
Posts relating to the category tag "metrics" are listed below.

16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programmes in the context of their own roles, responsibilities, perspectives and needs, examining those responsibilities from the perspectives of governance, compliance and risk. The primary author, Marco Morana, is a leader in application security within the financial services sector, but the book is sector, region, technology and vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, managing application security risks, building, maintaining and improving an application security programme, and choosing the metrics needed to manage application security risks and investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also appendices on calculating the value of data and the cost of an incident, and a cross-reference between the CISO guide and other OWASP guides, projects and content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs


01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 takes place in three weeks' time, from 18th to 21st November, and is expected to be the largest application security conference ever held.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the forthcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November, 1.00pm - 5.00pm (Sky Lounge, 16th floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November, 9.00am - 1.00pm (Sky Lounge, 16th floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November, 2.00pm - 3.00pm (Edison Room, 5th floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John on code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit are available here and here. Dennis will provide an inspirational introduction to using AppSensor and to the technical and business benefits achievable.

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence:

Training at OWASP conferences is always of a high standard, but the courses fill up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are around 120 other application security sessions during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs


21 October 2013

Web Application Scanner Comparison from Miami

HackMiami has published a paper comparing five dynamic web application security scanning tools.

Photograph of signs showing an explanation of the beach safety warning flags and monitoring information in Florida

The paper Hack Miami Web Application Scanner 2013 PwnOff - An Analysis of Automated Web Application Scanning Suites describes a one-off comparison undertaken during the HackMiami 2013 Hackers Conference. Tests were undertaken pre- and post-authentication, for both normal and administrative users, against three web applications (one PHP, one JSP and one .NET). The paper assessed five scanners:

  • Acunetix
  • IBM Rational AppScan Standard
  • Metasploit Pro
  • NT OBJECTives NTOSpider
  • PortSwigger Burp Suite

The scanners were assessed on their interface, vulnerability detection, reporting and overall value. It is useful to also refer to other comparisons such as the Web Application Security Scanner Comparison and the New Magic Quadrant for Application Security Testing 2013. But better still, evaluate them yourself on your own applications and compare the results with manual testing.
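Comparing scanner output with manual findings is mostly a normalisation problem: every tool names vulnerability classes differently and reports slightly different URLs for the same injection point. The script below is an added example, not code from the HackMiami paper or from this post; it maps each tool's findings onto one vocabulary, then scores precision and recall against a hand-verified baseline. The alias table, the finding layout (class, URL, parameter) and every finding listed are constructed for illustration.

```python
"""Score web application scanner results against a manually confirmed baseline.

Added example, not part of the HackMiami paper or the original post. The finding
format, the alias table and all of the sample data are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Scanners label the same class differently; map their labels onto one vocabulary.
CLASS_ALIASES = {
    "xss": "xss", "cross-site scripting": "xss", "reflected xss": "xss",
    "sqli": "sqli", "sql injection": "sqli", "blind sql injection": "sqli",
    "rfi": "rfi", "remote file inclusion": "rfi",
    "csrf": "csrf", "cross-site request forgery": "csrf",
}


def normalise(vuln_class, url, parameter):
    """Collapse a finding to a comparable (class, host+path, parameter) key.

    The query string is dropped (the parameter name is tracked separately), the
    host and parameter are lower-cased, trailing slashes are trimmed and the
    vulnerability label is mapped to its canonical class.
    """
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    canonical = CLASS_ALIASES.get(vuln_class.strip().lower())
    if canonical is None:
        raise ValueError(f"unknown vulnerability class: {vuln_class!r}")
    return (canonical, parts.netloc.lower() + path, parameter.lower())


@dataclass
class Score:
    true_positives: int
    false_positives: int
    false_negatives: int

    @property
    def precision(self):
        reported = self.true_positives + self.false_positives
        return self.true_positives / reported if reported else 0.0

    @property
    def recall(self):
        real = self.true_positives + self.false_negatives
        return self.true_positives / real if real else 0.0


def score_scanner(scanner_findings, baseline_findings):
    """Set arithmetic on normalised keys gives TP, FP and FN directly."""
    reported = {normalise(*f) for f in scanner_findings}
    truth = {normalise(*f) for f in baseline_findings}
    return Score(len(reported & truth), len(reported - truth), len(truth - reported))


# Constructed baseline: findings confirmed by hand against a test application.
BASELINE = [
    ("SQL injection", "http://app.example/login.php", "username"),
    ("Reflected XSS", "http://app.example/search.php", "q"),
    ("CSRF", "http://app.example/admin/users.php", "action"),
    ("Remote file inclusion", "http://app.example/page.php", "include"),
]

# Constructed scanner output, each in its own vocabulary and URL style.
SCANNERS = {
    "scanner-a": [
        ("sqli", "http://APP.example/login.php?username=x", "username"),
        ("xss", "http://app.example/search.php?q=test", "q"),
        ("xss", "http://app.example/index.php", "lang"),  # not in the baseline
    ],
    "scanner-b": [
        ("blind sql injection", "http://app.example/login.php", "username"),
        ("rfi", "http://app.example/page.php/", "include"),
    ],
}


def compare(scanners=SCANNERS, baseline=BASELINE):
    """Score every scanner against the same baseline."""
    return {name: score_scanner(findings, baseline) for name, findings in scanners.items()}


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name}: TP={s.true_positives} FP={s.false_positives} "
              f"FN={s.false_negatives} precision={s.precision:.2f} recall={s.recall:.2f}")
```

Run it against exports from your own scanners and a baseline from your own manual test, rather than trusting a one-off comparison on someone else's targets; the false negatives list is usually the most instructive output.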

And don't just leave security to the testing stage of development.

Posted on: 21 October 2013 at 11:18 hrs


09 October 2013

Microsoft SDL in the US Financial Services Sector

Microsoft has published a survey commissioned from The Edison Group which examines application development security in the US financial services sector.

Title page from the paper 'Microsoft Security Development Lifecycle Adoption: Why and How'

Microsoft Security Development Lifecycle Adoption: Why and How examines the adoption of Microsoft's process-driven Security Development Lifecycle (SDL) in this sector, the approaches taken and the integration methods used, and looks at the benefits realised. The researchers interviewed a number of companies that use the Microsoft SDL.

I found the survey's most useful parts to be the list of adopters' best practices and lessons learned. The case studies are perhaps too short to be of any significance, and the second one, referring to using the SDL for open source development, almost seems to have been included to put down the idea of using open source tools, rather than contributing to the "why and how" of the report's title. It is unnecessary and wasted space in the document.

Read, compare and contrast. Then consider how these types of things might work within your own organisation and with particular teams.

The paper also refers to the previously mentioned BITS Software Assurance Framework from the Financial Services Roundtable, and to Part 1 (Overview and Concepts) of ISO/IEC 27034, but not to other sources.

Posted on: 09 October 2013 at 08:52 hrs


27 July 2013

Data Disclosure Incident Database

The Verizon 2013 Data Breach Investigations Report provides a useful insight into a range of recorded data disclosure incidents.

Partial screen capture showing the data charting and drill down features available on the VERIS Community Database

For the first time, the underlying incident data are available to download or to browse and mine interactively. The initial data set includes information from 1,200 incidents, mainly from 2012 and 2013. Note that these are heavily biased towards the health sector.

The downloadable data are available free of charge and without registration as JSON on GitHub. The data sets are recorded using the Vocabulary for Event Recording and Incident Sharing (VERIS). The interactive visualisation includes predefined views based on threat actors and motives (e.g. external, internal, partner), actions (e.g. hacking, malware, misuse, physical), assets affected (e.g. media, network, people, servers, user devices) and timeline/discovery.
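The predefined views described above are just counts over the VERIS objects, so the same pivots can be reproduced offline on the downloaded JSON. The script below is an added example, not code from the VERIS Community Database project or from this post. It assumes the VERIS layout in which an incident carries top-level "actor", "action", "asset" and "timeline" objects, with each actor or action category present as a key; the three incident records are constructed for illustration and are not real entries from the database.

```python
"""Tally VERIS-encoded incidents by actor, action, asset variety and year.

Added example, not part of the VERIS Community Database or the original post.
The sample records are constructed to follow the VERIS JSON layout as understood
here; they are not real incidents.
"""
import json
import pathlib
from collections import Counter

# In VERIS an actor or action category is present when its key exists on the object.
ACTOR_CATEGORIES = ("external", "internal", "partner", "unknown")
ACTION_CATEGORIES = ("hacking", "malware", "social", "misuse", "physical",
                     "error", "environmental", "unknown")

# Constructed sample records.
SAMPLE_INCIDENTS = [
    {
        "incident_id": "constructed-0001",
        "actor": {"external": {"motive": ["Financial"], "variety": ["Organized crime"]}},
        "action": {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}},
        "asset": {"assets": [{"variety": "S - Web application"}, {"variety": "S - Database"}]},
        "timeline": {"incident": {"year": 2012}},
    },
    {
        "incident_id": "constructed-0002",
        "actor": {"internal": {"motive": ["Convenience"], "variety": ["End-user"]}},
        "action": {"error": {"variety": ["Misdelivery"]}},
        "asset": {"assets": [{"variety": "M - Documents"}]},
        "timeline": {"incident": {"year": 2013}},
    },
    {
        "incident_id": "constructed-0003",
        "actor": {"external": {"motive": ["Financial"]}, "partner": {"motive": ["NA"]}},
        "action": {"malware": {"variety": ["RAM scraper"]},
                   "hacking": {"variety": ["Use of stolen creds"]}},
        "asset": {"assets": [{"variety": "S - POS server"}, {"variety": "U - POS terminal"}]},
        "timeline": {"incident": {"year": 2012}},
    },
]


def load_directory(path):
    """Load every *.json file under `path`; assumes one incident per file."""
    return [json.loads(p.read_text()) for p in sorted(pathlib.Path(path).glob("*.json"))]


def summarise(incidents):
    """Count incidents per actor category, action category, asset variety and year.

    An incident with two actors or two actions is counted once under each, which is
    how the multi-select VERIS categories are meant to be read.
    """
    actors, actions, assets, years = Counter(), Counter(), Counter(), Counter()
    for inc in incidents:
        for cat in ACTOR_CATEGORIES:
            if cat in inc.get("actor", {}):
                actors[cat] += 1
        for cat in ACTION_CATEGORIES:
            if cat in inc.get("action", {}):
                actions[cat] += 1
        for asset in inc.get("asset", {}).get("assets", []):
            assets[asset.get("variety", "Unknown")] += 1
        years[inc.get("timeline", {}).get("incident", {}).get("year", "unknown")] += 1
    return {"actor": actors, "action": actions, "asset": assets, "year": years}


def web_app_hacking_share(incidents):
    """Fraction of incidents in which a hacking action touched a web application asset."""
    hits = 0
    for inc in incidents:
        varieties = {a.get("variety") for a in inc.get("asset", {}).get("assets", [])}
        if "hacking" in inc.get("action", {}) and "S - Web application" in varieties:
            hits += 1
    return hits / len(incidents) if incidents else 0.0


if __name__ == "__main__":
    for dimension, counts in summarise(SAMPLE_INCIDENTS).items():
        print(dimension, dict(counts))
    print("web app hacking share:", web_app_hacking_share(SAMPLE_INCIDENTS))
```

Point `load_directory` at a checkout of the JSON files to run the same pivots over the real corpus, and keep the sector bias noted above in mind when reading the percentages.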

As more data are added, especially from alternative sources, this will be a very valuable resource. See also the Data Loss DB, Breach Watch and the Web Hacking Incident Database (WHID).

Posted on: 27 July 2013 at 16:33 hrs


13 July 2013

New Magic Quadrant for Application Security Testing 2013

A new "magic quadrant" for application security testing has been published by Gartner.

Title header from Gartner's report ' Magic Quadrant for Application Security Testing'

Magic Quadrant for Application Security Testing, by Neil MacDonald and Joseph Feiman, was published by Gartner last week, on 2 July 2013. It covers 16 suppliers whose products and services analyse and test applications for security vulnerabilities using static, dynamic and interactive testing techniques. The selection criteria required suppliers to have had production products and services operational on 1st January 2013, and more than $2 million revenue in this business area.

The report discusses each supplier's offerings and describes the market context, referencing the convergence of capabilities driven by customer requirements, increasingly complex web applications and the growth of mobile apps. Trends identified include increased provision of testing as a service, the need for comprehensive application discovery, testing of client-side code (including HTML5), the benefits of explicit framework support, integration with development life cycles, and testing of mobile and back-end interfaces. The use of these products and services as a security intelligence enabler is also discussed.

Gartner charges for the report, but two of the vendors in the "leaders" category have been very prompt in providing registration forms to obtain it "free of charge" (here and here).

"Magic Quadrant for Application Security Testing" replaces the previous "Magic Quadrant for Dynamic Application Security Testing" and the "Magic Quadrant for Static Application Security Testing."

Posted on: 13 July 2013 at 08:30 hrs


18 June 2013

Website Security Statistics Report 2013

WhiteHat Security in the United States has published another edition of its Website Security Statistics Report. This would seem to be the 13th edition, although the numbering label appears to have been dropped.

Partial image of one of the industry scorecards from the WhiteHat Website Security Statistics Report 2013

Like previous editions, the 2013 report contains a wealth of valuable information about the prevalence of web site security vulnerabilities, the time required to resolve them, the drivers for application security, accountabilities for system/data breaches, and what type of security activities are being undertaken in the software development processes to prevent vulnerabilities occurring in production releases.

Information leakage and cross-site scripting continue to be the most prevalent issues found. SQL injection is still notable, and although its prevalence has declined slightly over the last eight years, it is certainly not yet extinct. The most common drivers for security are reported to be compliance and risk reduction.

But I am most excited about the industry-sector scorecards included for the banking, financial services, healthcare, retail and technology sectors. These summarise the report's data for each sector in an easily comprehensible manner. They are ideal templates for an organisation's own high-level web site security metrics dashboards.
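Building such a dashboard from your own findings is a small amount of date arithmetic once the definitions are pinned down. The script below is an added example, not code from WhiteHat Security or from this post. The findings are constructed, and the metric definitions it uses (serious vulnerabilities per site, average time to fix, remediation rate, and window of exposure as the number of days in a year on which a site had at least one serious vulnerability open) are this example's working definitions, not the report's.

```python
"""Headline web site vulnerability metrics of the kind shown on sector scorecards.

Added example, not code from WhiteHat Security or the original post. The findings
are constructed and the metric definitions are this example's own assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Severities treated as "serious": an assumption mirroring a High/Critical/Urgent grouping.
SERIOUS = {"urgent", "critical", "high"}

# Constructed findings: (site, vulnerability class, severity, opened, closed or None if still open).
FINDINGS = [
    ("shop.example", "SQL Injection", "urgent", date(2012, 1, 10), date(2012, 1, 25)),
    ("shop.example", "Cross-Site Scripting", "high", date(2012, 3, 1), date(2012, 5, 30)),
    ("shop.example", "Information Leakage", "medium", date(2012, 2, 1), None),
    ("portal.example", "Cross-Site Scripting", "high", date(2012, 6, 1), None),
    ("portal.example", "CSRF", "high", date(2012, 2, 15), date(2012, 4, 15)),
]


def serious(findings):
    """Only the findings whose severity counts as serious."""
    return [f for f in findings if f[2].lower() in SERIOUS]


def serious_per_site(findings):
    """Number of serious vulnerabilities found per site, open or closed."""
    counts = defaultdict(int)
    for site, *_ in serious(findings):
        counts[site] += 1
    return dict(counts)


def average_time_to_fix(findings):
    """Mean days from opened to closed over closed serious vulnerabilities; None if none closed."""
    durations = [(closed - opened).days
                 for _, _, _, opened, closed in serious(findings) if closed]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings):
    """Share of serious vulnerabilities that have been closed; None if there are none."""
    found = serious(findings)
    return sum(1 for f in found if f[4]) / len(found) if found else None


def window_of_exposure(findings, site, year):
    """Days in `year` on which `site` had at least one serious vulnerability open.

    A vulnerability is exposed from the day it was opened up to the day before it
    was closed; an unfixed one stays exposed through the end of the year. Overlapping
    vulnerabilities are not double counted because days are collected in a set.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for s, _, _, opened, closed in serious(findings):
        if s != site:
            continue
        first = max(opened, start)
        last = min(closed - timedelta(days=1), end) if closed else end
        day = first
        while day <= last:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def scorecard(findings, year):
    """One row per site, the shape a high-level dashboard would render."""
    per_site = serious_per_site(findings)
    return {
        site: {"serious": per_site.get(site, 0),
               "window_of_exposure_days": window_of_exposure(findings, site, year)}
        for site in sorted({f[0] for f in findings})
    }


if __name__ == "__main__":
    print("average time to fix (days):", average_time_to_fix(FINDINGS))
    print("remediation rate:", remediation_rate(FINDINGS))
    for site, row in scorecard(FINDINGS, 2012).items():
        print(site, row)
```

Window of exposure is the metric worth watching: a site with a short average time to fix can still be exposed for most of the year if one serious finding is never closed.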

As mentioned before, the definition of "serious vulnerabilities" in previous versions of this report included only those with a High, Critical or Urgent severity as defined by PCI DSS naming conventions, exploitation of which "could lead to server breach, user account take-over, data loss or compliance failure". The current edition seems to have changed this to "those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news". This is somewhat wider, but it would be good to know more about the definition.

Registration is required to download the report at the link provided above.

Posted on: 18 June 2013 at 18:17 hrs


17 May 2013

Internet and Mobile Literacy, Usage & Opinions

Ofcom, the UK communications regulator and competition authority, has announced a report on adults' media use and attitudes.

More than half of internet users say they use the same passwords for most websites

The Adults' Media Use and Attitudes Report 2013 (the complete print version runs to 181 pages) discusses media literacy; take-up, preferences and media use; understanding, attitudes and concerns; use of the internet and mobile phones; and three classes of user: new, "narrow" and non-users.

Over half of all internet users think that online purchasing puts their privacy at risk

There is a wealth of valuable data for strategic planning and marketing purposes, but also useful information on security and safety habits and attitudes to regulation of the internet. If you need information to help support decisions around security and usability, this report will have something of use to you.

A quarter of internet users say they have experienced a virus on their home PC or laptop in the past year

It is this weekend's best read.

Posted on: 17 May 2013 at 08:34 hrs


22 February 2013

Threats, Attacks, Exploits and Defences

On Wednesday this week Trustwave published the full version of its latest global security report. It is comprehensive, information-rich and well designed.

Part of page from the Trustwave 2013 Global Security Report showing a diagram that illustrates the main sectors for which mobile apps security testing data in the report relates to

The 2013 Trustwave Global Security Report (registration required) provides information from Trustwave's incident investigations, updates from law enforcement agencies around the world (including SOCA), threat intelligence (attack sources, motivations, emerging techniques, attacks and defences), and some international perspectives. The sources used to aggregate data and draw conclusions include its vulnerability scanning, penetration testing and incident response services, publicly disclosed data breaches, email sources, published vulnerabilities and analysis of malicious web sites. Even this cannot be said to be completely representative, but it is amongst the better data available.

Based on the incident investigation information, payment cardholder data was the primary target because it is highly saleable for subsequent use in fraudulent transactions; personal data is noted as the secondary target, also having some monetary value. The primary victims were the retail, food & beverage and hospitality sectors, attacked through their e-commerce and retail channels (web sites and point of sale/payment processing). These of course reflect organisations that were required to, or felt the need to, engage a company like Trustwave to perform an incident investigation, so there will be a bias towards medium and larger organisations holding personal, credit and debit card data.

Where large quantities of data were compromised, the investigations identified weak administrative credentials, SQL injection and remote file inclusion as the primary vulnerabilities, with data being exfiltrated over HTTP and HTTP over TLS, RDP, SMTP and SMB because egress firewall controls were missing. The report recommends a defence in depth strategy with multiple layers of security; for important applications, a holistic approach that builds security in throughout development and operation is required. In the section on international perspectives for EMEA, the report notes an increasing trend for medium-sized and non-banking organisations to develop strategic application security programmes in which assurance activities are based on the business risk each application presents.

Data points from the WASC Web Hacking Incident Database are also presented. These relate to publicly reported incidents involving web applications during 2012 that have an identified outcome. This does not pretend to be fully representative of all web application attacks, but it does capture many significant events. The most common attack methods were denial of service, followed by SQL injection.

The top 10 application vulnerabilities (I believe the label on the table on page 50 possibly mistakenly includes the word "mobile") highlights how common cross-site scripting (XSS) and cross-site request forgery (CSRF) are, based on a sample of application penetration tests. Separate information is also presented for mobile application penetration tests, comparing the findings to the OWASP Mobile Top 10.

The other part of the report of interest to application designers and architects is the statistical analysis of nearly 3.1 million password hashes from Active Directory servers. In order of number of occurrences, "Welcome1" is the most common password, followed by "STORE123", "Password1", "password", "Hello123", "12345678", "training" and "Welcome2". "STORE123" sounds very like point of sale (POS) systems. These results, and the analysis of password composition and format masks, will be useful where there is a desire to limit the use of common passwords and formats.
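Limiting common passwords and formats needs two checks, not one: a denylist catches "Welcome1" and its trivially varied cousins, and a composition-mask check catches "Welcome9", which is not on any list but has the same shape. The script below is an added example, not code from Trustwave or from this post. The mask alphabet (U upper, L lower, D digit, S anything else), the set of refused formats and the denylist contents are assumptions made for illustration; the denylist reuses the common passwords named in the report purely as sample data.

```python
"""Password composition masks and a common-password screen.

Added example, not code from Trustwave or the original post. The mask alphabet,
the refused formats and the denylist are assumptions; the sample corpus is constructed.
"""
import string
from collections import Counter
from itertools import groupby

# Denylist, stored lower-cased. Entries are the common passwords the report names.
COMMON_PASSWORDS = {"welcome1", "store123", "password1", "password",
                    "hello123", "12345678", "training", "welcome2"}

# Formats refused outright, in the compact mask notation produced by compact_mask().
COMMON_MASKS = {"U1L6D1", "U1L7D1", "U5D3", "L8", "D8"}


def mask(password):
    """Character-class pattern of a password, e.g. 'Welcome1' -> 'ULLLLLLD'."""
    classes = []
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.append("U")
        elif ch in string.ascii_lowercase:
            classes.append("L")
        elif ch in string.digits:
            classes.append("D")
        else:
            classes.append("S")
    return "".join(classes)


def compact_mask(password):
    """Run-length form of the mask, e.g. 'STORE123' -> 'U5D3'."""
    return "".join(f"{cls}{sum(1 for _ in run)}" for cls, run in groupby(mask(password)))


def mask_distribution(passwords):
    """How often each compact mask occurs in a corpus (the report's 'format' view)."""
    return Counter(compact_mask(p) for p in passwords)


def reject_reason(password, common=COMMON_PASSWORDS, common_masks=COMMON_MASKS, min_length=8):
    """Why a candidate password should be refused, or None if it passes.

    The denylist is matched case-insensitively, and again after stripping trailing
    digits, so 'Password2' and 'PASSWORD' are both caught by the 'password' entry.
    """
    lowered = password.lower()
    if lowered in common or lowered.rstrip(string.digits) in common:
        return "common password"
    if len(password) < min_length:
        return "too short"
    if compact_mask(password) in common_masks:
        return "common format"
    return None


# Constructed sample corpus.
SAMPLE = ["Welcome1", "Summer12", "STORE123", "password", "Hello123", "Winter01", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for m, n in mask_distribution(SAMPLE).most_common():
        print(f"{m:16} {n}")
    for candidate in ("Welcome9", "Password2", "Zebra99", "Tr0ub4dor&3"):
        print(candidate, "->", reject_reason(candidate))
```

The mask distribution is also a useful metric to run over your own cracked or audited corpus: a single dominant mask such as U1L6D1 usually means users are satisfying a complexity rule in the most predictable way possible.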

Definitely worthwhile reading.

Posted on: 22 February 2013 at 11:06 hrs


10 August 2012

Software Assurance Maturity Scorecards

I have posted a new message to the Software Assurance Maturity Model (SAMM) blog regarding scorecard charts.

Partial view of a SAMM scorecard chart showing the software assurance maturity levels against the security practices

Like the previously created roadmaps, the scorecard charts use a transformation from an XML file to create an SVG image. They illustrate a team's, project's or organisation's maturity level, scored against SAMM, at a single point in time (the scorecard charts in the SAMM document compare scores at two points in time).

The XML template, schema and transformation files are available to download without charge or registration.

Posted on: 10 August 2012 at 07:52 hrs


Metrics : Web Security, Usability and Design

Page http://www.clerkendweller.com/metrics

© 2008-2014 clerkendweller.com