
Posts relating to the information security principle "Non-repudiation" are listed below.

31 July 2015

OWASP Automated Threat Handbook v1.00

I have been working on a new OWASP incubator project since February this year — the Automated Threats to Web Applications Project.

One of the threat events descriptions from the 'OWASP Automated Threat Handbook v1.00'

There are many aspects of automation that can contribute to application security, but there are also automated threats that disrupt operations. There is a significant body of knowledge about application vulnerability types, and some general consensus about identification and naming. But I believe issues relating to the misuse of valid functionality (which may be caused by design flaws rather than implementation bugs) are less well defined. Yet these problems are seen day-in, day-out by web application owners.

Excessive abuse of functionality is commonly misreported as application denial-of-service (DoS) attacks, such as HTTP flooding or application resource exhaustion, when in fact the DoS is a side-effect. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or in any other top issue list or dictionary.

This has contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues. I wrote some use case scenarios for having defined names and properties of the threat events:

  • Defining application development security requirements
  • Sharing intelligence within a sector
  • Exchanging threat data between CERTs
  • Enhancing application penetration test findings
  • Specifying service acquisition needs
  • Characterising vendor services.

Following a number of months of research and some peer review, I am pleased to publish the first main output of this - the OWASP Automated Threat Handbook for Web Applications. Initially this is primarily the ontology of automated threats, but the aim is to now develop additional guidance on:

  • Mitigations
  • Guidance for builders
  • Guidance for defenders
  • Effectiveness of alternative controls
  • Threat identification metrics.

I am grateful to those people who have already provided input, discussed the classifications, and suggested improvements.

All outputs are free and open source. There is a two-page project summary, and the 68-page v1.00 handbook can be downloaded as a PDF or obtained as a print-on-demand book.

To join the discussion, or to contribute knowledge, or to keep up with the latest news, please join the project's mailing list.

Also, please come along to my talk about the project at AppSec USA 2015 in San Francisco.

Posted on: 31 July 2015 at 09:53 hrs


28 July 2015

AppSensor Guide v2.0.2

I have published an updated version of the OWASP AppSensor Guide, the guide to application-specific real time attack detection and response.

Cover from the OWASP AppSensor Guide v2.0.2 published on 27th July 2015

The v2.0.2 AppSensor Guide is available free of charge digitally in DOC and PDF formats, and in print at cost from Lulu.

This is a minor update that includes:

  • Reference the extensive work on the reference code implementation undertaken since the v2.0.1 guide was published in May 2014
  • Changes due to further peer review
  • Alterations based on feedback while writing the CISO Briefing
  • Fix spelling and grammatical errors
  • Added missed and new additional contributors' names
  • Added information on more recent presentations that mention AppSensor
  • Comments added about the related product category Runtime Application Self-Protection (RASP)
  • Checked and updated reference source hyperlinks
  • Removal of commercial implementation references
  • Cover design modified slightly for consistency with the CISO Briefing.

All the edits are shown with track changes on, in another word processing document.

The AppSensor Guide complements information on the AppSensor microsite, the Introduction for Developers flyer and the CISO Briefing. Copies will be available at AppSec USA in September.

Posted on: 28 July 2015 at 13:00 hrs


17 July 2015

AngularJS Security

Security was given a high profile on the agenda of this year's Norwegian Developers Conference (NDC).

Partial screen capture from the AngularJS web site showing the FAQ regarding security

One talk which caught my eye was Kevin Hakanson's presentation about developing securely on AngularJS.

He structured his guidance for AngularJS around the OWASP Top 10 risks, and his presentation is now available online. The slides contain many useful code samples and demos.

A couple of other AngularJS security resources I would recommend are:

Posted on: 17 July 2015 at 08:30 hrs


14 July 2015

E-Banking Transaction Authorisation

I listened to Wojciech Dworakowski speak at AppSec EU 2015 about e-banking transaction authorisation.

Partial screen capture showing the contents list from the OWASP Transaction Authorization Cheat Sheet

His presentation is available to watch, but he mentioned that he was working on a new document for the OWASP cheat sheet series.

The Transaction Authorization Cheat Sheet has been published. It describes necessary functional and non-functional requirements to implement transaction authorisation properly.

Whilst such checks are common in financial applications to confirm with the intended user that an electronic fund transfer is valid, transaction authorisation also occurs in other applications such as for account validation.
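As an added illustration of what "implementing transaction authorisation properly" has to bind together, the following Python is example code written for this page; it is not taken from the cheat sheet, from the presentation or from any bank's system. It models a server-side authorisation step tied to one specific transaction: the one-time code is derived for exactly the payee and amount the user was shown, a change to that data after the challenge was issued invalidates the challenge, the code is single-use, and wrong attempts are limited. The HMAC-based code generator, the shared per-user secret, the field names and the limits are all assumptions made for the example; in a real scheme the code is computed on a separate device or delivered over a separate channel.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed per-user secret shared with the user's token or app (assumption for
# this example); in a real deployment it is provisioned out of band and never
# sent to the browser.
USER_TOKEN_SECRET = b"constructed-example-secret-for-alice"
MAX_ATTEMPTS = 3  # assumed limit on wrong codes per challenge


@dataclass(frozen=True)
class Transaction:
    payee_account: str
    amount_pence: int
    currency: str = "GBP"

    def canonical(self) -> bytes:
        # Canonical form of the significant data the user is asked to confirm;
        # the authorisation is bound to this (what you see is what you sign).
        return f"{self.payee_account}|{self.amount_pence}|{self.currency}".encode()

    def digest(self) -> bytes:
        return hashlib.sha256(self.canonical()).digest()


@dataclass
class Challenge:
    tx_digest: bytes   # digest of the transaction shown when the challenge was issued
    nonce: bytes       # unique per challenge, so a captured code cannot be replayed
    attempts: int = 0
    used: bool = False


def token_code(secret: bytes, tx_digest: bytes, nonce: bytes) -> str:
    """Six-digit code over (nonce, transaction digest). Stands in for what the
    user's token would compute; the property that matters is that the code
    verifies only for this transaction and this challenge."""
    mac = hmac.new(secret, nonce + tx_digest, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TransactionAuthoriser:
    def __init__(self) -> None:
        self._challenges: dict[str, Challenge] = {}

    def create_challenge(self, tx: Transaction) -> str:
        """Issue a challenge for exactly this transaction and return its id."""
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(tx.digest(), secrets.token_bytes(16))
        return challenge_id

    def expected_code(self, challenge_id: str) -> str:
        """Simulates the user's token (same secret and inputs). Server-side only
        to keep the example self-contained; a real token does this off-host."""
        ch = self._challenges[challenge_id]
        return token_code(USER_TOKEN_SECRET, ch.tx_digest, ch.nonce)

    def authorise(self, challenge_id: str, tx_to_execute: Transaction, code: str) -> tuple[bool, str]:
        """Check `code` against the challenge and bind the result to the
        transaction the server is actually about to execute, taken from the
        server-side pending record, never from the request carrying the code."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "challenge already used"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        if tx_to_execute.digest() != ch.tx_digest:
            # Amount or payee changed after the user saw the challenge (for
            # example by parameter manipulation in a later step): discard the
            # challenge rather than let an attacker keep trying with the old code.
            ch.used = True
            return False, "transaction data changed since challenge was issued"
        ch.attempts += 1
        if not hmac.compare_digest(code, token_code(USER_TOKEN_SECRET, ch.tx_digest, ch.nonce)):
            return False, "wrong code"
        ch.used = True  # single use: the transfer executes now and the code cannot be replayed
        return True, "authorised"
```

A deployment would add what this sketch leaves out: a short expiry on each challenge, failure counting per user rather than per challenge, and a record of every outcome so that the authorisation can later be evidenced.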

Posted on: 14 July 2015 at 08:41 hrs


07 July 2015

Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel.

From the ECB's 'Guidelines on Internet Payments Security' on strong customer authentication in clause 7.5: 'PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis, or involving low-value payments, as referred to in the PSD.'

The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (HPP) would currently be acceptable for validation and reporting to SAQ A (or using those parts in a full report on compliance, depending upon transaction volumes or as required by a card scheme or acquirer).

But move on a year. The payment service provider (PSP) sector is coming under increasing regulation. PSPs are subject to the Payment Services Directive (PSD) which was implemented in the UK through the Payment Services Regulations 2009 (PSRs), which came into effect on 1st November 2009.

The PSRs affect firms providing payment services and their customers, including banks, building societies, e-money issuers, money remitters, non-bank credit card issuers and non-bank merchant acquirers. Thus, whilst they are not directly applicable to e-commerce merchants (or e-merchants, as the PSD refers to them), the PSPs that provide e-commerce merchants with payment systems are affected.

Following an extensive consultation process, and a draft published in October last year, the European Banking Authority (EBA) published its final guidance in December 2014. This guidance is known as the Final Guidelines on the Security of Internet Payments and comes into effect next month on 1st August 2015.

This places obligations on PSPs to impose certain security requirements on e-commerce merchants. For example PSPs must require their ecommerce merchants to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet.

Furthermore the guidance requires PSPs to encourage merchants never to store "sensitive payment data", and places an obligation on PSPs to include requirements in their contracts and to carry out "regular checks" of their e-commerce merchants:

From the ECB's 'Guidelines on Internet Payments Security' on protection of sensitive payment data in clauses 11.2 and 11.3: 'PSPs should ensure that when exchanging sensitive payment data via the internet, secure end-to-end encryption is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data, using strong and widely recognised encryption techniques.' and 'PSPs offering acquiring services should encourage their e-merchants not to store any sensitive payment data. In the event e-merchants handle, i.e. store, process or transmit sensitive payment data, such PSPs should contractually require the e-merchants to have the necessary measures in place to protect these data. PSPs should carry out regular checks and if a PSP becomes aware that an e-merchant handling sensitive payment data does not have the required security measures in place, it should take steps to enforce this contractual obligation, or terminate the contract.'

Perhaps of most note is the guidance that states PSPs should require e-commerce merchants to use a full redirect rather than any other type of architecture, and that this excludes any framed hosted payment page:

From the ECB's 'Guidelines on Internet Payments Security' on customer education and communication in clause 12.5: 'Acquiring PSPs should require e-merchants to clearly separate payment-related processes from the online shop in order to make it easier for customers to identify when they are communicating with the PSP and not the payee (e.g. by re-directing the customer and opening a separate window so that the payment process is not shown within a frame of the e-merchant)'

Whether this will actually filter through from PSPs to their e-commerce customers, or from the acquiring banks to their merchants is yet to be seen. The UK's Financial Conduct Authority (FCA) has stated it will not be able to comply with the guidance. Regardless of this, leading merchants that do not already use a full redirect are investigating what changes might be necessary to achieve this and the level of user experience possible. The reasons to move to a full redirect are to reduce the risk to cardholder data, to lower the risk of a cardholder data incident, and to change at a time of their choosing before it is imposed through a contractual obligation.

For some merchants this may entail moving to a different PSP that is able to offer suitable PSP-hosted templates and configuration to provide a suitable user interface (UI) for web desktop and mobile users that supports all the options the merchant requires, such as internationalisation.

Some nations, PSPs and acquiring banks may also be waiting for the implementation of the Payment Services Directive 2 (PSD2), possibly in 2017. The intention of PSD2 is to harmonise the approaches across member nation states, and also to reduce the inappropriate use of exemptions.

Posted on: 07 July 2015 at 10:00 hrs


26 June 2015

Game Fame

I have been catching up on a backlog of information security related podcasts, and one episode of the Security Influencers Channel from January mentions my application security games.

Adam Shostack, who developed the Elevation of Privilege Threat Modelling Card Game and is responsible for Microsoft's software threat modeling process, maintains a page on security games and said about my OWASP Cornucopia card game:

Let me actually plug an awesome OWASP project that hasn't got enough attention, and that's the Cornucopia game... which are designed to help people with web security... so folks should go check that out

Interviewer Jeff Williams also mentioned my OWASP Snakes and Ladders board game:

There's actually another game out of OWASP that you may have seen called Snakes and Ladders... it's very cool... it's a take off on Chutes and Ladders game... but it's all security stuff... it's actually really fun

Thank you for the mentions. Check out episode 26 of the podcast. The games are free to use and can be downloaded from the OWASP website.

And, if you are attending AppSec USA 2015 in San Francisco, I heard yesterday that my submission to deliver Cornucopia card game lightning training has been accepted and runs from 2-3pm on Thursday 24th September. All the one-hour duration lightning training sessions are free to all conference attendees and run alongside the conference talks on Thursday 24th and Friday 25th September. Now just three months away.

Posted on: 26 June 2015 at 07:43 hrs


19 June 2015

Ecommerce and Financial Web Application Vulnerabilities

NCC Group has published some guidance for finance/e-commerce application penetration testers.

Partial view of a table from 'Common Security Issues in Financially-Oriented Web Applications'

Common Security Issues in Financially-Oriented Web Applications is arranged in the following sections:

  • Time-of-Check-Time-of-Use (TOCTOU) and race condition issues
  • Parameter manipulation
  • Replay attacks (capture-replay)
  • Rounding issues
  • Numerical processing
  • Card number-related issues
  • Dynamic prices, prices with tolerance, or referral schemes
  • Discount codes, vouchers, offers, reward points, and gift cards
  • Cryptography
  • Downloadables and virtual goods
  • Hidden and insecure backend APIs
  • Using test data in production environment
  • Currency arbitrage in deposit/buy and withdrawal/refund.
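The rounding and numerical-processing categories lend themselves to a short worked example. The Python below is added here and is not taken from the NCC Group paper: it contrasts a basket total computed with binary floats, per-line rounding and unchecked quantities against a version that works in Decimal, validates each line and rounds once, on the total, to the currency's minor unit. The prices, quantities and the two-field basket line are constructed sample values for the example.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP


class BasketError(ValueError):
    """Raised when a basket line contains a value that must not be priced."""


def vulnerable_total(lines):
    """Float arithmetic, rounding each line to 2 dp with round(), and no
    validation of the quantity. Constructed to show the defects listed above:
      - 0.4 units at 0.01 rounds to 0.00, so many such lines cost nothing
      - a negative quantity silently reduces the total
      - rounding per line rather than once lets small amounts drift."""
    total = 0.0
    for unit_price, qty in lines:
        total += round(float(unit_price) * float(qty), 2)
    return total


def hardened_total(lines, minor_unit_digits=2):
    """Exact decimal arithmetic. Quantities must be positive whole numbers,
    prices must be finite and non-negative, and rounding happens once, on
    the total, half-up, to the currency's minor unit (2 digits assumed).
    Prices are expected to come from the catalogue as strings or Decimals,
    never from the client."""
    total = Decimal(0)
    for unit_price, qty in lines:
        try:
            price = Decimal(str(unit_price))
            quantity = Decimal(str(qty))
        except InvalidOperation:
            raise BasketError(f"non-numeric line: {unit_price!r} x {qty!r}") from None
        if not (price.is_finite() and quantity.is_finite()):
            raise BasketError(f"non-finite line: {unit_price!r} x {qty!r}")
        if quantity <= 0 or quantity != quantity.to_integral_value():
            raise BasketError(f"quantity must be a positive whole number: {qty!r}")
        if price < 0:
            raise BasketError(f"unit price must not be negative: {unit_price!r}")
        total += price * quantity
    quantum = Decimal(1).scaleb(-minor_unit_digits)  # Decimal("0.01") for two digits
    return total.quantize(quantum, rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    # Constructed sample baskets.
    free_goods = [("0.01", 0.4)] * 100          # 100 fractional lines, all rounded to zero
    negative_qty = [("19.99", 2), ("19.99", -1)]
    print(vulnerable_total(free_goods), vulnerable_total(negative_qty))   # 0.0 19.99
    print(hardened_total([("19.99", 2), ("0.10", 3)]))                    # 40.28
    for bad in (free_goods, negative_qty):
        try:
            hardened_total(bad)
        except BasketError as exc:
            print("rejected:", exc)
```

The hardened version also rejects a line such as ("0.333", 1) twice being rounded to 0.33 each time: it carries 0.666 through and rounds once to 0.67, which is the behaviour a finance team expects to reconcile against.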

Soroush Dalili has provided a very useful extensive guide here, which should be used by developers as well as testers.

On this topic, I would also recommend watching the presentation by Wojtek Dworakowski at AppSec EU 2015 in May about E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation, which is available to watch or to download.

All the other presentation recordings from AppSec EU 2015 can be found on YouTube and are also available to download.

Posted on: 19 June 2015 at 08:30 hrs


15 June 2015

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation.

Photograph of Hadrian's Roman Wall in Northumberland, England

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful concepts in existing applications and is provided under an MIT open-source licence.

Version 2.1.0 includes additional execution modes, additional emitters, enhanced documentation, upgraded Maven dependency versions, and Spring Security integration. Additionally two demonstration applications have been added. The first example application illustrates how to use AppSensor in local mode with the Spring Security integration. The second example shows the use of AppSensor for something other than application layer IDS — in this case, as an exception tracker.
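To make the detection point, threshold and response idea concrete, here is an added example in Python; it is not code from the AppSensor reference implementation or the Guide. It keeps a per-user count of detection-point events inside a sliding time window and names a response when a threshold is crossed. The detection-point ids are written in the AppSensor labelling style, but the descriptions attached to them here, the thresholds, windows, response names and the sample events are all assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Policy: detection point id -> (events_to_trigger, window_seconds, response).
# Ids follow the AppSensor labelling pattern; the descriptions, thresholds,
# windows and response names are assumptions for this example.
POLICY = {
    "IE1": (1, 60, "log"),            # assumed: cross-site scripting attempt, record at once
    "AE2": (5, 300, "lock_account"),  # assumed: multiple failed passwords, 5 in 5 minutes
    "ACE3": (3, 600, "logout"),       # assumed: force-browsing attempt, 3 in 10 minutes
}


class AppSensorLite:
    """Per-user event store that evaluates thresholds inside a sliding window."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self._events = defaultdict(deque)  # (user, detection point) -> timestamps
        self.responses = []                 # (user, detection point, response, time)

    def add_event(self, user, detection_point, now):
        """Record one detection-point event at time `now` (seconds).
        Returns the response name if a threshold was crossed, else None."""
        if detection_point not in self.policy:
            raise KeyError(f"unknown detection point {detection_point!r}")
        count, window, response = self.policy[detection_point]
        timestamps = self._events[(user, detection_point)]
        timestamps.append(now)
        # Drop events that have fallen out of the window.
        while timestamps and timestamps[0] <= now - window:
            timestamps.popleft()
        if len(timestamps) >= count:
            # Threshold crossed: fire the response once and start counting
            # afresh, so the next crossing needs `count` new events.
            timestamps.clear()
            self.responses.append((user, detection_point, response, now))
            return response
        return None

    def responses_for(self, user):
        return [r for r in self.responses if r[0] == user]


# Constructed sample events: (time_seconds, user, detection point).
SAMPLE_EVENTS = [
    (0, "alice", "AE2"), (12, "alice", "AE2"), (25, "alice", "AE2"),
    (40, "alice", "AE2"), (55, "alice", "AE2"),      # fifth failure inside 5 minutes
    (0, "bob", "AE2"), (400, "bob", "AE2"), (800, "bob", "AE2"),
    (1200, "bob", "AE2"), (1600, "bob", "AE2"),      # five failures, but spread out
    (70, "mallory", "IE1"),
]


def replay(events, policy=POLICY):
    """Feed events in time order and return the (user, dp, response) triples fired."""
    sensor = AppSensorLite(policy)
    fired = []
    for now, user, dp in sorted(events):
        response = sensor.add_event(user, dp, now)
        if response:
            fired.append((user, dp, response))
    return fired


if __name__ == "__main__":
    for user, dp, response in replay(SAMPLE_EVENTS):
        print(f"{user}: {dp} -> {response}")
```

The reset after a crossing is a design choice: it means "five failed logins" triggers once per five failures rather than on every further failure, which is usually what you want when the response is as heavy as locking an account.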

The code can be downloaded from GitHub.

John is now hoping to move onto creating a user interface (UI) for the reference implementation, and is seeking feedback on the UI architecture and design. Please contribute your ideas by adding comments this week.

Posted on: 15 June 2015 at 07:06 hrs


11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat 'Website Security Statistics Report 2015' showing Frequency of Adhoc Code Review by Industry Sector

Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs


02 June 2015

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health.

The cover sheet from the European Data Protection Supervisor (EDPS) opinion on Mobile Health (mHealth)

Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the use of mobile apps. The apps can deliver health-related services through smart devices often processing personal information about health and other lifestyle and well-being information.

The EDPS was concerned about the adverse effect mHealth may have on individuals' rights to privacy and personal data protection, and wanted to highlight relevant aspects that might be overlooked. The opinion builds on existing data protection rules and draws upon the 2013 opinion adopted by the Article 29 Working Party on mobile apps installed on smart devices. It also considers the implications of the potential changes in the proposed General Data Protection Regulation ("GDPR").

The opinion's view is that the following measures, reproduced verbatim, would bring about substantial benefits for data protection:

  • The EU legislator should, in future policy making measures in the field of mHealth, foster accountability and allocation of responsibility of those involved in the design, supply and functioning of apps (including designers and device manufacturers)
  • App designers and publishers should design devices and apps to increase transparency and the level of information provided to individuals in relation to processing of their data and avoid collecting more data than is needed to perform the expected function. They should do so by embedding privacy and data protection settings in the design and by making them applicable by default, in case individuals are not invited to set their data protection options manually, for instance when installing apps on their smart devices
  • Industry should use Big data in mHealth for purposes that are beneficial to the individuals and avoid using them for practices that could cause them harm, such as discriminatory profiling
  • The legislator should enhance data security and encourage the application of privacy by design and by default through privacy engineering and the development of building blocks and tools.

In the document's conclusion, the EDPS hopes that compliance with data protection principles and rules will contribute to the full development of the mHealth sector.

Posted on: 02 June 2015 at 08:29 hrs



Non-repudiation Security Principle : Application Security and Privacy
© 2008-2015 clerkendweller.uk