24 April 2015

Integrity

Posts relating to the information security principle "Integrity" are listed below.

17 March 2015

Payment Security and PCI DSS Compliance 2015

Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management.

Partial screen capture from the Verizon report 'PCI Compliance Report 2015' showing one of the many charts

PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from forensic investigation reports.

It describes the challenges of maintaining compliance and mentions the scale and complexity of requirements, uncertainty about scope and impact, the ongoing compliance cycle, lack of resources, lack of insight into business processes and misplaced confidence in existing information security maturity.

Each main requirement has a dedicated section summarising the changes in v3.0, describing the compliance challenges found, and providing recommendations for maintaining security and compliance. The authors describe methods they believe should be used to make compliance easier, more effective and sustainable.

There is a useful "compliance calendar" in Appendix C of the report which shows the periodic and other triggers for certain activities across the 12 requirements. A "must read" if you are a payment merchant or service provider.

Posted on: 17 March 2015 at 08:46 hrs


06 March 2015

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response.

Front page of the new 'AppSensor Introduction for Developers'

During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host Mark Miller. I am pleased to say that thought rolled onto the project's mailing list, and John Melton rapidly wrote and published the text copy.

I took that copy and additional suggestions by Louis Nadeau to design a two-page briefing document. This is available to download from the OWASP web site:

Please circulate this to software developers. The text is also available on CrowdIn if anyone would like to volunteer to translate the briefing, or the guide for that matter, into other languages.

We also plan to create a short guide for Chief Information Security Officers (CISOs), with content drawn primarily from the first few chapters of the existing AppSensor Guide v2.0.

Posted on: 06 March 2015 at 10:21 hrs


03 March 2015

User Interface Modifications to Combat Buyer Fraud

A paper published for the 2015 Network and Distributed System Security (NDSS) Symposium in February describes user interface modification techniques to address liar buyer fraud, and the results of experiments assessing the potential for these to reduce ecommerce fraud losses.

Title from the paper 'Liar Buyer Fraud, and How to Curb It' by Markus Jakobsson, Hossein Siadati and Mayank Dhiman

In Liar Buyer Fraud, and How to Curb It, authors Markus Jakobsson, Hossein Siadati and Mayank Dhiman describe "liar buyer" fraud, explain how traditional anti-fraud technology fails to curb this problem, and detail the results of experiments with proposed alternative techniques to reduce it.

The authors explain that liar buyer fraudsters are generally not repeat fraudsters, but are otherwise honest people who are first-time offenders that act fraudulently as the result of temporary poor judgement. This manifests itself in claims that deliveries were not made. It is believed that at least a quarter, and as much as half, of direct fraud affecting some organisations is the result of liar buyer fraud.

The ideas considered by the authors for their research involve changes to the user interface that promote user honesty:

  1. Disclosure that the customer's computer/device has been recognised
  2. Disclosure of the customer's location (e.g. IP address, post code or location map)
  3. Production of statements by the delivery person
  4. Simplifying methods of goods return
  5. Forcing the customer to make a promise
  6. Attending to angry and upset customers carefully.

The research focused on the first two of these and found they produce a significant reduction in customers' willingness to file false claims. The other options look promising and, perhaps with the exception of the third approach, could be undertaken by real-world retailers in A/B/N testing.

Posted on: 03 March 2015 at 07:48 hrs


27 February 2015

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.

Photograph of houses overlooking boats on a canal in Amsterdam - the location for OWASP AppSec EU 2015

OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.

AppSec EU 2015 comprises:

It looks like it will be a superb event. Thanks to the event team for their work to date.

And of course, there is everything else Amsterdam has to offer.

Registration is open, but the price increases on 1st March (this Sunday), and there is another higher charge for tickets bought at the door. Amsterdam RAI Hotel and Travel Service is the official accommodation partner of OWASP AppSec EU 2015. Lastly, there are still a few sponsorship packages available.

Posted on: 27 February 2015 at 09:32 hrs


24 February 2015

Report on an Evaluation of Application Security Assessment Vendors

Forrester Research published an evaluation of a dozen application security vendors in December.

Figure 1 Evaluated Vendors: Product Information from The Forrester Wave Application Security, Q4 2014, listing Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security

The researchers reviewed the market to identify application security assessment vendors that offer multiple capabilities, provide easy deployment and integration, are used by other Forrester clients and have competitive offerings.

Their selection was Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security.

The vendors offer mixed approaches across static analysis (SAST), dynamic analysis (DAST) and instrumented/interactive (IAST) techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications and commercial off-the-shelf (COTS) products. Their current product offerings, strategy and size of market presence were compared.

The brief report is available for an eye-watering $2,495 if you are not an existing client of Forrester. Alternatively, you can request a free copy from either IBM or WhiteHat Security (business details required).

Posted on: 24 February 2015 at 08:05 hrs


20 February 2015

Two Factor Authentication for Many UK Domain Registrants

UK domain registry Nominet is offering increased identity authentication measures for access to its online services.

Partial screen capture of Nominet's online portal for authenticated registrants showing the domain listing that includes clerkendweller.co.uk and clerkendweller.uk

Nominet has enabled optional two-factor authentication (2FA) for online log in. Some organisations have had their web site availability affected by compromise of the domain name, rather than the application or host systems. If your company owns any domains administered by Nominet, you probably have at least one online account.

Nominet Online Services is a system that allows registrants to manage their domain name register entries, including transferring or cancelling a registration, notifying Nominet of a change of details, and moving a domain name to a new registrar. Check all the email addresses used across your domain portfolio, and log in or create accounts. Then enable 2FA. Ensure these credentials are managed by the company and not individuals, or third parties for that matter.

Nominet is responsible for:

  • Top level domains (TLDs)
    • .cymru
    • .wales
    • .uk
    • (but not .scot)
  • .uk second level domains (SLDs)
    • .co.uk
    • .ltd.uk
    • .me.uk
    • .net.uk
    • .org.uk
    • .plc.uk
  • .uk restricted
    • .nic.uk
    • .sch.uk

Nominet has also published a short guide to the process. You will also need to manage credentials in domain acquisition processes, employee starters and leavers processes, and in handling security incident events when a 2FA device is lost or stolen.

Of course, you should make sure the designated email accounts are also protected with strong passwords that are changed regularly, and also have two-factor authentication implemented themselves.

Posted on: 20 February 2015 at 13:10 hrs


20 February 2015

Software Assurance Maturity Model Practitioner Workshop

The OWASP Open Software Assurance Maturity Model (Open SAMM) team are holding a summit in Dublin at the end of March.

Extract from the Open Software Assurance Maturity Model (Open SAMM) document that describes the four business functions - governance, construction, verification, and deployment

As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughout the software development lifecycle.

Open SAMM helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation. The resources provided by SAMM assist:

  • Evaluating an organisation's existing software security practices
  • Building a balanced software security programme in well-defined iterations
  • Demonstrating concrete improvements to a security assurance programme
  • Defining and measuring security-related activities within an organisation.

There seems to be plenty of activity in the project. Keep up-to-date by following or joining the mailing list.

The users' day, on Friday 27th March, is a combination of presentations, workshops and round-table discussions to help explain the approach, to make best use of a maturity model, to show how SAMM is being used by other companies, and to describe some upcoming project initiatives. The user day opens at 08:00 hrs for a 09:00 hrs start and runs through to 17:00 hrs, followed in the evening by an optional social event. Attendance is limited to the first 40 people who register and costs 150 EUR + VAT (21%). Travel, accommodation and subsistence are at your own cost.

The following day, the SAMM project team, and any other volunteers who want to participate, will be working on creating outputs for the project.

The event is being held at The Gibson Hotel at Point Village Dublin 1, Ireland.

Posted on: 20 February 2015 at 09:59 hrs


19 February 2015

Is clerkendweller.uk Really 45 Years Old?

Some spam to my inbox was promoting another of those web site information resources.

Partial screen capture from the information site showing the domain created, updated and expires dates are all 1st January 1970

Apart from the unusual grammar, amusingly the page tells me that this web site is 45 years old. This blog has been running a few years (if including the use of the .com domain name) but no, not quite that old. Possibly something to do with the 1970 dates?

Default values? Input and output data validation?
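The 1st January 1970 dates are the Unix epoch (timestamp zero), which is the classic symptom of a missing or unparseable value being silently replaced by a numeric default. As an added illustration (not code from the site that sent the spam, nor from this blog), the following compares a naive date parser that falls back to 0 with one that keeps "unknown" distinct from a real date and refuses to compute an age from it. The WHOIS-style records, the field names and the reference date are constructed for the example.

```python
"""Epoch-zero defaults versus validated dates (added example).

A WHOIS-style record is parsed two ways. The naive parser substitutes 0
(1970-01-01T00:00:00Z) whenever a date is blank, None or malformed, so a domain
with no known creation date is reported as about 45 years old on 19 Feb 2015
and an unknown expiry looks like it expired decades ago. The strict parser
returns None for anything it cannot trust, including a literal epoch value
handed down by an upstream source, and callers must handle that explicitly.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records (not real registry data).
RECORD_WITH_DATES = {"created": "2008-06-12", "updated": "2014-06-01", "expires": "2016-06-12"}
RECORD_MISSING = {"created": "", "updated": None, "expires": "N/A"}

# Reference "today" fixed to the date of the post so results are reproducible.
NOW = datetime(2015, 2, 19, tzinfo=timezone.utc)

# Values some registries emit instead of a date; treated as "unknown".
UNKNOWN_MARKERS = {"", "N/A", "NONE", "UNKNOWN", "-"}


def naive_parse(value) -> int:
    """Returns a Unix timestamp; on any problem silently returns 0 (the bug)."""
    try:
        dt = datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    except (TypeError, ValueError):
        return 0  # 1970-01-01: looks like a date, is really "I don't know"


def naive_age_years(record) -> float:
    """Age computed from the naive parser: always produces a number."""
    created = datetime.fromtimestamp(naive_parse(record["created"]), tz=timezone.utc)
    return (NOW - created).days / 365.25


def strict_parse(value) -> Optional[datetime]:
    """Returns an aware datetime, or None when the value is absent or not a date."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.upper() in UNKNOWN_MARKERS:
        return None
    try:
        dt = datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    # Reject an epoch sentinel an upstream system may already have substituted.
    if dt.timestamp() <= 0:
        return None
    return dt


def strict_age_years(record) -> Optional[float]:
    """Age in years, or None when the creation date is unknown or in the future."""
    created = strict_parse(record["created"])
    if created is None or created > NOW:
        return None
    return (NOW - created).days / 365.25


def describe(record) -> str:
    """Output-side validation: never render an age the data cannot support."""
    age = strict_age_years(record)
    return "age unknown" if age is None else f"{age:.1f} years old"


if __name__ == "__main__":
    print("naive :", round(naive_age_years(RECORD_MISSING), 1), "years")  # ~45.1
    print("strict:", describe(RECORD_MISSING))                               # age unknown
    print("strict:", describe(RECORD_WITH_DATES))                            # 6.7 years old
```

The same discipline applies on output: the page that advertised a 45-year-old domain would have rendered "unknown" had it checked the parsed value before feeding it to the age calculation, which is the input and output validation question posed above.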

Posted on: 19 February 2015 at 11:39 hrs


17 February 2015

AppSensor Now A Flagship OWASP Project

I was extremely pleased at the release of the v2 AppSensor reference implementation in January. Now I am excited that the Open Web Application Security Project (OWASP) has elevated the project's status.

Photograph of a green pendant flag flying against a blue sky

The completely voluntary OWASP project task force, led by Johanna Curiel, has been working through a backlog of project reviews. Over the last couple of years OWASP AppSensor Project has delivered significant steps in the coverage, quality, and depth of outputs. In fact it is also the only OWASP project that is both a documentation type of project, and a code one.

OWASP has promoted the project to the highest level - Flagship status. As co-leader with John Melton and Dennis Groves, and project founder Michael Coates, I am thrilled with this recognition.

OWASP's project inventory includes nine other Flagship projects and defines flagship status as:

The goal of OWASP Flagship projects is to identify, highlight, and support mainstream OWASP projects that make up a complete application security product of high quality and value to the software security industry. These projects are selected for their strategic value to OWASP and application security as a whole.

OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

It is important to remember all the people who have volunteered their time and effort to reach this stage. So many good and generous people.

Mark Miller has just interviewed John Melton about the OWASP AppSensor Project as part of the OWASP 24/7 podcast series. He provides an overview of application-specific attack detection and response, discusses what is new in version 2.0.0, explains the architectural options, describes the process flow, and mentions what else is on the roadmap.
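As an added illustration of the process flow referred to above (not the OWASP AppSensor reference implementation nor any code from the project), the following sketches the core loop: detection points embedded in the application raise events, a policy counts each user's events for that detection point inside a sliding time window, and the strongest threshold crossed selects a response. The detection point label AE1, the thresholds and the response names are assumed values chosen for the example, not AppSensor's shipped configuration.

```python
"""Minimal AppSensor-style event counting and response selection (added example).

Events are keyed per (user, detection point). For each detection point a list of
thresholds says "N events within W seconds => response". On every new event the
thresholds are examined strongest first and the first one whose count is met
exactly fires, so a response is emitted once as the threshold is crossed rather
than on every subsequent event. Labels such as AE1 follow AppSensor's naming
style but the actual thresholds and responses here are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    detection_point: str  # e.g. "AE1" (assumed label for the example)
    timestamp: float      # seconds


@dataclass(frozen=True)
class Threshold:
    count: int      # events needed within the window
    window: float   # seconds
    response: str   # action the application should take


# Assumed policy: escalating responses for one detection point.
THRESHOLDS: List[Tuple[str, Threshold]] = [
    ("AE1", Threshold(count=3, window=60, response="warn_user")),
    ("AE1", Threshold(count=6, window=60, response="logout")),
    ("AE1", Threshold(count=10, window=3600, response="lock_account")),
]


class AppSensorPolicy:
    """Per-user sliding-window counting of detection point events."""

    def __init__(self, thresholds: List[Tuple[str, Threshold]]) -> None:
        self.thresholds: Dict[str, List[Threshold]] = defaultdict(list)
        for dp, th in thresholds:
            self.thresholds[dp].append(th)
        # Strongest (largest count) first so escalation wins over a weaker match.
        for lst in self.thresholds.values():
            lst.sort(key=lambda t: t.count, reverse=True)
        self.history: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.responses: List[Tuple[float, str, str]] = []  # audit trail

    def add_event(self, event: Event) -> Optional[str]:
        """Records the event and returns the response to apply, if any."""
        ths = self.thresholds.get(event.detection_point)
        if not ths:
            return None  # detection point exists but has no policy: record only
        q = self.history[(event.user, event.detection_point)]
        q.append(event.timestamp)
        # Forget events older than the longest window for this detection point.
        longest = max(t.window for t in ths)
        while q and event.timestamp - q[0] > longest:
            q.popleft()
        for th in ths:
            in_window = sum(1 for ts in q if event.timestamp - ts <= th.window)
            if in_window == th.count:
                self.responses.append((event.timestamp, event.user, th.response))
                return th.response
        return None


def demo() -> List[Optional[str]]:
    """One user triggering AE1 every 10 seconds; returns the response per event."""
    policy = AppSensorPolicy(THRESHOLDS)
    return [policy.add_event(Event("alice", "AE1", t)) for t in range(0, 100, 10)]


if __name__ == "__main__":
    for i, r in enumerate(demo()):
        print(f"event {i + 1:2d} at t={i * 10:3d}s -> {r}")
```

In the walk-through, the third event within a minute produces warn_user, the sixth produces logout, and the tenth within the hour produces lock_account; a user who raises only two events, or an event for a detection point with no thresholds, produces no response at all.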

AppSensor will be participating in this year's AppSec EU application security conference in Amsterdam, from 19th to 22nd May 2015. I hope you can make it.

Posted on: 17 February 2015 at 07:55 hrs


13 February 2015

Security Information Sharing Standards and Tools

The European Union Agency for Network and Information Security (ENISA) has published a summary of security information sharing formats at the same time as the release of its good practice guide on Actionable Information for Security Incident Response.

Diagram from the ENISA report 'Standards and Tools for Exchange and Processing of Actionable Information' illustrating the relationships between standards for sharing of security information

Actionable security information is accurate and timely information that may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited.

The companion to the good practice guide is Standards and Tools for Exchange and Processing of Actionable Information which describes 53 different information sharing standards that are a mix of formats, protocols, technical approaches and frameworks in common use. These span:

  • Information sharing formats
    • Formats for low level data
    • Actionable observables
    • Enumerations
    • Scoring and measurement frameworks
    • Reporting formats
    • High-level frameworks
  • Transport and serialization
    • Transport methods
    • Serialization methods.

In addition, the report highlights 16, primarily open source, information sharing tools and platforms for the exchange and processing of actionable information, spanning automated distribution of data, supporting analytics, general purpose log management and handling high-level information.

Very useful - thank you ENISA.

Posted on: 13 February 2015 at 11:10 hrs



Integrity Security Principle : Application Security and Privacy

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk