06 March 2015

Detective

Posts relating to the category tag "detective" are listed below.

02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SWAT Checklist Category (SANS Institute) | AppSec Principle (David Rook) | Cornucopia Suit (OWASP) | Proactive Control (OWASP)
Authentication | Authentication | Authentication | Establish identity and authentication controls
Session management | Session management | Session management | -
Access control | Authorisation, Secure resource access | Authorization | Implement appropriate access controls
Input and output handling | Input validation, Output validation | Data validation and encoding | Validate all inputs, Parameterize queries, Encode data
Data protection | Secure communications, Secure storage | Cryptography, Cornucopia | Protect data and privacy
Error handling and logging | Error handling | Cornucopia | Implement logging, error handling and intrusion detection
Configuration and operations | - | Cornucopia | -
- | - | (all requirements) | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs


17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report

This 2014 report from Ponemon Institute is the third annual study of UK companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions/nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs


07 October 2014

Request to Participate in the OWASP CISO Survey 2014

The OWASP CISO Survey Report was published in January 2014.

OWASP is again conducting the survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2014 which will be free to access and use. The project team has asked if we can share this invitation with security contacts in companies and other organisations.

Dear colleague,

The new OWASP CISO Survey 2014 will be closing soon. Hundreds of CISOs already shared their thoughts, but we need to broaden the data pool further to later be able to derive good regional analysis of the results.

So please help by forwarding to your chapters, sharing with your colleagues, and forwarding to the security managers within your organisations and peers!

As respected information security leaders in the industry, OWASP (Open Web Application Security Project, www.owasp.org) would like to hear your opinion and invite you to share this survey invitation with your security managers and/or peers.

OWASP is preparing the Global CISO report 2014 and conducting a survey among CISOs and senior information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.

The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a free report on the owasp.org website, keeping your information completely anonymous. (If you are interested, the published results of the last CISO Survey Report 2013 can be found https://www.owasp.org/index.php/OWASP_CISO_Survey).

As you may know, OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity & non-profit in the USA and the EU. See more at https://www.owasp.org/index.php/About_OWASP.

The survey can be found here: https://www.surveymonkey.com/s/CISOSurvey2014

Or if you prefer a different language, this survey is also available in:

Early participants, before October-8 (23:59 GMT) [tomorrow!], can take part in a raffle. If you provide your contact details at the end of the survey, you will be entered into a drawing for one of the generously donated prizes. The Survey will finally close on October 31st.

Thank you very much in advance for your time and input.

Best regards,

Your OWASP Global CISO Survey & Report Project team

If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.

Posted on: 07 October 2014 at 18:35 hrs


01 October 2014

Online Organised Crime 2014

Europol's European Cybercrime Centre (EC3) has published a new report about online organised crime.

Partial screen capture of the cover from European Cybercrime Centre (EC3) report '2014 Internet Organised Crime Threat Assessment (iOCTA)'

EC3 is the focal point in the EU's fight against cybercrime, supporting the operational and analytical capacity of Member States and the European Union's institutions for investigations, and cooperation with international partners.

The 2014 Internet Organised Crime Threat Assessment (iOCTA) (summary findings and recommendations) identifies global trends, a service-based culture, and abuse of anonymisation as the main issues. The recommendations presented relate to activities in awareness, capacity building, training, partnerships, protection and investigation.

Although the data is rather generic for application threats, there is good information for broader risk assessments.

Posted on: 01 October 2014 at 09:10 hrs


16 September 2014

AppSensor 2x2x2

OWASP AppSensor co-project leader John Melton has published two further AppSensor v2 assets.

Screen capture of the AppSensor 2 web site showing the headings on the user guide section - instrument your application, test and deploy the system, monitor, and tweak as necessary

AppSensor defines how to implement application intrusion detection and automated response.

Website 2.0.0

John has designed, coded and written a new standalone website for AppSensor. It was published on Friday and includes a brief description of the concept, an overview, getting started information and a user guide for the reference implementation. In John's words, the objectives were to:

  • Explain the high level concept in a simple way and point people back to the project site and the book for more detail
  • Give developers a nice entry point to the project - modelled after other framework/library sites
  • Give us more flexibility in how we present the project (not just wiki format)
  • In the future, hoping to have live demos.

I think it succeeds on the first three of these, and I will help if I can with the final statement.

To provide feedback or to contribute, please use the project's general mailing list.

Code 2.0.0 beta

If the new website wasn't enough, John has also been putting in many hours of coding to finish developing the new standalone version of the AppSensor reference implementation. On Sunday he announced the beta release of version 2.0.0.

The reference implementation currently supports three execution modes:

  • REST web service
  • SOAP web service
  • Local (embedded Java).

John is hoping a final release can be arranged for October/November.

To provide feedback or to contribute, please use the project's code development mailing list.

2x2x2

So the AppSensor project now has a new guide, a new website, and will imminently have a final release of the version 2 code. I am thrilled. I will be highlighting this new code when I speak at the London API event tomorrow evening. If you are attending that, I will have some free printed copies of the AppSensor Guide with me — if you would like one, please ask me a question about AppSensor.

Posted on: 16 September 2014 at 07:58 hrs


09 September 2014

Out and About During September

I have mentioned before about the many useful security, design and development meet-ups and events that I try to get along to.

Photograph of Google's Addy Osmani speaking about memory management at the London Web Performance Group on 26th August

A couple of weeks ago, I went along to a very useful London Web Performance Group meeting with the title of Google Web Perf Special. It was a bit outside my normal day-to-day work, so I found it particularly useful. The talks were recorded and are now available online:

My upcoming plans for event attendance are:

If you are attending any of those, please find me and say hello.

Posted on: 09 September 2014 at 08:49 hrs


23 July 2014

Cyber Security in the Utility, Energy and Manufacturing Sectors

The Ponemon Institute has published the results of a survey examining how utility, energy and manufacturing organisations are addressing cyber security threats.

Photograph showing people in one of the service tunnels under the Thames Barrier, London

Critical Infrastructure: Security Preparedness and Maturity draws from interviews with 599 global IT and IT security executives in 13 countries, with a third of the responses from Europe.

The report demonstrates that although there is a high level of awareness, the priority given to reducing cyber risk is low, with a resulting low level of IT security maturity. Regarding actual incidents and breaches, there seems to be a high proportion of, or at least awareness of, accidents/mistakes, with negligent insiders being the highest rated threat. I think I'd like to see data for each of utility, energy and manufacturing as I suspect there will be marked differences in the threats.

From a monitoring perspective it seems that "real-time alerts are not effective" and that "more than 80 percent are false positives".

I think that's a "could do better" report.

Posted on: 23 July 2014 at 19:41 hrs


11 July 2014

Application Security Testing Magic Quadrant 2014

While on the topic of magic quadrants, the 2014 magic quadrant for application testing vendor products has also been released.

Partial screen capture of the introductory text from the Gartner Application Security Testing Magic Quadrant report

The report examines application security testing (AST) products and services spanning:

  • Static AST (SAST) i.e. automated application source, byte or binary code scanning
  • Dynamic AST (DAST) i.e. runtime automated testing
  • Interactive AST (IAST) that combines elements of both SAST and DAST.

The report is available "free" after registration from many of the vendors named, and here for Gartner subscribers, where it can also be purchased for a mere $1,995.00.

Interesting findings, but not quite what I would expect from seeing some of these in use in real life.

Posted on: 11 July 2014 at 13:58 hrs


20 June 2014

CBEST Threat-Led Penetration Testing for UK Financial Services Sector

The Bank of England announced a cyber security penetration testing framework earlier this month.

Partial view of the CBEST logo on the cover of the open source CBEST Implementation Guide

The CBEST threat intelligence-led cyber security testing framework for financial institutions was revealed by Andrew Gracie (Executive Director, Resolution, Bank of England) speaking at the British Bankers' Association Cyber Risk Conference on 10th June. The scheme is backed by accreditation standards for threat intelligence and penetration testing.

The framework was developed in conjunction with Her Majesty's Treasury and the Financial Conduct Authority, vendor Digital Shadows and impartial vendor-led accreditation quango CREST. There is a good range of CBEST-related quotations on Bob's Guide, some comment at The Register, a short description on the Digital Shadows web site, and CREST also outlines the framework. CREST lists additional documents which can be obtained under a non-disclosure agreement (NDA).

The following open source documents, licensed under the Creative Commons Attribution 4.0 International Licence, have been published on the Bank of England website:

The name CBEST does not appear to be an abbreviation or acronym of anything in particular, other than perhaps a simple modification of the word CREST.

Posted on: 20 June 2014 at 10:34 hrs


03 June 2014

Personal Data Protection in Online Systems - Part 2/2 Security Controls

Yesterday I described the new report from the ICO, Protecting Personal Data in Online Services: Learning From the Mistakes of Others. Below is a list of the matching security controls for each issue mentioned in the report.

Examining the ICO report in greater detail provides additional clues about the requirements expected in each class of vulnerability. The report "is not aimed at experienced security professionals", but rather at those responsible for the security of the online systems, and hopefully this list will be useful to those individuals.

My breakdown of the matching security controls, based on my interpretation of the report's text, is listed below.

Issue from ICO Security Report Derived Security Controls
Failure to keep software security up to date
  • Create and maintain a policy for software patching
  • Maintain a list of all software, including components (e.g. third-party libraries, frameworks), their versions, source and method of monitoring for security patches and other updates
  • Define who is responsible for the patching of each software component
  • Create, use and maintain a procedure for assessing security patches and other software updates, that includes a risk assessment
  • Apply software security patches in a timely manner
  • Do not use software that is no longer supported by the supplier/vendor/development company; or limit its use and undertake a risk assessment and apply additional controls
  • Create, maintain and operate a process for checking that security patches have been applied to all software components, or that those which have not been applied have adequately justified, documented and applied mitigating controls
Lack of protection from SQL injection
  • Create and maintain a process for other people and organisations to report security issues about your applications
  • Create and maintain a procedure for assessing and fixing security flaws in custom application code, and include these issues in the software patching documentation (see above), and if SQL injection is found in one place, examine similar code elsewhere
  • Identify who is responsible for preventing SQL injection in each custom coded application (e.g. software such as websites developed by/for the organisation)
  • Require the default to be to use the safest server-side method for database queries supported by the API or framework
  • Ensure the prevention, detection and remediation of SQL injection vulnerabilities are included at multiple stages of the software development lifecycle (e.g. coding standards, peer/independent code review with audit trail, automated code review, automated vulnerability assessment, penetration testing before going live)
  • Use the software patching policy and processes (see above) for software components used by the custom applications
  • Include a requirement in contracts with third-party developers to build security into their development practices, to inform you when they become aware of critical vulnerabilities like SQL injection, and then to provide patches
  • Use automated application vulnerability assessments (scanning) to help identify SQL injection, but ensure these cover all the application (e.g. for authenticated customers and administrators too)
  • Undertake penetration testing in the production/live environment of custom-built applications (external and internal-facing) that interact with databases and other data stores, and repeat periodically
Exposure of unnecessary protocols & services
  • Do not use insecure protocols such as Telnet and plain FTP
  • Implement access control for all protocols (e.g. for secure FTP disallowing anonymous access, preventing SMTP being used as an open relay)
  • Use firewalls to prevent external access to internal services
  • Remove, disable or block unnecessary services (see also decommissioning below)
  • Limit remote access to trusted IP addresses and enforce access using an encrypted method
  • Segment services so that a compromise of one does not lead to wider system compromise
  • Consider using a Virtual Private Network (VPN) using strong credentials (such as two-factor authentication) for all remote access
  • Scan ports of all system components periodically to verify that only the intended services are available externally, internally, and from particular other locations
  • Document and periodically review all the services allowed
Exposure of decommissioned software/services
  • Maintain a schedule of all software/services in use
  • Ensure all system components (hardware, software, configuration files, databases, files, services, ports, DNS records, etc) are decommissioned when no longer needed, and maintain a record of how this was undertaken
  • Test/audit that decommissioned components no longer exist and cannot be accessed
  • For hardware disposal, ensure data is securely removed
Insecure storage of passwords
  • Create and maintain a password policy for all types of system users
  • Encourage, and allow, users to choose stronger passwords
  • Discourage users from having the same password on multiple systems
  • Discourage or prevent commonly used passwords
  • Never store or send passwords in plain text
  • Never encrypt passwords unless there are extremely robust key protection and key management processes in place
  • Use one-way hashing of passwords with a long salt value, unique for each user
  • Use a hashing method that is slow (e.g. PBKDF2, bcrypt or scrypt)
  • Do not use weak hashing methods such as MD5 or SHA-1
  • Review hashing best practice periodically, and build in considerations to allow future changes to the hashing method
  • Ensure password breaches are included in incident report planning
Failure to encrypt online communications
  • Identify and record all information that should be encrypted in transit
  • Ensure the encryption method (e.g. SSL/TLS) is configured correctly and that certificates are valid
  • Maintain a list of all certificates and ensure they are renewed before expiry
  • Consider using Extended Validation (EV) digital certificates to provide a higher level of identity assurance to users
  • Do not use SSL v2 (and preferably enable TLS 1.2), disable weak ciphers (i.e. enable only ciphers with 128-bit strength or greater), and avoid weak ciphers (e.g. RC4) and those that provide no encryption or no authentication (i.e. null ciphers)
  • Ensure the information cannot be accessed without encryption
  • When web pages are sent over SSL/TLS, ensure every single component in the page (e.g. images, style sheets, scripts and third-party hosted content) is also sent over SSL/TLS
  • Never send session identifiers (e.g. cookies identifying an authenticated user) over unencrypted connections
  • Ensure SSL/TLS websites are only accessible by hostnames included in the certificate, and not by IP address
  • Consider making websites completely "SSL/TLS only"
  • Review transport encryption best practice periodically and update configurations as required
Processing data in inappropriate locations
  • Identify and maintain an inventory of all locations where personal data is stored, processed and transmitted
  • Do not allow unauthorised access (e.g. public access) to personal data
  • Do not use production data in development and test systems
  • Incorporate personal data access into systems design processes
  • Use network segmentation to assist with limiting access to personal data (e.g. segregate non production systems, segregate teams or departments with access to sensitive personal data)
  • Use redundancy/diversity to protect against accidental loss or destruction of, or damage to, personal data
  • Create and maintain policies for the storage, processing and transmission of personal data
  • Create, maintain and use procedures for transfers of personal data
  • Do not place copies of personal data in unprotected locations
  • Enforce appropriate access control in custom applications (e.g. websites)
  • Provide training about the access, use and transfers of personal data
  • Monitor transfers of personal data
Use of default credentials including passwords
  • Change all default passwords across all system components
  • Disable or remove guest and demonstration accounts
  • Use strong passwords to replace default ones (see above)
  • Avoid hard-coding access credentials (and never put them in software code); if they must be stored elsewhere (e.g. configuration files), use encryption where possible
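The "Insecure storage of passwords" controls above (one-way hashing, a long per-user salt, a slow method such as PBKDF2, and building in room to change the method later) can be demonstrated together. The following is an added illustration written for this post, not code from the ICO report or from any product it mentions; the method registry, the `method$salt$digest` record layout and the iteration counts are assumptions chosen for the example, and the password values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Registry of hashing methods, keyed by a version tag that is stored with each
# record. Keeping the tag alongside the hash is what allows the method (or the
# iteration count) to be changed later without breaking existing records.
# Iteration counts here are illustrative, not a recommendation.
METHODS = {
    "pbkdf2-sha256-v1": {"hash_name": "sha256", "iterations": 20_000},
    "pbkdf2-sha256-v2": {"hash_name": "sha256", "iterations": 200_000},
}
CURRENT_METHOD = "pbkdf2-sha256-v2"
SALT_BYTES = 16  # 128-bit salt, generated fresh for every user


def hash_password(password: str, method: str = CURRENT_METHOD,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: <method>$<salt hex>$<digest hex>.

    A new random salt is drawn unless one is supplied, so two users with the
    same password end up with different records.
    """
    params = METHODS[method]
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(params["hash_name"], password.encode("utf-8"),
                                 salt, params["iterations"])
    return f"{method}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (is_valid, needs_rehash).

    needs_rehash is True when the record was produced with an older method,
    so the caller can upgrade it transparently after a successful login.
    """
    method, salt_hex, digest_hex = stored.split("$")
    params = METHODS[method]  # unknown method tag raises KeyError: fail closed
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac(params["hash_name"], password.encode("utf-8"),
                                    salt, params["iterations"])
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return ok, ok and method != CURRENT_METHOD


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Check a password and return (is_valid, record_to_store).

    When the password is correct but the record uses an old method, a fresh
    record under CURRENT_METHOD is returned so the store can be updated.
    """
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        return True, hash_password(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed demonstration: a record created under the older method is
    # accepted and silently upgraded; a wrong password is rejected.
    legacy = hash_password("correct horse battery", method="pbkdf2-sha256-v1")
    ok, upgraded = login("correct horse battery", legacy)
    print(ok, upgraded.split("$")[0])        # True pbkdf2-sha256-v2
    print(login("wrong password", legacy)[0])  # False
```

The record format carries everything needed to verify it, which is what makes the "build in considerations to allow future changes to the hashing method" control practical: adding a new entry to `METHODS` and moving `CURRENT_METHOD` is enough, and old records are re-hashed at the user's next successful login rather than in a risky bulk migration.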

So, not such a short list. It is a combination of technical, administrative and physical controls, and not just applicable to online systems, but all electronic systems that store, process and transmit personal data, and generally regardless of whether it is sensitive personal data or not.

Posted on: 03 June 2014 at 07:48 hrs

