16 April 2015

Threats

Posts relating to the category tag "threats" are listed below.

10 February 2015

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications.

One of the tables from NIST SP 800-163 'Vetting the Security of Mobile Applications' showing top level general categories of iOS app vulnerabilities

SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the software development life cycle (SDLC). The report is grouped into planning, testing and app approval/rejection sections:

  • Planning
    • Security requirements
    • Understanding vetting limitations
    • Budget and staffing
  • Testing
    • General app security requirements
    • Testing approaches
    • Sharing results
  • App approval/rejection
    • Report and risk auditing
    • Organisation-specific vetting criteria
    • Final approval/rejection.

The guidance is practical and highlights risks that are mobile app specific as well as general application security risks. Appendices B & C provide helpful categorised lists of Android and iOS mobile app vulnerability types respectively.

Posted on: 10 February 2015 at 07:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

02 February 2015

CMA Consultations on Consumer Data

The UK Competition and Markets Authority (CMA) has two current related consultations.

Photograph of a yellow pendant flag flying on a mask against a blue sky

Data Sharing and Open Data in Banking

Following the publication of the report Data Sharing and Open Data for Banks in December 2014 which examined how financial technology firms can make better use of bank data on behalf of customers through application programming interfaces (APIs) and open data, the government is now seeking views on how an open API standard could be delivered in UK banking.

The call for evidence describes evidence is sought from banks, consumer groups, financial services providers, card schemes, payment institutions, financial technology firms and app and software designers. In particular views are sought about how the recommendations in the report should be developed, what benefits more open data in banking could bring to consumers and how an open API standard in UK banking could best be delivered.

The Data Sharing and Open Data in Banking call for evidence closes on 25th February 2015. Responses can be sent by email to Datasharing.CfE@hmtreasury.gsi.gov.uk or by post to Data Sharing and Open Data in Banking, Banking and Credit Team, HM Treasury, 1 Horse Guards Road, London SW1A 2HQ.

The Commercial Use of Consumer Data

The CMA is also seeking information on the commercial collection and use of UK consumers' data, and the implications (benefits and risks) for firms and consumers.

The briefing document details the scope as UK consumer data collected both inside and outside the UK in the context of the internet and more widely; collected directly by businesses as well as by appliances, applications and cloud services; collected at any time, both with and without the knowledge of consumers; includes both data on specific transactions for goods and services (including paid for and free-at-use services) as well as data not specific to such transactions; and used by firms dealing directly with consumers (for instance to target groups and individuals with offers), and third party firms (using data sourced from firms dealing directly with consumers) who analyse this data to provide commercial services to other firms.

The consultation on Commercial Use of Consumer Data closes at 5pm on Friday 6 March 2015. Responses can be submitted using the online form or by completing a form and returning to ConsumerData@cma.gsi.gov.uk or by post to Consumer Data Call for Information, Competition and Markets Authority, 7th floor Victoria House, 37 Southampton Row, London WC1B 4AD.

Posted on: 02 February 2015 at 10:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

30 January 2015

OWASP AppSensor Code v2.0.0 Final Release

I was extremely pleased to read yesterday that the final version of the new AppSensor reference implementation has been published following three previous release candidates.

Screen capture from the AppSensor microsite developed by John Melton for the OWASP AppSensor Project

The OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response.

John Melton with the help of other code contributors and feedback from the project's code development mailing list have finished a complete overhaul of the previous code. In the words of the version 2.0.0 announcement, the most significant changes are:

  • Client-server architecture supporting multiple communication modes including: REST, SOAP, Thrift, local (shared JVM, java-only)
  • Any language can be used on the client application. The only requirement is that the language selected must support the communication protocol of the execution mode that is configured (i.e. if using REST as the execution mode, the language must be capable of making HTTP requests.) The server-side components are Java, but this places no restriction on the client applications themselves
  • There is no longer a hard dependency on [OWASP] ESAPI. AppSensor is a standalone project, though it can be integrated with projects that also use ESAPI if desired
  • The core components of the system have been renamed and now follow the AppSensor v2 book naming conventions, which is based on standard IDS terminology for clarity
  • Basic user correlation is supported so that client applications that share a user base (SSO) can share attack detection/response information.

John also created a special AppSensor microsite.

This is all free to use (see code licence). Begin using the new code with the getting started information.

Posted on: 30 January 2015 at 08:26 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

17 December 2014

Business Failure at the Speed of Software

This week we saw two events where the automated nature of processes lead to major business failures.

Partial extract from the RepricerExpress showing some of the liability clauses in its terms and conditions of service published at http://www.repricerexpress.com/terms-and-conditions/

On Friday, a number of Amazon retailers were affected by a pricing problem. Those that had chosen to subscribe to the third-party RepricerExpress service that automatically adjusts prices to match or better competitors, found their products were being sold for as little as 1 pence. Those organisations that despatched their own goods were able to spot the problem themselves, but those that used Amazon to stock and ship product, were affected more seriously because Amazon simply carried on regardless for some time.

The cause of the hour-long issue has been fixed. RepricerExpress's clients are outraged, and of course for some of them this could put them out of business. I am sure RepricerExpress will be reminding its clients what they agreed to in the RepricerExpress end user licence agreement (partial screenshot in the image above). Including for example that the maximum liability "shall be limited to a sum equal to the total Licence Fees paid to the Licensor in the period of 12 months considered retrospectively from the date the cause of action arose". So, how much would you pay for something that can reduce your product prices by almost 100%? £20-70 per month apparently seems to be the answer.

Express indeed.

Then on Monday, taxi-like company Uber, which had another PR disaster last month, managed to incense everyone by rapidly escalating its prices in Sydney as "demand increased" i.e. people attempted to leave the city during the dreadful cafe hostage event. Later reacting to pressure, Uber cancelled the change and offered some free services instead and a refund to those affected by its pricing.

These have a common factor of automated software making unmoderated changes to pricing that would clearly be perceived as unreasonable to a human. And doing it fast.

Superfast fail.

Automation is good — but enumerate all the possibilities, and implement limits, checks and alerts. And monitor these. And more importantly, check your contracts and who is liable for what. Then do a risk assessment and make sure someone senior reviews this and makes some decision about the risks. Can you survive the unexpected?

Posted on: 17 December 2014 at 17:23 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

12 December 2014

I'm in a Top 10 List!

I was pleasantly surprised to find my blog mentioned in someone else's top 10 list.

Partial screen capture of the Cooke & Mason '10 Top Cyber Security News & Resources Every Business Should Visit'

Cooke & Mason has published a 10 Top Cyber Security News & Resources Every Business Should Visit. I'm not sure if it's in order, but this blog is listed sixth on the page.

Perhaps I have mentioned "cyber" and "insurance" quite often, but those other references are big names and big hitters.

Posted on: 12 December 2014 at 08:50 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 December 2014

Some Other Security Games

If you're not into card and board games like Cornucopia security requirements or Snakes and Ladders risks and controls, why not try a couple of new online hacking games?

Screenshot from the Game of Hacks

Try these:

  • HACKvent 2014 is an online advent calendar with a difference. There are 24 challenges - one each day - which started on 1st December (sorry this is a bit late). All the challenges are available until 31st December, and additional points can be earned for writing up detailed solutions.
  • Game of Hacks tests your application hacking skills as an individual or against someone you know, with beginner, intermediate and advanced skill levels.

And back to the physical games, Adam Shostack, inventor of the Microsoft Elevation of Privilege threat modelling card game, edited the OWASP Cornucopia wiki page to add a link to a list of tabletop security games and related resources he maintains. I've ordered a couple of those for the break.

Good luck.

Posted on: 10 December 2014 at 18:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

09 December 2014

Application Security At Scale and At Speed

Contrast Security has published a new guide about their ideas about building application security into development processes that are reproducible and can be automated as much as possible.

The title page from Contrast Security's 'Continuous Application Security Handbook'

The authors call this continuous application security (CAS) and unlike traditional approaches, applies continuous real-time security verification. Their Continuous Application Security Handbook describes eight steps to implement CAS. I am interested in this approach, but particularly because it touches on some aspects of application-specific intrusion detection (see my favourite OWASP project AppSensor of which I am a co-project leader). The eight steps are summarised as:

  1. Instrument everything
  2. Make security visible
  3. Take control of security
  4. Implement strong defenses
  5. Know your enemy
  6. Hack yourself
  7. Expect failure
  8. Think security.

In the seventh step "expect failure", the handbooks says "[this] means that you are prepared for a successful attack, are monitoring for attacks, and have captured enough information to make a thoughtful response possible". This includes attack detection and incident response and explicitly recommends AppSensor-like behaviour "applications can and should detect their own attacks" and "attempts to detect application layer intrusions from the outside, typically in some kind of perimeter device, are doomed to failure". Bravo!

In contrast, the first step "instrument everything" describes a different type of application instrumentation. The handbook recommends "sensors run on a continuous basis, verifying both positive and negative security aspects of software" and "positive sensors model correct behavior of an application, whereas negative sensors model vulnerable behavior". In this regard, the process of instrumenting an application for CAS has some similarities with the considerations for adding detection points in AppSensor.

However, AppSensor detection points are designed to log malicious (user) behaviour in order to identify an attack, rather than either correct (development) behaviour or vulnerable (development) behaviour. CAS sounds orthogonal to AppSensor in that it assists the prevention of vulnerabilities, whereas AppSensor helps detect malicious intent before an attacker can identify any vulnerabilities present. And the CAS handbook says "the investment necessary to build and deploy many sensors is often minimal, similar to the effort required to perform a single penetration test for that issue" and "some complex security defenses may require more complex sensors" — rather like AppSensor detection points then too.

Please read the concise 26-page document and consider the ideas yourselves. Registration is required to download the document. See also the presentation AppSec at DevOps Speed and Portfolio Scale and Introducing Continuous Application Security by Jeff Williams at AppSec USA 2013 and 2014 respectively.

Posted on: 09 December 2014 at 07:53 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

05 December 2014

The Problems with Security Badges, Seals and Marks

A paper presented at this year's Association for Computing Machinery (ACM) Conference on Computer and Communications Security discusses why security-related third-party seals are poor indicators of site security, and how in some cases can actually assist attackers to compromise the web sites.

Partial view of the content in the paper 'Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals'

Problems with one of the privacy seal providers have been in the news recently, and the paper Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals assesses the effect on a web site's security by including a security seal from service providers Norton Secured, McAfee Secure, Trust-Guard, SecurityMetrics, WebsiteProtection (provided by GoDaddy), BeyondSecurity, Scan Verify, Qualys, HackerProof, and TinfoilSecurity.

The paper's authors Tom Van Goethem, Frank Piessens, Wouter Joosen and Nick Nikiforakis examined the guarantees offered by these schemes, and the realities. Their findings were:

  • There is a lack of thoroughness, meaning insecure websites being certified as secure
  • Malware hosted on a certified web site can trivially evade detection
  • Some attacks can be facilitated by the seal scheme
  • Phishing attacks can be aided by the use of seals
  • The seals can be used to help attackers find vulnerable web sites.

The message is to concentrate on building and operating secure web sites, rather than using a seal to create the illusion of security. Application security through the software development life cycle (SDLC).

Posted on: 05 December 2014 at 08:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

28 November 2014

Game On at OWASP Cambridge and London

Next week I will be attending two free United Kingdom OWASP events, and providing a full talk at one of them.

Part of the OWASP Snakes and Ladders game board

Cambridge

On Tuesday 2nd December, I will speak for the first time at OWASP Cambridge about OWASP Cornucopia, the ecommerce website security requirement card game. Jerome Smith will present a second talk about a SSL Checklist for Pentesters.

Also at the event in Cambridge I will briefly mention the somewhat less serious application security awareness board game OWASP Snakes and Ladders and will be handing out free copies to everyone attending, kindly paid for by the OWASP Cambridge chapter. We will have time after the presentations to play both Cornucopia and Snakes and Ladders. On the subject of Snakes and Ladders, this week volunteers Yongliang He, Cédric Messeguer, Riotaro Okada and Ivy Zhang have generously translated the game for web applications into Chinese, French and Japanese.

Please register in advance for the free event in Cambridge The meeting will be held in the Lord Ashcroft Building, Room LAB003; 17:00 for a prompt start at 17:30 hrs.

London

On Thursday 4th December, OWASP London is holding its final event of the year in Skype's offices at 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST, 18:00 for 18:30 hrs start. Christian Martorella will be talking about Offensive Open-Source Intelligence (OSINT) — the process, techniques and how attackers are using it to prepare their cyber attacks. Afterwards project leader Matteo Meucci will speak about the new OWASP Testing Guide v4.

Then, as in Cambridge, I will mention OWASP Snakes and Ladders, with printed copies available for everyone, but this time paid for by the London chapter.

Please remember to register for OWASP London on Thursday 4th December.

Elsewhere

There are numerous other UK OWASP chapters — join their mailing lists to be informed of future meetings.

Seeking a bigger application security event? In January OWASP London will be organising a cyber security week, and AppSec EU 2015 is being held in Amsterdam next May. The call for research, papers and trainers for the latter are now open.

Posted on: 28 November 2014 at 07:55 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

06 November 2014

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use, that is an awareness document for application security risks and controls.

OWASP Snakes and Ladders Mobile Apps

Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia by the 19th century. The original game showed the effects of good and evil, or virtues and vices. In this OWASP version, the virtuous behaviours (ladders) are secure coding practices and the vices (snakes) are application security risks. I have created two versions so far:

I created the game to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, I use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

OWASP Snakes and Ladders Web Applications

The game might be a useful transition from learning about the OWASP Top Ten Risks and before moving into the Top Ten Proactive Controls in a PCI DSS developer training session for example.

Snakes and Ladders Web Applications is available in German and Spanish, as well as in (British) English. Translations to Chinese, Dutch and Japanese are also in progress. The OWASP volunteers who are generously translating the text and performing proof reading are:

  • Manuel Lopez Arredondo
  • Tobias Gondrom
  • Martin Haslinger
  • Riotaro Okada
  • Ferdinand Vroom
  • Ivy Zhang

Print-ready PDFs have been published - these are poster sized A2 (international world-wide paper sizes). But the original files are Adobe Illustrator, so these are also available for anyone to use and improve upon. OWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence.

Just print out the sheet as large as you can make them. It is better to play using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

You can also follow two mock games on Twitter which upload a position image every hour:

Please enjoy and share.

Further information, and all the PDFs and source files, are available on the Snakes and Ladders project website. Please keep in touch by joining the project mailing list.

Posted on: 06 November 2014 at 08:31 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Threats : Application Security and Privacy
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Requested by 54.166.102.61 on Tuesday, 21 April 2015 at 10:49 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2008-2015 clerkendweller.uk