31 March 2015

Non-repudiation

Posts relating to the information security principle "Non-repudiation" are listed below.

30 January 2015

OWASP AppSensor Code v2.0.0 Final Release

I was extremely pleased to read yesterday that the final version of the new AppSensor reference implementation has been published following three previous release candidates.

Screen capture from the AppSensor microsite developed by John Melton for the OWASP AppSensor Project

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response.

John Melton, with the help of other code contributors and feedback from the project's code development mailing list, has finished a complete overhaul of the previous code. In the words of the version 2.0.0 announcement, the most significant changes are:

  • Client-server architecture supporting multiple communication modes including: REST, SOAP, Thrift, local (shared JVM, java-only)
  • Any language can be used on the client application. The only requirement is that the language selected must support the communication protocol of the execution mode that is configured (i.e. if using REST as the execution mode, the language must be capable of making HTTP requests.) The server-side components are Java, but this places no restriction on the client applications themselves
  • There is no longer a hard dependency on [OWASP] ESAPI. AppSensor is a standalone project, though it can be integrated with projects that also use ESAPI if desired
  • The core components of the system have been renamed and now follow the AppSensor v2 book naming conventions, which is based on standard IDS terminology for clarity
  • Basic user correlation is supported so that client applications that share a user base (SSO) can share attack detection/response information.

John also created a special AppSensor microsite.

This is all free to use (see code licence). Begin using the new code with the getting started information.

Posted on: 30 January 2015 at 08:26 hrs


27 January 2015

NISTIR 8018 - Public Safety Mobile Application Security Requirements Works

The previously mentioned draft NIST Interagency Report (NISTIR) 8018 has now been released in final version.

The public safety mobile application security effort focuses on improving the mobile application development process, specifically the mobile application testing tools, by understanding and collecting the security requirements relevant to the public safety community.

The consultation on the previous draft closed on 13th September 2014. The final NISTIR 8018 (23 January 2015) captures security requirements for public safety mobile applications from the workshop held between the Association of Public-Safety Communications Officials (APCO) International, the first responders' network FirstNet and the US Department of Commerce.

NISTIR 8018, PDF download.

Posted on: 27 January 2015 at 09:13 hrs


21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security leader discussions on key topics covering the present and future of cyber security innovation, and the part new cyber startups may have to play.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two-day hackathon for developers, students and the security community to work on new ideas that will either create a cyber security product or a product that has security at its core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs


16 January 2015

New Application Security Program Quick Start Guide

WhiteHat Security has donated a getting started guide to the Open Web Application Security Project (OWASP).

To be successful, we should aim for a program that is more than simply testing sites and delivering results to stakeholders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

The Application Security Program Quick Start Guide provides information on setting up or improving a software development security initiative, and is now an OWASP project. It was created by Gabriel Gumbs, Jeremiah Grossman, Robert Hansen, Jerry Hoff and Matt Johansen. The guide is arranged in "5 days" of actions, which might be somewhat hopeful, but is a useful summary of what WhiteHat has found to work elsewhere.

The version 1.0 document is available in Word and PDF formats. The guide is free to use and is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Posted on: 16 January 2015 at 19:10 hrs


14 January 2015

Application Security and Privacy Mapping 2015

I have updated my chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK.

Principal Influences on UK Web Applications' mind map diagram for January 2015

For a fuller explanation, read my post about the update last October.

Access the Principal Influences on UK Applications 2015 chart, hosted on my company's web site.

Posted on: 14 January 2015 at 10:39 hrs


02 January 2015

Application Security and Privacy

Happy new year. For 2015 I have renamed this blog to "Clerkendweller: Application Security and Privacy".

Photograph of a footpath sign in Northumberland with a notice 'Warning Troops Training - Otterburn Training Area', and the Cheviot Hills behind

This update reflects the greater focus on both information security and privacy, and the description has been changed to "A blog about security and privacy issues for software application designers, developers and owners", dropping the references to the lesser-covered usability and design aspects. It also acknowledges that many of the application issues discussed are not purely web related, but apply to software applications of many types.

Let's see how it goes.

Posted on: 02 January 2015 at 17:51 hrs


12 December 2014

I'm in a Top 10 List!

I was pleasantly surprised to find my blog mentioned in someone else's top 10 list.

Partial screen capture of the Cooke & Mason '10 Top Cyber Security News & Resources Every Business Should Visit'

Cooke & Mason has published a list titled 10 Top Cyber Security News & Resources Every Business Should Visit. I'm not sure if it's in order, but this blog is listed sixth on the page.

Perhaps I have mentioned "cyber" and "insurance" quite often, but those other references are big names and big hitters.

Posted on: 12 December 2014 at 08:50 hrs


10 December 2014

Some Other Security Games

If you're not into card and board games like Cornucopia security requirements or Snakes and Ladders risks and controls, why not try a couple of new online hacking games?

Screenshot from the Game of Hacks

Try these:

  • HACKvent 2014 is an online advent calendar with a difference. There are 24 challenges - one each day - which started on 1st December (sorry this is a bit late). All the challenges are available until 31st December, and additional points can be earned for writing up detailed solutions.
  • Game of Hacks tests your application hacking skills as an individual or against someone you know, with beginner, intermediate and advanced skill levels.

And back to the physical games, Adam Shostack, inventor of the Microsoft Elevation of Privilege threat modelling card game, edited the OWASP Cornucopia wiki page to add a link to a list of tabletop security games and related resources he maintains. I've ordered a couple of those for the break.

Good luck.

Posted on: 10 December 2014 at 18:48 hrs


07 December 2014

On Anonymity and Accountability

A post by information security practitioner Robert Hansen titled Anonymity or Accountability raised an interesting topic.

I wonder about the language here — "safety" and "freedom" are not opposites...

I think there is a terminology problem, and some misunderstandings about privacy from this security viewpoint. But a useful discussion to have. Read more on the WhiteHat Security blog.

Posted on: 07 December 2014 at 13:58 hrs


05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases they can actually assist attackers in compromising the web sites that display them.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security of including a security seal from the service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness in the scans, meaning insecure websites are certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme itself
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, rather than using a seal to create the illusion of security: application security is achieved through the software development life cycle (SDLC), not through a badge.

Posted on: 05 December 2014 at 08:32 hrs


© 2008-2015 clerkendweller.uk