31 July 2015

Metrics

Posts relating to the category tag "metrics" are listed below.

31 July 2015

OWASP Automated Threat Handbook v1.00

I have been working on a new OWASP incubator project since February this year — the Automated Threats to Web Applications Project.

One of the threat events descriptions from the 'OWASP Automated Threat Handbook v1.00'

There are many aspects of automation that can contribute to application security, but there are also automated threats that disrupt operations. There is a significant body of knowledge about application vulnerability types, and some general consensus about identification and naming. But I believe issues relating to the misuse of valid functionality (which may be caused by design flaws rather than implementation bugs) are less well defined. Yet these problems are seen day-in, day-out by web application owners.

Excessive abuse of functionality is commonly misreported as application denial-of-service (DoS) attacks, such as HTTP flooding or application resource exhaustion, when in fact the DoS is a side-effect. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or in any other top issue list or dictionary.
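As an added illustration (not code from the handbook or the OWASP project), the following Python script computes two per-client metrics over a handful of constructed access-log lines: overall request rate, and the share of requests aimed at one business function. A client hammering the login form is then labelled as abuse of functionality rather than lumped in with volumetric flooding. The endpoint names, thresholds and log format are assumptions made for the example.

```python
"""Telling abuse of a valid function apart from plain HTTP flooding.

Added example, not code from the OWASP Automated Threats project. Endpoint
names, thresholds and the log format are assumptions made for this script.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Business functions whose legitimate use is human-paced (assumed names).
FUNCTIONS = {"/login", "/register", "/password/reset", "/checkout"}
FLOOD_RATE_RPS = 5.0   # sustained rate that hurts by volume alone
ABUSE_RATE_RPS = 0.5   # faster than a person can keep resubmitting a form
ABUSE_SHARE = 0.8      # fraction of one client's requests aimed at one function

# Constructed sample log: "<client ip> <ISO timestamp> <method> <path> <status>".
SAMPLE_LOG = """\
203.0.113.7 2015-07-31T09:00:00 POST /login 401
203.0.113.7 2015-07-31T09:00:01 POST /login 401
203.0.113.7 2015-07-31T09:00:02 POST /login 401
203.0.113.7 2015-07-31T09:00:03 POST /login 401
203.0.113.7 2015-07-31T09:00:04 POST /login 401
203.0.113.7 2015-07-31T09:00:05 POST /login 401
203.0.113.7 2015-07-31T09:00:06 POST /login 401
203.0.113.7 2015-07-31T09:00:07 POST /login 200
198.51.100.9 2015-07-31T09:00:00 GET / 200
198.51.100.9 2015-07-31T09:00:00 GET /about 200
198.51.100.9 2015-07-31T09:00:00 GET /news 200
198.51.100.9 2015-07-31T09:00:00 GET /products 200
198.51.100.9 2015-07-31T09:00:00 GET /contact 200
198.51.100.9 2015-07-31T09:00:01 GET /search?q=a 200
198.51.100.9 2015-07-31T09:00:01 GET /search?q=b 200
198.51.100.9 2015-07-31T09:00:01 GET /search?q=c 200
198.51.100.9 2015-07-31T09:00:01 GET /search?q=d 200
198.51.100.9 2015-07-31T09:00:01 GET /search?q=e 200
192.0.2.44 2015-07-31T09:00:00 GET / 200
192.0.2.44 2015-07-31T09:00:20 GET /products 200
192.0.2.44 2015-07-31T09:00:45 POST /login 200
192.0.2.44 2015-07-31T09:01:00 GET /account 200
"""


def parse(log_text):
    """Yield (ip, timestamp, method, path) per line, skipping malformed lines
    and dropping the query string so /search?q=a and /search?q=b count as one path."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, ts, method, path, _status = parts
        yield ip, datetime.fromisoformat(ts), method, path.split("?", 1)[0]


def client_metrics(log_text):
    """Per-client request rate and the share of requests on its busiest function."""
    by_ip = defaultdict(list)
    for ip, ts, _method, path in parse(log_text):
        by_ip[ip].append((ts, path))
    metrics = {}
    for ip, reqs in by_ip.items():
        times = [t for t, _ in reqs]
        span = max((max(times) - min(times)).total_seconds(), 1.0)
        funcs = Counter(p for _, p in reqs if p in FUNCTIONS)
        top_func, top_count = funcs.most_common(1)[0] if funcs else (None, 0)
        metrics[ip] = {
            "requests": len(reqs),
            "rate": len(reqs) / span,
            "top_function": top_func,
            "function_share": top_count / len(reqs),
        }
    return metrics


def classify(m):
    """Label one client. Function abuse is tested first, because a client that
    only hammers /login would otherwise be written off as a generic flood."""
    if m["top_function"] and m["function_share"] >= ABUSE_SHARE and m["rate"] >= ABUSE_RATE_RPS:
        return f"functional-abuse:{m['top_function']}"
    if m["rate"] >= FLOOD_RATE_RPS:
        return "flood"
    return "normal"


def analyse(log_text):
    """Map each client address to its label."""
    return {ip: classify(m) for ip, m in client_metrics(log_text).items()}


if __name__ == "__main__":
    for ip, label in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip:15} {label}")
```

In the sample, 203.0.113.7 sends barely more than one request a second, far below anything a capacity alarm would notice, yet every request is a login attempt; 198.51.100.9 is the genuine flood. Reporting both as "DoS" would hide the first.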

This has contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues. I wrote some use case scenarios for having defined names and properties of the threat events:

  • Defining application development security requirements
  • Sharing intelligence within a sector
  • Exchanging threat data between CERTs
  • Enhancing application penetration test findings
  • Specifying service acquisition needs
  • Characterising vendor services.

Following a number of months of research and some peer review, I am pleased to publish the first main output of this - the OWASP Automated Threat Handbook for Web Applications. Initially this is primarily the ontology of automated threats, but the aim is to now develop additional guidance on:

  • Mitigations
  • Guidance for builders
  • Guidance for defenders
  • Effectiveness of alternative controls
  • Threat identification metrics.

I am grateful to those people who have already provided input, discussed the classifications, and suggested improvements.

All outputs are free and open source. There is a two-page project summary. The 68-page v1.00 handbook can be downloaded as a PDF or obtained as a print-on-demand book.

To join the discussion, or to contribute knowledge, or to keep up with the latest news, please join the project's mailing list.

Also, please come along to my talk about the project at AppSec USA 2015 in San Francisco.

Posted on: 31 July 2015 at 09:53 hrs

11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat 'Website Security Statistics Report 2015' showing frequency of ad hoc code review by industry sector

Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs

14 April 2015

Remote Banking Fraud Up, Card Fraud Up

The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK.

e-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 — a 14 per cent rise

In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving customers rather than attacking the payments technology and systems directly. It warns about the increasing numbers of scams which aim to trick people into disclosing financial details or transferring their money directly to fraudsters.

As a result of these trends there is now a new Joint Declaration by UK Banks, Card Issuers and Building Societies, a combined effort to combat phone-initiated fraud.

Online banking fraud increased from £40.9m to £60.4m in 2014, a 48 per cent rise.

Card fraud losses were driven by criminals using UK cards fraudulently abroad, where the security features can be circumvented in some locations.

Posted on: 14 April 2015 at 07:37 hrs

17 March 2015

Payment Security and PCI DSS Compliance 2015

Verizon has published its annual PCI Compliance Report 2015 covering data up to the end of 2014, describing compliance, the sustainability of controls and ongoing risk management.

Partial screen capture from the Verizon report 'PCI Compliance Report 2015' showing one of the many charts

PCI Compliance Report 2015 analyses information from PCI Data Security Standard (PCI DSS) assessments undertaken by Verizon between 2012 and 2014, together with additional data from forensic investigation reports.

It describes the challenges of maintaining compliance and mentions the scale and complexity of requirements, uncertainty about scope and impact, the ongoing compliance cycle, lack of resources, lack of insight into business processes and misplaced confidence in existing information security maturity.

Each main requirement has a dedicated section summarising the changes in v3.0, describing the compliance challenges found, and providing recommendations for maintaining security and compliance. The authors describe methods they consider should be used to make compliance easier, more effective and sustainable.

There is a useful "compliance calendar" in Appendix C of the report which shows the periodic and other triggers for certain activities across the 12 requirements. A "must read" if you are a payment merchant or service provider.

Posted on: 17 March 2015 at 08:46 hrs

29 January 2015

Anti-Automation Monitoring and Prevention

It seems London's Heathrow Airport has very little in the way of anti-automation monitoring or prevention in place.

Headline from the London Evening Standard which reads 'Heathrow noise complaints sent by automated software'

According to the London Evening Standard newspaper on Tuesday, a five-fold increase in complaints was in large part due to automated email submission.

It seems luck led to the discovery that the emails were computer-generated: after the clocks changed from summer time, complaints were received an hour ahead of the flight schedule.

Oops, let's hope that's not a metric used by the airport itself or a regulator.

Not that the airport would reasonably believe it to be the target of any activists! Surely not.
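The timing clue in the story generalises into a simple monitoring check. The Python below is an added example, not anything the airport or the newspaper published: it takes constructed complaint records and flight times, flags complaints received before the flight they name (impossible for a genuine observation), and reports whether those complaints share a single fixed lead such as 60 minutes, which is what a clock-change bug in schedule-driven software would produce. Flight codes, addresses and times are made up.

```python
"""Spotting schedule-driven, machine-generated complaints by their timing.

Added example, not anything from the airport or the newspaper report. The
flights, addresses and timestamps below are constructed.
"""
from collections import Counter
from datetime import datetime

# Constructed: when each flight actually passed overhead (local time).
FLIGHTS = {
    "FLT001": datetime(2014, 10, 27, 6, 30),
    "FLT002": datetime(2014, 10, 27, 7, 15),
    "FLT003": datetime(2014, 10, 27, 8, 5),
}

# Constructed: (sender, flight complained about, time the e-mail was received).
COMPLAINTS = [
    ("a@example.net", "FLT001", datetime(2014, 10, 27, 5, 30)),  # 60 min early
    ("b@example.net", "FLT002", datetime(2014, 10, 27, 6, 15)),  # 60 min early
    ("c@example.net", "FLT003", datetime(2014, 10, 27, 7, 5)),   # 60 min early
    ("d@example.net", "FLT001", datetime(2014, 10, 27, 6, 42)),  # 12 min after: plausible
]


def lead_minutes(complaint, flights):
    """Minutes by which the e-mail preceded the flight it names (negative = sent after)."""
    _sender, flight, received = complaint
    return (flights[flight] - received).total_seconds() / 60


def impossible_complaints(complaints, flights):
    """Complaints received before the flight they describe had happened.

    Nobody can hear an aircraft that has not flown yet, so every entry here was
    produced from a timetable rather than from an observation."""
    return [c for c in complaints if lead_minutes(c, flights) > 0]


def constant_offset(complaints, flights, min_share=0.75):
    """Return the lead shared by at least min_share of all complaints, else None.

    One repeated value (60 here) is the signature of software working from a
    schedule with a stale clock-change offset, not of many independent people."""
    leads = Counter(round(lead_minutes(c, flights))
                    for c in impossible_complaints(complaints, flights))
    if not leads:
        return None
    lead, count = leads.most_common(1)[0]
    return lead if count / len(complaints) >= min_share else None


def audit(complaints, flights):
    """Summary a complaints team could review before the figures are counted."""
    early = impossible_complaints(complaints, flights)
    return {
        "total": len(complaints),
        "before_flight": len(early),
        "shared_lead_minutes": constant_offset(complaints, flights),
    }


if __name__ == "__main__":
    print(audit(COMPLAINTS, FLIGHTS))
```

The check needs only two data sets the operator already holds, received timestamps and the flight schedule, which is why its absence is notable: the clock change exposed by accident what a routine comparison would have shown on any day.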

Posted on: 29 January 2015 at 16:04 hrs

21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security leader discussions on key topics discussing the now and future of cyber security innovation and how new cyber startups may have a part to play.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two-day hackathon for developers, students and the security community to work on new ideas that will either create a cyber security product or a product that has security at its core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs

02 December 2014

SANS SWAT Checklist and Poster

The SANS Institute has published a poster called Securing Web Application Technologies (SWAT).

Partial view of one section of the SANS Securing Web Application Technologies (SWAT) 2014 poster

SWAT 2014 (PDF) is a two-page large-format colourful poster combining a SWAT checklist with a What Works in Application Security chart.

The SWAT checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, and configuration and operations. These should be familiar; here are some similar categories elsewhere:

SWAT Checklist Category (SANS Institute) | AppSec Principle (David Rook) | Cornucopia Suit (OWASP) | Proactive Control (OWASP)
Authentication | Authentication | Authentication | Establish identity and authentication controls
Session management | Session management | Session management | -
Access control | Authorisation, Secure resource access | Authorization | Implement appropriate access controls
Input and output handling | Input validation, Output validation | Data validation and encoding | Validate all inputs, Parameterize queries, Encode data
Data protection | Secure communications, Secure storage | Cryptography, Cornucopia | Protect data and privacy
Error handling and logging | Error handling | Cornucopia | Implement logging, error handling and intrusion detection
Configuration and operations | - | Cornucopia | -
- | - | (all requirements) | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in

So, a good overlap, albeit each of these has somewhat different intent. The SWAT best practices are cross-referenced to Common Weakness Enumeration (CWE) list of software weaknesses where applicable.

The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).

The file can be downloaded without registration.

Posted on: 02 December 2014 at 06:16 hrs

17 October 2014

Cost of Cyber Crime for UK Companies 2014

The third annual study of the cost of cyber crime in UK companies has been published.

Partial view of the cover from the Ponemon report

This 2014 report from the Ponemon Institute is the third annual study of UK companies, and is based on a representative sample of 38 organisations across industries. Findings for other regions and nations, relating to 257 companies in 7 countries in total, have also been published.

The report describes:

  • Mean annual cost
  • How the cost varies across sectors
  • Types of cyber crime
  • Mitigations
  • Effect of response time on incident cost.

2014 Cost of Cyber Crime Study: United Kingdom can be downloaded for free from HP after registration.

Also of use in this area, an analysis of the value of data and tools/services to criminals was published this month by the Infosec Institute.

Posted on: 17 October 2014 at 07:30 hrs

16 November 2013

CISO Guide to Application Security

A new book about application security for Chief Information Security Officers (CISOs) has been announced by OWASP.

The title page from OWASP's Application Security Guide For CISOs Version 1.0 (November 2013)

The Application Security Guide For CISOs seeks to help CISOs manage application security programmes according to their own roles, responsibilities, perspectives and needs. The book examines CISOs' responsibilities from the perspectives of governance, compliance and risk. The primary author Marco Morana is a leader in application security within the financial services sector, but the book is sector, region and technology agnostic. It is also completely technology and vendor neutral. Along with fellow contributors Tobias Gondrom, Eoin Keary, Andy Lewis and Stephanie Tan, I had the pleasure of contributing to Marco's content, reviewing the text and producing the print version of the book.

The 100-page document provides assistance with justifying investment in application security, how application security risks should be managed, how to build, maintain and improve an application security programme, and the types of metrics necessary to manage application security risks and application investments. There is a standalone introduction and executive summary. The core of the book is then collected into four parts:

  • I : Reasons for Investing in Application Security
  • II : Criteria for Managing Application Security Risks
  • III : Application Security Program
  • IV : Metrics For Managing Risks & Application Security Investments

There are also additional appendices with information about calculating the value of data and cost of an incident, as well as a cross-reference between the CISO guide and other OWASP guides, projects and other content.

The book can be obtained in three formats:

Marco and Tobias will be presenting the new CISO Guide, and the results from the 2013 CISO Survey, at next week's AppSec USA in New York.

Translations into other languages will become available over time as volunteers do these. If you can help please send a message to the project mailing list.

Posted on: 16 November 2013 at 05:58 hrs

01 November 2013

AppSensor at AppSec USA in New York

OWASP AppSec USA 2013 is in three weeks' time, from 18th to 21st November. This is expected to be the largest application security conference in the world ever.

Photograph of the Manhattan skyline with the Statue of Liberty in the foreground

The OWASP AppSensor Project describes, and provides demonstration code for, real-time application-specific attack detection and real-time response. The two primary AppSensor events during AppSec USA are being led by project leaders John Melton and Dennis Groves, and there is also a chance to contribute to the upcoming new AppSensor Guide:

  • AppSensor 2.0 Hackathon code writing, John Melton, Monday 18th November at 1:00pm - 5:00pm (Sky Lounge, 16th floor)
  • Writing and Documentation Review Session for documentation projects including AppSensor, Michael Hidalgo and Samantha Groves, Wednesday 20th November at 9.00am - 1.00pm (Sky Lounge, 16th Floor)
  • AppSensor Project presentation, Dennis Groves, Thursday 21st November at 2.00pm - 3.00pm (Edison Room, 5th Floor)

The first, part of the conference's OWASP Project Summit 2013, will be an opportunity to work with John to help write code for the AppSensor 2.0 services model (REST and SOAP). Further details of the summit here and here. Dennis will be providing an inspirational introduction to using AppSensor, and the technical and business benefits achievable.

Additionally, core contributor Ryan Barnett is providing a closely related training class about using ModSecurity for web application defence:

Training at OWASP conferences is always to a high standard, but the courses get booked up very quickly.

Along with John, Dennis and Ryan, most of the other core project contributors, including myself, will be in New York for the conference, so if you want to ask any questions, please just track one of us down. Ask at the conference support desk where to find us.

Regardless of your interest in AppSensor, there are another 120 application security sessions available during the week. If you haven't already booked for the training or conference, you can still register, but don't leave it too late.

Update 11th November 2013: Documentation writing and review session added.

Posted on: 01 November 2013 at 15:23 hrs

Metrics : Application Security and Privacy
https://www.clerkendweller.uk/metrics
© 2008-2015 clerkendweller.uk