
Posts relating to the category tag "maturity" are listed below.

15 April 2014

Consultation on UK Cyber Essentials Scheme

As mentioned previously, the UK government has now published a draft cyber security standard and assurance framework for SMEs.

Cover from HM Government's 'Cyber Essentials Scheme: Proposed Assurance Framework'

The relevant documents for the Cyber Essentials Scheme are:

The test specification includes "basic web application scanning for [four] common vulnerabilities [in unauthenticated areas only]", which doesn't seem to be at a level that would be adequate for even the simplest brochureware website. Other types of application, such as mobile apps, are not mentioned at all. I suppose it's a start, but is it enough to make any difference?

The Department for Business, Innovation & Skills is seeking feedback on the draft assurance framework. A response template can be completed and returned by email to cybersecurity@bis.gsi.gov.uk. The consultation closes on 7th May 2014 and the scheme will be launched in the summer.

Posted on: 15 April 2014 at 07:58 hrs


04 April 2014

Regulation of Software with a Medical Purpose

I seem to have a series of regulation-related posts at the moment. Perhaps it is the time of year. An article on OutLaw.com discusses how mobile apps and other software with a medical purpose may be subject to regulation.

Photograph of shelves in a shop displaying rows of medications

The UK's Medicines and Healthcare products Regulatory Agency (MHRA) is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe. It has issued new guidance on "medical device stand-alone software (including apps)", which is defined as "software which has a medical purpose which at the time of it being placed onto the market is not incorporated into a medical device". Thus "software... intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception..."

Guidance on Medical Device Stand-alone Software (Including Apps) describes the scope, requirements and software-specific considerations. Product liability and safety considerations are also mentioned.

This introduces the potential need for registration, documentation, self-assessment, validation, monitoring and incident reporting, especially if the software performs any form of diagnosis or assessment. The OutLaw.com article provides a good analysis and views from experts.

Posted on: 04 April 2014 at 10:11 hrs


31 March 2014

Regulator Weighs into the Consumer Software Sector

The US Federal Trade Commission has brought two companies to task over inadequate data protection in their mobile apps.

The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

In the proceedings against Credit Karma Inc, the complaint describes the company's website and mobile app, which consumers can use to monitor and evaluate their credit and financial status. In the proceedings against Fandango LLC, the complaint describes how the company has a website and mobile application that allow consumers to purchase movie tickets and view showtimes, trailers, and reviews.

The cases describe a number of problems with security but focus on how the apps had disabled SSL certificate validation, leading to the possibility that attackers could redirect and intercept network traffic, and decrypt, monitor, or alter any of the information transmitted from or to the application, including personally identifiable information. The FTC also said the companies misrepresented the security of the apps to consumers.
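As an added example (not from the post, the FTC orders, or either company's code), here is the weak client TLS configuration the complaints describe placed beside its corrected form, written with Python's standard `ssl` module rather than the apps' mobile platforms, together with an audit helper that flags the properties an attacker on the network path would exploit. The `connect` helper is an assumption for illustration and needs network access; the audit functions run offline.

```python
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: the client accepts whatever certificate the
    server (or an interceptor) presents.  Note that hostname checking has
    to be switched off before chain verification can be; the library
    treats the two checks as a pair."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # self-signed or forged certs are accepted
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: chain verified against the platform
    trust store (or a CA bundle shipped with the app), hostname checked,
    and TLS 1.2 as the protocol floor."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses that would let a network attacker intercept
    or alter traffic; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are permitted")
    return findings


def connect(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Hypothetical helper (needs network): open a TLS connection and return
    the peer certificate.  With the insecure context the handshake succeeds
    against any certificate and getpeercert() returns an empty dict, because
    nothing was validated; with the hardened context a bad certificate
    raises ssl.SSLCertVerificationError instead."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
```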

The consent orders require the companies not to misrepresent how the apps maintain and protect the privacy, security, confidentiality, or integrity of information. Additionally they must establish and implement, and thereafter maintain, a comprehensive security program which, in summary, includes:

  • Designated employee to coordinate the security programme and be accountable for it
  • Assessment of security and privacy risks and safeguards that mitigate these
  • Security throughout the software development lifecycle including employee training and management; secure engineering and defensive programming; product design and development, secure software design, development, and testing; review, assessment, and response to third-party security vulnerability reports; and prevention, detection, and response to attacks, intrusions, or systems failures
  • Implementation, testing and periodic re-assessment of security controls, systems and procedures
  • Due diligence and assessment of service providers
  • Monitoring, review and improvement of the security programme.

Furthermore, these programmes are to be independently assessed initially and then biennially for 20 years by an independent third-party professional who is suitably qualified. The orders mention the assessor may be a "Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming, or a similarly qualified person or organisation approved by the FTC".

It looks like this is the year for comprehensive secure software development lifecycle initiatives such as OpenSAMM, MS-SDL and the BITS Framework.

Posted on: 31 March 2014 at 09:11 hrs


13 March 2014

OWASP Top Ten 2013 A9 and Principle 7 (Security) of the Data Protection Act

The UK Information Commissioner's Office (ICO) has made a clear statement that it believes unpatched software is no longer acceptable.

30% of PCs still use Microsoft XP. If your business does after 8 April 2014 it may be breaching #DPA

The ICO does not provide much prescriptive guidance about Principle 7 of the Data Protection Act (DPA) 1998 concerning security, so data controllers and processors have to read all the guidance and enforcement actions to get a feel for what is expected. Thus, for example, for many years the ICO has taken a very dim view of losing mobile devices that have unencrypted storage media.

It seems the time has come for addressing published software vulnerabilities in a timely manner to be included in the bare minimum controls the ICO expects to be in place to protect personal data.

In a tweet and a referenced post on the ICO's blog, Simon Rice, Group Manager for the ICO's technology team, has highlighted how having unpatched vulnerabilities in software and infrastructure that are not mitigated in any other way could be considered a breach of the DPA 7th principle.

Read more about vulnerabilities in software components from OWASP, and also how one UK charity was fined last week by the ICO after a data breach involving a vulnerability in a website content management system (CMS).

Posted on: 13 March 2014 at 12:21 hrs


25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or fewer people. 30% of respondents had development teams with fewer than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Centre has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs


11 February 2014

Notes from Gamifiers London 05 Feb 2014

Gamifiers is a quarterly London meet up, for people who use, or want to use, gamification in their team, organisation, product or service.

As mentioned previously I attended the Gamifiers meet up on 5th February.

Photograph of Toby Beresford introducing the gamifiers meet up at IBM Southbank Client Centre on Wednesday 5th February 2014

Co-organiser Toby Beresford explained the morning's agenda and started the event by describing and debating his own ideas about game rule maturity and the growth of tournaments and leagues. Andrzej Marczewski continued the introductory part, mentioning the International Gamification Confederation (GamFed) and also some information from Gartner that "80% of gamified applications will fail". I challenged this by suggesting that "100% of Gartner reports state that 80% of something will fail/not succeed/are worse/etc".

An Coppens described her Master's work on using gamification in the recruitment process. She described how there is high staff churn in on-air planner roles for TV advertising. It is a high pressure role, generally with a lack of internal promotional route and in an industry that means there is often a poor candidate fit (i.e. the role attracts the wrong people), combined with being in a heavily regulated sector. An identified the types of skills and etiquette required to stay in the job for the 18 months needed to become proficient, and created a game to screen candidates that is fun to play, but includes real job-related metrics. The idea was subsequently implemented partially by one TV broadcaster, but the concept could be applied in other sectors.

Then Ed Cervantes-Watson described how Cancer Research developed Dryathlon to increase the charity's engagement with males, and to provide another fundraising channel. The website had an extremely high conversion rate to participants, but they discovered that the volunteers who were directly recruited and were given personalised motivation emails and badges generated 40% more income than those that had signed up via other routes that did not provide these. Ed went on to present a new game called Genes in Space, which uses game players' eyes to help identify mutations in genome data that are then investigated in more detail by the charity's scientists. Gamers plot courses through obstacles without knowing they are actually reviewing genome data.

Peter Laughton gave an insight into current game design trends, which I have summarised below:

  • Move from landscape to portrait orientation
  • From (back from) thumb to index finger
  • Multiple currency support
  • Rise of downloadable content, to get people involved in your universe
  • Make the game for less money, $1 million instead of $10 million
  • Interaction distance from 3m back to 30cm, playing on a tablet typically
  • Multiplayer rules more important
  • Fail fast, develop 10% first, if it works build rest

After a refreshment break, I presented the application security card game OWASP Cornucopia telling the story of how the idea emerged, how it was created, and events that transpired, including support from Blackfoot. I also described how it has been promoted through social media and at other events. We then had a game of cards using an example web administrative area as the subject of our attacks.

The comments and ideas while playing the games were tremendously helpful. The participants were neither software developers nor information security folk, so it was interesting to hear the views of people who are much more experienced gamifiers. I will write up the feedback and publish it on the public Cornucopia mailing list.

Thank you to IBM Southbank for providing the venue and refreshments.

Posted on: 11 February 2014 at 09:32 hrs


30 December 2013

UK-Flavoured Cyber Security Standard

Further to the consultation earlier this year on selection of a cyber security standard for UK businesses, universities, charities and others, a report was published in November.

Photograph of commercial premises in London on a rainy evening

The research report presents the consultation responses, interviews and analysis. That report identified properties (Annex B) of over 100 related standards, such as target sector, product type, service type, language, status, currency, relevance and prevalence (Annex C). Nine shortlisted standards were assessed further against the cyber security framework:

  • Australian Defence Signals Directorate (DSD) Information Security Manual (ISM); formerly known as "ACSI33"
  • Bundesamt für Sicherheit in der Informationstechnik (BSI) '100 Series'
  • HMG SPF (Security Policy Framework)
  • IASME (Information Assurance for Small & Medium-sized Enterprises)
  • ISF (Information Security Forum) Standard for Good Practice for Cyber Security (SGP)
  • ISO27001:2005
  • ISO27002:2005
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Publicly Available Specification (PAS) 555:2013 (including Annexes)

The analysis concluded that no single standard comprehensively covers the totality of cyber security as defined in the government's framework.

The government has therefore announced it will not adopt a single standard, but will instead "work with industry to develop a new implementation profile" to become the preferred standard. It is understood this "profile will be based upon key ISO27000-series standards and will focus on basic cyber hygiene".

The new profile will be developed in conjunction with the Information Security Forum (ISF) and Information Assurance for Small and Medium Enterprises (IASME), and will be available in "early 2014" free of charge.

Posted on: 30 December 2013 at 10:53 hrs


16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs. The book examines CISOs' responsibilities from the perspectives of governance, compliance and risk. The primary author Marco Morana is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic, and completely vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, managing application security risks, building, maintaining and improving an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs


05 November 2013

BSIMM 5 Released

The fifth edition of the Building Security In Maturity Model (BSIMM) survey of secure software development practices has been published by Cigital, a year since the previous version.

Partial screen capture of the infographic published with BSIMM V

BSIMM v5 now includes recent data from 67 companies across a dozen sectors, including 26 from financial services and 25 independent software vendors. On average the companies had practiced formalised software security processes for over 4 years, and had over 4,000 developers (1,600 median). BSIMM surveyed the companies against 112 activities which can be used to assess your own programmes.

The survey reports that the most successful software security initiatives are typically run by a senior executive who reports to the highest levels in an organisation. This release also includes the expected infographic to accompany the report.

There is a wide range of approaches across the surveyed companies. However, the following objectives/activities were identified most commonly in highly successful software security programs:

  • Establish SSDL gates (but do not enforce) / Identify gate locations, gather necessary artifacts
  • Promote privacy / Identify PII obligations
  • Promote culture of security throughout the organisation / Provide awareness training
  • Prioritise applications by data consumed/manipulated / Create a data classification scheme and inventory
  • Create proactive security guidance around security features / Build and publish security features
  • Meet demand for security features / Create security standards
  • Get started with architectural analysis / Perform security feature review
  • Drive efficiency/consistency with automation / Use automated tools along with manual review
  • Start security testing in familiar functional territory / Drive tests with security requirements and security features
  • Demonstrate that your organisation's code needs help too / Use external penetration testers to find problems
  • Provide a solid host/network foundation for software / Ensure host and network security basics are in place
  • Use ops data to change dev behaviour / Identify software bugs found in operations monitoring and feed them back to development

The survey also provides some insight into trends in US companies (50) versus those in Europe (17), and notes companies in the latter are undertaking fewer activities on average.

Posted on: 05 November 2013 at 09:25 hrs


01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 is in three weeks' time, from 18th to 21st November. This is expected to be the largest application security conference in the world ever.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and real-time response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the upcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November at 1:00pm - 5:00pm (Sky Lounge, 16th floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November at 9.00am - 1.00pm (Sky Lounge, 16th Floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November at 2.00pm - 3.00pm (Edison Room, 5th Floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John to help write code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit are here and here. Dennis will be providing an inspirational introduction to using AppSensor, and the technical and business benefits achievable.

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence:

Training at OWASP conferences is always to a high standard, but the courses get booked up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are another 120 application security sessions available during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs


Maturity : Web Security, Usability and Design
Page http://www.clerkendweller.com/maturity
© 2008-2014 clerkendweller.com