
Metrics

Posts relating to the category tag "metrics" are listed below.

29 January 2015

Anti-Automation Monitoring and Prevention

It seems London's Heathrow Airport has very little in the way of anti-automation monitoring or prevention in place.

Headline from the London Evening Standard which reads 'Heathrow noise complaints sent by automated software'

According to the London Evening Standard newspaper on Tuesday, a five-fold increase in complaints was in large part due to automated email submission.

Luck, rather than monitoring, seems to have led to the discovery: after the clocks changed from summer time, complaints started arriving an hour ahead of the flights they referred to, which gave away that the emails were computer-generated.

Oops, let's hope that's not a metric used by the airport itself or a regulator.

Not that the airport would reasonably believe it to be the target of any activists! Surely not.
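An added example, not part of the original post: two cheap checks that would have flagged the complaint emails as computer-generated without relying on a clock change. It assumes (my assumption, not the page's) that each complaint is logged with the sender, the time it was received and the scheduled time of the flight it refers to; the sample log is constructed.

```python
"""Added example, not part of the original post: two cheap checks that
would have flagged the Heathrow complaint emails as computer-generated
without relying on luck.

Assumptions (mine, not the page's): each complaint is logged with the
sender, the time it was received and the scheduled time of the flight it
refers to.  The sample log below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: (sender, received_at, flight_scheduled_at), London
# local time.  The clocks went back on 26 October 2014; the script behind
# bot@example.net did not notice, so from then on its emails arrive an hour
# before the flight they complain about.
COMPLAINTS = [
    ("resident1@example.com", "2014-10-25 07:45", "2014-10-25 07:30"),
    ("resident1@example.com", "2014-10-25 09:15", "2014-10-25 09:00"),
    ("bot@example.net", "2014-10-25 07:30", "2014-10-25 07:30"),
    ("bot@example.net", "2014-10-25 08:00", "2014-10-25 08:00"),
    ("bot@example.net", "2014-10-25 08:30", "2014-10-25 08:30"),
    ("bot@example.net", "2014-10-26 06:30", "2014-10-26 07:30"),
    ("bot@example.net", "2014-10-26 07:00", "2014-10-26 08:00"),
    ("bot@example.net", "2014-10-26 07:30", "2014-10-26 08:30"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def complaints_ahead_of_flight(records):
    """Complaints received before the scheduled time of the flight they
    refer to.  Nobody complains about noise that has not happened yet; a
    script working from a timetable with the wrong UTC offset does."""
    return [r for r in records if parse(r[1]) < parse(r[2])]


def regular_senders(records, min_gaps=3, min_share=0.75):
    """Senders whose emails arrive at a fixed interval.  For each sender the
    gaps between consecutive emails are bucketed to the minute; the sender
    is flagged if a single gap accounts for at least min_share of them.
    Returns {sender: modal_gap_in_minutes}."""
    by_sender = defaultdict(list)
    for sender, received, _flight in records:
        by_sender[sender].append(parse(received))
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue  # too few emails to say anything about rhythm
        modal_gap, occurrences = Counter(gaps).most_common(1)[0]
        if occurrences / len(gaps) >= min_share:
            flagged[sender] = modal_gap
    return flagged


if __name__ == "__main__":
    for sender, received, flight in complaints_ahead_of_flight(COMPLAINTS):
        print(f"impossible timing: {sender} complained at {received} about a {flight} flight")
    for sender, gap in regular_senders(COMPLAINTS).items():
        print(f"metronomic sender: {sender} every {gap} minutes")
```

Both checks are the kind of thing a complaints desk could report as a daily metric (complaints with impossible timing; share of submissions from senders with a fixed rhythm) rather than something discovered by accident once a year.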

Posted on: 29 January 2015 at 16:04 hrs

Comments (0) | Permalink | Send | Post to Twitter

21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security-leader discussions on the present and future of cyber security innovation, and the part new cyber startups may play in it.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two-day hackathon for developers, students and the security community to work on new ideas that will either create a cyber security product or a product that has security at its core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs


02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:

SANS Institute               | David Rook                             | Open Web Application Security Project (OWASP)
SWAT Checklist Category      | AppSec Principle                       | Cornucopia Suit              | Proactive Control
Authentication               | Authentication                         | Authentication               | Establish identity and authentication controls
Session management           | Session management                     | Session management           |
Access control               | Authorisation, Secure resource access  | Authorization                | Implement appropriate access controls
Input and output handling    | Input validation, Output validation    | Data validation and encoding | Validate all inputs, Parameterize queries, Encode data
Data protection              | Secure communications, Secure storage  | Cryptography, Cornucopia     | Protect data and privacy
Error handling and logging   | Error handling                         | Cornucopia                   | Implement logging, error handling and intrusion detection
Configuration and operations | -                                      | Cornucopia                   | -
-                            | -                                      | (all requirements)           | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So there is good overlap, although each of these has a somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs


17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report

This 2014 report from the Ponemon Institute is the third annual study of UK companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions/nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs


16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programmes in line with their own roles, responsibilities, perspectives and needs, examining those responsibilities from the perspectives of governance, compliance and risk. The primary author, Marco Morana, is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic, and completely vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, how application security risks should be managed, how to build, maintain and improve an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs


01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 is in three weeks time from 18th to 21st November. This is expected to be the largest application security conference in the world ever.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and real-time response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the upcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November at 1:00pm - 5:00pm (Sky Lounge, 16th floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November at 9.00am - 1.00pm (Sky Lounge, 16th Floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November at 2.00pm - 3.00pm (Edison Room, 5th Floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John to help write code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit here and here. Dennis will be providing an inspirational introduction to using AppSensor, and the technical and business benefits achievable.
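To make the AppSensor model concrete, here is an added example that is not the project's own code: a toy in-process engine in which detection points raise events per user, a threshold of N events within a time window triggers a response, and responses escalate for repeat offenders. The detection point id and response names are placeholders chosen for the example, not identifiers from the AppSensor documentation.

```python
"""Added example, not the AppSensor project's own code: a toy in-process
engine following the AppSensor model (detection points raise events per
user; a threshold of N events in a time window triggers a response, with
responses escalating for repeat offenders).  The detection point id and
response names below are placeholders chosen for the example; they are
not taken from the AppSensor documentation.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


class AppSensor:
    def __init__(self):
        self.thresholds = {}               # dp -> (count, window, [responses])
        self.events = defaultdict(deque)   # (user, dp) -> timestamps in window
        self.fired = Counter()             # (user, dp) -> responses so far
        self.responses = []                # (user, dp, response, at)

    def configure(self, dp, count, window, responses):
        """A detection point fires when a user raises `count` events within
        `window`; `responses` is the escalation ladder (last entry repeats)."""
        self.thresholds[dp] = (count, window, list(responses))

    def add_event(self, user, dp, at):
        """Record one event; return the response to apply now, or None."""
        count, window, responses = self.thresholds[dp]
        key = (user, dp)
        q = self.events[key]
        q.append(at)
        while q and at - q[0] > window:      # drop events outside the window
            q.popleft()
        if len(q) < count:
            return None
        q.clear()                             # one response per burst
        level = min(self.fired[key], len(responses) - 1)
        self.fired[key] += 1
        response = responses[level]
        self.responses.append((user, dp, response, at))
        return response


def demo():
    """Constructed scenario: mallory hammers a form with malformed input;
    alice makes the occasional typo.  Returns (responses fired in order,
    the per-event return values)."""
    sensor = AppSensor()
    sensor.configure("unexpected-input", count=3, window=timedelta(seconds=60),
                     responses=["warn-user", "logout", "disable-account"])
    t0 = datetime(2013, 11, 18, 13, 0)
    fired = []
    for secs in (0, 10, 20, 30, 40, 50, 200, 210, 220):
        fired.append(sensor.add_event("mallory", "unexpected-input", t0 + timedelta(seconds=secs)))
    for secs in (0, 120, 240):
        fired.append(sensor.add_event("alice", "unexpected-input", t0 + timedelta(seconds=secs)))
    return [(u, r) for (u, _dp, r, _at) in sensor.responses], fired


if __name__ == "__main__":
    responses, _ = demo()
    for user, response in responses:
        print(f"{user}: {response}")
```

The point of the sliding window is that alice's three events, spread over four minutes, never trip the threshold, while mallory's bursts do and meet a progressively harsher response; the real project externalises the same thresholds and responses into configuration and exposes the engine as a service, which is what the 2.0 hackathon is about.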

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence:

Training at OWASP conferences is always to a high standard, but the courses get booked up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are another 120 application security sessions available during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs


21 October 2013

Web Application Scanner Comparison from Miami

Hack Miami has published a paper comparing five web application security dynamic scanning tools.

Photograph of signs showing an explanation of the beach safety warning flags and monitoring information in Florida

The paper Hack Miami Web Application Scanner 2013 PwnOff - An Analysis of Automated Web Application Scanning Suites describes a one-off comparison undertaken during the HackMiami 2013 Hackers Conference. Tests were undertaken pre and post authentication for both normal and administrative users, against three web applications (one PHP, one JSP and one .Net). The paper assessed five scanners:

  • Acunetix
  • IBM Rational AppScan Standard
  • Metasploit Pro
  • NT OBJECTives NTOSpider
  • PortSwigger Burp.

The scanners were assessed for the interface, vulnerability detection, reporting and overall value. It is useful to also refer to other comparisons such as Web Application Security Scanner Comparison and New Magic Quadrant for Application Security Testing 2013. But even better evaluate them yourself on your own applications and compare with manual testing methods.

And don't just leave security to the testing stage of development.

Posted on: 21 October 2013 at 11:18 hrs


09 October 2013

Microsoft SDL in the US Financial Services Sector

Microsoft has published a survey commissioned from The Edison Group which examines application development security in the US financial services sector.

Title page from the paper 'Microsoft Security Development Lifecycle Adoption: Why and How'

Microsoft Security Development Lifecycle Adoption: Why and How examines the adoption of Microsoft's process-driven Security Development Lifecycle (SDL) in this sector, the approaches taken, integration methods and looks at the benefits realised. The researchers interviewed a number of companies that use MS SDL.

I found the survey's most useful parts are the list of adopters' best practices and lessons learned. The case studies are perhaps too short to be of any significance, and the second one referring to using SDL for open source development almost seems to have been included to put the idea of using open source tools down, rather than contributing to the "why and how" of the report's title. Unnecessary and wasted space in the document.

Read, compare and contrast. Then consider how these types of things might work within your own organisation and with particular teams.

The paper also refers to the previously mentioned BITS Software Assurance Framework from the Financial Services Roundtable, and Part 1 (Overview and Concepts) of ISO 27034, but not other sources.

Posted on: 09 October 2013 at 08:52 hrs


27 July 2013

Data Disclosure Incident Database

The Verizon 2013 Data Breach Investigations Report provides a useful insight into a range of recorded data disclosure incidents.

Partial screen capture showing the data charting and drill down features available on the VERIS Community Database

For the first time, this data is now available to download or browse/mine interactively. The initial data set includes information from 1,200 incidents mainly during 2012 and 2013. Note these are heavily biased to the health sector.

The downloadable data are available free of charge, without registration, as JSON files on GitHub (this is one example). The data sets are recorded using the Vocabulary for Event Recording and Incident Sharing (VERIS). The interactive visualisation includes predefined views based on threat actors/motives (e.g. external, internal, partner), actions (e.g. hacking, malware, misuse, physical), assets affected (e.g. media, network, people, servers, user devices) and timeline/discovery.

As more data are added, especially from alternative sources, this will be a very valuable resource. See also the Data Loss DB, Breach Watch and the Web Hacking Incident Database (WHID).
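As an added example (not from the post or from Verizon) of mining the JSON yourself rather than through the web views, the following reads a handful of VERIS-style records and produces the same kind of breakdown the predefined views offer: by actor, action, asset variety, victim sector, year and discovery method. The records are constructed and use a simplified version of the VERIS layout (top-level "actor", "action", "asset", "victim", "timeline" and "discovery_method" keys); real VCDB entries carry many more fields.

```python
"""Added example, not from the post or from Verizon: mining a handful of
VERIS-style incident records the way the VCDB's predefined views do.

Assumptions: the records below are constructed and use a simplified
version of the VERIS JSON layout (top-level "actor", "action", "asset",
"victim", "timeline", "discovery_method"); real VCDB files carry many
more fields.  NAICS industry codes beginning 62 denote health care.
"""
import json
from collections import Counter

SAMPLE_VCDB_JSON = """
[
  {"incident_id": "c1", "timeline": {"incident": {"year": 2012}},
   "victim": {"industry": "622"},
   "actor": {"external": {"motive": ["Financial"]}},
   "action": {"hacking": {"vector": ["Web application"]}},
   "asset": {"assets": [{"variety": "S - Web application"}, {"variety": "S - Database"}]},
   "discovery_method": "Ext - customer"},
  {"incident_id": "c2", "timeline": {"incident": {"year": 2012}},
   "victim": {"industry": "622"},
   "actor": {"internal": {"motive": ["Financial"]}},
   "action": {"misuse": {"variety": ["Privilege abuse"]}},
   "asset": {"assets": [{"variety": "M - Documents"}]},
   "discovery_method": "Int - audit"},
  {"incident_id": "c3", "timeline": {"incident": {"year": 2013}},
   "victim": {"industry": "622"},
   "actor": {"external": {"motive": ["Financial"]}},
   "action": {"physical": {"variety": ["Theft"]}},
   "asset": {"assets": [{"variety": "U - Laptop"}]},
   "discovery_method": "Int - reported by user"},
  {"incident_id": "c4", "timeline": {"incident": {"year": 2013}},
   "victim": {"industry": "522"},
   "actor": {"external": {"motive": ["Financial"]}},
   "action": {"malware": {"variety": ["Backdoor"]}, "hacking": {"vector": ["Backdoor"]}},
   "asset": {"assets": [{"variety": "S - Database"}]},
   "discovery_method": "Ext - law enforcement"},
  {"incident_id": "c5", "timeline": {"incident": {"year": 2013}},
   "victim": {"industry": "622"},
   "actor": {"partner": {"motive": ["NA"]}},
   "action": {"error": {"variety": ["Misdelivery"]}},
   "asset": {"assets": [{"variety": "M - Documents"}]},
   "discovery_method": "Ext - customer"}
]
"""


def load_incidents(text):
    return json.loads(text)


def tally(incidents, extract):
    """Count incidents per key; an incident counts once per distinct key,
    so an incident with two database assets is still one database incident."""
    counts = Counter()
    for inc in incidents:
        counts.update(set(extract(inc)))
    return counts


def summarise(incidents):
    """The VCDB-style views: who, how, what was hit, which sector, when,
    and how it came to light ("Ext"/"Int" prefix of discovery_method)."""
    return {
        "actor": tally(incidents, lambda i: i.get("actor", {}).keys()),
        "action": tally(incidents, lambda i: i.get("action", {}).keys()),
        "asset": tally(incidents, lambda i: [a["variety"] for a in i.get("asset", {}).get("assets", [])]),
        "sector": tally(incidents, lambda i: [i.get("victim", {}).get("industry", "")[:2]]),
        "year": tally(incidents, lambda i: [i["timeline"]["incident"]["year"]]),
        "discovery": tally(incidents, lambda i: [i.get("discovery_method", "Unknown").split(" - ")[0]]),
    }


def sector_share(incidents, naics_prefix):
    """Fraction of incidents whose victim industry code starts with the
    prefix: a quick measure of the sector bias the post warns about."""
    hits = sum(1 for i in incidents
               if i.get("victim", {}).get("industry", "").startswith(naics_prefix))
    return hits / len(incidents) if incidents else 0.0


if __name__ == "__main__":
    incidents = load_incidents(SAMPLE_VCDB_JSON)
    for view, counts in summarise(incidents).items():
        print(view, dict(counts))
    print("health care share:", sector_share(incidents, "62"))
```

Checking the sector share before drawing conclusions is the practical lesson of the post: with most of the initial records coming from health care (where US breach-notification rules make incidents public), counts by action or asset say more about that sector than about the population at large.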

Posted on: 27 July 2013 at 16:33 hrs


13 July 2013

New Magic Quadrant for Application Security Testing 2013

A new "magic quadrant" for application security testing has been published by Gartner.

Title header from Gartner's report 'Magic Quadrant for Application Security Testing'

Magic Quadrant for Application Security Testing, by Neil MacDonald and Joseph Feiman, was published by Gartner last week on 2 July 2013. It addresses 16 suppliers whose products and services analyse and test applications for security vulnerabilities using static, dynamic and interactive testing techniques. The selection criteria required that suppliers had production products and services operational on 1 January 2013, and more than $2 million turnover in this business area.

The report discusses each supplier's offerings, and describes the market context referencing the convergence of capabilities due to customer requirements, increasingly complex web applications and the growth of mobile apps. Trends identified include increased provision of testing as a service, the need for comprehensive application discovery, testing of client-side code (including HTML5), the benefits of explicit framework support, integration with development life cycles, and testing of mobile and back-end interfaces. The use of these products and services as a security intelligence enabler is also discussed.

Gartner charge for the report, but two of the vendors in the "leaders" category have been very prompt and provided registration forms to obtain the report "free of charge" (here and here).

"Magic Quadrant for Application Security Testing" replaces the previous "Magic Quadrant for Dynamic Application Security Testing" and the "Magic Quadrant for Static Application Security Testing."

Posted on: 13 July 2013 at 08:30 hrs



Metrics : Application Security and Privacy
https://www.clerkendweller.uk/metrics


Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk