24 February 2015

Non-repudiation

Posts relating to the information security principle "Non-repudiation" are listed below.

02 January 2015

Application Security and Privacy

Happy new year. For 2015 I have renamed this blog to "Clerkendweller: Application Security and Privacy".

Photograph of a footpath sign in the Northumberland with a notice 'Warning Troops Training - Otterburn Training Area', and the Cheviot Hills behind

This update reflects the greater focus on both information security and privacy, and the description has been changed to "A blog about security and privacy issues for software application designers, developers and owners" dropping the references to the lesser-covered usability and design aspects. It also acknowledges that many of the application issues discussed are not purely web related, but relate to software applications of many types.

Let's see how it goes.

Posted on: 02 January 2015 at 17:51 hrs


12 December 2014

I'm in a Top 10 List!

I was pleasantly surprised to find my blog mentioned in someone else's top 10 list.

Partial screen capture of the Cooke & Mason '10 Top Cyber Security News & Resources Every Business Should Visit'

Cooke & Mason has published a 10 Top Cyber Security News & Resources Every Business Should Visit. I'm not sure if it's in order, but this blog is listed sixth on the page.

Perhaps I have mentioned "cyber" and "insurance" quite often, but those other references are big names and big hitters.

Posted on: 12 December 2014 at 08:50 hrs


10 December 2014

Some Other Security Games

If you're not into card and board games like Cornucopia security requirements or Snakes and Ladders risks and controls, why not try a couple of new online hacking games?

Screenshot from the Game of Hacks

Try these:

  • HACKvent 2014 is an online advent calendar with a difference. There are 24 challenges - one each day - which started on 1st December (sorry this is a bit late). All the challenges are available until 31st December, and additional points can be earned for writing up detailed solutions.
  • Game of Hacks tests your application hacking skills as an individual or against someone you know, with beginner, intermediate and advanced skill levels.

And back to the physical games, Adam Shostack, inventor of the Microsoft Elevation of Privilege threat modelling card game, edited the OWASP Cornucopia wiki page to add a link to a list of tabletop security games and related resources he maintains. I've ordered a couple of those for the break.

Good luck.

Posted on: 10 December 2014 at 18:48 hrs


07 December 2014

On Anonymity and Accountability

A post by information security practitioner Robert Hansen titled Anonymity or Accountability raised an interesting topic.

I wonder about the language here — "safety" and "freedom" are not opposites...

I think there is a terminology problem, and some misunderstandings about privacy from this security viewpoint. But a useful discussion to have. Read more on the WhiteHat Security blog.

Posted on: 07 December 2014 at 13:58 hrs


05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases they can actually assist attackers to compromise the web sites.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security of including a security seal from the service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness, meaning insecure websites being certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, rather than using a seal to create the illusion of security. Application security through the software development life cycle (SDLC).

Posted on: 05 December 2014 at 08:32 hrs


02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SWAT Checklist Category (SANS Institute) | AppSec Principle (David Rook) | Cornucopia Suit (OWASP) | Proactive Control (OWASP)
Authentication | Authentication | Authentication | Establish identity and authentication controls
Session management | Session management | Session management |
Access control | Authorisation, Secure resource access | Authorization | Implement appropriate access controls
Input and output handling | Input validation, Output validation | Data validation and encoding | Validate all inputs, Parameterize queries, Encode data
Data protection | Secure communications, Secure storage | Cryptography, Cornucopia | Protect data and privacy
Error handling and logging | Error handling | Cornucopia | Implement logging, error handling and intrusion detection
Configuration and operations | - | Cornucopia | -
- | - | (all requirements) | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs


28 November 2014

Game On at OWASP Cambridge and London

Next week I will be attending two free United Kingdom OWASP events, and providing a full talk at one of them.

Part of the OWASP Snakes and Ladders game board

Cambridge

On Tuesday 2nd December, I will speak for the first time at OWASP Cambridge about OWASP Cornucopia, the ecommerce website security requirement card game. Jerome Smith will present a second talk about a SSL Checklist for Pentesters.

Also at the event in Cambridge I will briefly mention the somewhat less serious application security awareness board game OWASP Snakes and Ladders and will be handing out free copies to everyone attending, kindly paid for by the OWASP Cambridge chapter. We will have time after the presentations to play both Cornucopia and Snakes and Ladders. On the subject of Snakes and Ladders, this week volunteers Yongliang He, Cédric Messeguer, Riotaro Okada and Ivy Zhang have generously translated the game for web applications into Chinese, French and Japanese.

Please register in advance for the free event in Cambridge. The meeting will be held in the Lord Ashcroft Building, Room LAB003; 17:00 for a prompt start at 17:30 hrs.

London

On Thursday 4th December, OWASP London is holding its final event of the year in Skype's offices at 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST, 18:00 for 18:30 hrs start. Christian Martorella will be talking about Offensive Open-Source Intelligence (OSINT) — the process, techniques and how attackers are using it to prepare their cyber attacks. Afterwards project leader Matteo Meucci will speak about the new OWASP Testing Guide v4.

Then, as in Cambridge, I will mention OWASP Snakes and Ladders, with printed copies available for everyone, but this time paid for by the London chapter.

Please remember to register for OWASP London on Thursday 4th December.

Elsewhere

There are numerous other UK OWASP chapters — join their mailing lists to be informed of future meetings.

Seeking a bigger application security event? In January OWASP London will be organising a cyber security week, and AppSec EU 2015 is being held in Amsterdam next May. The call for research, papers and trainers for the latter is now open.

Posted on: 28 November 2014 at 07:55 hrs


21 November 2014

Web Application Rules in the .Trust Policy

NCC Group has invested resources in developing and promoting the concept of a Top-Level Domain (TLD) where greater information assurance is provided — the .trust TLD. Note this service has nothing to do with the organisation TRUSTe mentioned yesterday.

Partial screen capture from a page on the NCC .Trust website that explains how .trust stands on three core principles: verify, secure and assure

The recently announced (October 2014) .trust technical policy defines five policy areas (abuse, DNS, email, network and web application), each with rules and sub-rules. Although .trust is not for me on this blog (nor by some parts of NCC that insist on using .guide and .com for information and resources, including the very confusing redirect URL https://trust.guide), it may gain commercial traction and I was interested to see how their policy mapped to other standards.

I have compared the web application policy rules with the OWASP Application Security Verification Standard (ASVS), OWASP Testing Guide (Testing), the OWASP Top Ten (T10) and the Payment Card Industry Data Security Standard (PCI DSS). This is from the perspective of the .trust technical policy, and a mapping does not mean "the same as".

ID | .Trust Technical Policy Rule | OWASP ASVS v2 | OWASP Testing v4 | OWASP T10 2013 | PCI SSC PCI DSS v3
6.1 | Serve Content Over HTTPS | V10.1, V10.2, V10.3 | CRYPST-001 | A5, A6 | 6.5.4, 6.5.10
6.2 | Provide an Appropriate HTTP Strict-Transport-Security Header | V3.15 | CONFIG-007 | A5, A6 | 6.5.4
6.3 | Provide an Appropriate HTTP Public-Key-Pins Header | - | - | A5, A6 | 6.5.4
6.4 | Provide an Appropriate Content Security Policy 1.0 HTTP Header | - | - | A3, A5 | -
6.5 | Provide an Appropriate X-Frame-Options HTTP Header | V11.10 | CLIENT-009 | A5 | -
6.6 | Provide an Appropriate X-Content-Type-Options HTTP Header | - | - | A5 | -
6.7 | Provide an Appropriate X-XSS-Protection HTTP Header | - | - | A3, A5 | -
6.8 | Restrictions on the Use of JavaScript | V5.16 | CLIENT-002 | A3 | -
6.9 | Do Not Serve Web Applications Containing Cross-Site Scripting Vulnerabilities | V5.5, V5.16 | INPVAL-001, INPVAL-002, CLIENT-001, CLIENT-002, CLIENT-003, CLIENT-004, CLIENT-005 | A3 | 6.5.7
6.10 | Must Not Serve Web Applications Containing Cross-Site Request Forgery Vulnerabilities | V4.16 | BUSLOGIC-002 | A8 | 6.5.9
6.11 | Must Not Serve Web Applications Containing SQL Injection Vulnerabilities | V5.10 | INPVAL-005 | A1 | 6.5.1
6.12 | Must Not Serve Web Applications Containing HTTP Header Injection Vulnerabilities | - | INPVAL-016 | A1 | 6.5.1
6.13 | Do Not Serve Web Applications Containing Shell Command or Process Injection Vulnerabilities | V5.12 | INPVAL-013 | A1 | 6.5.1
6.14 | Do Not Serve Web Applications Containing Code Execution Vulnerabilities | V5.1 | INPVAL-014, INPVAL-012 | - | 6.5.2
6.15 | Do Not Serve Web Applications Containing LDAP Injection Vulnerabilities | V5.11 | INPVAL-006 | A1 | 6.5.1
6.16 | Do Not Serve Web Applications Containing Directory Traversal Vulnerabilities | V16.2 | AUTHZ-001 | - | -
6.17 | Do Not Serve Web Applications Containing XML Injection Vulnerabilities | - | INPVAL-008 | A1 | 6.5.1
6.18 | Do Not Serve Web Applications Containing XPATH Injection Vulnerabilities | - | INPVAL-010 | A1 | 6.5.1
6.19 | Do Not Serve Web Applications Containing XML Entity Expansion Vulnerabilities | V5.13/14 | - | - | -
6.20 | Must Not Serve Web Applications Containing Open Redirects | V16.1 | CLIENT-004 | A10 | -
6.21 | Do Not Serve Web Application Content from User Home Directories | - | - | A5 | 6.5.8
6.22 | Do Not Serve Web Application Directory Index Pages | V4.5 | - | A5 | 6.5.5
6.23 | Serve an Appropriate crossdomain.xml File With all Web Applications | V16.10 | CONFIG-008 | A5 | -
6.24 | Serve an Appropriate clientaccesspolicy.xml File With all Web Applications | V16.10 | CONFIG-008 | A5 | -
6.25 | Protect Application Cookies | V3.12, V3.14, V3.15 | SESS-002, SESS-0024 | A2 | 6.5.10
6.26 | Perform Adequate Authentication of Users and Accounts | V2.2, V2.7, V2.13, V2.17, V2.18, V2.20 | AUTHN-002, AUTHN-003, AUTHN-004, AUTHN-005, AUTHN-006, AUTHN-007, AUTHN-008, AUTHN-009, AUTHN-010 | A2, A6 | 6.5.3, 6.5.8, 6.5.10
6.27 | Perform Adequate Authorization of Functions and Access to Data | V4.1, V4.3 | AUTHZ-002, AUTHZ-003, AUTHZ-004 | A4, A7 | 6.5.8
6.28 | Use Strong Session Identifiers | V3.6, V3.7, V3.8, V3.11 | SESS-003, SESS-004 | A2 | 6.5.10
6.29 | Provide a Maximum Inactivity Timeout | V3.3 | SESS-007 | A2 | 6.5.10
6.30 | Host User-Generated Content From a Separate Domain | - | - | A5 | -

So there is considerable overlap, but each of the above also includes tests that are unique to it.
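Rules 6.2 to 6.7 in the table are all about response headers, and they are the easiest to verify automatically once a site is live. The following is an added example, not NCC Group's, OWASP's or this blog's own code: it takes a set of response headers (two constructed header sets are embedded, one weak and one hardened) and reports, per rule, why the headers would not count as "appropriate". The thresholds it uses to decide that (the minimum HSTS and HPKP max-age values, the requirement for a backup pin, and the specific CSP source expressions it rejects) are this example's own assumptions, not the wording of the .trust policy itself, which is not reproduced here.

```python
"""Check a set of HTTP response headers against .trust web application
rules 6.2 to 6.7 (HSTS, HPKP, CSP, X-Frame-Options, X-Content-Type-Options,
X-XSS-Protection). Added example; thresholds are assumptions, not the policy text."""
from typing import Dict, List

# Assumed thresholds (not taken from the .trust policy).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600   # about six months
MIN_HPKP_MAX_AGE = 30 * 24 * 3600    # thirty days


def _directives(value: str) -> Dict[str, str]:
    """Split a 'k=v; k2' style header value into a lower-cased dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip().strip('"')
    return out


def check_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return rule id -> list of findings; an empty list means the rule passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, List[str]] = {}

    # 6.2 Strict-Transport-Security: present, long max-age, covers subdomains.
    f: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        f.append("header missing")
    else:
        d = _directives(hsts)
        if not d.get("max-age", "").isdigit() or int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            f.append("max-age missing or below threshold")
        if "includesubdomains" not in d:
            f.append("includeSubDomains missing")
    findings["6.2"] = f

    # 6.3 Public-Key-Pins: at least two pins (a backup pin) and a sane max-age.
    f = []
    hpkp = h.get("public-key-pins")
    if hpkp is None:
        f.append("header missing")
    else:
        pins = [p for p in hpkp.split(";") if p.strip().lower().startswith("pin-sha256=")]
        if len(pins) < 2:
            f.append("fewer than two pins (no backup pin)")
        age = _directives(hpkp).get("max-age", "")
        if not age.isdigit() or int(age) < MIN_HPKP_MAX_AGE:
            f.append("max-age missing or below threshold")
    findings["6.3"] = f

    # 6.4 Content-Security-Policy: the effective script source list must not
    # allow inline script, eval or a wildcard host.
    f = []
    csp = h.get("content-security-policy")
    if csp is None:
        f.append("header missing")
    else:
        directives: Dict[str, List[str]] = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script = directives.get("script-src", directives.get("default-src"))
        if script is None:
            f.append("no script-src or default-src directive")
        else:
            for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                if bad in script:
                    f.append(f"script sources allow {bad}")
    findings["6.4"] = f

    # 6.5 X-Frame-Options: this example accepts only DENY or SAMEORIGIN.
    xfo = h.get("x-frame-options", "").strip().upper()
    findings["6.5"] = [] if xfo in ("DENY", "SAMEORIGIN") else ["missing or not DENY/SAMEORIGIN"]

    # 6.6 X-Content-Type-Options: nosniff.
    xcto = h.get("x-content-type-options", "").strip().lower()
    findings["6.6"] = [] if xcto == "nosniff" else ["missing or not nosniff"]

    # 6.7 X-XSS-Protection: 1; mode=block.
    d = _directives(h.get("x-xss-protection", ""))
    findings["6.7"] = [] if ("1" in d and d.get("mode") == "block") else ["missing or not '1; mode=block'"]
    return findings


def failing_rules(headers: Dict[str, str]) -> List[str]:
    """Sorted ids of the rules with at least one finding."""
    return sorted(rule for rule, f in check_headers(headers).items() if f)


# Constructed sample header sets for a weak and a hardened configuration.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "X-XSS-Protection": "0",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PRIMARY_PIN="; pin-sha256="PLACEHOLDER_BACKUP_PIN="; max-age=2592000',
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, "fails:", failing_rules(hdrs), check_headers(hdrs))
```

The pin values in the hardened set are placeholders; a real deployment would carry base64 SHA-256 hashes of the leaf or intermediate certificate's public key, and a backup pin for a key that is held offline, since a mistaken HPKP header locks genuine users out for the whole max-age. Browsers have since removed HPKP support altogether, so rule 6.3 is of historical interest, but the remaining five checks still apply.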

The seven rules in the .trust Abuse Policy are also relevant for hosted content such as what is linked to, what is redirected to, avoidance of obfuscation, and the types of files hosted, especially aspects that might be considered malware.

Posted on: 21 November 2014 at 11:46 hrs


06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheets as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissors and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs


04 November 2014

Payment Checkout Flaws and Bugs

The announcement last week by researchers from Newcastle University about a problem with Visa's contactless cards reminded me to mention again common issues with checkout and payment functions in web and mobile applications.

Photograph of customers in a household lighting stand during Clerkenwell Design Week 2014

The Visa fault relates to not enforcing the same limits on transactions when using foreign currencies. The paper is being presented this week at the 21st ACM Conference on Computer and Communications Security in Scottsdale, Arizona. While we hope we would not make similar mistakes ourselves, almost every web/mobile checkout/payment system I come across has some sort of problems.

I do not believe I have mentioned it previously, but if you are developing an online payment API, mobile or web payment application, you should read a paper from Microsoft Research issued in 2011. How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores (presented at IEEE Symposium on Security & Privacy 2011 in Oakland, California) describes findings from research into the security of several web payment applications.

Many of these problems are data validation or authorisation issues, but can be labelled as "business logic flaws". My own checklist for reviewing payment application functionality is below:

  • Buy at arbitrary price
  • Buy at nil price
  • Buy without paying
  • Buy one item at another item's price
  • Pay for one basket at another basket's price
  • Update the basket while paying for the original one
  • Voucher, gift card and discount enumeration or manipulation
  • Repeat order/payment
  • Missing "mandatory" steps
  • Refund after payment
  • Chargeback after payment
  • Pay customer instead of seller
  • Missing checks/enforcement of data validation/signing
  • Enumeration of accounts, customers, payment cards, baskets, orders, email addresses, phone numbers
  • Manipulation of out-of-band messages (e.g. emails, SMS, direct messaging)
  • Payment confirmation manipulation
  • Tax and currency conversion manipulation
  • Rate of use and floor limits
  • Staff/internal backdoors
  • Fraud opportunities
  • Test data/cards working/present
  • Third-party hosted content
  • Privacy contraventions
  • PCI DSS contraventions.

This does not describe every method, but I hope the list is of use to others anyway. Generic attacks (e.g. injection, path traversal, cross-site request forgery, man-in-the-middle, unpatched components) also crop up in ecommerce payment functions, like everywhere else.
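Several of the checklist items ("buy at arbitrary price", "pay for one basket at another basket's price", "update the basket while paying for the original one", "repeat order/payment", "payment confirmation manipulation", "missing checks/enforcement of data validation/signing") share one root cause: the merchant treats the payment confirmation coming back from the third-party cashier as authoritative instead of re-checking it against its own record of the order. The block below is an added example, not code from the Microsoft Research paper or from any real payment provider. It models a hypothetical cashier that signs its confirmation with an HMAC over a shared secret (the secret, the field names and the canonical encoding are all this example's assumptions), shows a weak merchant handler that simply trusts the callback, and a hardened one that verifies the signature, compares amount and currency with the server-side total, detects a basket that changed after payment began, and refuses to mark an order paid twice.

```python
"""Merchant-side handling of a payment confirmation from a hypothetical
cashier-as-a-service. Added example; the protocol and secret are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict

# Constructed shared secret between merchant and cashier (assumption, not real).
CASHIER_SECRET = b"example-shared-secret-not-real"


@dataclass
class Order:
    order_id: str
    items: Dict[str, int]      # sku -> quantity, held server-side
    prices: Dict[str, int]     # sku -> unit price in minor units (pence)
    currency: str
    basket_digest: str = ""    # digest of the basket when payment was initiated
    paid: bool = False

    def total(self) -> int:
        return sum(self.prices[sku] * qty for sku, qty in self.items.items())


def basket_digest(order: Order) -> str:
    """Canonical hash of what the customer is paying for."""
    canon = json.dumps({"items": order.items, "prices": order.prices,
                        "currency": order.currency}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def sign_confirmation(fields: Dict[str, str], secret: bytes = CASHIER_SECRET) -> str:
    """Hypothetical cashier signature: HMAC-SHA256 over sorted key=value pairs."""
    canon = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def weak_confirm(orders: Dict[str, Order], callback: Dict[str, str]) -> bool:
    """Flawed pattern: believes the callback's status without any other check."""
    order = orders[callback["order_id"]]
    if callback["status"] == "PAID":
        order.paid = True
    return order.paid


def confirm_payment(orders: Dict[str, Order], callback: Dict[str, str]) -> bool:
    """Hardened pattern. True only if the order is now legitimately paid."""
    unsigned = {k: v for k, v in callback.items() if k != "signature"}
    if not hmac.compare_digest(callback.get("signature", ""), sign_confirmation(unsigned)):
        return False                                   # forged or edited confirmation
    order = orders.get(callback["order_id"])
    if order is None or order.paid:
        return False                                   # unknown order, or replayed callback
    if callback["status"] != "PAID":
        return False
    if callback["currency"] != order.currency or int(callback["amount"]) != order.total():
        return False                                   # paid a different price or currency
    if order.basket_digest != basket_digest(order):
        return False                                   # basket changed while paying
    order.paid = True
    return True


def make_orders() -> Dict[str, Order]:
    """Constructed sample orders."""
    return {"A": Order("A", {"lamp": 2}, {"lamp": 2500}, "GBP"),
            "C": Order("C", {"bulb": 1}, {"bulb": 300}, "GBP")}


def begin_payment(order: Order) -> None:
    order.basket_digest = basket_digest(order)


def cashier_callback(order_id: str, amount: int, currency: str, status: str = "PAID") -> Dict[str, str]:
    fields = {"order_id": order_id, "amount": str(amount), "currency": currency, "status": status}
    fields["signature"] = sign_confirmation(fields)
    return fields


def run_scenarios() -> Dict[str, bool]:
    """Exercise the handlers against the checklist's failure modes."""
    results = {}
    orders = make_orders(); begin_payment(orders["A"])
    good = cashier_callback("A", 5000, "GBP")           # genuine confirmation for A's total
    results["honest"] = confirm_payment(orders, good)
    results["replay"] = confirm_payment(orders, good)   # same confirmation presented again
    cheap = cashier_callback("A", 100, "GBP")           # cashier asked to charge a wrong amount for A
    orders = make_orders(); begin_payment(orders["A"])
    results["weak_accepts_wrong_amount"] = weak_confirm(orders, cheap)
    orders = make_orders(); begin_payment(orders["A"])
    results["hardened_rejects_wrong_amount"] = confirm_payment(orders, cheap)
    tampered = dict(good); tampered["amount"] = "1"     # field edited after signing
    orders = make_orders(); begin_payment(orders["A"])
    results["tampered_signature"] = confirm_payment(orders, tampered)
    orders = make_orders(); begin_payment(orders["C"])
    orders["C"].items, orders["C"].prices = {"cable": 1}, {"cable": 300}   # swapped mid-payment, same total
    results["basket_changed"] = confirm_payment(orders, cashier_callback("C", 300, "GBP"))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The basket-swap case is deliberately priced so that the total still matches: an amount check alone would pass it, and only the digest taken when payment began catches the change. In a real system the digest and the "paid" flag would live in the database and the status update would run in the same transaction that checks it, otherwise two simultaneous callbacks can both pass the replay check.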

Posted on: 04 November 2014 at 20:11 hrs


© 2008-2015 clerkendweller.uk