15 April 2014


Posts relating to the category tag "operation" are listed below.

15 April 2014

Consultation on UK Cyber Essentials Scheme

As mentioned previously, the UK government has now published a draft cyber security standard and assurance framework for SMEs.

Cover from HM Government's 'Cyber Essentials Scheme: Proposed Assurance Framework'

The relevant documents for the Cyber Essentials Scheme are:

The test specification includes "basic web application scanning for [four] common vulnerabilities [in unauthenticated areas only]" , which doesn't seem to be at a level that would be adequate for even the simplest brochureware website. And other types of application, such as mobile apps, are not mentioned at all. I suppose it's a start, but is it enough to make any difference?

The Department for Business, Innovation & Skills is seeking feedback on the draft assurance framework. A response template can be completed and returned by email to cybersecurity@bis.gsi.gov.uk. The consultation closes on 7th May 2014 and the scheme will be launched in the summer.

Posted on: 15 April 2014 at 07:58 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

11 April 2014


Nominet, the .uk country code top level domain name registry, has announced an upcoming change to its terms and conditions which expressly prohibits any .uk domains (and from 2014 .cymru and .wales) being used to carry out criminal activity.

Partial view of Nominet's press release 'Nominet formalises approach to tackling criminal activity on .uk domains'

In the announcement, Nominet explains how it will be working with existing bodies, who are able to alert it to criminal activity on a .uk domain name:

The process and criteria used by the law enforcement agencies to identify the domains is not divulged. But following administrative checks by Nominet, it will suspend the identified domain name being used "for any unlawful purpose", with subsequent complaints being referred back to the relevant law enforcement agency. Nominet intends to report after six months, and thereafter quarterly, on the nature and volume of requests received from each law enforcement agency and about the outcome of related complaints.

Furthermore, Nominet is also taking the opportunity to introduce a ban on registering "proscribed" domain names that appear to "indicate, comprise or promote a serious sexual offence and also where there is no reasonable or legitimate use for that domain".

The revised terms and conditions come into force on 4th May 2014 and are available online with changes highlighted in red.

See also my post last Friday about Regulation of Software with a Medical Purpose.

Posted on: 11 April 2014 at 07:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 April 2014

Do You Know OWASP AppSensor on Twitter?

At the weekend I received an email message from Twitter to OWASP Cornucopia with the subject line "Do you know OWASP AppSensor on Twitter?".

Screen capture of an email from Twitter to @OWaspCornucopia woth subject line 'Do you know OWASP AppSensor on Twitter?'

That's a "yes". I am a Project Leader for both of these OWASP projects with their own Twitter accounts:

Good guess Twitter!

My own Twitter account is @clerkendweller.

Posted on: 07 April 2014 at 12:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 April 2014

Regulation of Software with a Medical Purpose

I seem to have a series of regulation-related posts at the moment. Perhaps the time of year. An article on OutLaw.com discusses how mobile apps and other software medical purpose may be subject to regulation.

Photograph of shelves in a shop displaying rows of medications

The UK's Medicines and Healthcare Products Regulations Agency (MHRA) is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe. It has issued new guidance on "medical device stand-alone software (including apps)" which is defined as "software which has a medical purpose which at the time of it being placed onto the market is not incorporated into a medical device". Thus "software... intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception..."

Guidance on Medical Device Stand-alone Software (Including Apps) describes the scope, requirements and software-specific considerations. Product liability and safety considerations are also mentioned.

This introduces the potential need for registration, documentation, self-assessment, validation, monitoring and incident reporting, especially if the software performs any form of diagnosis or assessment. The OutLaw.com article provides a good analysis and views from experts.

Posted on: 04 April 2014 at 10:11 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

31 March 2014

Regulator Weighs into the Consumer Software Sector

The US Federal Trade Commission has brought two companies to task over inadequate data protection in their mobile apps.

The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

In the proceedings against Credit Karma Inc, the complaint describes the company's website and mobile app which consumers can use to monitor and evaluate their credit and financial status. And, in the proceedings against Fandango LLC the complaint describes how the company has a website and mobile application that allow consumers to purchase movie tickets and view showtimes, trailers, and reviews.

The cases describe a number of problems with security but focus on how the apps had disabled SSL certificate validation leading to the possibility attackers could redirect and intercept network traffic, decrypt, monitor, or alter any of the information transmitted from or to the application, including personally identifiable information. The FTC also said the companies mis-represented the security of the apps to consumers.

The consent orders require the companies not to misrepresent how the apps maintain and protect the privacy, security, confidentiality, or integrity of information. Additionally they must establish and implement, and thereafter maintain, a comprehensive security program including in summary:

  • Designated employee to coordinate the security programme and be accountable for it
  • Assessment of security and privacy risks and safeguards that mitigate these
  • Security throughout the software development lifecycle including employee training and management; secure engineering and defensive programming; product design and development, secure software design, development, and testing; review, assessment, and response to third-party security vulnerability reports; and prevention, detection, and response to attacks, intrusions, or systems failures
  • Implementation, testing and periodic re-assessment of security controls, systems and procedures
  • Due diligence and assessment of service providers
  • Monitoring, review and improvement of the security programme.

Furthermore, these programmes are to be independently assessed initially and then biennially for 20 years by an independent third-party professional who is suitably qualified. The orders mention the assessor may be a "Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming, or a similarly qualified person or organisation approved by the FTC.

It looks like the year for comprehensive security software development lifecycle initiatives such as Open SAMM, MS-SDL and the Bits Framework.

Posted on: 31 March 2014 at 09:11 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

21 March 2014

Track Your Domain Name and SSL Certificate Expiry

It can be embarrassing if your website domain registration is not renewed on time or an SSL certificate expires.

Partial screen capture of a web browsing showing a warning for a name mismatch on an SSL certificate

SSL certificates can usually be replaced relatively quickly, in the case of a domain name, there is a risk the name is lost forever. Domain names can be particularly troubling, as some registrars will redirect traffic to their own or random other websites, possibly containing material you would not want to be associated with.

While you ought to have your own processes in place to ensure these events do not occur for any domain names and certificates assigned to systems, I came across a handy service that might also be able to provide early warning reminders.

You need to make sure all the relevant domains are set up correctly. Identifying all domain names in use for supporting web systems and other services, including those that redirect can be a challenge, but needs to be done and maintained. I have used the service for a few months now; the domain alerts seem to work for non .uk domains only, and I'm not sure the SSL certificate expiry service is fully working. Still it might be useful for some.

Not paying the bills of your hosting and DNS service providers is another way for these events to occur!

PS If you want to examine whether there are similar domain names which someone may mis-type when trying to access your site, there is a handy online tool to help with that too.

Posted on: 21 March 2014 at 17:35 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

08 March 2014

The Cost of Privacy Breaches

Yesterday, the UK's privacy regulator Information Commissioner's Office (ICO) announced that the British Pregnancy Advice Service (BPAS), a UK registered charity, has been fined £200,000 for losing personal data relating to 9,900 individuals from its web site in March 2012.

[BPAS] bpas has robust systems of governance in place for both clinical and general management

The Monetary Penalty Notice, issued on 28th February 2014, describes how someone found vulnerabilities in the BPAS web site content management system (CMS) using a scanning tool. It seems they did not have to resort to manual application penetration testing. They exploited this to deface the website and also take personal data from people who had submitted an advice call back form on the site. Each record contained the name, date of birth, address and telephone number of the person. Although no other sensitive data was stored, the individuals were probably asking for advice about one of the services offered by the charity: contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction.

[ICO] Some of the call back details were from individuals whose ethnicity and social background could have led to physical harm or even death if the information had been disclosed by the attacker.

The perpetrator threatened to publish the names of the individuals. Fortunately he was identified, an injunction was obtained from the High Court to prevent him from publishing any information, the data was recovered and the he was arrested by the police, and apparently subsequently received a prison sentence of 32 months. Even though the web site was allegedly not meant to be storing the call back information, it was still BPAS's responsibility to ensure this was the case, and also to secure its assets more generally. But the charity has published a press release stating surprise and shock at the level of the fine.

[BPAS] we are horrified by the scale of the fine, which does not reflect the fact that bpas was a victim of a serious crime by someone opposed to what we do. ... This fine seems out of proportion when compared with those levelled against other organisations who were not themselves the victims of a crime.

This would seem to be a likely attack. There will be individuals who will want to harm BPAC and its reputation. We do not know the method of exploitation, although a vulnerability found by simple scanning of the CMS suggests so perhaps it could relate to perhaps:

  • SQL injection via the CMS log in form
  • Theft of admin credentials or session identifiers using cross-site scripting
  • Authentication bypass

BPAS suggests that the data was lost because it was being stored without their knowledge. But if the web site can be compromised it could be as easy for the attacker to capture the information in transit even if it is not stored on the server.

The real victims could so easily have been the people whose data was stolen not BPAS. Is a £20 fine per individual affected actually enough? Also, the data might have been taken previously by someone else who neither defaced the website and nor contacted BPAS about their success. If an organisation thinks it cannot afford a fine of this level, it should take action to reduce the likelihood of it occurring. The disruption and effort dealing with this sort of event is also very great. In the event of data not being recovered and prevented from being distributed more widely as in this case, the cost of identity monitoring might exceed the fine issued by the ICO.

[me] is a £20 fine per individual affected actually enough?

The ICO also recently announced a new Conducting Privacy Impact Assessments (PIAs) Code of Practice, developed after a consultation about how PIAs have been working. In that announcement, Steve Wood ICO Head of Policy said:

[ICO] The development of projects involving the processing of large amounts of personal information is no longer the preserve of the public sector and large businesses. Today even an app developer can be developing a product in their bedroom that involves using thousands of people's information.

Same for non-bedroom developed websites. Charities and professional services organisations take note.

Posted on: 08 March 2014 at 18:23 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

28 February 2014

Fill Yer Boots with Hyperlinks

Have you ever had any nagging doubts about whether you are allowed to link to other websites without their consent? Or perhaps you have been bullied by a website owner into removing links to them?

Yellow blossom on an acacia tree in central London

The European Court of Justice (ECJ) has ruled that web sites are not infringing copyright by simply linking to third party content content. However, this is not the case if the hyperlink is to content that requires some sort of access control such as meant for subscribers.

The ruling is described in a press release. And further details about the case between a web company Retriever Sverige AB and journalists from the Swedish newspaper Goteborgs-Posten are available.

Quote that to anyone who asks.

Posted on: 28 February 2014 at 10:45 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or less people. 30% of respondents had development teams with less than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Centre has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

19 February 2014

OWASP CISO Survey Report Published

The report detailing results from the OWASP CIDSO Survey in 2013 has been published.

Cover from the OWASP CISO Survey and Report 2013, Version 1.0 - January 2014

The survey results report provides tactical intelligence on real-world application security, and complements the recent OWASP CISO Guide that describes how CISOs can act on this intelligence to achieve the optimal information security programs for their organisations.

The CISO survey report comprises:

  • Survey methodology
  • Objectives
  • Survey and report 2013
    • Threats and risks
    • Investments and challenges
    • Tools and technology
    • Governance and control
  • Conclusions
  • References

This is an excellent resource, largely due to the effort of OWASP board member Tobias Gondrom and the survey's participants, with generous assistance from Marco Marona, Stephanie Tan, and members of the former OWASP Global Industry Committee. Although I am kindly mentioned in the acknowledgements, I only made a minor contribution to this one.

The CISO Survey Project's activities and news are announced and discussed through a mailing list. It is also possible to register to receive email notifications about future releases and updates to the OWASP CISO Survey and related CISO projects.

Posted on: 19 February 2014 at 07:44 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Operation : Web Security, Usability and Design
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/operation
Requested by on Saturday, 19 April 2014 at 12:57 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com