26 June 2015

Game Fame

I have been catching up on a backlog of information security related podcasts, and one episode of the Security Influencers Channel from January mentions my application security games.

Adam Shostack, who developed the Elevation of Privilege Threat Modelling Card Game and is responsible for Microsoft's software threat modeling process, maintains a page on security games and said about my OWASP Cornucopia card game:

Let me actually plug an awesome OWASP project that hasn't got enough attention, and that's the Cornucopia game... which are designed to help people with web security... so folks should go check that out

Interviewer Jeff Williams also mentioned my OWASP Snakes and Ladders board game:

There's actually another game out of OWASP that you may have seen called Snakes and Ladders... it's very cool... it's a take off on Chutes and Ladders game... but it's all security stuff... it's actually really fun

Thank you for the mentions. Check out episode 26 of the podcast. The games are free to use and can be downloaded from the OWASP website.

And, if you are attending AppSec USA 2015 in San Francisco, I heard yesterday that my submission to deliver Cornucopia card game lightning training has been accepted and runs from 2-3pm on Thursday 24th September. All the one-hour duration lightning training sessions are free to all conference attendees and run alongside the conference talks on Thursday 24th and Friday 25th September. Now just three months away.

Posted on: 26 June 2015 at 07:43 hrs


23 June 2015

Docker Security Resources

Two recent publications provide security advice for Docker users.

Partial view of content from the CIS Benchmark for Docker Engine 1.6

The Center for Internet Security (CIS) has published a Benchmark for Docker Engine 1.6. A related tool, Docker Bench, is a script that checks for all the automatable tests included in the CIS Docker 1.6 Benchmark.

In March, a white paper Introduction to Container Security was also published.

See also the Docker Security page.

Posted on: 23 June 2015 at 16:05 hrs


19 June 2015

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers.

Partial view of a table from 'Common Security Issues in Financially-Oriented Web Applications'

Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections:

  • Time-of-Check-Time-of-Use (TOCTOU) and race condition issues
  • Parameter manipulation
  • Replay attacks (capture-replay)
  • Rounding issues
  • Numerical processing
  • Card number-related issues
  • Dynamic prices, prices with tolerance, or referral schemes
  • Discount codes, vouchers, offers, reward points, and gift cards
  • Cryptography
  • Downloadables and virtual goods
  • Hidden and insecure backend APIs
  • Using test data in production environment
  • Currency arbitrage in deposit/buy and withdrawal/refund.

Soroush Dalili has provided a very useful and extensive guide, which should be used by developers as well as testers.

On this topic, I would also recommend watching the presentation by Wojtek Dworakowski at AppSec EU 2015 in May about E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation (also available to download).

All the other presentation recordings from AppSec EU 2015 can be found on YouTube and are also available to download.

Posted on: 19 June 2015 at 08:30 hrs


16 June 2015

The Value of Personal Information

The story that consumers and others are willing to give away information about their personal life to companies in exchange for some trivial benefit is often heard. A new research paper published in the United States undermines this belief.

Clubbers enjoying Carl Cox dj-ing in Ibiza

The Tradeoff Fallacy - How Marketers Are Misrepresenting American Consumers And Opening Them Up to Exploitation has been written by Joseph Turow and Michael Hennessy from the Annenberg Public Policy Center at the University of Pennsylvania and Nora Draper from the Department of Communication at the University of New Hampshire.

People often release information about themselves in ways that suggest little concern about disclosure and collection of their personal data.

The authors found that a large pool of Americans feel resigned to the inevitability of surveillance and the power of marketers to harvest their data. And people who are resigned do not predictably decide to give up their data. Additionally there was no statistical relationship found between being resigned to marketers' use of data and accepting or rejecting various kinds of supermarket discounts.

Read the paper and further analysis on Techcrunch.

Posted on: 16 June 2015 at 07:58 hrs


15 June 2015

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation.

Photograph of Hadrian's Roman Wall in Northumberland, England

OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful concepts in existing applications and is provided under an MIT open-source licence.

Version 2.1.0 includes additional execution modes, additional emitters, enhanced documentation, upgraded Maven dependency versions, and Spring Security integration. Additionally, two demonstration applications have been added. The first example application illustrates how to use AppSensor in local mode with the Spring Security integration. The second example shows the use of AppSensor for something other than application layer IDS — in this case, as an exception tracker.

The code can be downloaded from GitHub.

John is now hoping to move onto creating a user interface (UI) for the reference implementation, and is seeking feedback on the UI architecture and design. Please contribute your ideas by adding comments this week.

Posted on: 15 June 2015 at 07:06 hrs


11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat Website Security Statistics Report 2015 showing Frequency of Adhoc Code Review by Industry Sector

Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs


02 June 2015

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health.

The cover sheet from the European Data Protection Supervisor (EDPS) opinion on Mobile Health (mHealth)

Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the use of mobile apps. The apps can deliver health-related services through smart devices often processing personal information about health and other lifestyle and well-being information.

The EDPS was concerned about the adverse effect mHealth may have on individuals' rights to privacy and personal data protection, and wanted to highlight relevant aspects that might be overlooked. The opinion builds on existing data protection rules and draws upon the 2013 opinion adopted by the Article 29 Working Party on mobile apps installed on smart devices. It also considers the implications of the potential changes in the proposed General Data Protection Regulation ("GDPR").

The opinion's view is that the following measures, reproduced verbatim, would bring about substantial benefits for data protection:

  • The EU legislator should, in future policy making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps (including designers and device manufacturers)
  • App designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing of their data and avoid collecting more data than is needed to perform the expected function. They should do so by embedding privacy and data protection settings in the design and by making them applicable by default, in case individuals are not invited to set their data protection options manually, for instance when installing apps on their smart devices
  • Industry should use Big data in mHealth for purposes that are beneficial to the individuals and avoid using them for practices that could cause them harm, such as discriminatory profiling
  • The legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools.

In the document's conclusion, the EDPS hopes that compliance with data protection principles and rules will contribute to the full development of the mHealth sector.

Posted on: 02 June 2015 at 08:29 hrs


29 May 2015

iOS Security Guide 2015

Apple has updated its extensive iOS security guidance.

Apple is committed to helping protect customers with leading privacy and security technologies that are designed to safeguard personal information, as well as comprehensive methods to help protect corporate data in an enterprise environment.

The iOS Security Guide (April 2015, for iOS 8.3 or later) provides details about how security technology and features are implemented within the iOS platform. It also provides information on how to use these in organisations with their own policies and procedures.

See also the Center for Internet Security (CIS) iPhone security benchmarks, last updated October 2014.

Posted on: 29 May 2015 at 10:38 hrs


28 May 2015

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime.

Chapter header '5. Data security' in the FCA guidance 'Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime'

Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document provides guidance regarding financial crime systems and controls, money laundering and terrorist financing, fraud, data security, bribery and corruption, and sanctions and asset freezes. Some of these are clearly sector-specific but there is generally applicable advice too.

Chapter 5 on data security draws on, and extends, guidance originally published in the former FSA's document Data Security, published in 2008.

Part 2 of the document contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the recent reviews' findings.

The guidance took effect on 27 April 2015.

Posted on: 28 May 2015 at 08:59 hrs


18 May 2015

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes.

One of the charts from the SANS report '2015 State of Application Security: Closing the Gap' showing the popularity of language and perceived security risk

In a change to last year's report the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders.

Jim Bird, Eric Johnson and Frank Kim analysed data from 435 respondents, a quarter of which came from financial services/banking. Two-thirds of respondents worked in organisations with 1,000 or more people.

The report is full of useful information that reflects the languages, frameworks and development practices utilised by the survey participants. It identifies the top challenges, drivers and practices for builders and defenders, and also which standards, guidance, lifecycle models and other references are used by the organisations' own application security programmes.

A breakdown of the proportion of the overall IT budget spent on application security is also presented.

The report is free to access and download.

Posted on: 18 May 2015 at 09:09 hrs


Page https://www.clerkendweller.uk/
© 2008-2015 clerkendweller.uk