011 is being held at the Software Engineering Institute (SEI), 4301 Wilson Blvd, Arlington, VA 22203, from 12th to 16th September 2011. There is no charge for the event but prior registration is required.

Posted on: 02 September 2011 at 07:36 hrs

08 July 2011

Clickjacking Update

A new white paper from Carnegie Mellon University describes alternative clickjacking attacks that do not rely on the use of iframes.

Photograph of signage at Tate Modern in London with the words 'Interactive Zone' written on the glass windows overlooking the turbine hall

Lin-Shung Huang and Collin Jackson announced the overview white paper Clickjacking Attacks Unresolved describing their research topic, references to related research and example demonstrations. The paper outlines how using the X-Frame-Options header and anti-framing code are recommended but are not a complete solution. The authors are continuing with their research, which will include advice on countermeasures.

So, one to watch.

Posted on: 08 July 2011 at 08:12 hrs

17 June 2011

Web Services Vulnerabilities, Attacks and Defences

I'm now back in London after my talk and live demonstration at last night's well-attended OWASP Belgium chapter meeting.

Photograph of a red metal & glass public door to an office building, with a lock and push-button doorbell visible; the door has a handmade sign taped to the inside of the glass which reads 'For out of hours access, please push the bell - this will alert security immediately'

There's a good review of the evening added very promptly by Xavier Mertens (@xme) on his blog. Josh Corman (@joshcorman) provided an unexpected extra presentation towards the end of the evening where he discussed the ideas and manifesto of the rugged software initiative. I'll come back to that at a later date, but for now would like to mention the excellent talk given by Andreas Falkenberg on web services security.

He provided a carefully structured walk-through of web services technology and SOAP security features before introducing us to the idea of signature wrapping attacks, and how they might be used to exploit public web services. He also described recommended countermeasures. I won't go into the detail here, but Andreas has a paper available if you contact him. However, I did want to mention WS-Attacks.org which is a nascent project to provide information about vulnerabilities and attacks against web service standards and implementations. Many of these are unique to web services, and are in addition to the more widely-known web vulnerabilities that affect "normal" web applications.

This is a fantastic resource, and needs greater visibility amongst those responsible for designing and implementing web services.

Posted on: 17 June 2011 at 10:33 hrs

24 May 2011

Secure Software Engineering Initiatives

The European Network and Information Security Agency (ENISA) has published a summary of Secure Software Engineering (SSE) Initiatives.

The contents page from ENISA's report on Secure Software Engineering (SSE) Initiatives, listing EXECUTIVE SUMMARY, 1. INTERNATIONAL SSE INITIATIVES, 1.1. Open Web Application Security Project (OWASP), 1.2. Common Criteria (CC), 1.3. IEEE Computer Society (CS), 1.4. International Organisation for Standardisation (ISO), 1.5. International Society of Automation (ISA), 1.6. Software Assurance Forum for Excellence in Code, (SAFECode), 1.7. SANS Software Security Institute (SSI), 1.8. Web Application Security Consortium (WASC), 1.9. Institute for Software Quality (IfSQ), 1.10. Mobile Device-Oriented, 1.11. Life Cycle and Maturity Models, 1.12. Events and Periodicals, 1.13. Certification, 1.14. Training Courses, 2. EUROPEAN SSE INITIATIVES, 2.1. Networked European Software and Services Initiative (NESSI), 2.2. OWASP Local Chapters, 2.3. Motor Industry Software Reliability Association (MISRA), 2.4. European Space Agency (ESA), 2.5. Serenity Forum, 2.6. Events and Periodicals, 2.7. Certifications, 2.8. Academic Education, 3. SSE INITIATIVES IN THE US, 3.1. CERT Secure Coding, 3.2. Build Security In, 3.3. Software Assurance Metrics and Tool Evaluation (SAMATE), 3.4. Common Weakness Enumeration (CWE), 3.5. Common Attack Pattern Enumeration and Classification (CAPEC)

The report has compiled a list of existing Secure Software Engineering initiatives focused on finding and preventing software vulnerabilities. This is a first step in addressing the problem of software vulnerabilities by ENISA which it sees as a growing problem in cyber security. The report lists 80 initiatives in the areas of:

  • Requirements engineering
  • Procurement criteria for secure software
  • Risk-based development
  • Security in agile methods
  • Policy frameworks for web access control
  • Security testing methodologies and code reviewing
  • Patch and update management

This will be a very useful reference point for other agencies, and for anyone involved with building security into the software development life cycle (secure SDLC). If anything is missing, ENISA would like to know. The report notes they found no government-driven SSE initiatives in the EU.

The project's manager Vangelis Stavropoulos and other ENISA representatives are holding a special workshop session Global Secure Software Initiatives - Beyond Awareness with OWASP to talk about this initiative with industry professionals at AppSec Europe 2011 on Thursday June 9th at Trinity College, Dublin. The session will focus on how to achieve the implementation of existing secure software development knowledge, and the role that governments can play in supporting these activities.

Also, at AppSec EU this year, the OWASP Global Industry Committee is hosting three outreach sessions on Friday the 10th of June. Nishi Kumar will be presenting "Security for Managers and Executives" to highlight the OWASP documentation, training, architecture, tools and infrastructure that is available. Rex Booth will be discussing, and seeking feedback on, the upcoming "CISO Survey" to maximise the benefit to CISOs and their peers. Joe Bernik with Sarah Baso are holding an "Industry Outreach Roundtable" which will be a forum to discuss how OWASP can give value to all industry sectors, what the impediments are and what could be changed to help.

Posted on: 24 May 2011 at 08:30 hrs

Vulnerabilities : Web Security, Usability and Design
http://www.clerkendweller.com/vulnerabilities
© 2008-2012 clerkendweller.com