27 March 2015

Financial Conduct Authority Update March 2015

The UK's Financial Conduct Authority (FCA) is becoming more proactive in the online application space.

Photograph of one of the dragon boundary marks at the boundary of the City of London on Embankment

Following last year's consultation on use of social media, the FCA has completed its review and has now confirmed its approach for financial promotions in social media.

The finalised guidance has been published as FG15/4 - Social Media and Customer Communications: The FCA's Supervisory Approach to Financial Promotions in Social Media.

This covers web sites and applications that enable users to create and share content or participate in social networking, including blogs, microblogs (e.g. Twitter), social and professional networks (e.g. Facebook, LinkedIn, Google+), forums, and image and video-sharing platforms (e.g. YouTube, Instagram, Vine, Pinterest). Any form of communication (including through social media) is capable of being a financial promotion, depending on whether it includes an invitation or inducement to engage in financial activity. So, for example, it would include 'advergames', where promotional messages are placed in entertainment applications.

On another matter, in addition to the document published in July on Considerations for Firms Thinking of Using Third-Party Technology (off-the-shelf) Banking Solutions, legal news blog Out-law.com reports the FCA is examining platforms' technology systems later this year.

The FCA is also consulting on proposed changes to its consumer credit rules and guidance. Almost a year ago on 1st April 2014 the FCA took over the regulation of consumer credit from the former Office of Fair Trading (OFT). This brought around 50,000 consumer credit firms into its scope.

And finally, the UK's new Payment Systems Regulator (PSR), launching next week and part of the FCA, has announced its regulatory framework for payment systems (summary factsheet). Customers of payment services providers may not be aware of this change; card payment systems are in the 2015/16 programme of work.

Keep up-to-date with FCA and PSR news.

Posted on: 27 March 2015 at 08:40 hrs


24 March 2015

Web Application Attacks from a WAF Perspective

I had lost track of Imperva's useful Hacker Intelligence Initiative (HII), threat advisories and Web Application Attack Reports (WAARs). The latest WAAR was published in October 2014.

Part of Imperva's 'Web Application Attack Report Edition #5 - October 2014' illustrating two of the charts included

Web Application Attack Report Edition #5 - October 2014 describes the most popular web application targets, attack vectors, duration and magnitude. The analysis is based on data from 99 web applications that had a web application firewall (WAF) from the vendor deployed in the period 1st August 2013 to 30th April 2014.

Attack data are included for:

  • SQL injection
  • Remote file inclusion
  • Local file inclusion
  • Directory traversal
  • Cross-site scripting
  • Comment spamming.

Other types of attack vector and threats are not covered. The report's introduction suggests that a further 201 web applications did not see any of these types of attack during the period.

Posted on: 24 March 2015 at 08:32 hrs


20 March 2015

The Hard Problem of Securing Enterprise Applications

This paper about securing enterprise applications has been sitting in my email since November. I eventually got round to reading it and apologise for not highlighting it sooner.

Vendor recommended security controls and compliance requirements leave huge gaps in application security. ... Most have no understanding of how the application platforms work, where security events should be collected, nor how to analyze application specific information.

Securing Enterprise Applications describes the problems modern enterprises have with application security: security use cases, security gaps and recommendations. These are my favourite selective snippets. This:

The biggest gap and most pressing need is that most monitoring systems do not understand enterprise applications. To continuously monitor enterprise applications you need to collect the appropriate data and then make sense of it.

And:

Traditional application security vendors who claim "deep packet inspection" for enterprise application security skirt understanding how the application actually works.

And:

Continuous monitoring of enterprise application activity, with full understanding of how that application works, is the most common gap in enterprise security strategies.

And:

This means that you can block activity, not just monitor. Properly configured with white/black listing, they help prevent exploitation of 0-day attacks and filter out other unwanted behavior. They work at the application layer so they are typically deployed one of three ways: as an agent on the application platform, as a reverse proxy for the application, or embedded into the application itself.

Read and implement AppSensor. It's free.

Posted on: 20 March 2015 at 08:16 hrs


17 March 2015

Payment Security and PCI DSS Compliance 2015

Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management.

Partial screen capture from the Verizon report 'PCI Compliance Report 2015' showing one of the many charts

PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from forensic investigation reports.

It describes the challenges of maintaining compliance and mentions the scale and complexity of requirements, uncertainty about scope and impact, the ongoing compliance cycle, lack of resources, lack of insight into business processes and misplaced confidence in existing information security maturity.

Each main requirement has a dedicated section summarising the changes in v3.0, describing the compliance challenges found, and providing recommendations for maintaining security and compliance. The authors describe methods they consider should be used to make compliance easier, more effective and sustainable.

There is a useful "compliance calendar" in Appendix C of the report which shows the periodic and other triggers for certain activities across the 12 requirements. A "must read" if you are a payment merchant or service provider.

Posted on: 17 March 2015 at 08:46 hrs


10 March 2015

Web Site Oops Roundup

Some news stories about web site security incidents caught my eye in the last week.

Photograph of a sign reading

These events outline some disappointing behaviour:

Not on your systems I hope!

Posted on: 10 March 2015 at 08:15 hrs


06 March 2015

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response.

Front page of the new 'AppSensor Introduction for Developers'

During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host Mark Miller. I am pleased to say that thought rolled onto the project's mailing list, and John Melton rapidly wrote and published the text copy.

I took that copy and additional suggestions by Louis Nadeau to design a two-page briefing document. This is available to download from the OWASP web site:

Please circulate this to software developers. The text is also available on CrowdIn if anyone would like to volunteer to translate the briefing, or the guide for that matter, into other languages.

We also plan to create a short guide for Chief Information Security Officers (CISOs), with content drawn primarily from the first few chapters of the existing AppSensor Guide v2.0.

Posted on: 06 March 2015 at 10:21 hrs


03 March 2015

User Interface Modifications to Combat Buyer Fraud

A paper published for the 2015 Network and Distributed System Security (NDSS) Symposium in February describes user interface modification techniques to address liar buyer fraud, and the results of experiments assessing the potential for these to reduce ecommerce fraud losses.

Title from the paper 'Liar Buyer Fraud, and How to Curb It' by Markus Jakobsson, Hossein Siadati and Mayank Dhiman

In Liar Buyer Fraud, and How to Curb It, authors Markus Jakobsson, Hossein Siadati and Mayank Dhiman describe "liar buyer" fraud and how traditional anti-fraud technology fails to curb this problem, and detail the results of experiments with proposed alternative techniques to reduce it.

The authors explain that liar buyer fraudsters are generally not repeat fraudsters, but are otherwise honest people who are first-time offenders that act fraudulently as the result of temporary poor judgement. This manifests itself in claims that deliveries were not made. It is believed that at least a quarter, and as much as half, of direct fraud affecting some organisations is the result of liar buyer fraud.

The ideas considered by the authors for their research involve changes to the user interface that promote user honesty:

  1. Disclosure that the customer's computer/device has been recognised
  2. Disclosure of the customer's location (e.g. IP address, post code or location map)
  3. Production of statements by the delivery person
  4. Simplifying methods of goods return
  5. Forcing the customer to make a promise
  6. Attending to angry and upset customers carefully.

The research focused on the first two of these and found they produce a significant reduction in customers' willingness to file false claims. The other options look promising and, perhaps with the exception of the third approach, could be undertaken by real-world retailers in A/B/N testing.

Posted on: 03 March 2015 at 07:48 hrs


27 February 2015

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.

Photograph of houses overlooking boats on a canal in Amsterdam - the location for OWASP AppSec EU 2015

OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.

AppSec EU 2015 comprises:

It looks like it will be a superb event. Thanks to the event team for their work to date.

And of course, there is everything else Amsterdam has to offer.

Registration is open, but the price increases on 1st March (this Sunday), and there is another higher charge for tickets bought at the door. Amsterdam RAI Hotel and Travel Service is the official accommodation partner of OWASP AppSec EU 2015. Lastly, there are still a few sponsorship packages available.

Posted on: 27 February 2015 at 09:32 hrs


24 February 2015

Report on an Evaluation of Application Security Assessment Vendors

Forrester Research published an evaluation of a dozen application security vendors in December.

Figure 1 Evaluated Vendors: Product Information from The Forrester Wave Application Security, Q4 2014, listing Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security

The researchers reviewed the market to identify application security assessment vendors that offer multiple capabilities, provide easy deployment and integration, are used by other Forrester clients and have competitive offerings.

Their selection was Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security.

The vendors offer mixed approaches across static analysis (SAST), dynamic analysis (DAST), and instrumented/interactive (IAST) techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and commercial off-the-shelf (COTS) products. Their current product offerings, strategy and size of market presence were compared.

The brief report is available for an eye-watering $2,495 if you are not an existing client of Forrester. Alternatively, you can request a free copy from either IBM or WhiteHat Security (business details required).

Posted on: 24 February 2015 at 08:05 hrs


20 February 2015

Two Factor Authentication for Many UK Domain Registrants

UK domain registry Nominet is offering increased identity authentication measures for access to its online services.

Partial screen capture of Nominet's online portal for authenticated registrants showing the domain listing that includes clerkendweller.co.uk and clerkendweller.uk

Nominet has enabled optional two-factor authentication (2FA) for online log in. Some organisations have had their web site availability affected by compromise of the domain name, rather than the application or host systems. If your company owns any domains administered by Nominet, you probably have at least one online account.

Nominet Online Services is a system that allows registrants to manage their domain name register entries, including transferring or cancelling a registration, notifying Nominet of a change of details, and moving a domain name to a new registrar. Check all the email addresses used across your domain portfolio, and log in or create accounts. Then enable 2FA. Ensure these credentials are managed by the company and not individuals, or third parties for that matter.

Nominet is responsible for:

  • Top level domains (TLDs)
    • .cymru
    • .wales
    • .uk
    • (but not .scot)
  • .uk second level domains (SLDs)
    • .co.uk
    • .ltd.uk
    • .me.uk
    • .net.uk
    • .org.uk
    • .plc.uk
  • .uk restricted SLDs
    • .nic.uk
    • .sch.uk

Nominet has also published a short guide to the process. You will also need to manage credentials in domain acquisition processes, employee starters and leavers processes, and in handling security incident events when a 2FA device is lost or stolen.

Of course, you should make sure the designated email accounts are themselves protected with strong passwords that are changed regularly, and that they also have two-factor authentication enabled.

Posted on: 20 February 2015 at 13:10 hrs


Application Security and Privacy
https://www.clerkendweller.uk/