07 July 2015


Posts relating to the category tag "operation" are listed below.

07 July 2015

Hosted Payment Pages, the Payment Services Directive and PCI DSS Validation & Reporting

Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel.

From the ECB's 'Guidelines on Internet Payments Security' on strong customer authentication in clause 7.5: 'PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis, or involving low-value payments, as referred to in the PSD.'

The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (HPP) would currently be acceptable for validation and reporting to SAQ A (or using those parts in a full report on compliance, depending upon transaction volumes or as required by a card scheme or acquirer).

But move on a year. The payment service provider (PSP) sector is coming under increasing regulation. PSPs are subject to the Payment Services Directive (PSD) which was implemented in the UK through the Payment Services Regulations 2009 (PSRs), which came into effect on 1st November 2009.

The PSRs affect firms providing payment services and their customers, including banks, building societies, e-money issuers, money remitters, non-bank credit card issuers, and non-bank merchant acquirers. Thus, whilst they are not directly applicable to e-commerce merchants (or "emerchants" as the PSD refers to them), the PSPs that provide e-commerce merchants with payment systems are affected.

Following an extensive consultation process, and a draft published in October last year, the European Banking Authority (EBA) published its final guidance in December 2014. This guidance is known as the Final Guidelines on the Security of Internet Payments and comes into effect next month on 1st August 2015.

This places obligations on PSPs to impose certain security requirements on e-commerce merchants. For example, PSPs must require their e-commerce merchants to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet.

Furthermore, the guidance requires PSPs to encourage merchants never to store "sensitive payment data", and places an obligation on PSPs to include requirements in their contracts and to carry out "regular checks" of their e-commerce merchants:

From the ECB's 'Guidelines on Internet Payments Security' on protection of sensitive payment data in clauses 11.2 and 11.3: 'PSPs should ensure that when exchanging sensitive payment data via the internet, secure end-to-end encryption is applied between the communicating parties throughout the respective communication session, in order to safeguard the confidentiality and integrity of the data, using strong and widely recognised encryption techniques.' and 'PSPs offering acquiring services should encourage their e-merchants not to store any sensitive payment data. In the event e-merchants handle, i.e. store, process or transmit sensitive payment data, such PSPs should contractually require the e-merchants to have the necessary measures in place to protect these data. PSPs should carry out regular checks and if a PSP becomes aware that an e-merchant handling sensitive payment data does not have the required security measures in place, it should take steps to enforce this contractual obligation, or terminate the contract.'

Perhaps of most note is the guidance that states PSPs should require e-commerce merchants to use a full redirect rather than any other type of architecture, and that this excludes any framed hosted payment page:

From the ECB's 'Guidelines on Internet Payments Security' on customer education and communication in clause 12.5: 'Acquiring PSPs should require e-merchants to clearly separate payment-related processes from the online shop in order to make it easier for customers to identify when they are communicating with the PSP and not the payee (e.g. by re-directing the customer and opening a separate window so that the payment process is not shown within a frame of the e-merchant).'

Whether this will actually filter through from PSPs to their e-commerce customers, or from the acquiring banks to their merchants, remains to be seen. The UK's Financial Conduct Authority (FCA) has stated it will not be able to comply with the guidance. Regardless of this, leading merchants that do not already use a full redirect are investigating what changes would be necessary to achieve it and what level of user experience is possible. The reasons to move to a full redirect are to reduce the exposure of cardholder data, to lower the risk of a cardholder data incident, and to make the change at a time of their choosing rather than when it is imposed through a contractual obligation.

For some merchants this may entail moving to a different PSP that is able to offer suitable PSP-hosted templates and configuration to provide a suitable user interface (UI) for web desktop and mobile users that supports all the options the merchant requires, such as internationalisation.

Some nations, PSPs and acquiring banks may also be waiting for the implementation of the Payment Services Directive 2 (PSD2), possibly in 2017. The intention of PSD2 is to harmonise the approaches across member nation states, and also to reduce the inappropriate use of exemptions.

Posted on: 07 July 2015 at 10:00 hrs


02 July 2015

HTTP Strict Transport Security (HSTS) Preload Lists

There is a growing wave of websites and other web applications that are now moving to be TLS-only (transport layer security only, aka SSL-only).

Partial screen capture of Chrome's preload list with the entry for clerkendweller.uk highlighted

Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of an HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS deployment, not least the effect on other sub-domains.

Since the browser needs to make at least one request before it can read this HSTS policy, the user's first connection to the site may still be made without TLS, and that request remains exposed.

However, if a web site is TLS-only and sends the HSTS header with a max-age of at least eighteen weeks (10886400 seconds) and with the "includeSubDomains" and "preload" directives set, then the policy can be hard coded into certain web browsers so that they will never request the site without TLS, regardless of what a user types in or clicks on.

The machine readable HSTS preload lists are:

The entry for clerkendweller.uk in Chrome's list is illustrated above.

Once you have configured your website, use this form from Google to submit your information. The data is also included in the preload lists for Safari and Firefox. Note that inclusion in the preload list is irreversible.
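Before submitting a site, it is worth checking the header actually meets the three conditions above. The following is an added example, not code from the original post or from any browser vendor: it parses a Strict-Transport-Security header value and reports why it would not be preload-ready, using constructed sample header values (including a quoted max-age and a repeated directive, which the checker rejects rather than guessing which copy a browser would honour).

```python
"""Check whether a Strict-Transport-Security header value meets the
HSTS preload conditions described in the post (added example)."""
import re

# Minimum max-age the post gives for preload submission: eighteen weeks.
PRELOAD_MIN_MAX_AGE = 18 * 7 * 24 * 60 * 60  # 10886400 seconds


def parse_hsts(header_value):
    """Parse an STS header value into a dict of lower-cased directive
    names to values (None for valueless directives). Returns None if any
    directive is repeated, since such a header should not be relied on."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are matched case-insensitively
        value = value.strip().strip('"') if value else None  # max-age may be quoted
        if name in directives:
            return None
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return a list of reasons the header is NOT preload-ready; an empty
    list means all three conditions from the post are satisfied."""
    d = parse_hsts(header_value)
    if d is None:
        return ["a directive appears more than once"]
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age is missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE} (eighteen weeks)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is missing")
    if "preload" not in d:
        problems.append("preload is missing")
    return problems


# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "ready": "max-age=31536000; includeSubDomains; preload",
    "too_short": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=10886400; preload",
    "quoted_ok": 'max-age="10886400"; includeSubDomains; preload',
    "duplicate": "max-age=10886400; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        issues = preload_problems(value)
        print(f"{label:14s} {'OK' if not issues else '; '.join(issues)}")
```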

Posted on: 02 July 2015 at 07:49 hrs


23 June 2015

Docker Security Resources

Two recent publications provide security advice for Docker users.

Partial view of content from the CIS Benchmark for Docker Engine 1.6

The Center for Internet Security (CIS) has published a Benchmark for Docker Engine 1.6. A related tool, Docker Bench, is a script that checks for all the automatable tests included in the CIS Docker 1.6 Benchmark.

In March, a white paper Introduction to Container Security was also published.

See also the Docker Security page.

Posted on: 23 June 2015 at 16:05 hrs


16 June 2015

The Value of Personal Information

The story that consumers and others are willing to give away information about their personal lives to companies in exchange for some trivial benefit is often heard. A new research paper published in the United States undermines this belief.

Clubbers enjoying Carl Cox dj-ing in Ibiza

The Tradeoff Fallacy - How Marketers Are Misrepresenting American Consumers And Opening Them Up to Exploitation has been written by Joseph Turow and Michael Hennessy from the Annenberg Public Policy Center at the University of Pennsylvania and Nora Draper from the Department of Communication at the University of New Hampshire.

People often release information about themselves in ways that suggest little concern about disclosure and collection of their personal data.

The authors found that a large pool of Americans feel resigned to the inevitability of surveillance and the power of marketers to harvest their data. And people who are resigned do not predictably decide to give up their data. Additionally there was no statistical relationship found between being resigned to marketers' use of data and accepting or rejecting various kinds of supermarket discounts.

Read the paper and further analysis on Techcrunch.

Posted on: 16 June 2015 at 07:58 hrs


15 June 2015

AppSensor Code Version 2.1 and Beyond

Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation.

Photograph of Hadrian's Roman Wall in Northumberland, England

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful concepts in existing applications and is provided under an MIT open-source licence.

Version 2.1.0 includes additional execution modes, additional emitters, enhanced documentation, upgraded Maven dependency versions, and Spring Security integration. Additionally, two demonstration applications have been added. The first example application illustrates how to use AppSensor in local mode with the Spring Security integration. The second example shows the use of AppSensor for something other than application layer IDS — in this case, as an exception tracker.

The code can be downloaded from GitHub.

John is now hoping to move onto creating a user interface (UI) for the reference implementation, and is seeking feedback on the UI architecture and design. Please contribute your ideas by adding comments this week.

Posted on: 15 June 2015 at 07:06 hrs


11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat Website Security Statistics Report 2015 showing Frequency of Adhoc Code Review by Industry Sector

The Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs


28 May 2015

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime.

Chapter header '5. Data security' in the FCA guidance 'Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime'

Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document provides guidance regarding financial crime systems and controls, money laundering and terrorist financing, fraud, data security, bribery and corruption, and sanctions and asset freezes. Some of these are clearly sector-specific but there is generally applicable advice too.

Chapter 5 on data security draws on, and extends, guidance originally published in the former FSA's document Data Security, published in 2008.

Part 2 of the document contains summaries of, and links to, thematic reviews of various financial crime risks. It includes the consolidated examples of good and poor practice that were included with the recent reviews' findings.

The guidance took effect on 27 April 2015.

Posted on: 28 May 2015 at 08:59 hrs


18 May 2015

SANS 2015 State of Application Security

The SANS Institute has published this year's survey results about application security programmes.

One of the charts from the SANS report '2015 State of Application Security: Closing the Gap' showing the popularity of language and perceived security risk

In a change from last year's report, the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders.

Jim Bird, Eric Johnson and Frank Kim analysed data from 435 respondents, a quarter of whom came from financial services/banking. Two-thirds of respondents worked in organisations with 1,000 or more people.

The report is full of useful information that reflects the languages, frameworks and development practices utilised by the survey participants. The top challenges for builders and defenders are identified, along with drivers, practices, and which standards, guidance, lifecycle models and other materials are referenced by the organisations' own application security programmes.

A breakdown of the proportion of the overall IT budget spent on application security is also presented.

The report is free to access and download.

Posted on: 18 May 2015 at 09:09 hrs


15 May 2015

The Bad and the Good of Ecommerce Fraud Detection

Vendor ThreatMetrix has published a short document about how online fraud detection systems often treat customers as if they were criminals, leading to increased costs and decreased income.

Photograph of customers in a high street shop paying for their purchases at checkouts

Problems with common systems of customer authentication are discussed in "Are You Treating Your Customers Like Criminals?", including failure to recognise existing customers, time-consuming or awkward re-authentication and the poor user experience of payment verification processes like 3DSecure (e.g. Verified By Visa, MasterCard SecureCode, American Express SafeKey).

These lead to basket abandonment, payment failures and brand damage. The document describes other problems created such as making it difficult to enter new markets, increasing the customer support overhead, wasting marketing spend, and rising fraud levels during peak trading periods when barriers are lowered, leading to elevated chargeback rates.

It is suggested that retailers need to simplify authentication, improve the identification of real customers, and mitigate the business impact of fraudulent activity. Recommendations for activities to undertake in real time are provided. These measures can be implemented directly in code, as well as by using vendor products and services. See also a post from March, User Interface Modifications to Combat Buyer Fraud.

The document can be downloaded free of charge after providing contact details including a valid email address. ThreatMetrix also publishes a quarterly cybercrime attack report.

Posted on: 15 May 2015 at 11:20 hrs


08 May 2015

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre.

Partial screen capture from the OWASP wiki showing part of the extensive project inventory

With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organised social events, it looks like this year's event is shaping up very well.

As well as the project summit, some projects are being discussed in some of the main conference presentations.

When the call for papers was announced last year, I proposed having some sessions that gave the opportunity for a larger number of project leaders to explain their work, the target users, the benefits, and what materials are available. I am pleased to say the conference team liked the idea and allocated two 45-minute slots. These are being used to showcase innovation in OWASP projects to the main conference audience.

Both lightning talk sessions occur on Thursday 21st May. Each talk is 10 minutes long. The speakers and their projects are listed below.

14:30 - 15:15 hrs

    Hackademic Challenges, implementing realistic scenarios with known vulnerabilities in a safe, controllable environment.
  • Andrew VAN DER STOCK and Daniel CUTHBERT
    Application Security Verification Standard, providing a basis for assessing web application technical security controls, to establish a level of confidence in the security of web applications.
  • Jonathan CARTER
    Reverse Engineering and Code Modification Prevention, educating security architects, risks analysts, software engineers, and pen testers around binary risks from code integrity violation and reverse engineering.
  • Matteo MEUCCI
    Testing Guide version 4, the de facto standard for performing web application penetration testing.

15:45 - 16:30 hrs

  • Jim MANICO
    Top 10 Proactive Controls, describing the most important control and control categories that every architect and developer should include in every project, and Cheat Sheet Series, providing a concise collection of high value information on specific web application security topics.
  • Tao SAUVAGE and Marios KOURTESIS
    Offensive Web Testing Framework (OWTF), making security assessments as efficient as possible by automating the manual, uncreative part of pen testing, and providing out-of-the-box support for the OWASP Testing Guide, and NIST and PTES standards.
    Knowledge Based Authentication Performance Metrics, establishing standard performance metrics for knowledge based authentication (KBA) in alignment with the NSTIC guiding principles - at the intersection of security, identity and privacy.
  • Sebastien DELEERSNYDER
    Software Assurance Maturity Model (OpenSAMM), an open framework to help organizations measure, improve and manage their software security practice that is tailored to the specific risks facing the organization.

I will introduce each session and the speakers, and keep time. I hope you can join me to hear about these contributions to application security directly from the leaders themselves. We will have time after the sessions for further discussion and questions.

Posted on: 08 May 2015 at 09:00 hrs



Operation : Application Security and Privacy

Page https://www.clerkendweller.uk/operation

© 2008-2015 clerkendweller.uk