28 July 2015

Detective

Posts relating to the category tag "detective" are listed below.

31 March 2015

Participate in the OWASP Project Summit in Amsterdam

The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference.

Photograph of a sign mounted on a door in Amsterdam which reads in Dutch and English 'Denk aan de buren a.u.b. - Please mind the neighbours'

A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with other volunteers, and as such requires active participation and contribution.

Across all the sessions there are a wide range of inputs needed including requirements specification, architecture review, coding, testing, documentation/wiki writing and review, user interface design, planning, graphical design, video creation and translation. Full details, timings and objectives of each session are provided on the summit's wiki pages.

There are many projects participating, including sessions for projects I am actively involved in. My own parts of the summit are

Tuesday 19th May

  • 10:30-12:00 hrs OWASP Codes of Conduct - Document Review
    The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies Educational Institutions Standards Groups Trade Organizations Certifying Bodies Development Organizations This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes. The session agenda is 1. Introduction; 2. Joint review and edit (15 mins each document); 3. Publish updated documents to wiki (PDF and Word).
  • 13:00-15:00 hrs OWASP AppSensor (Documentation) - Guide Review
    The AppSensor Guide v2 was published in May last year, and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly/what is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page. The session agenda is 1. Briefing; 2. Live editing; 3. Publication updated PDF.
  • 15:30-16:30 hrs OWASP Snakes and Ladders - Dutch Translation
    OWASP Snakes and Ladders (web applications) has been translated into 5 other languages already, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 words or so into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin. The session agenda is 1. Meet; 2.Translate; 3. Create Illustrator and PDF output; 4. Publish.

Wednesday 20th May

  • 09:00-12:00 hrs OWASP Cornucopia - Ecommerce Website Edition - Video
    The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format. The session agenda is 1. Storyboarding; 2. Game play recording; 3. Editing; 4. Soundtrack; 5. Publish video.
  • 13:30-17:00 hrs OWASP AppSensor (Code) - Dashboard
    The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups. The session agenda is 1. Introductions and objectives; 2. Information requirements; 3. User stories; 4. Information design; 5. Code libraries and frameworks.
  • 17:00-18:00 hrs OWASP Automated Threats to Web Applications - Website Owner Experiences
    The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks: What types of automated attacks occur and with what frequency? What were the symptoms? How are they detected? What incident response measures were taken? What steps were undertaken to prevent or mitigate such attacks? Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Registration

Attendance at the project summit is free, but everyone is a participant to help achieve the objectives. Please register to let the team know who will be attending. Join as many or as few of the sessions as you like.

The summit is co-loacted at the Amsterdam RAI as the chargeable training courses running on the same days. Why not sign up for those and the conference at the same time?

I look forward to seeing some of you there.

Posted on: 31 March 2015 at 13:52 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 March 2015

Web Application Attacks from a WAF Perspective

I had lost track of Imperva's useful Hacker Intelligence Initiative (HII), threat advisories and Web Application Attack Reports (WAARs). The latest WAAR was published in October 2014.

Part of Imperva's 'Web Application Attack Report Edition #5 - October 2014' illustrating two of the charts included

Web Application Attack Report Edition #5 - October 2014 describes the most popular web application targets, attack vectors, duration and magnitude. The analysis is based on data from 99 web applications that had a web application firewall (WAF) from the vendor deployed in the period 1st August 2013 to 30th April 2014.

Attack data are included for:

  • SQL injection
  • Remote file inclusion
  • Local file inclusion
  • Directory traversal
  • Cross-site scripting
  • Comment spamming.

Other types of attack vector and threats are not covered. The report's introduction suggests that a further 201 web applications did not see any of these types of attack during the period.

Posted on: 24 March 2015 at 08:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

20 March 2015

The Hard Problem of Securing Enterprise Applications

This paper about securing enterprise applications has been sitting in my email since November. I eventually got round to reading it and apologise for not highlighting it sooner.

Vendor recommended security controls and compliance requirements leave huge gaps in application security. ... Most have no understanding of how the application platforms work, where security events should be collected, nor how to analyze application specific information.

Securing Enterprise Applications describes the problems modern enterprises have with application security: security use cases, security gaps and recommendations. These are my favourite selective snippets. This:

The biggest gap and most pressing need is that most monitoring systems do not understand enterprise applications. To continuously monitor enterprise applications you need to collect the appropriate data and then make sense of it.

And:

Traditional application security vendors who claim "deep packet inspection" for enterprise application security skirt understanding how the application actually works.

And:

Continuous monitoring of enterprise application activity, with full understanding of how that application works, is the most common gap in enterprise security strategies.

And:

This means that you can block activity, not just monitor. Properly configured with white/black listing, they help prevent exploitation of 0-day attacks and filter out other unwanted behavior. They work at the application layer so they are typically deployed one of three ways: as an agent on the application platform, as a reverse proxy for the application, or embedded into the application itself.

Read and implement AppSensor. It's free.

Posted on: 20 March 2015 at 08:16 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

17 March 2015

Payment Security and PCI DSS Compliance 2015

Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management.

Partial screen capture from the Verizon report 'PCI Compliance Report 2015' showing one of the many charts

PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from forensic investigation reports.

It describes the challenges of maintaining compliance and mentions the scale and complexity of requirements, uncertainty about scope and impact, the ongoing compliance cycle, lack of resources, lack of insight into business processes and misplaced confidence in existing information security maturity.

Each main requirement has a dedicated section summarising the changes in v3.0, describing the compliance challenges found, and providing recommendations for maintaining security and compliance. The authors describe methods they consider should be used to make compliance easier, more effective and sustainable.

There is a useful "compliance calendar" in Appendix C of the report which shows the periodic and other triggers for certain activities across the 12 requirements. A "must read" if you are a payment merchant or service provider.

Posted on: 17 March 2015 at 08:46 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 March 2015

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response.

Front page of the new 'AppSensor Introduction for Developers'

During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host Mark Miller. I am pleased to say that thought rolled onto the project's mailing list, and John Melton rapidly wrote and published the text copy.

I took that copy and additional suggestions by Louis Nadeau to design a two-page briefing document. This is available to download from the OWASP web site:

Please circulate this to software developers. The text is also available on CrowdIn if anyone would like to volunteer to translate the briefing, or the guide for that matter, into other languages..

We also plan to create a short guide for Chief Information Security Officers (CISOs), with content drawn primarily from the first few chapters of the existing AppSensor Guide v2.0.

Posted on: 06 March 2015 at 10:21 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 February 2015

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.

Photograph of houses overlooking boats on a canal in Amsterdam - the location for OWASP AppSec EU 2015

OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.

AppSec EU 2015 comprises:

It looks like it will be a superb event. Thanks to the event team for their work to date.

And of course, there is everything else Amsterdam has to offer.

Registration is open, but the price increases on 1st March (this Sunday), and there is another higher charge for tickets bought at the door. Amsterdam RAI Hotel and Travel Service is the official accommodation partner of OWASP AppSec EU 2015. Lastly, there are still a few sponsorship packages available.

Posted on: 27 February 2015 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

20 February 2015

Software Assurance Maturity Model Practitioner Workshop

The OWASP Open Software Assurance Maturity Model (Open SAMM) team are holding a summit in Dublin at the end of March.

Extract from the Open Software Assurance Maturity Model (Open SAMM) document that describes the four business functions - governance, construction, verification, and deployment

As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughout the software development lifecycle.

Open SAMM helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation. The resources provided by SAMM assist:

  • Evaluating an organisation's existing software security practices
  • Building a balanced software security programme in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organisation.

There seems to be plenty activity in the project. Keep up-to-date by following or joining the mailing list.

The users day, on Friday 27th March, is a combination of presentations, workshops and round-table discussions to help explain the approach, to make best use of a maturity model, to show how SAMM is being used by other companies, and to describe some upcoming project initiatives. The user day runs from 08:00 for 09:00 hrs through to 17:00 hrs, and is followed in the evening by an optional social event. Attendance is limited to the first 40 people who register and costs 150 EUR + VAT (21%). Travel, accommodation, subsistence at your own cost.

The following day, the SAMM project team, and any other volunteers who want to participate, will be working on creating outputs for the project.

The event is being held at The Gibson Hotel at Point Village Dublin 1, Ireland.

Posted on: 20 February 2015 at 09:59 hrs

Comments Comments (2) | Permalink | Send Send | Post to Twitter

17 February 2015

AppSensor Now A Flagship OWASP Project

I was extremely pleased at the release of the v2 AppSensor reference implementation inJanuary. Now I am excited that the Open Web Application Security Project (OWASP) has elevated the project's status.

Photograph of a green pendant flag flying against a blue sky

The completely voluntary OWASP project task force, led by Johanna Curiel, has been working through a backlog of project reviews. Over the last couple of years OWASP AppSensor Project has delivered significant steps in the coverage, quality, and depth of outputs. In fact it is also the only OWASP project that is both a documentation type of project, and a code one.

OWASP has promoted the project to the highest level - Flagship status. As co-leader with John Melton and Dennis Groves, and project founder Michael Coates, I am thrilled with this recognition.

OWASP's project inventory includes nine other Flagship projects and defines flagship status as:

The goal of OWASP Flagship projects is to identify, highlight, and support mainstream OWASP projects that make up a complete application security product of high quality and value to the software security industry. These projects are selected for their strategic value to OWASP and application security as a whole.

OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

It is important to remember all the people who have volunteered their time and effort to reach this stage. So many good and generous people.

Mark Miller has just interviewed John Melton about the OWASP AppSensor Project as part of the OWASP 24/7 podcast series. He provides an overview of application-specific attack detection and response, discusses what is new in version 2.0.0, explains the architectural options, describes the process flow, and mentions what else is on the roadmap.

AppSensor will be participating in this year's AppSec EU application security conference in Amsterdam, from 19th to 22nd May 2015. I hope you can make it.

Posted on: 17 February 2015 at 07:55 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

13 February 2015

Security Information Sharing Standards and Tools

European Union Agency for Network and Information Security (ENISA) has published a summary of security information sharing formats, at the same time of the release of its good practice guide on Actionable Information for Security Incident Response.

Diagram from the ENISA report 'Standards and Tools for Exchange and Processing of Actionable Information' illustrating the relationships between standards for sharing of security information

Actionable security information is accurate and timely information that may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited.

The companion to the good practice guide is Standards and Tools for Exchange and Processing of Actionable Information which describes 53 different information sharing standards that are a mix of formats, protocols, technical approaches and frameworks in common use. These span:

  • Information sharing formats
    • Formats for low level data
    • Actionable observables
    • Enumerations
    • Scoring and measurement frameworks
    • Reporting formats
    • High-level frameworks
  • Transport and serialization
    • Transport methods
    • Serialization methods.

In addition, the report highlights 16, primarily open source, information sharing tools and platforms for the exchange and processing of actionable information, spanning automated distribution of data, supporting analytics, general purpose log management and handling high-level information.

Very useful - thank you ENISA.

Posted on: 13 February 2015 at 11:10 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 February 2015

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.

One of the tables from NIST SP 800-163 'Vetting the Security of Mobile Applications' showing top level general categories of iOS app vulnerabilities

SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections:

  • Planning
    • Security requirements
    • Understanding vetting limitations
    • Budget and staffing
  • Testing
    • General app security requirements
    • Testing approaches
    • Sharing results
  • App approval/rejection
    • Report and risk auditing
    • Organisation-specific vetting criteria
    • Final approval/rejection.

The guidance is practical and highlights risks that are mobile app specific as well as general application security risks. Appendices B & C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.

Posted on: 10 February 2015 at 07:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Detective : Application Security and Privacy
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Requested by 54.242.138.24 on Friday, 31 July 2015 at 14:22 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk