11 June 2015

SDLC

Posts relating to the category tag "SDLC" are listed below.

11 June 2015

Website Vulnerability Statistics Report 2015

WhiteHat Security in the United States has published the 15th edition of its Website Security Statistics Report.

Partial view of one of the charts in the WhiteHat Website Security Statistics Report 2015' showing Frequency of Adhoc Code Review by Industry Sector

Website Security Statistics Report 2015 presents core data relating to:

  • Likelihood of a vulnerability existing in web applications
  • The number of days per annum applications have one or more serious vulnerabilities (window of exposure).

These are defined in aggregate and also by industry sector. But this year's report also provides a deeper analysis of how these numbers and security activities in the software development lifecycle relate to breaches, vulnerability prevalence, and remediation rates.

The report is available after registering from the WhiteHat website.

Posted on: 11 June 2015 at 17:14 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

08 May 2015

Lightning OWASP Project Presentations at AppSec EU 2015

AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre.

Partial screen capture from the OWASP wiki showing part of the extensive project inventory

With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organised social events, it looks like this year's event is shaping up very well.

As well as the project summit, some projects are being discussed in some of the main conference presentations.

When the call for papers was announced last year, I proposed having some sessions that gave the opportunity for a larger number of project leaders to explain their work, the target users, the benefits, and what materials are available. I am pleased to say the conference team liked the idea and allocated two 45-minute slots. These are being used to showcase innovation in OWASP projects to the main conference audience.

Both lightning talk sessions occur on Thursday 21st May. Each talk is 10 minutes long. The speakers and their projects are listed below.

14:30 - 15:15 hrs

  • Spyros GASTERATOS
    Hackademic Challenges, implementing realistic scenarios with known vulnerabilities in a safe, controllable environment.
  • Andrew VAN DER STOCK and Daniel CUTHBERT
    Application Security Verification Standard, providing a basis for assessing web application technical security controls, to establish a level of confidence in the security of web applications.
  • Jonathan CARTER
    Reverse Engineering and Code Modification Prevention, educating security architects, risks analysts, software engineers, and pen testers around binary risks from code integrity violation and reverse engineering.
  • Matteo MEUCCI
    Testing Guide, version 4 the de facto standard for performing web application penetration testing.

15:45 - 16:30 hrs

  • Jim MANICO
    Top 10 Proactive Controls, describing the most important control and control categories that every architect and developer should include in every project, and Cheat Sheet Series, providing a concise collection of high value information on specific web application security topics.
  • Tao SAUVAGE and Marios KOURTESIS
    Offensive Web Testing Framework (OWTF), making security assessments as efficient as possible by automating the manual uncreative part of pen testing, and providing out-of-box support for the OWASP Testing Guide, and NIST and PTES standards.
  • Ann RACUYA-ROBBINS and Luis ENRIQUEZ
    Knowledge Based Authentication Performance Metrics, establishing standard performance metrics for knowledge based authentication (KBA) in alignment the NSTIC guiding principles - at the intersection of security, identity and privacy.
  • Sebastien DELEERSNYDER
    Software Assurance Maturity Model (OpenSAMM), an open framework to help organizations measure, improve and manage their software security practice that is tailored to the specific risks facing the organization.

I will introduce each session, the speakers and keep time. I hope you can join me to hear about these contributions to application security directly from the leaders themselves. We will have time after the sessions for further discussion and questions.

Posted on: 08 May 2015 at 09:00 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 April 2015

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities.

Cover of the 'AppSensor CISO Briefing'

The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developers and operators.

The document's content was partially taken from the introductory sections of the AppSensor Guide and the AppSensor Microsite. This was then edited and changed by myself, John Melton and Louis Nadeau.

I incorporated several quotations from industry analysts, reports and standards to help set the context in the current security environment. The quotations are all publicly available but are mostly not OWASP AppSensor specific — instead they illustrate current trends and concerns about attack visibility, real-time detection, the need for automation, runtime application self-protection (RASP), and active defences.

The 12 pages comprise the following:

  • Defending Software Applications
  • Detect and Respond to Attacks From Within the Application
  • Benefits For Organizations and Users
    • Lower information security risk
    • Improved compliance
    • Reduced impact of attacks and breaches
    • Increased system survivability
  • Enterprise Ready
    • Extremely low false positives
    • Intelligence driven security
    • Low system resource overhead
    • Machine-speed response
  • Next Steps
  • Additional AppSensor Resources
  • About OWASP.

The CISO Briefing can be downloaded free of charge as a PDF, or purchased at cost in hardcopy from Lulu.com. There will also be some copies available during the CISO track at the AppSec EU conference in May.

Posted on: 24 April 2015 at 08:54 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

31 March 2015

Participate in the OWASP Project Summit in Amsterdam

The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference.

Photograph of a sign mounted on a door in Amsterdam which reads in Dutch and English 'Denk aan de buren a.u.b. - Please mind the neighbours'

A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with other volunteers, and as such requires active participation and contribution.

Across all the sessions there are a wide range of inputs needed including requirements specification, architecture review, coding, testing, documentation/wiki writing and review, user interface design, planning, graphical design, video creation and translation. Full details, timings and objectives of each session are provided on the summit's wiki pages.

There are many projects participating, including sessions for projects I am actively involved in. My own parts of the summit are

Tuesday 19th May

  • 10:30-12:00 hrs OWASP Codes of Conduct - Document Review
    The current Codes of Conduct were developed primarily during the last major OWASP Summit in Portugal. They cover: Government Bodies Educational Institutions Standards Groups Trade Organizations Certifying Bodies Development Organizations This 1.5 hour session will review, edit, update and release v1.2 of each document. Participants should be interested in how external entities can be encouraged to support OWASP's mission, read the existing Codes of Conduct in advance, and come with suggestions for changes. The session agenda is 1. Introduction; 2. Joint review and edit (15 mins each document); 3. Publish updated documents to wiki (PDF and Word).
  • 13:00-15:00 hrs OWASP AppSensor (Documentation) - Guide Review
    The AppSensor Guide v2 was published in May last year, and has had two minor updates, the last one mainly due to the important release of the v2 code implementation. This session is to edit and improve the guide, since many of the chapters have not been fully reviewed. Participants should read a chapter or two in advance of the summit (chapter 5 onwards, but choose randomly/what is of interest) and bring their edits/comments to the session, where the guide will be updated. All participants will be acknowledged in the guide and on the project wiki page. The session agenda is 1. Briefing; 2. Live editing; 3. Publication updated PDF.
  • 15:30-16:30 hrs OWASP Snakes and Ladders - Dutch Translation
    OWASP Snakes and Ladders (web applications) has been translated into 5 other languages already, and Portuguese is in progress. But so far not Dutch. This rapid session will ask participants to translate the 900 words or so into Dutch, so that a PDF and Adobe Illustrator version can be created. It will also be possible to help remotely, as it will be set up on Crowdin. The session agenda is 1. Meet; 2.Translate; 3. Create Illustrator and PDF output; 4. Publish.

Wednesday 20th May

  • 09:00-12:00 hrs OWASP Cornucopia - Ecommerce Website Edition - Video
    The objective is to create a short "how to play the Cornucopia card game" video during this half-day session. Cornucopia is a card game that helps identify security requirements, but people may not be familiar with how easy it is to get started. Participants for this session are needed to be players, to create a narrative, to video the game being played, and if there is time and anyone has the skill, to edit the video and sound into a release version. It is preferable if participants are already a little familiar with the game and/or threat modelling. If there is time, we will also discuss alternative game strategies like a Jeopardy format. The session agenda is 1. Storyboarding; 2. Game play recording; 3. Editing; 4. Soundtrack; 5. Publish video.
  • 13:30-17:00 hrs OWASP AppSensor (Code) - Dashboard
    The AppSensor v2.0.0 code implementation final release was undertaken in January. One of the tasks to continue with is the development of a reporting dashboard. This session is to brainstorm ideas and layouts for the dashboard, and identify what tools/libraries can assist in the creation of the dashboard. Bring ideas, energy, URLs, paper and pens! The outputs will be dashboard mockups. The session agenda is 1. Introductions and objectives; 2. Information requirements; 3. User stories; 4. Information design; 5. Code libraries and frameworks.
  • 17:00-18:00 hrs OWASP Automated Threats to Web Applications - Website Owner Experiences
    The OWASP Automated Threats to Web Applications Project is undertaking research and will publish its outputs immediately prior to AppSec EU 2015. This meeting seeks input from training and conference attendees on their own organisations' experiences of automated attacks: What types of automated attacks occur and with what frequency? What were the symptoms? How are they detected? What incident response measures were taken? What steps were undertaken to prevent or mitigate such attacks? Participation/contribution can be anonymous or otherwise. The intention is to update the published documents during the session and if possible create additional sector-specific guidance.

Registration

Attendance at the project summit is free, but everyone is a participant to help achieve the objectives. Please register to let the team know who will be attending. Join as many or as few of the sessions as you like.

The summit is co-loacted at the Amsterdam RAI as the chargeable training courses running on the same days. Why not sign up for those and the conference at the same time?

I look forward to seeing some of you there.

Posted on: 31 March 2015 at 13:52 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 February 2015

Register Today for OWASP AppSec EU 2015 in Amsterdam

The leading application security training and conference event is being held in Amsterdam from 19th to 22nd May 2015. Register today.

Photograph of houses overlooking boats on a canal in Amsterdam - the location for OWASP AppSec EU 2015

OWASP AppSec EU 2015 is being held in the Amsterdam RAI Convention Centre just a single train stop from both Schiphol Airport in one direction, and central station in the other.

AppSec EU 2015 comprises:

It looks like it will be a superb event. Thanks to the event team for their work to date.

And of course, there is everything else Amsterdam has to offer.

Registration is open, but the price increases on 1st March (this Sunday), and there is another higher charge for tickets bought at the door. Amsterdam RAI Hotel and Travel Service is the official accommodation partner of OWASP AppSec EU 2015. Lastly, there are still a few sponsorship packages available.

Posted on: 27 February 2015 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 February 2015

Report on an Evaluation of Application Security Assessment Vendors

Forrester Research published an evaluation of a dozen application security vendors in December.

Figure 1 Evaluated Vendors: Product Information from the The Forrester Wave Application Security, Q4 2014, listing Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security

The researchers reviewed the market to identify application security assessment vendors that offer multiple capabilities, provide easy deployment and integration, are used by other Forrester clients and have competitive offerings.

Their selection was Beyond Security, Checkmarx, Contrast Security, Coverity, HP Fortify, IBM, Qualys, Quotium, Trend Micro, Veracode, Virtual Forge and WhiteHat Security.

The vendors offer mixed approaches in static analysis (SAST), dynamic analysis (DAST), and instrumented/ interactive technologies (IAST) techniques in order to detect weaknesses and vulnerabilities in general code, web applications, mobile applications, and commercial off-the-shelf (COTS) products. Their current product offerings, strategy and size of market presence were compared.

The brief report is available for an eye-watering $2,495 if you are not an existing client of Forrester. Alternatively, you can request a free copy from either IBM or WhiteHat Security (business details required).

Posted on: 24 February 2015 at 08:05 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

20 February 2015

Software Assurance Maturity Model Practitioner Workshop

The OWASP Open Software Assurance Maturity Model (Open SAMM) team are holding a summit in Dublin at the end of March.

Extract from the Open Software Assurance Maturity Model (Open SAMM) document that describes the four business functions - governance, construction, verification, and deployment

As part of the two-day Open SAMM Summit 2015 a full day is being allocated to software assurance practitioners and those who want to learn about using the vendor-neutral and free Open SAMM to help measure, build and maintain security throughout the software development lifecycle.

Open SAMM helps organisations formulate and implement a strategy for software security that is tailored to the specific risks facing the organisation. The resources provided by SAMM assist:

  • Evaluating an organisation's existing software security practices
  • Building a balanced software security programme in well-defined iterations
  • Demonstrating concrete improvements to a security assurance program
  • Defining and measuring security-related activities within an organisation.

There seems to be plenty activity in the project. Keep up-to-date by following or joining the mailing list.

The users day, on Friday 27th March, is a combination of presentations, workshops and round-table discussions to help explain the approach, to make best use of a maturity model, to show how SAMM is being used by other companies, and to describe some upcoming project initiatives. The user day runs from 08:00 for 09:00 hrs through to 17:00 hrs, and is followed in the evening by an optional social event. Attendance is limited to the first 40 people who register and costs 150 EUR + VAT (21%). Travel, accommodation, subsistence at your own cost.

The following day, the SAMM project team, and any other volunteers who want to participate, will be working on creating outputs for the project.

The event is being held at The Gibson Hotel at Point Village Dublin 1, Ireland.

Posted on: 20 February 2015 at 09:59 hrs

Comments Comments (2) | Permalink | Send Send | Post to Twitter

10 February 2015

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.

One of the tables from NIST SP 800-163 'Vetting the Security of Mobile Applications' showing top level general categories of iOS app vulnerabilities

SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections:

  • Planning
    • Security requirements
    • Understanding vetting limitations
    • Budget and staffing
  • Testing
    • General app security requirements
    • Testing approaches
    • Sharing results
  • App approval/rejection
    • Report and risk auditing
    • Organisation-specific vetting criteria
    • Final approval/rejection.

The guidance is practical and highlights risks that are mobile app specific as well as general application security risks. Appendices B & C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.

Posted on: 10 February 2015 at 07:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 January 2015

NISTIR 8018 - Public Safety Mobile Application Security Requirements Works

The previously mentioned draft NIST Interagency Report (NISTIR) 8018 has now been released in final version.

he public safety mobile application security effort focuses on improving the mobile application development process, specifically the mobile application testing tools, by understanding and collecting the security requirements relevant to the public safety community.

The consultation of the previous draft closed on 13th September 2014. The final NISTIR 8018 (23 January 2015) captures security requirements for public safety mobile applications from the workshop between the Association of Public-Safety Communications Officials (APCO) International, the first responders' network FirstNet and the US Department of Commerce.

NISTIR 8018, PDF download.

Posted on: 27 January 2015 at 09:13 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

21 January 2015

London Cyber Security Summit for Startups

OWASP London Chapter is helping host next week's Cyber Startup Summit in conjunction with techUK, PixelPin and Sonatype.

Banner for the summit that reads 'Cyber Startup Summit - 28th-30th January 2015, IDEALondon/Google Campus'

The primary focus of the Cyber Startup Summit is to promote innovation across cyber security. It intends to enable collaboration between enterprise security leaders, security startups, creative entrepreneurs, students and academics to discuss, connect and hack the hot topics within the world of cyber security. The summit comprises three events:

  • Secure Startup (Wednesday 28th morning) at IDEALondon, London EC2A 2BB
    Talks/workshops for generic startups to better understand how to develop secure products, secure existing products and secure the business assets/IP/data.

    9.00 Arrive
    9.30 Introduction & morning overview
    10.00 Interactive talks (15mins x4)
    - Developing Secure Fintech MVPs (cryptocurrency/mobile) - Marco Morana
    - Open Source Risk - David Jones
    - Securing your IP/Ideas - Mike Loginov
    - Securing Existing Tech (MVP/Product) - Justin Clarke
    11.00 Talk: Security by Design - Angela Sasse
    11.40 Talk: Good and Sanity - David Jones
    12.00 Leader Panel on "Securing Business Q&A"
    13.00 Finish

  • Cyber Innovation (Wednesday 28th afternoon) at IDEALondon, London EC2A 2BB
    Talks and security leader discussions on key topics discussing the now and future of cyber security innovation and how new cyber startups may have a part to play.

    13.30 Arrive
    14.00 Introduction & afternoon overview
    14.15 Talk: Nurturing Cyber Startups - Andy Williams
    14.30 Talk: Cyber Investment in FinTech - Ian Dowson
    14.45 Talk: Future of Cyber Innovation - Mike Loginov
    15.15 Talk: Think Secure, Now or Never - Amar Singh
    15.45 Talk: Risk, Regulation, Reputation - John Elliott
    16.30 Leader Panel on "Cyber Innovation Q&A" - Marco Morana, Amar Singh, Angela Sasse, Mike Loginov, John Elliott
    18.00 Finish (+drinks)

  • Hackathon (Thursday 29th and Friday 30th) at Campus London, London EC2A 4BX
    A two day hackathon for developers, students and the security community so work on new ideas that will either create a cyber security product or a product that has security at core.

    Day 1 - Thursday 29th January
    09.00 Participants arrive (+breakfast)
    09.30 Introduction & hackathon overview
    10.00 Participants with current ideas given 1 minute to present them to everyone
    11.00 Teams formed and the Hackathon begins.

    Day 2 - Friday 30th January
    09.00 Breakfast
    12.00 Lunch
    14.00 Presentations start - 3min presenting & 2min Q&A
    15.30 Break
    17.00 Winners announced
    17.30 Networking inc food and drink
    19.00 After Party at Silicon Drinkabout

Book a free place for the Secure Startup and Cyber Innovation events.

The hackathon is dedicated to ideas for new security (or secure) products. Participants can utilise available resources to create new security prototypes. Mentors will be on site. The hackathon is free but booking is required.

Posted on: 21 January 2015 at 08:40 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

SDLC : Application Security and Privacy
https://www.clerkendweller.uk/sdlc
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/sdlc
Requested by 54.92.157.138 on Sunday, 5 July 2015 at 14:16 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk