31 July 2015

Integrity

Posts relating to the information security principle "Integrity" are listed below.

15 June 2015

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation.

Photograph of Hadrian's Roman Wall in Northumberland, England

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance for implementing application-layer intrusion detection and automated response. The reference implementation allows developers to use these powerful concepts in existing applications and is provided under an MIT open-source licence.
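To make the detection-point, threshold and response pattern described above concrete, here is an added, self-contained illustration written for this page; it is not AppSensor's own code and does not use its API. The class names (DetectionPoint, Threshold, AppSensorClient), the detection point labels ("AUTH_FAILED", "PARAM_TAMPER") and the event stream are all constructed for the example. Each detection point counts events per user inside a sliding time window and, once the threshold is reached, selects the next response from an escalating list.

```python
"""Minimal AppSensor-style detection point / threshold / response loop.

Added illustration only: the names below are invented for this example and
are not part of the OWASP AppSensor reference implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threshold:
    count: int        # number of events needed to trigger a response
    window_secs: int  # counted inside this sliding window


@dataclass(frozen=True)
class DetectionPoint:
    label: str                   # constructed label, e.g. "AUTH_FAILED"
    threshold: Threshold
    responses: Tuple[str, ...]   # escalating responses, one per trigger


class AppSensorClient:
    """Stores events per (user, detection point) and decides on responses."""

    def __init__(self, points: List[DetectionPoint]) -> None:
        self.points = {p.label: p for p in points}
        self.events: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.triggers: Dict[Tuple[str, str], int] = defaultdict(int)
        # (user, label, response, timestamp) for every response issued
        self.response_log: List[Tuple[str, str, str, int]] = []

    def add_event(self, user: str, label: str, ts: int) -> Optional[str]:
        """Record one event; return the response name if a threshold trips."""
        point = self.points[label]
        key = (user, label)
        window = self.events[key]
        window.append(ts)
        # Expire events that fall outside the sliding window.
        while window and ts - window[0] >= point.threshold.window_secs:
            window.popleft()
        if len(window) < point.threshold.count:
            return None
        # Threshold reached: reset the counter and escalate the response.
        window.clear()
        n = self.triggers[key]
        self.triggers[key] += 1
        response = point.responses[min(n, len(point.responses) - 1)]
        self.response_log.append((user, label, response, ts))
        return response


# Constructed policy: three failed logins in 60 s first logs, then locks;
# a single tampered parameter is blocked immediately.
POLICY = [
    DetectionPoint("AUTH_FAILED", Threshold(3, 60), ("log", "lock_account")),
    DetectionPoint("PARAM_TAMPER", Threshold(1, 60), ("block_request",)),
]

# Constructed event stream: (user, detection point, timestamp in seconds).
EVENTS = [
    ("alice", "AUTH_FAILED", 0),
    ("bob", "AUTH_FAILED", 0),
    ("carol", "PARAM_TAMPER", 5),
    ("alice", "AUTH_FAILED", 10),
    ("alice", "AUTH_FAILED", 20),
    ("alice", "AUTH_FAILED", 30),
    ("alice", "AUTH_FAILED", 40),
    ("alice", "AUTH_FAILED", 50),
    ("bob", "AUTH_FAILED", 100),   # bob's failures are spread out ...
    ("bob", "AUTH_FAILED", 200),   # ... so they never fill the window
]


def run_demo() -> List[Tuple[str, str, str, int]]:
    """Feed the constructed events through the client and return its responses."""
    client = AppSensorClient(POLICY)
    for user, label, ts in EVENTS:
        client.add_event(user, label, ts)
    return client.response_log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The point of the sliding window is that bob, whose failures are minutes apart, never triggers anything, while alice's clustered failures escalate from "log" to "lock_account" on the second trip; the real reference implementation generalises this with configurable execution modes and emitters, as the release notes above describe.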

Version 2.1.0 includes additional execution modes, additional emitters, enhanced documentation, upgraded Maven dependency versions, and Spring Security integration. Additionally, two demonstration applications have been added. The first example application illustrates how to use AppSensor in local mode with the Spring Security integration. The second example shows the use of AppSensor for something other than application-layer IDS — in this case, as an exception tracker.

The code can be downloaded from GitHub.

John is now hoping to move onto creating a user interface (UI) for the reference implementation, and is seeking feedback on the UI architecture and design. Please contribute your ideas by adding comments this week.

Posted on: 15 June 2015 at 07:06 hrs


11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat Website Security Statistics Report 2015, showing Frequency of Adhoc Code Review by Industry Sector

Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs


02 June 2015

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health.

The cover sheet from the European Data Protection Supervisor (EDPS) opinion on Mobile Health (mHealth)

Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the use of mobile apps. The apps can deliver health-related services through smart devices often processing personal information about health and other lifestyle and well-being information.

The EDPS was concerned about the adverse effect mHealth may have on individuals' rights to privacy and personal data protection, and wanted to highlight relevant aspects that might be overlooked. The opinion builds on existing data protection rules and draws upon the 2013 opinion adopted by the Article 29 Working Party on mobile apps installed on smart devices. It also considers the implications of the potential changes in the proposed General Data Protection Regulation ("GDPR").

The opinion's view is that the following measures, reproduced verbatim, would bring about substantial benefits for data protection:

  • The EU legislator should, in future policy making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps (including designers and device manufacturers)
  • App designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing of their data and avoid collecting more data than is needed to perform the expected function. They should do so by embedding privacy and data protection settings in the design and by making them applicable by default, in case individuals are not invited to set their data protection options manually, for instance when installing apps on their smart devices
  • Industry should use Big data in mHealth for purposes that are beneficial to the individuals and avoid using them for practices that could cause them harm, such as discriminatory profiling
  • The legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools.

In the document's conclusion, the EDPS hopes that compliance with data protection principles and rules will contribute to the full development of the mHealth sector.

Posted on: 02 June 2015 at 08:29 hrs


29 May 2015

iOS Security Guide 2015

Apple has updated its extensive iOS security guidance.

Apple is committed to helping protect customers with leading privacy and security technologies that are designed to safeguard personal information, as well as comprehensive methods to help protect corporate data in an enterprise environment.

The iOS Security Guide, April 2015, for iOS 8.3 or later, provides details about how security technology and features are implemented within the iOS platform. It also provides information on how to use these in organisations with their own policies and procedures.

See also the Center for Internet Security (CIS) iPhone security benchmarks, last updated October 2014.

Posted on: 29 May 2015 at 10:38 hrs


28 May 2015

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime.

Chapter header '5. Data security' in the FCA guidance 'Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime'

Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document provides guidance regarding financial crime systems and controls, money laundering and terrorist financing, fraud, data security, bribery and corruption, and sanctions and asset freezes. Some of these are clearly sector-specific but there is generally applicable advice too.

Chapter 5 on data security draws on, and extends, guidance originally published in the former FSA's document Data Security, published in 2008.

Part 2 of the document contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the recent reviews' findings.

The guidance took effect on 27 April 2015.

Posted on: 28 May 2015 at 08:59 hrs


18 May 2015

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes.

One of the charts from the SANS report '2015 State of Application Security: Closing the Gap' showing the popularity of language and perceived security risk

In a change from last year's report, the authors of 2015 State of Application Security: Closing the Gap have broken down their analysis and reporting into two groups of survey respondents: builders and defenders.

Jim Bird, Eric Johnson and Frank Kim analysed data from 435 respondents, a quarter of whom came from financial services/banking. Two-thirds of respondents worked in organisations with 1,000 or more people.

The report is full of useful information that reflects the languages, frameworks and development practices used by the survey participants. It identifies the top challenges for builders and defenders, the drivers and practices, and which standards, guidance and lifecycle models are referenced by the organisations' own application security programmes.

A breakdown of the proportion of the overall IT budget spent on application security is also presented.

The report is free to access and download.

Posted on: 18 May 2015 at 09:09 hrs


08 May 2015

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre.

Partial screen capture from the OWASP wiki showing part of the extensive project inventory

With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organised social events, it looks like this year's event is shaping up very well.

As well as the project summit, some projects are being discussed in some of the main conference presentations.

When the call for papers was announced last year, I proposed having some sessions that gave the opportunity for a larger number of project leaders to explain their work, the target users, the benefits, and what materials are available. I am pleased to say the conference team liked the idea and allocated two 45-minute slots. These are being used to showcase innovation in OWASP projects to the main conference audience.

Both lightning talk sessions occur on Thursday 21st May. Each talk is 10 minutes long. The speakers and their projects are listed below.

14:30 - 15:15 hrs

  • Spyros GASTERATOS
    Hackademic Challenges, implementing realistic scenarios with known vulnerabilities in a safe, controllable environment.
  • Andrew VAN DER STOCK and Daniel CUTHBERT
    Application Security Verification Standard, providing a basis for assessing web application technical security controls, to establish a level of confidence in the security of web applications.
  • Jonathan CARTER
    Reverse Engineering and Code Modification Prevention, educating security architects, risks analysts, software engineers, and pen testers around binary risks from code integrity violation and reverse engineering.
  • Matteo MEUCCI
    Testing Guide, version 4, the de facto standard for performing web application penetration testing.

15:45 - 16:30 hrs

  • Jim MANICO
    Top 10 Proactive Controls, describing the most important control and control categories that every architect and developer should include in every project, and Cheat Sheet Series, providing a concise collection of high value information on specific web application security topics.
  • Tao SAUVAGE and Marios KOURTESIS
    Offensive Web Testing Framework (OWTF), making security assessments as efficient as possible by automating the manual uncreative part of pen testing, and providing out-of-box support for the OWASP Testing Guide, and NIST and PTES standards.
  • Ann RACUYA-ROBBINS and Luis ENRIQUEZ
    Knowledge Based Authentication Performance Metrics, establishing standard performance metrics for knowledge based authentication (KBA) in alignment with the NSTIC guiding principles - at the intersection of security, identity and privacy.
  • Sebastien DELEERSNYDER
    Software Assurance Maturity Model (OpenSAMM), an open framework to help organizations measure, improve and manage their software security practice that is tailored to the specific risks facing the organization.

I will introduce each session, the speakers and keep time. I hope you can join me to hear about these contributions to application security directly from the leaders themselves. We will have time after the sessions for further discussion and questions.

Posted on: 08 May 2015 at 09:00 hrs


06 May 2015

Android Security 2014

Google announced early last month the release of a report analysing security in the Android ecosystem.

One of the charts from Google's report 'Android Security 2014 Year in Review'

Android Security 2014 Year in Review describes various measures of security, including the occurrence of potentially harmful mobile applications, platform API abuse and network-level abuse.

Information is provided on Google's four-tier severity rating system for vulnerabilities.

Security enhancements during 2014 are also discussed, together with newer changes such as the enhanced Google Play review process to help protect users.

Posted on: 06 May 2015 at 11:27 hrs


01 May 2015

Snakes & Ladders Coming To Shoreditch

A week on Monday, on the 11th May, I will be speaking during the MAKE day at this year's Digital Shoreditch.

Partial screen capture of the Digital Shoreditch web site at http://digitalshoreditch.com/

The Digital Shoreditch Festival 2015 is a two week mass-community celebration with participants from the world of tech, creative, and all related industries, running from 11th to 24th May. The schedule for the main programme (11th-15th May) has a separate theme for each day — MAKE, GROW, NEXT, CONNECT and LIVE.

The MAKE day offers the chance to learn by doing and bring new ideas to life with a "vibrant mix of entrepreneurs, artists, scientists, makers, designers and hackers from across the creative ecosystem". I will be talking about the Snakes and Ladders application security board game for developers.

OWASP Snakes and Ladders is a print-your-own board game that is a fun way to learn about the desirable security controls and tricks software applications face. There are two versions — one for web applications and one for mobile apps.

I am speaking at 15:40 hrs in Shoreditch Town Hall. This will be the first time any of the printed sheets for the mobile app board game will be available — previously I have printed and given away the web application board game. Both will be available on Monday.

Otherwise, I am also looking forward to all the other sessions on the day and during the rest of the week. Tickets are on sale.

Hope to see you there.

Posted on: 01 May 2015 at 08:42 hrs


28 April 2015

Summary of Last Year's ICO Enforcement Action

PwC UK has published a summary of enforcement actions taken by the Information Commissioner's Office (ICO) in 2014.

Partial view of a chart from the PwC report 'Privacy and Security Enforcement Tracker 2014' showing a comparison of the number of each enforcement type undertaken by the ICO in 2012, 2013 and 2014

The Privacy and Security Enforcement Tracker 2014 summarises and comments on information originally published by the ICO on its web site concerning actions it has taken against organisations. This includes enforcement notices, monetary penalty notices, prosecutions and undertakings.

The report also summarises trends in other jurisdictions and provides information about Belgium, France, Germany, Italy, Lithuania, Mexico, Poland, Russia, Spain, Sweden, Switzerland and the United States of America.

Although the information security risk mitigations and controls required by the ICO are not summarised, for those processing personal data online, the ICO itself summarised these in May.

Posted on: 28 April 2015 at 07:17 hrs


Integrity Security Principle : Application Security and Privacy
© 2008-2015 clerkendweller.uk