24 March 2015

Integrity

Posts relating to the information security principle "Integrity" are listed below.

17 February 2015

AppSensor Now A Flagship OWASP Project

I was extremely pleased at the release of the v2 AppSensor reference implementation in January. Now I am excited that the Open Web Application Security Project (OWASP) has elevated the project's status.

Photograph of a green pendant flag flying against a blue sky

The completely voluntary OWASP project task force, led by Johanna Curiel, has been working through a backlog of project reviews. Over the last couple of years the OWASP AppSensor Project has delivered significant steps in the coverage, quality and depth of its outputs. In fact, it is also the only OWASP project that is both a documentation project and a code project.

OWASP has promoted the project to the highest level - Flagship status. As co-leader with John Melton and Dennis Groves, and project founder Michael Coates, I am thrilled with this recognition.

OWASP's project inventory includes nine other Flagship projects and defines flagship status as:

The goal of OWASP Flagship projects is to identify, highlight, and support mainstream OWASP projects that make up a complete application security product of high quality and value to the software security industry. These projects are selected for their strategic value to OWASP and application security as a whole.

OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

It is important to remember all the people who have volunteered their time and effort to reach this stage. So many good and generous people.

Mark Miller has just interviewed John Melton about the OWASP AppSensor Project as part of the OWASP 24/7 podcast series. John provides an overview of application-specific attack detection and response, discusses what is new in version 2.0.0, explains the architectural options, describes the process flow, and mentions what else is on the roadmap.

AppSensor will be participating in this year's AppSec EU application security conference in Amsterdam, from 19th to 22nd May 2015. I hope you can make it.

Posted on: 17 February 2015 at 07:55 hrs

13 February 2015

Security Information Sharing Standards and Tools

The European Union Agency for Network and Information Security (ENISA) has published a summary of security information sharing formats, at the same time as the release of its good practice guide on Actionable Information for Security Incident Response.

Diagram from the ENISA report 'Standards and Tools for Exchange and Processing of Actionable Information' illustrating the relationships between standards for sharing of security information

Actionable security information is accurate and timely information that may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited.

The companion to the good practice guide is Standards and Tools for Exchange and Processing of Actionable Information which describes 53 different information sharing standards that are a mix of formats, protocols, technical approaches and frameworks in common use. These span:

  • Information sharing formats
    • Formats for low level data
    • Actionable observables
    • Enumerations
    • Scoring and measurement frameworks
    • Reporting formats
    • High-level frameworks
  • Transport and serialization
    • Transport methods
    • Serialization methods.

In addition, the report highlights 16, primarily open source, information sharing tools and platforms for the exchange and processing of actionable information, spanning automated distribution of data, supporting analytics, general purpose log management and handling high-level information.

Very useful - thank you ENISA.

Posted on: 13 February 2015 at 11:10 hrs

10 February 2015

NIST SP 800-163 Vetting the Security of Mobile Applications

For the last of my run of three mobile app related posts: the US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.

One of the tables from NIST SP 800-163 'Vetting the Security of Mobile Applications' showing top level general categories of iOS app vulnerabilities

SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections:

  • Planning
    • Security requirements
    • Understanding vetting limitations
    • Budget and staffing
  • Testing
    • General app security requirements
    • Testing approaches
    • Sharing results
  • App approval/rejection
    • Report and risk auditing
    • Organisation-specific vetting criteria
    • Final approval/rejection.

The guidance is practical and highlights risks that are mobile app specific as well as general application security risks. Appendices B & C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.

Posted on: 10 February 2015 at 07:48 hrs

03 February 2015

Mobile Payment Initiatives

The European Payments Council (EPC), the coordination and decision-making body of the European banking industry in relation to payments, has released an updated overview of mobile payments initiatives in the Single Euro Payments Area (SEPA) and beyond.

Title page from the European Payments Council report 'EPC Overview on Mobile Payments Initiatives'

EPC Overview on Mobile Payments Initiatives is a handy reference that includes details of new initiatives right up to October 2014.

The overview covers developments by banks, payment card companies, payment service providers, telecommunications networks, mobile phone manufacturers, retailers and other commercial bodies in SEPA and around the world:

  • Mobile Contactless Payments (MCP)
  • Mobile Remote Payments (MRP)
  • M-Wallet
  • Mobile POS (mPOS)
  • Other wearable payment devices

If you are developing products in this area, the report will be invaluable.

Posted on: 03 February 2015 at 07:54 hrs

02 February 2015

CMA Consultations on Consumer Data

The UK Competition and Markets Authority (CMA) has two current related consultations.

Photograph of a yellow pendant flag flying on a mast against a blue sky

Data Sharing and Open Data in Banking

Following the publication of the report Data Sharing and Open Data for Banks in December 2014, which examined how financial technology firms can make better use of bank data on behalf of customers through application programming interfaces (APIs) and open data, the government is now seeking views on how an open API standard could be delivered in UK banking.

The call for evidence states that evidence is sought from banks, consumer groups, financial services providers, card schemes, payment institutions, financial technology firms, and app and software designers. In particular, views are sought about how the recommendations in the report should be developed, what benefits more open data in banking could bring to consumers, and how an open API standard in UK banking could best be delivered.

The Data Sharing and Open Data in Banking call for evidence closes on 25th February 2015. Responses can be sent by email to Datasharing.CfE@hmtreasury.gsi.gov.uk or by post to Data Sharing and Open Data in Banking, Banking and Credit Team, HM Treasury, 1 Horse Guards Road, London SW1A 2HQ.

The Commercial Use of Consumer Data

The CMA is also seeking information on the commercial collection and use of UK consumers' data, and the implications (benefits and risks) for firms and consumers.

The briefing document details the scope as UK consumer data that is:

  • collected both inside and outside the UK, in the context of the internet and more widely;
  • collected directly by businesses as well as by appliances, applications and cloud services;
  • collected at any time, both with and without the knowledge of consumers;
  • both data on specific transactions for goods and services (including paid-for and free-at-use services) and data not specific to such transactions; and
  • used by firms dealing directly with consumers (for instance to target groups and individuals with offers), and by third party firms (using data sourced from firms dealing directly with consumers) who analyse this data to provide commercial services to other firms.

The consultation on Commercial Use of Consumer Data closes at 5pm on Friday 6 March 2015. Responses can be submitted using the online form, or by completing a form and returning it to ConsumerData@cma.gsi.gov.uk, or by post to Consumer Data Call for Information, Competition and Markets Authority, 7th floor Victoria House, 37 Southampton Row, London WC1B 4AD.

Posted on: 02 February 2015 at 10:32 hrs

30 January 2015

OWASP AppSensor Code v2.0.0 Final Release

I was extremely pleased to read yesterday that the final version of the new AppSensor reference implementation has been published following three previous release candidates.

Screen capture from the AppSensor microsite developed by John Melton for the OWASP AppSensor Project

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response.

John Melton, with the help of other code contributors and feedback from the project's code development mailing list, has finished a complete overhaul of the previous code. In the words of the version 2.0.0 announcement, the most significant changes are:

  • Client-server architecture supporting multiple communication modes including: REST, SOAP, Thrift, local (shared JVM, java-only)
  • Any language can be used on the client application. The only requirement is that the language selected must support the communication protocol of the execution mode that is configured (i.e. if using REST as the execution mode, the language must be capable of making HTTP requests.) The server-side components are Java, but this places no restriction on the client applications themselves
  • There is no longer a hard dependency on [OWASP] ESAPI. AppSensor is a standalone project, though it can be integrated with projects that also use ESAPI if desired
  • The core components of the system have been renamed and now follow the AppSensor v2 book naming conventions, which are based on standard IDS terminology for clarity
  • Basic user correlation is supported so that client applications that share a user base (SSO) can share attack detection/response information.

John also created a special AppSensor microsite.

This is all free to use (see code licence). Begin using the new code with the getting started information.

Posted on: 30 January 2015 at 08:26 hrs

29 January 2015

Anti-Automation Monitoring and Prevention

It seems London's Heathrow Airport has very little in the way of anti-automation monitoring or prevention in place.

Headline from the London Evening Standard which reads 'Heathrow noise complaints sent by automated software'

According to the London Evening Standard newspaper on Tuesday, a five-fold increase in complaints was in large part due to automated email submission.

It seems luck led to the discovery that the emails were computer-generated: after the clocks changed from summer time, complaints were being received an hour ahead of the flight schedule.

Oops, let's hope that's not a metric used by the airport itself or a regulator.

Not that the airport would reasonably believe it to be the target of any activists! Surely not.

Posted on: 29 January 2015 at 16:04 hrs

27 January 2015

NISTIR 8018 - Public Safety Mobile Application Security Requirements Works

The previously mentioned draft NIST Interagency Report (NISTIR) 8018 has now been released in final version.

The public safety mobile application security effort focuses on improving the mobile application development process, specifically the mobile application testing tools, by understanding and collecting the security requirements relevant to the public safety community.

The consultation of the previous draft closed on 13th September 2014. The final NISTIR 8018 (23 January 2015) captures security requirements for public safety mobile applications from the workshop between the Association of Public-Safety Communications Officials (APCO) International, the first responders' network FirstNet and the US Department of Commerce.

NISTIR 8018, PDF download.

Posted on: 27 January 2015 at 09:13 hrs

21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security leader discussions on key topics covering the present and future of cyber security innovation, and how new cyber startups may have a part to play.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two day hackathon for developers, students and the security community to work on new ideas that will either create a cyber security product or a product that has security at its core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs

16 January 2015

New Application Security Program Quick Start Guide

WhiteHat Security has donated a getting started guide to the Open Web Application Security Project (OWASP).

To be successful, we should aim for a program that is more than simply testing sites and delivering results to stakeholders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

The Application Security Program Quick Start Guide provides information on setting up or improving a software development security initiative, and is now an OWASP project. It was created by Gabriel Gumbs, Jeremiah Grossman, Robert Hansen, Jerry Hoff and Matt Johansen. The guide is arranged in "5 days" of actions, which might be somewhat hopeful, but is a useful summary of what WhiteHat has found to work elsewhere.

The version 1.0 document is available in Word and PDF formats. The guide is free to use and is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Posted on: 16 January 2015 at 19:10 hrs

Integrity Security Principle : Application Security and Privacy

© 2008-2015 clerkendweller.uk