04 April 2014


Posts relating to the category tag "SDLC" are listed below.

04 April 2014

Regulation of Software with a Medical Purpose

I seem to have a series of regulation-related posts at the moment. Perhaps it is the time of year. An article on OutLaw.com discusses how mobile apps and other software with a medical purpose may be subject to regulation.

Photograph of shelves in a shop displaying rows of medications

The UK's Medicines and Healthcare products Regulatory Agency (MHRA) is responsible for regulating all medicines and medical devices in the UK by ensuring they work and are acceptably safe. It has issued new guidance on "medical device stand-alone software (including apps)", which is defined as "software which has a medical purpose which at the time of it being placed onto the market is not incorporated into a medical device". Thus "software... intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process,
  • control of conception..."

Guidance on Medical Device Stand-alone Software (Including Apps) describes the scope, requirements and software-specific considerations. Product liability and safety considerations are also mentioned.

This introduces the potential need for registration, documentation, self-assessment, validation, monitoring and incident reporting, especially if the software performs any form of diagnosis or assessment. The OutLaw.com article provides a good analysis and views from experts.

Posted on: 04 April 2014 at 10:11 hrs

31 March 2014

Regulator Weighs into the Consumer Software Sector

The US Federal Trade Commission has brought two companies to task over inadequate data protection in their mobile apps.

The settlements require Fandango and Credit Karma to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments every other year for the next 20 years. The settlements also prohibit Fandango and Credit Karma from misrepresenting the level of privacy or security of their products and services.

In the proceedings against Credit Karma Inc, the complaint describes the company's website and mobile app, which consumers can use to monitor and evaluate their credit and financial status. In the proceedings against Fandango LLC, the complaint describes the company's website and mobile application, which allow consumers to purchase movie tickets and view showtimes, trailers and reviews.

The cases describe a number of security problems but focus on how the apps had disabled SSL certificate validation, opening the possibility that attackers could redirect and intercept network traffic and decrypt, monitor or alter any of the information transmitted to or from the application, including personally identifiable information. The FTC also said the companies misrepresented the security of the apps to consumers.

The consent orders require the companies not to misrepresent how the apps maintain and protect the privacy, security, confidentiality, or integrity of information. Additionally they must establish and implement, and thereafter maintain, a comprehensive security program including in summary:

  • Designated employee to coordinate the security programme and be accountable for it
  • Assessment of security and privacy risks and safeguards that mitigate these
  • Security throughout the software development lifecycle including employee training and management; secure engineering and defensive programming; product design and development, secure software design, development, and testing; review, assessment, and response to third-party security vulnerability reports; and prevention, detection, and response to attacks, intrusions, or systems failures
  • Implementation, testing and periodic re-assessment of security controls, systems and procedures
  • Due diligence and assessment of service providers
  • Monitoring, review and improvement of the security programme.

Furthermore, these programmes are to be independently assessed initially and then biennially for 20 years by an independent third-party professional who is suitably qualified. The orders mention the assessor may be a "Certified Secure Software Lifecycle Professional (CSSLP) with experience in secure mobile programming; Certified Information System Security Professional (CISSP) with professional experience in the Software Development Security domain and secure mobile programming, or a similarly qualified person or organisation approved by the FTC".

It looks like this is the year for comprehensive secure software development lifecycle initiatives such as OpenSAMM, MS-SDL and the BITS Framework.

Posted on: 31 March 2014 at 09:11 hrs

13 March 2014

OWASP Top Ten 2013 A9 and Principle 7 (Security) of the Data Protection Act

The UK Information Commissioner's Office (ICO) has made a clear statement that it believes unpatched software is no longer acceptable.

30% of PCs still use Microsoft XP. If your business does after 8 April 2014 it may be breaching #DPA

The ICO does not provide much prescriptive guidance about Principle 7 of the Data Protection Act (DPA) 1998 concerning security, and data controllers and processors have to read all the guidance and enforcement actions to get a feel for what is expected. Thus for example, for many years the ICO has taken a very dim view of losing mobile devices that have unencrypted storage media.

It seems the time has come for addressing published software vulnerabilities in a timely manner to be included in the bare minimum controls the ICO expects to be in place to protect personal data.

In a tweet and a referenced post on the ICO's blog, Simon Rice, Group Manager for the ICO's technology team, has highlighted how unpatched vulnerabilities in software and infrastructure that are not mitigated in any other way could be considered a breach of the DPA's 7th principle.

Read more about vulnerabilities in software components from OWASP, and also how one UK charity was fined last week by the ICO after a data breach involving a vulnerability in a website content management system (CMS).

Posted on: 13 March 2014 at 12:21 hrs

25 February 2014

SANS 2014 Report on Application Security Programmes

The SANS Institute has published the results of a survey about application security programmes.

Partial screen capture of one of the charts from the SANS report 'Survey on Application Security Programs and Practices'

The researchers Jim Bird and Frank Kim stated the goals were to discover:

  • How widespread and mature application security programs are
  • Their effectiveness
  • What tools and practices are being utilised through the development lifecycle and which are most useful
  • How training is being undertaken and its effectiveness
  • How much is being spent on application security, where and whether this is aligned with organisational risk
  • What are the organisations' future plans for application security

488 respondents provided the data summarised in the report, with a quarter of these working in very large enterprises of more than 15,000 people and 39% from organisations with 1,000 or fewer people. 30% of respondents had development teams with fewer than 25 staff, and 6% had no developers at all, with all software development being outsourced.

The published report can be downloaded free of charge at SANS Survey on Application Security Programs and Practices.

The survey found that although organisations are investing more in application security, it is not particularly effective, and that root causes are not being addressed and instead there is still a reliance on mitigating software vulnerabilities after deployment. I recommend reading the findings and conclusions in full.

There was another document referenced in the report which I was not aware of. The US-based Financial Services Information Sharing and Analysis Center has published a useful white paper titled Appropriate Software Security Control Types for Third Party Service and Product Providers to improve software security control practices.

Posted on: 25 February 2014 at 07:15 hrs

19 February 2014

OWASP CISO Survey Report Published

The report detailing results from the OWASP CISO Survey in 2013 has been published.

Cover from the OWASP CISO Survey and Report 2013, Version 1.0 - January 2014

The survey results report provides tactical intelligence on real-world application security, and complements the recent OWASP CISO Guide that describes how CISOs can act on this intelligence to achieve the optimal information security programs for their organisations.

The CISO survey report comprises:

  • Survey methodology
  • Objectives
  • Survey and report 2013
    • Threats and risks
    • Investments and challenges
    • Tools and technology
    • Governance and control
  • Conclusions
  • References

This is an excellent resource, largely due to the effort of OWASP board member Tobias Gondrom and the survey's participants, with generous assistance from Marco Marona, Stephanie Tan, and members of the former OWASP Global Industry Committee. Although I am kindly mentioned in the acknowledgements, I only made a minor contribution to this one.

The CISO Survey Project's activities and news are announced and discussed through a mailing list. It is also possible to register to receive email notifications about future releases and updates to the OWASP CISO Survey and related CISO projects.

Posted on: 19 February 2014 at 07:44 hrs

24 January 2014

Cornucopia Source Card Data

I have recently published the data on the OWASP Cornucopia Ecommerce Website Edition card game in XML format.

Part of the XML data file illustrating the format

The XML data (for version 1.03) is an extract of all the information included on the playing cards in the source word processor document. Going forward I intend to maintain both versions in parallel.

I am hoping the XML version will allow people to consume the data in other documents, applications and systems, or help them create their own printable versions more easily. Like everything else in the project this is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

As a demonstration of using the XML file, the Cornucopia project now has a Twitter account (@OWASPCornucopia), which tweets the attack text from a pseudo-randomly selected card twice daily. For example, the sequence of three (this time) tweets from a couple of hours ago today:

  • [2014-01-24] Standby, the croupier is dealing a Cornucopia Ecommerce Website Edition card http://bit.ly/1g7dEZE #owasp #pcidss #appsec ...
  • The card for Friday morning (GMT+0) is the Nine of Cryptography, which reads "Andy can bypass random number generation, random GUID...
  • ...generation, hashing and encryption functions because they have been self-built and/or are weak"

Currently the card is selected from the whole pack each time, but this could (should?) be changed to randomly select a card from the deck until all cards have been dealt. The account's profile photo is updated to match the card for an hour, before it reverts to a more generic image. The tweets might just about be helpful as an application security awareness resource — perhaps as "appsec requirement of the day".

A trivial use, but it was fun doing some coding. And working on this helped me come up with a solution for another problem I have been thinking about.
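As an added example (not the project's code and not the bot itself), the deal-without-replacement behaviour suggested above and the splitting of a card's text across tweets, in Python; the XML element and attribute names and the two placeholder cards are assumptions, since the layout of the real version 1.03 data file is not shown here.

```python
# Added example; the XML layout (<deck>, <suit name>, <card value>) is assumed, not the real 1.03 file.
import secrets
import xml.etree.ElementTree as ET

TWEET_LIMIT = 140  # the limit in force when the bot was written

# Constructed sample: one real card quoted in the post, two placeholder cards.
SAMPLE_XML = """<deck edition="Ecommerce Website Edition" version="1.03">
  <suit name="Cryptography">
    <card value="9">Andy can bypass random number generation, random GUID generation,
      hashing and encryption functions because they have been self-built and/or are weak</card>
    <card value="10">Constructed placeholder text for the Ten of Cryptography</card>
  </suit>
  <suit name="Data validation and encoding">
    <card value="2">Constructed placeholder text for the Two of Data validation and encoding</card>
  </suit>
</deck>"""

RANKS = {"A": "Ace", "2": "Two", "3": "Three", "4": "Four", "5": "Five", "6": "Six", "7": "Seven",
         "8": "Eight", "9": "Nine", "10": "Ten", "J": "Jack", "Q": "Queen", "K": "King"}


def load_deck(xml_text):
    """Return every card as a (suit, value, text) tuple, whitespace normalised."""
    root = ET.fromstring(xml_text)
    return [(suit.get("name"), card.get("value"), " ".join(card.text.split()))
            for suit in root.iter("suit") for card in suit.iter("card")]


def card_name(card):
    suit, value, _text = card
    return f"{RANKS.get(value, value)} of {suit}"


class Dealer:
    """Deals without replacement: every card comes out once before the pack is reshuffled."""
    def __init__(self, cards):
        self.pack = list(cards)
        self.remaining = []
        self.rng = secrets.SystemRandom()  # OS CSPRNG rather than the default Mersenne Twister

    def deal(self):
        if not self.remaining:            # pack exhausted: start a fresh shuffled pack
            self.remaining = list(self.pack)
            self.rng.shuffle(self.remaining)
        return self.remaining.pop()


def announce(card, when):
    """Compose the bot's message in the wording of the tweet quoted in the post."""
    return f'The card for {when} is the {card_name(card)}, which reads "{card[2]}"'


def tweet_chunks(text, limit=TWEET_LIMIT):
    """Split on word boundaries into tweets of at most `limit` chars, marking a
    continuation with a trailing " ..." and a leading "..." as the bot's tweets do."""
    chunks, current = [], ""
    for word in text.split():
        candidate = f"{current} {word}".strip()
        if current and len(candidate) + 4 > limit:   # keep 4 chars for " ..."
            chunks.append(current + " ...")
            current = "..." + word
        else:
            current = candidate
    chunks.append(current)
    return chunks


if __name__ == "__main__":  # deal one card and print the tweet(s) for it
    for tweet in tweet_chunks(announce(Dealer(load_deck(SAMPLE_XML)).deal(), "this morning (GMT+0)")):
        print(tweet)
```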

Posted on: 24 January 2014 at 10:56 hrs

03 December 2013

Building Secure Software at OWASP London

The next OWASP London event will be on Thursday 12th of December 2013, at 18:00 for 18:30 hrs at Morgan Stanley in Canary Wharf.

Photograph of an office block under construction in the City of London

I am speaking, but I am particularly looking forward to Ofer Maor's presentation about Interactive Application Security Testing (IAST). The presentations are:

  • IAST: Runtime Code & Data Security Analysis - Beyond SAST/DAST
    Ofer Maor

    Until recently, Static and Dynamic Application Security Testing (SAST/DAST) dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data at runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...
  • OWASP Cornucopia
    Colin Watson

    Microsoft's Elevation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.

So, there will be a broad mix of information suitable for a wide range of developers, testers, and verifiers - of whatever skill level. My own presentation will be similar to the one I gave in June during the OWASP EU Tour, but it has been specially updated for this event. There will also be news about next year's AppSec Europe being held in Cambridge. I imagine we will move to a local bar/pub at around 20:30 hrs to continue the discussion.

Further details are available on the chapter's page. Free registration is required for access to the host's building (Morgan Stanley, 25 Cabot Square, E14 4QA). Registration closes when all spaces are booked, or the evening before, whichever is soonest.

Posted on: 03 December 2013 at 08:41 hrs

02 December 2013

Guide to Drupal Security

Drupal is a popular content management system. Like other frameworks, Drupal requires security configuration, together with that of associated system components, during initial setup and during operation.

One of the pages from the new Drupal security guidance document 'Drupal Security Best Practices - A Guide for Governments and Nonprofits'

Drupal Security Best Practices - A Guide for Governments and Nonprofits provides server, PHP, database and Drupal configuration guidance, but also describes the need for separate environments and the activities required for regular maintenance. This is a helpful resource, and the additional Drupal security resources listed in section "L" on page 30 of the guide should also be read.

The guide can be downloaded free of charge, but the registration form can be used to be kept informed about updates. Contributions to the guide are encouraged.

Posted on: 02 December 2013 at 09:00 hrs

16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programs in the light of their own roles, responsibilities, perspectives and needs. The book examines CISOs' responsibilities from the perspectives of governance, compliance and risk. The primary author Marco Morana is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic. It is also completely technology and vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, how application security risks should be managed, how to build, maintain and improve an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs

05 November 2013

BSIMM 5 Released

The fifth edition of the Building Security In Maturity Model (BSIMM) survey of secure software development practices has been published by Cigital, a year since the previous version.

Partial screen capture of the infographic published with BSIMM V

BSIMM v5 now includes recent data from 67 companies across a dozen sectors, including 26 from financial services and 25 independent software vendors. On average the companies had practiced formalised software security processes for over 4 years, and had over 4,000 developers (1,600 median). BSIMM surveyed the companies against 112 activities which can be used to assess your own programmes.

The survey reports that the most successful software security initiatives are typically run by a senior executive who reports to the highest levels in an organisation. And, this release includes the expected infographic to accompany the report.

There is a wide range of approaches across the surveyed companies. However, the following objectives and activities (listed as objective / activity) were identified most commonly in highly successful software security programmes:

  • Establish SSDL gates (but do not enforce) / Identify gate locations, gather necessary artifacts
  • Promote privacy / Identify PII obligations
  • Promote culture of security throughout the organisation / Provide awareness training
  • Prioritise applications by data consumed/manipulated / Create a data classification scheme and inventory
  • Create proactive security guidance around security features / Build and publish security features
  • Meet demand for security features / Create security standards
  • Get started with architectural analysis / Perform security feature review
  • Drive efficiency/consistency with automation / Use automated tools along with manual review
  • Start security testing in familiar functional territory / Drive tests with security requirements and security features
  • Demonstrate that your organisation's code needs help too / Use external penetration testers to find problems
  • Provide a solid host/network foundation for software / Ensure host and network security basics are in place
  • Use ops data to change dev behaviour / Identify software bugs found in operations monitoring and feed them back to development

The survey also provides some insight into trends in US companies (50) versus those in Europe (17), and notes companies in the latter are undertaking fewer activities on average.

Posted on: 05 November 2013 at 09:25 hrs

SDLC : Web Security, Usability and Design

Page http://www.clerkendweller.com/sdlc
© 2008-2014 clerkendweller.com