
Posts relating to the information security principle "Non-repudiation" are listed below.

07 April 2014

Do You Know OWASP AppSensor on Twitter?

At the weekend I received an email message from Twitter to OWASP Cornucopia with the subject line "Do you know OWASP AppSensor on Twitter?".

Screen capture of an email from Twitter to @OWaspCornucopia with subject line 'Do you know OWASP AppSensor on Twitter?'

That's a "yes". I am a Project Leader for both of these OWASP projects with their own Twitter accounts:

Good guess Twitter!

My own Twitter account is @clerkendweller.

Posted on: 07 April 2014 at 12:31 hrs

04 April 2014

Regulation of Software with a Medical Purpose

I seem to have a series of regulation-related posts at the moment. Perhaps it is the time of year. An article on OutLaw.com discusses how mobile apps and other software with a medical purpose may be subject to regulation.

Photograph of shelves in a shop displaying rows of medications

The UK's Medicines and Healthcare Products Regulations Agency (MHRA) is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe. It has issued new guidance on "medical device stand-alone software (including apps)" which is defined as "software which has a medical purpose which at the time of it being placed onto the market is not incorporated into a medical device". Thus "software... intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception..."

Guidance on Medical Device Stand-alone Software (Including Apps) describes the scope, requirements and software-specific considerations. Product liability and safety considerations are also mentioned.

This introduces the potential need for registration, documentation, self-assessment, validation, monitoring and incident reporting, especially if the software performs any form of diagnosis or assessment. The OutLaw.com article provides a good analysis and views from experts.

Posted on: 04 April 2014 at 10:11 hrs

27 March 2014

Web Security Incident Records and Classifications

I just went through the list of recent enforcement actions taken by the ICO.

Screen shot of the submitted response that reads 'Would it be possible for the ICO to classify the vulnerabilities/weaknesses related to software (e.g. websites) in monetary penalty notices, enforcement actions and undertakings? i.e. any published vulnerabilities (CVEs), misconfigurations (CCEs) or software weaknesses (CWEs) that were exploited. Where an incident involves a mis-directed email or fax, or an unencrypted laptop, the root cause is easily identified, but in software-related incidents, there is not the same degree of clarity from the ICO. This information would be invaluable for research, help raise awareness, and assist other organisations to focus their efforts. References https://cve.mitre.org/ http://cce.mitre.org/ http://cwe.mitre.org/ http://scap.nist.gov/'

Periodically I collect information from there and submit incidents to the Web Hacking Incident Database (WHID) using their submission form.

It was disappointing to note the lists of monetary penalty notices, enforcement actions and undertakings on the ICO web site have been truncated and there is no archive. The site's search can be used for some, but I still had to access the helpful Breach Watch to access some past ICO documents. I submitted website feedback about this to the ICO.

The WHID incident submission form asks for the attack method, weakness exploited and outcomes. In many cases this will be unknown, but this prompted me to make a request to the ICO that they classify incidents to raise awareness, help others and help the prioritisation of risk reduction measures. There wasn't an appropriate place on the main ICO web site to do this, so I submitted the suggestion (see image above) on the latest blog post by their Group Manager, which also mentions the recent British Pregnancy Advice Service (BPAS) data breach. Awaiting moderation.

Update 9th April 2014: Just noticed, my comment has been published.

Posted on: 27 March 2014 at 11:24 hrs

18 March 2014

Extra Curricular Activities for AppSec EU 2014 Cambridge UK

Remember that OWASP AppSec Europe 2014 is being held in the university city of Cambridge during June.

This is a great opportunity for software builders, breakers and defenders to attend training and presentations by the leading application security experts in the world. AppSec Europe is running from Monday 23rd to the Thursday 26th of June 2014 at Anglia Ruskin University in Cambridge, UK.

Anglia Ruskin Cambridge Campus is located between the railway station and the centre of Cambridge; Cambridge is 45-60 minutes from London (King's Cross station) by train (driving by car is possible but not recommended).

The training and conference schedule will be published in a few weeks, but it is worth getting the dates in your diary now.

If you are planning your visit, you may want to allow time to see some other places of interest before or after the training and conference. I heard there is going to be a punting competition on Friday 27th, and there are of course many things to see and do in Cambridge, nearby London, and further afield in the UK. If you have science and technology interests, I suggest these places in London and Cambridge.

Engineer Tony Sale demonstrating the rebuilt Colossus at The National Museum of Computing, Bletchley

Highly recommended:

  • Bletchley Park and The National Museum of Computing, in Bletchley near Milton Keynes, the centre of the UK's code breaking activities during World War 2, with the largest collection of functional historic computers in Europe and, most impressively, a rebuilt Colossus, the world's first electronic computer
  • Science Museum, in South Kensington London, including Charles Babbage's drawings for the first calculating machines and a recently constructed fully functional Difference Engine #2, built from the original designs
  • National Maritime Museum and Royal Observatory in Greenwich London - the prime meridian / GMT 0
  • Kew Bridge Steam Museum with its gigantic steam engines (running weekends), and nearby Royal Botanic Gardens with its historic glasshouses in Kew London

Babbage's Difference Engine #2 at the Science Museum, London

Also consider these:

The prime meridian at Greenwich, London

The London Underground is an antique itself (just over 150 years), so if you are into such things there is also the London Transport Museum in Covent Garden, London. Other more general museums to visit are probably the British Museum in London and the Fitzwilliam Museum in Cambridge. For a view over the whole of London, try the Shard, the tallest building in Western Europe (tickets required, book in advance).

If you have any other suggestions for visitors, or questions about other types of places to visit or things to do, please contribute.

Posted on: 18 March 2014 at 08:29 hrs

04 March 2014

Apple iOS Security

Apple has released an update to its previous 2012 guide to iOS security.

Cover page from the new Apple security guide to 'iOS Security' published February 2014

The new version, iOS Security, February 2014 has 50% more content, with new sections about:

  • System Software Authorization
  • Secure Enclave
  • Touch ID
  • FIPS 140-2
  • A whole new section on App Security
    • App Code Signing
    • Runtime Process Security
    • Data Protection in Apps
    • Accessories
  • Single Sign-on
  • AirDrop Security
  • Another new section on Internet Services
    • iMessage
    • FaceTime
    • Siri
    • iCloud
    • iCloud Keychain

And updated content in the previously existing System Architecture, Encryption and Data Security, Network Security and Device Access sections.

Posted on: 04 March 2014 at 08:33 hrs

25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or fewer people. 30% of respondents had development teams with fewer than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Centre has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs

14 February 2014

Web Application Security Vulnerability Scanner Comparison 2014

Commercial and open source tools and services used to scan web applications for security vulnerabilities have again been assessed and compared.

Partial screen capture of the web application scanner price and feature comparison table, updated 6th February 2014

Shay Chen has undertaken an enormous re-assessment of 63 "black box" web application security vulnerability scanners.

The work, methodology, findings and analysis are extensively documented in Shay's own blog post The Web Application Vulnerability Scanners Benchmark. The assessment involved using a collection of 1413 vulnerable test cases spanning six different attack vectors (SQL injection, reflected cross-site scripting, path traversal/line feed injection, remote file inclusion, unvalidated redirects, presence of old, backup and unreferenced files).

There is a lot of variation, and comparisons are difficult. Getting adequate coverage of your own applications by tools can be challenging, or at least time-consuming. And, despite the large amount of effort taken to perform this comparison, not all the vulnerabilities that could be present in your own web applications will have been tested in this exercise. Furthermore, you might have non-web applications to test as well.

I am not sure I can add anything to Shay's own extensive description of the research. Read his findings and draw your own conclusions.

Posted on: 14 February 2014 at 07:55 hrs

11 February 2014

Notes from Gamifiers London 05 Feb 2014

Gamifiers is a quarterly London meet up, for people who use, or want to use, gamification in their team, organisation, product or service.

As mentioned previously I attended the Gamifiers meet up on 5th February.

Photograph of Toby Beresford introducing the gamifiers meet up at IBM Southbank Client Centre on Wednesday 5th February 2014

Co-organiser Toby Beresford explained the morning's agenda and started the event by describing, and debating his own ideas about game rule maturity and the growth of tournaments and leagues. Andrzej Marczewski continued the introductory part mentioning the International Gamification Confederation (GamFed) and also some information from Gartner that "80% of gamified applications will fail". I challenged this by suggesting that "100% of Gartner reports state that 80% of something will fail/not succeed/are worse/etc".

An Coppens described her Master's work on using gamification in the recruitment process. She described how there is high staff churn in on-air planner roles for TV advertising. It is a high pressure role, generally with a lack of an internal promotion route and in an industry that means there is often a poor candidate fit (i.e. the role attracts the wrong people), combined with being in a heavily regulated sector. An identified the types of skills and etiquette required to stay in the job for the 18 months needed to become proficient, and created a game to screen candidates that is fun to play, but includes real job-related metrics. The idea was subsequently implemented partially by one TV broadcaster, but the concept could be applied in other sectors.

Then Ed Cervantes-Watson described how Cancer Research developed Dryathlon to increase the charity's engagement with males, and to provide another fundraising channel. The website had an extremely high conversion rate to participants, but they discovered that the volunteers who were directly recruited, and were given personalised motivation emails and badges, generated 40% more income than those that had signed up via other routes that did not provide these. Ed went on to present a new game called Genes in Space, which uses game players' eyes to help identify mutations in genome data that are then investigated in more detail by the charity's scientists. Gamers plot courses through obstacles without knowing they are actually reviewing genome data.

Peter Laughton gave an insight into current game design trends, which I have summarised below:

  • Move from landscape to portrait orientation
  • From (back from) thumb to index finger
  • Multiple currency support
  • Rise of downloadable content, to get people involved in your universe
  • Make the game for less money, $1 million instead of $10 million
  • Interaction distance from 3m back to 30cm, playing on a tablet typically
  • Multiplayer rules more important
  • Fail fast, develop 10% first, if it works build rest

After a refreshment break, I presented the application security card game OWASP Cornucopia, telling the story of how the idea emerged, how it was created, and events that transpired, including support from Blackfoot. I also described how it has been promoted through social media and at other events. We then had a game of cards using an example web administrative area as the subject of our attacks.

The comments and ideas while playing the games were tremendously helpful. The participants were neither software developers nor information security folk, so it was interesting to hear the views of people who are much more experienced gamifiers. I will write up the feedback and publish it on the public Cornucopia mailing list.

Thank you to IBM Southbank for providing the venue and refreshments.

Posted on: 11 February 2014 at 09:32 hrs

31 January 2014

Gamification the OWASP Cornucopia Way

I am running a workshop around the use of the OWASP Cornucopia security requirements card game next week on Wednesday 5th February in London.

A few cards from a pack of OWASP Cornucopia Ecommerce Website Edition

The workshop is being organised as part of the regular free Gamifiers Meetup.

The first session with a number of excellent speakers, from 09:30 to 11:00, will discuss how gamification can uplift key performance indicators. Then in the second session from 11:00 to 14:00 hrs I, and my colleagues from Blackfoot, will introduce Cornucopia, how the game was designed, the factors important in its design and how it has developed. We will have an opportunity to play the game.

You will need to register for each session independently: session 1 and session 2. The location is IBM Southbank, 76/78 Upper Ground, Southbank, London SE1 9PZ.

I am also hoping to speak about the game at OWASP Manchester later in February.

Posted on: 31 January 2014 at 08:29 hrs

25 January 2014

Cloudy With Poor Visibility

On Thursday last week I attended a different sort of regular London event for the first time.

CloudCamp sign outside the event in Shoreditch, London, UK

The CloudCamp London meeting with the topic It's all About the Apps! on Thursday 23rd January was held in Shoreditch Works Village Hall in trendy Hoxton Square.

It seems CloudCamp is meant to be an "unconference" where "early adopters of Cloud Computing technologies exchange ideas". Mmmm. I did not partake of the free beer or free pizza, and wasn't sure who had paid for it, and should have been more worried about the use of the term "unconference" and the location being called a "village hall". I should have also taken note of the warning signal when the start time moved twice due to "the BBC running late".

Due to the topic I was expecting more of a technical audience. It wasn't that there weren't people with deep technical knowledge, but they seemed somewhat overwhelmed by the businessy, especially salesy types. And I found some of them a bit annoying.

There was a 15-20 minute introduction followed by half a dozen 5-minute lightning talks. The latter provided some insight into the motivations of people attending, but there seemed to be a lack of clarity about what cloud is. I was hoping it was something other/more than "to reduce the number of systems administrators" an organisation has. To summarise, I think the main take-aways were:

  • Cloud is still not defined
  • There is now legacy cloud
  • ITIL is a four letter word

It might be the right sort of event for you, but I am undecided if I would attend again. I think perhaps my expectations were off the mark. Go and make your own mind up.

Posted on: 25 January 2014 at 16:50 hrs
Non-repudiation Security Principle : Web Security, Usability and Design
© 2008-2014 clerkendweller.com