27 February 2015

Maturity

Posts relating to the category tag "maturity" are listed below.

27 February 2015

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.

Photograph of houses overlooking boats on a canal in Amsterdam - the location for OWASP AppSec EU 2015

OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.

AppSec EU 2015 comprises:

It looks like it will be a superb event. Thanks to the event team for their work to date.

And of course, there is everything else Amsterdam has to offer.

Registration is open, but the price increases on 1st March (this Sunday), and there is another higher charge for tickets bought at the door. Amsterdam RAI Hotel and Travel Service is the official accommodation partner of OWASP AppSec EU 2015. Lastly, there are still a few sponsorship packages available.

Posted on: 27 February 2015 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

20 February 2015

Software Assurance Maturity Model Practitioner Workshop

The OWASP Open Software Assurance Maturity Model (Open SAMM) team are holding a summit in Dublin at the end of March.

Extract from the Open Software Assurance Maturity Model (Open SAMM) document that describes the four business functions - governance, construction, verification, and deployment

As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughout the software development lifecycle.

Open SAMM helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation. The resources provided by SAMM assist:

  • Evaluating an organisation's existing software security practices
  • Building a balanced software security programme in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organisation.

There seems to be plenty activity in the project. Keep up-to-date by following or joining the mailing list.

The users day, on Friday 27th March, is a combination of presentations, workshops and round-table discussions to help explain the approach, to make best use of a maturity model, to show how SAMM is being used by other companies, and to describe some upcoming project initiatives. The user day runs from 08:00 for 09:00 hrs through to 17:00 hrs, and is followed in the evening by an optional social event. Attendance is limited to the first 40 people who register and costs 150 EUR + VAT (21%). Travel, accommodation, subsistence at your own cost.

The following day, the SAMM project team, and any other volunteers who want to participate, will be working on creating outputs for the project.

The event is being held at The Gibson Hotel at Point Village Dublin 1, Ireland.

Posted on: 20 February 2015 at 09:59 hrs

Comments Comments (2) | Permalink | Send Send | Post to Twitter

21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security leader discussions on key topics discussing the now and future of cyber security innovation and how new cyber startups may have a part to play.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two day hackathon for developers, students and the security community so work on new ideas that will either create a cyber security product or a product that has security at core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

16 January 2015

New Application Security Program Quick Start Guide

WhiteHat Security has donated a getting started guide to the Open Web Application Security Project (OWASP).

To be successful, we should aim for a program that is more than simply testing sites and delivering results to stake holders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

The Application Security Program Quick Start Guide provides information on setting up or improving a software development security initiative, and is now an OWASP project. It was created by Gabriel Gumbs, Jeremiah Grossman, Robert Hansen, Jerry Hoff and Matt Johansen. The guide is arranged in "5 days" of actions, which might be somewhat hopeful, but is a useful summary of what WhiteHat has found to work elsewhere.

The version 1.0 document is available in Word and PDF formats. The guide is free to use and is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Posted on: 16 January 2015 at 19:10 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

14 January 2015

Application Security and Privacy Mapping 2015

I have updated my chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK.

Principal Influences on UK Web Applications' mind map diagram for January 2015

For a fuller explanation, read my post about the update last October.

Access the Principal Influences on UK Applications 2015 chart, hosted on my company's web site.

Posted on: 14 January 2015 at 10:39 hrs

Comments Comments (2) | Permalink | Send Send | Post to Twitter

02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAP checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SANS Institute David Rook Open Web Application Security Project
SWAT Checklist Category AppSec Principle Cornucopia Suit Proactive Control
Authentication Authentication Authentication Establish identity and authentication controls
Session management Session management Session management
Access control Authorisation,
Secure resource access
Authorization Implement appropriate access controls
Input and output handling Input validation,
Output validation
Data validation and encoding Validate all inputs,
Parameterize queries,
Encode data
Data protection Secure communications,
Secure storage
Cryptography,
Cornucopia
Protect data and privacy
Error handling and logging Error handling Cornucopia Implement logging, error handling and intrusion detection
Configuration and operations - Cornucopia -
- - (all requirements) Leverage security features of frameworks and security libraries,
Include security-specific requirements,
Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheet as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 October 2014

Application Security and Privacy Mapping 2014

The chart detailing the most important guidance, standards, legislation and organisations that can influence mobile and web application development security and privacy in the UK has been comprehensively updated.

Partial image of the 'Principal Influences on UK Web Applications' mind map diagram

Principal Influences on UK Applications is managed by me and published on my company's web site as a mind map diagram and text tree, together with a change log. The primary sectors addressed are software applications in the retail, financial services, professional services, charitable, marketing, telecommunications and government sectors.

My focus for this chart is:

  • Mobile app and web application (web sites, web services) development
  • Guidance and standards
  • Regulators, regulation and legislation
  • Supporting organisations such as professional groups, trade bodies and academic institutions).

The chart can also be useful beyond the realms of application security and application privacy. For example, organisations implementing an information security management system (ISMS) needing to keep up-to-date with compliance requirements, and those seeking knowledge on wider information assurance (IA) aspects.

The related UK Information Assurance Community Map, published by the Information Assurance Collaboration Group (IACG), will also be of interest to some readers.

Posted on: 10 October 2014 at 07:02 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

07 October 2014

Request to Participate in the OWASP CISO Survey 2014

The OWASP CISO Survey Report was published in January 2014.

OWASP is again conducting the survey among senior information security leaders and managers and needs your help. The results will be published in the OWASP CISO Report 2014 which will be free to access and use. The project team has asked if we can share this invitation with security contacts in companies and other organisations.

Dear colleague,

The new OWASP CISO Survey 2014 will be closing soon. Hundreds of CISOs already shared their thoughts, but we need to broaden the data pool further to later be able to derive good regional analysis of the results.

So please help by forwarding to your chapters, sharing with your colleagues, and forwarding to the security managers within your organisations and peers!

As respected information security leaders in the industry, OWASP (Open Web Application Security Project, www.owasp.org) would like to hear your opinion and invite you to share this survey invitation with your security managers and/or peers.

OWASP is preparing the Global CISO report 2014 and conducting a survey among CISOs and senior information security managers in relation to application security with the aim of providing you with new insights about the state of application security across various industry sectors and about new security trends and aligning our efforts to better help solving the problems of the future that you face.

The survey shall take only a few minutes of your precious time and by completing it you are helping shape the future of Internet and software security. At the conclusion of the survey, the aggregated results will be publicly available in the form of a free report on the owasp.org website, keeping your information completely anonymous. (If you are interested, the published results of the last CISO Survey Report 2013 can be found https://www.owasp.org/index.php/OWASP_CISO_Survey).

As you may know, OWASP is a volunteer open-source organization dedicated to fighting the causes of software insecurity. We are also a registered charity & non-profit in the USA and the EU. See more at https://www.owasp.org/index.php/About_OWASP.

The survey can be found here: https://www.surveymonkey.com/s/CISOSurvey2014

Or if you prefer a different language, this survey is also available in:

Early participants, before October-8 (23:59 GMT) [tomorrow!], can take part in a raffle. If you provide your contact details at the end of the survey, you will be entered into a drawing for one of the generously donated prizes. The Survey will finally close on October 31st.

Thank you very much in advance for your time and input.

Best regards,

Your OWASP Global CISO Survey & Report Project team

If you are a CISO, please complete the survey; otherwise please forward details to relevant contacts.

Posted on: 07 October 2014 at 18:35 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

29 August 2014

BSI Kitemark for Website and App Security - More Information Required

This week UK standards body BSI has joined the market for security trust marks and seals, by enlarging its range of kitemarks to include a new one for what it calls "secure digital transactions" involving web sites and mobile apps.

Partial screen capture of the BSI web page 'BSI Kitemark for Secure Digital Transactions'

The BSI Kitemark for Secure Websites and Apps (or "BSI Kitemark for Secure Digital Transactions"), requires a website or app to undergo initial and ongoing checks, and if successful the organisation can display the kitemark on the application and related marketing materials.

BSI suggests this will help consumers:

  • Identify more secure websites or apps
  • Increase trust in apps and websites belonging to an organisation
  • Have greater confidence when buying online.

The BSI kitemark originated as the British Standards Mark in 1903 for tramway rail dimensions. Having a BSI kitemark associated with a product or service confirms that it conforms to a particular BSI standard. In this case it is 27001 plus some defined technical verification, which one would have thought ought to be a control already defined in the 27001 implementation anyway.

The kitemark will be associated with a single web site (one hostname?) or single app, but the requirements cover both the organisation as well as the application:

  • Organisation
    • Achieve and maintain certification to the Information Security Management System Standard (ISO 27001) for the parts of the business that handle confidential data
  • Web site or app
    • Initial penetration test which "scans" for vulnerabilities and security flaws
    • Quarterly penetration tests, review of the results and actions taken.

The assessment sounds like there is no code review or requirement for building security in to multiple stages of the development lifecycle. And I wonder if the use of a kitemark on a mobile app also means the related web services and other systems involved with the transactions have also been assessed. I am also a little worried that the word "scan" is included in the same sentence as "penetration tests" — that doesn't sound right at all. It would be good to know what exactly is required, so consumers can be given more than marketing messages.

Furthermore apparently there are no checks for non-security compliance issues like data protection or marketing privacy. Consumers might expect those in a "secure application". I wonder if an application in-scope for PCI DSS can hold the kitemark but not be compliant with PCI DSS.

So although parts of the organisation that "handle confidential data" have to be ISO 27001 compliant, if the development part (or outsourced development part) does not handle confidential data, then perhaps that is out of scope?

The kitemark has been piloted in the banking industry, but BSI hopes its adoption will be much more widespread. BSI does not seem to have achieved the kitemark for its own web site (and nor does this blog!). My question is do we trust the scheme? More information is required.

Note also the new kitemark for financial products, which relates to compliance with the recommendations of the Sergeant Review of Simple Financial Products (final report), that does notincludes no security or privacy requirements.

Posted on: 29 August 2014 at 11:51 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Maturity : Application Security and Privacy
https://www.clerkendweller.uk/maturity
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/maturity
Requested by 54.159.134.239 on Tuesday, 3 March 2015 at 20:18 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk