07 April 2014

Non-repudiation

Posts relating to the information security principle "Non-repudiation" are listed below.

24 January 2014

Cornucopia Source Card Data

I have recently published the data on the OWASP Cornucopia Ecommerce Website Edition card game in XML format.

Part of the XML data file illustrating the format

The XML data (for version 1.03) is an extract of all the information on the playing cards included in the source word processor document. Going forward I intend to maintain both versions in parallel.

I am hoping the XML version will allow people to consume the data in other documents, applications and systems, or help them create their own printable versions more easily. Like everything else in the project this is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

As a demonstration of using the XML file, the Cornucopia project now has a Twitter account (@OWASPCornucopia), which tweets the attack text from a pseudo-randomly selected card twice daily. For example, the sequence of three (this time) tweets from a couple of hours ago today:

  • [2014-01-24] Standby, the croupier is dealing a Cornucopia Ecommerce Website Edition card http://bit.ly/1g7dEZE #owasp #pcidss #appsec ...
  • The card for Friday morning (GMT+0) is the Nine of Cryptography, which reads "Andy can bypass random number generation, random GUID...
  • ...generation, hashing and encryption functions because they have been self-built and/or are weak"

Currently the card is selected from the whole pack each time, but this could (should?) be changed to randomly select a card from the deck until all cards have been dealt. The account's profile photo is updated to match the card for an hour, before it reverts to a more generic image. The tweets might just about be helpful as an application security awareness resource — perhaps as "appsec requirement of the day".

A trivial use, but it was fun doing some coding. And working on this helped me come up with a solution for another problem I have been thinking about.
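
The deal-until-exhausted selection suggested above, combined with the "..." continuation visible in the quoted tweets, as an added example (not the project's own code). The `Croupier` class, the function names, the 140-character limit and the placeholder cards are assumptions; only the Nine of Cryptography text comes from the post.

```python
import random

TWEET_LIMIT = 140  # Twitter's per-tweet limit in 2014 (assumption for this example)

# Constructed deck: only the first card's text is quoted from the post above;
# the other entries are placeholders, not real Cornucopia card text.
DECK = [
    ("Nine of Cryptography",
     "Andy can bypass random number generation, random GUID generation, "
     "hashing and encryption functions because they have been self-built "
     "and/or are weak"),
    ("Placeholder card A", "Constructed attack text A"),
    ("Placeholder card B", "Constructed attack text B"),
    ("Placeholder card C", "Constructed attack text C"),
]

class Croupier:
    """Deals every card once, in random order, before reshuffling the pack."""

    def __init__(self, cards):
        self._cards = list(cards)
        self._undealt = []

    def deal(self):
        if not self._undealt:                    # pack exhausted: reshuffle
            self._undealt = list(self._cards)
            random.SystemRandom().shuffle(self._undealt)
        return self._undealt.pop()

def announce(name, text, when):
    return f'The card for {when} is the {name}, which reads "{text}"'

def split_tweets(message, limit=TWEET_LIMIT):
    """Split on word boundaries, marking each break with '...' on both sides.

    Assumes no single word is longer than the limit.
    """
    budget = limit - 3                           # room for a trailing "..."
    parts, current = [], ""
    for word in message.split():
        candidate = f"{current} {word}".strip()
        if current and len(candidate) > budget:
            parts.append(current + "...")
            current = "..." + word
        else:
            current = candidate
    parts.append(current)
    return parts

if __name__ == "__main__":
    name, text = Croupier(DECK).deal()
    for tweet in split_tweets(announce(name, text, "Friday morning (GMT+0)")):
        print(len(tweet), tweet)
```

A job that tweets twice daily would also need to persist the undealt list between runs, which this in-memory sketch does not do.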

Posted on: 24 January 2014 at 10:56 hrs

17 January 2014

Security, Privacy and Usability of Online Seals

The European Union Agency for Network and Information Security (ENISA) has published a report about marks, seals, logos, icons, badges, etc displayed to provide information to users about the trustworthiness of web sites and web applications.

Partial view of the title page from ENISA's 'On the Security, Privacy and Usability of Online Seals - An Overview'

On the Security, Privacy and Usability of Online Seals examines the European policy context, security and privacy requirements for seals, the communication issues, verification issues and economic aspects.

Three challenges are described:

  • Users are beginning to make trust decisions about seal issuers (rather than just the web site or application)
  • Users have to judge the range of evaluation methods to determine if the seal is adequate for themselves
  • It is difficult and maybe impossible for users to check the evaluated web site / application is the same as the one they want to use.

The report provides some recommendations, which of course include "further research".

See also the related Mobile App Privacy Labelling, Privacy and Terms of Use Labelling, A Software Security Kitemark, Privacy, Labelling and Legislation, Trust and E-commerce Trustmarks, and older posts referenced from those.

Posted on: 17 January 2014 at 09:37 hrs

16 January 2014

More Bad News From The Banks

It seems that although banks might be "where the money is", they may not be spending it in the right places when it comes to information security.

Partial screen capture from the blog post about smartphone banking apps and their security vulnerabilities

In December I mentioned a study of vulnerabilities in banks' websites, especially the high prevalence of cross-site scripting (XSS).

Last week, the results were published of a one-week study of 40 iOS personal banking mobile apps provided by major banks throughout the world. The study reveals the rather poor state of client-side software security: all the apps were deployable on jailbroken devices, most had non-SSL links, almost half were susceptible to Man in The Middle (MiTM) attacks since they did not validate the authenticity of SSL certificates, and half were vulnerable to cross-site scripting (XSS). Read more bad news in the blog post.

The list of security tests mentioned in the study would be worthwhile undertaking for any mobile app development plan.

I am quite surprised about this in such a highly-regulated sector. Although each compromised bank account may not have much significance to the bank, the impact on individuals is very high, and financial services regulators are likely to show concerns.

Posted on: 16 January 2014 at 11:30 hrs

08 January 2014

Malware Warning Messages and Click-Through Resistance

Another paper of interest was mentioned on Light Blue Touchpaper last week.

David Modic and Ross J. Anderson, University of Cambridge Computer Laboratory, have published Reading this May Harm Your Computer: The Psychology of Malware Warnings, which describes an experiment to determine if users can be encouraged to act on malware security warnings through social-psychological techniques.

The researchers investigated the use of:

  • Appeal to authority
  • Social compliance
  • Concrete threats
  • Vague threats.

The paper is a good read, so I won't spoil what the paper's findings were. But if you are providing any form of warnings in your software that you do not want human users to ignore, that is, enhancing "click-through resistance", at least read the paper's conclusion.

The research will also be useful for designing opt-ins to terms and conditions, other policies and data processing consents.

Posted on: 08 January 2014 at 09:20 hrs

03 December 2013

Building Secure Software at OWASP London

The next OWASP London event will be on Thursday 12th of December 2013, at 18:00 for 18:30 hrs at Morgan Stanley in Canary Wharf.

Photograph of an office block under construction in the City of London

I am speaking, but I am particularly looking forward to Ofer Maor's presentation about Interactive Application Security Testing (IAST). The presentations are:

  • IAST: Runtime Code & Data Security Analysis - Beyond SAST/DAST
    Ofer Maor

    Until recently, Static and Dynamic Application Security Testing (SAST/DAST) dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data in runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and Runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...
  • OWASP Cornucopia
    Colin Watson

    Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

So, there will be a broad mix of information suitable for a wide range of developers, testers, and verifiers - of whatever skill level. My own presentation will be similar to the one I gave in June during the OWASP EU Tour, but it has been specially updated for this event. There will also be news about next year's AppSec Europe being held in Cambridge. I imagine we will move to a local bar/pub at around 20:30 hrs to continue the discussion.

Further details are available on the chapter's page. Free registration is required for access to the host's building (Morgan Stanley, 25 Cabot Square, E14 4QA). Registration closes when all spaces are booked, or the evening before, whichever is soonest.

Posted on: 03 December 2013 at 08:41 hrs

16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programs for their own roles, responsibilities, perspectives and needs. The book examines these aspects of CISOs' responsibilities from the perspectives of governance, compliance and risk. The primary author Marco Morana is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic. It is also completely technology and vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, how application security risks should be managed, how to build, maintain and improve an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs

13 November 2013

AWS Security Guidance and Information

This month Amazon has published updated documents in their AWS Security Center.

The following are especially worthwhile reading:

But do skim through the other list of security resources in case there is something more specific of relevance.

Posted on: 13 November 2013 at 08:02 hrs

29 October 2013

Trends in SSL

SSL Pulse provides a regular snapshot of SSL support across one million top web sites.

Partial view of the SSL Pulse dashboard showing some of the charts available

SSL Pulse is now tracking the support for SSL forward security and RC4 cipher suites. The dashboard has been updated to include these aspects from the 2nd October 2013 onwards.

The full list of dashboard charts is:

  • Incomplete certificate chain
  • Weak or insecure cipher suites
  • Key strength
  • Use of HTTP Strict Transport Security header
  • Protocol support
  • Renegotiation support
  • Key strength distribution
  • Use of extended validation (EV) certificates
  • Vulnerable to BEAST attack
  • SPDY protocol support
  • TLS compression support
  • Forward secrecy support
  • RC4 support.

See SSL/TLS Deployment Best Practices for more information.

Posted on: 29 October 2013 at 09:05 hrs

27 October 2013

Are Your Users Receiving JavaScript?

Wondering about JavaScript support in your web site's user base?

Photograph of a lit-up pumpkin which has had a skull carved into the flesh and LED lights poked through the pumpkin shell

Pete Herlihy, of the UK Government Digital Service, has described the results of some measurements performed against the Gov.uk home page.

It seems the question is not what proportion of users support JavaScript, but what proportion receive it. Read the blog comments for further perspectives and links to additional information.

I didn't realise that gov.uk is now SSL-only (or HTTPS-only as they refer to this in their own standards for government services). These standards also state that once the HTTPS setup has been configured, verified, and is working correctly, service managers should enable the HTTP Strict Transport Security (HSTS) header on production domains (www., admin. and assets.).

Posted on: 27 October 2013 at 23:47 hrs

24 September 2013

OWASP ASVS for Web Applications 2013 Beta Release

OWASP's less well known, but immensely useful, Application Security Verification Standard (ASVS) for web applications has been updated and a beta version was released just prior to AppSec EU last month.

Diagram from the OWASP ASVS Web Application Standard 2013 showing the four different web application security verification levels

The ASVS Web Application Standard 2013 defines a set of technical controls for applications that should be verified as part of security testing processes. They are primarily application controls but also include relevant ones in the host environment. The document describes three use cases — for application certification, for alignment of testing methodology and for selection of external suppliers.

The number of classes of requirements has been expanded to 13, and now covers:

  • Authentication
  • Session management
  • Access control
  • Input validation
  • Cryptography at rest
  • Error handling and logging
  • Data protection
  • Communications
  • HTTP
  • Malicious controls
  • Business logic
  • Files and resources
  • Mobile.

Each class includes around 10-20 specific requirements. The new sections, and re-allocation of some requirements, mean that the numbering has changed significantly. The cross-referencing will be important for those already using the ASVS Web Application Standard 2009.

Not all the requirements need to be achieved for every application. The choice can clearly be organisation-specific, based on its own risk assessment, but the document describes four levels of verification, each successive level increasing the number of mandatory requirements.

The project team, primarily Andrew van der Stock, Sahba Kazerooni, Daniel Cuthbert, and Krishna Raja, are working on gathering feedback from the community, creating use-case examples, and mapping to other OWASP projects such as the upcoming new Developer and Testing Guides.

Please help by providing your own ideas to finalise the beta release via the project's mailing list.

Posted on: 24 September 2013 at 08:34 hrs

Non-repudiation Security Principle : Web Security, Usability and Design
© 2008-2014 clerkendweller.com