18 April 2014


Posts relating to the category tag "administrative" are listed below.

25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or fewer people. 30% of respondents had development teams with fewer than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Center (FS-ISAC) has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers, to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs


19 February 2014

OWASP CISO Survey Report Published

The report detailing results from the OWASP CISO Survey in 2013 has been published.

Cover from the OWASP CISO Survey and Report 2013, Version 1.0 - January 2014

The survey results report provides tactical intelligence on real-world application security, and complements the recent OWASP CISO Guide that describes how CISOs can act on this intelligence to achieve the optimal information security programs for their organisations.

The CISO survey report comprises:

  • Survey methodology
  • Objectives
  • Survey and report 2013
    • Threats and risks
    • Investments and challenges
    • Tools and technology
    • Governance and control
  • Conclusions
  • References

This is an excellent resource, largely due to the effort of OWASP board member Tobias Gondrom and the survey's participants, with generous assistance from Marco Morana, Stephanie Tan, and members of the former OWASP Global Industry Committee. Although I am kindly mentioned in the acknowledgements, I only made a minor contribution to this one.

The CISO Survey Project's activities and news are announced and discussed through a mailing list. It is also possible to register to receive email notifications about future releases and updates to the OWASP CISO Survey and related CISO projects.

Posted on: 19 February 2014 at 07:44 hrs


18 February 2014

Three Cloud Data Reports

Some brief related reading matter. All three of these reports are fairly short and easily digested.

Photograph of the City of London showing glass skyscrapers, including the more recent Heron Tower and 30 St Mary Axe, rising above the older office buildings

All three reports were published in January 2014:

  • The Insider Threat of Bring Your Own Cloud (BYOC), Ponemon Institute, describes the results of research into the effects on organisation security when employees are allowed to use public or private services to perform their roles.
  • Data Classification for Cloud Readiness, Microsoft, presents the fundamental concepts of authentication and authorisation, and summarises roles and responsibilities in cloud computing. A plan, do, check, act approach is suggested for data classification, and brief information is given about protecting such data.
  • CISO Perspectives on Data Classification, Microsoft, January 2014, provides information from a selection of Chief Information Security Officers (CISOs) on their own organisation data categories and processes for classification, some challenges and resources for further information.

Posted on: 18 February 2014 at 08:02 hrs


13 February 2014

Advertising, Keywording, Search Indexes and Trademarks

Lush cosmetics has won a High Court case against Amazon UK for online infringement of its trademark.

A photograph taken at last year's Clerkenwell Design Week showing a large hanging piece of artwork comprised of stainless steel tubing and purple translucent glass discs

Amazon did not sell products from the Lush range, yet it was bidding for the keyword "Lush" in Google AdWords. Furthermore, using the search term "lush" on the internal Amazon search function listed non-Lush products. Out-Law.com has provided a full description and discussion of the decision.

As one commenter on this news story about the case says, this is "the new reference case of keyword advertising disputes".

On a lighter note, Lush has launched a new shower smoothie named after Amazon UK's managing director Christopher North. Lush had trademarked Christopher North's name in 2012, earlier in its dispute with Amazon UK.

Posted on: 13 February 2014 at 12:03 hrs


07 February 2014

S is for Security, Spelling and Snafu

On Tuesday a net-savvy citizen (aka a cyber warrior) spotted viruses emanating from the primary NHS website NHS Choices.

A spokeswoman said a simple misplaced letter 's' in a domain name embedded in the code was responsible. A developer had typed googleaspis.com instead of googleapis.com.

The news spread virally (i.e. was copied) by the mainstream press (e.g. here, here, here, here, etc.), with good analysis and comment here.

It seems JavaScript was being loaded from "translate.googleaspis.com" rather than "translate.googleapis.com" and it had gone unnoticed for months, until a foreign rogue (aka hacker) registered the domain name and wrote a bit of code to modify the NHS Choices web pages so that links redirected to sites serving malware.

Said to be due to an "internal coding error", it sounds more like a case of missing functional testing, missing security testing, poor change control and inadequate operational monitoring (as well as the typo).

Apart from doing things professionally, as the news story in Info Security asks, why have third-party hosted code on the site at all? It's not as if anyone missed the functionality that didn't work.
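As an added illustration (not code from the original post): the kind of check that functional or security testing, or a deployment gate, could have run against the page. It lists every third-party script host in an HTML document, flags hosts outside an allowlist, and marks near-misses of an allowed host (the one-letter googleaspis/googleapis difference) as likely typos. The allowlist and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only third-party hosts this site means to load scripts from.
ALLOWED_HOSTS = {"translate.googleapis.com", "ajax.googleapis.com"}

# Constructed page: a same-origin script, a typo'd host, an allowed host, an unapproved host.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script>
<script src="//translate.googleaspis.com/translate_a/element.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script></head></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def edit_distance(a, b):
    """Levenshtein distance: 1 means a single added, dropped or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_script_hosts(html, allowed=ALLOWED_HOSTS, max_typo_distance=2):
    """Return [(host, verdict)] for each third-party script; same-origin scripts are skipped."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlparse(src, scheme="https").hostname  # handles //host, https://host and /path
        if host is None:  # relative URL: served from our own origin
            continue
        nearest = min(allowed, key=lambda h: edit_distance(host, h))
        if host in allowed:
            verdict = "allowed"
        elif edit_distance(host, nearest) <= max_typo_distance:
            verdict = f"suspect typo of {nearest}"  # one-letter slips like googleaspis/googleapis
        else:
            verdict = "unlisted"
        findings.append((host, verdict))
    return findings
```

Any "suspect typo" or "unlisted" verdict is a change-control failure worth blocking before release, and the same scan run on a schedule against the live site would have caught the months-long exposure described above.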

Posted on: 07 February 2014 at 06:47 hrs


04 February 2014

Smart Grid Threat Landscape and Good Practice Guide

The European Union Agency for Network and Information Security (ENISA) has announced the publication of a new report on smart grid threats and good practices.

Smart grid asset mindmap from the ENISA report 'Smart Grid Threat Landscape and Good Practice Guide'

Smart Grid Threat Landscape and Good Practice Guide describes and enumerates smart grid assets, threats, vulnerabilities and good practices. The good practices are presented for two categories: firstly IT systems and logical networks, and secondly the supply chain.

I almost didn't mention this report here, but there is some information about software assets, threats and vulnerabilities. So if smart grid is your thing, the report may be useful. The threat model presentation may be useful in other contexts.

Posted on: 04 February 2014 at 08:46 hrs


29 January 2014

Privacy Notices and Supplier Contracts

Over Christmas I caught up with a backlog of news stories, tweets and bookmarked items. One relating to privacy notices surprised me, despite being quite an old item.

Photograph of a locked wooden door with an adjacent metal enclosure housing a keypad, video camera, microphone and loudspeaker - a sign on the door reads 'Keep locked shut' and another handmade sign reads 'Visitors - Please press buzzer and show ID to the camera - thank you'

It seems Google's terms of service (UK version) for Google Analytics include certain privacy requirements on its users (web site operators).

The web post identifies obligations placed on web site operators:

  • Have a privacy policy
  • Abide by all applicable laws relating to the collection of information from visitors
  • State the usage of third party tracking and usage of cookies for tracking

There are additional requirements for users of AdWords and AdSense. A handy reminder that your suppliers can be the source of additional information security and privacy mandates.

After all, if you have an incident, you don't want to be found breaking contractual obligations as well.

Posted on: 29 January 2014 at 08:35 hrs


23 January 2014

Section 5 of the Defamation Act 2013

Section 5 of the Defamation Act 2013, regarding website operators, relates to actions for defamation brought against the operator of a web site due to a statement published on the web site.

Partial view of the cover pages from the Ministry of Justice document 'Guidance on Section 5 of the Defamation Act 2013 and Regulations: Frequently Asked Questions'

The Defamation (Operators of Websites) Regulations 2013 came into force on 1st January 2014. This week, the Ministry of Justice has published guidance and an FAQ document for complainants, web site operators and posters of statements of concern.

If Section 5 of the Act is followed by web site operators, it may provide a defence against a claim of defamation. For sites that publish user-generated content, the guidance and FAQs should be reviewed and a decision made as to whether to use the suggested processes. If adopted, consider providing users with guidance on creating and submitting a valid notice of complaint. Privacy notices may also have to be updated.

Note the Act also states that "The defence under this section is not defeated by reason only of the fact that the operator of the website moderates the statements posted on it by others."

Posted on: 23 January 2014 at 23:38 hrs


10 January 2014

OWASP London Event - Thursday 16th January 2014

Just a quick reminder that the next OWASP London chapter meeting is being held on Thursday, 16th January 2014. It will be at Skype's offices at 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST. Arrive 18:00 for 18:30 hrs.

Please register in advance.

Update 15th January 2014: The presentations at this free meeting will be "Pushing Content Security Policy (CSP) to Production: Case Study of a Real-World Content-Security Policy Implementation" by Justin Clarke, and "2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs" by Marco Morana and Tobias Gondrom.

Posted on: 10 January 2014 at 08:46 hrs


30 December 2013

UK-Flavoured Cyber Security Standard

Further to the consultation earlier this year on selection of a cyber security standard for UK businesses, universities, charities and others, a report was published in November.

Photograph of commercial premises in London on a rainy evening

The research report covers the consultation responses, interviews and analysis. It identified properties (Annex B) of over 100 related standards, such as target sector, product type, service type, language, status, currency, relevance and prevalence (Annex C). Nine shortlisted standards were assessed further against the cyber security framework:

  • Australian Defence Signals Directorate (DSD) Information Security Manual (ISM); formerly known as "ACSI33"
  • Bundesamt für Sicherheit in der Informationstechnik (BSI) '100 Series'
  • HMG SPF (Security Policy Framework)
  • IASME (Information Assurance for Small & Medium-sized Enterprises)
  • ISF (Information Security Forum) Standard for Good Practice for Cyber Security (SGP)
  • ISO27001:2005
  • ISO27002:2005
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Publicly Available Specification (PAS) 555:2013 (including Annexes)

The analysis concluded that no single standard comprehensively covers the totality of cyber security as defined in the government's framework.

The government has therefore announced it will not adopt a single standard, but will instead "work with industry to develop a new implementation profile" to become the preferred standard. It is understood this "profile will be based upon key ISO27000-series standards and will focus on basic cyber hygiene".

The new profile will be developed in conjunction with the Information Security Forum (ISF) and Information Assurance for Small and Medium Enterprises (IASME), and will be available in "early 2014" free of charge.

Posted on: 30 December 2013 at 10:53 hrs



Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com