HackDig : Dig high-quality web security articles

HTTP Strict Transport Security (HSTS) Preload Lists

There is a growing wave of websites and other web applications that are now moving to be TLS-only (transport layer security only, aka SSL-only). Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of an HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS
Publish At:2015-07-07 17:20 | Read:5009 | Comments:0 | Tags:administrative SSL preventative technical operation policies

Opinion on Data Protection in Mobile Health

The European Data Protection Supervisor (EDPS), responsible for protecting personal data and privacy and promoting good practice in the EU institutions and bodies, has published an opinion on Mobile Health. Opinion 1/2015 Mobile Health (mHealth) discusses the opportunities and potential benefits of the convergence of IT and the health sector, especially the u
Publish At:2015-06-02 19:55 | Read:4239 | Comments:0 | Tags:legislation administrative design technical privacy specific

FCA Guidance on Financial Crime

The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime. Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document
Publish At:2015-05-28 05:05 | Read:5139 | Comments:0 | Tags:requirements legislation physical administrative preventativ

Summary of Last Year's ICO Enforcement Action

PwC UK has published a summary of enforcement actions taken by the Information Commissioner's Office (ICO) in 2014. The Privacy and Security Enforcement Tracker 2014 summarises and comments on information originally published by the ICO on its web site concerning actions it has taken against organisations. This includes enforcement notices, monetary penalty n
Publish At:2015-04-28 06:00 | Read:5260 | Comments:0 | Tags:administrative privacy corrective identity data protection t

Data Breach Investigations Report 2015

The Verizon annual Data Breach Investigations Report was published last week. The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations. A breakdown by industry sector is provided. The 2015 DBIR
Publish At:2015-04-21 10:35 | Read:5312 | Comments:0 | Tags:vulnerabilities administrative incidents threats operation t

London Insurance Markets and Cyber Risk Insurance

The UK government has published a report on the role of insurance markets in managing and mitigating cyber risk. UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk describes how insurance can be another mechanism for cyber risk reduction, encouraging steps to reduce risk through reduced premiums, and providing insight from claims an
Publish At:2015-04-17 08:35 | Read:5244 | Comments:0 | Tags:administrative technical corrective physical insurance

International Personal Data Transfers within AWS

The European Commission's Article 29 Working Party (Art. 29 WP) and lead authority the Luxembourg National Commission for Data Protection (Commission Nationale pour la Protection des Données – CNPD) have announced the decision from their review of Amazon Web Services in relation to the international transfer of personal data. The letter states that the lead autho
Publish At:2015-04-04 15:40 | Read:5518 | Comments:0 | Tags:administrative privacy data protection technical physical le

Financial Conduct Authority Update March 2015

The UK's Financial Conduct Authority (FCA) is becoming more proactive in the online application space. Following last year's consultation on use of social media, the FCA has completed its review and has now confirmed its approach for financial promotions in social media. The finalised guidance has been published as FG15/4 - Social Media and Customer Communicat
Publish At:2015-03-27 15:25 | Read:5941 | Comments:0 | Tags:administrative information assurance technical threats opera

Web Site Oops Roundup

Some news stories about web site security incidents caught my eye in the last week. These events outline some disappointing behaviour: The Association of Chief Police Officers (ACPO) say a contractor's error led to the existence of an insecure (HTTP) connection on its website where sensitive personal data was submitted; the ICO was notified. Intuit, the makers o
Publish At:2015-03-10 06:50 | Read:11501 | Comments:0 | Tags:administrative authentication SSL cryptography operation ide

Introduction to AppSensor for Developers

Following the recent v2.0 code release and promotion to flagship status there has been increased interest in the OWASP AppSensor Project concerning application-specific real-time attack detection and response. During the OWASP podcast interview with project co-leader John Melton, the idea of creating briefings for target groups was discussed by podcast host M
Publish At:2015-03-06 06:40 | Read:6369 | Comments:0 | Tags:corrective administrative specification technical threats op

User Interface Modifications to Combat Buyer Fraud

A paper published for the 2015 Network and Distributed System Security (NDSS) Symposium in February describes user interface modification techniques to address liar buyer fraud, and the results of experiments assessing the potential for these to reduce ecommerce fraud losses. In Liar Buyer Fraud, and How to Curb It, authors Markus Jakobsson, Hossein Siadati and M
Publish At:2015-03-03 14:50 | Read:4575 | Comments:0 | Tags:defense administrative preventative threats operation awaren

Two Factor Authentication for Many UK Domain Registrants

UK domain registry Nominet is offering increased identity authentication measures for access to its online services. Nominet has enabled optional two-factor authentication (2FA) for online login. Some organisations have had their web site availability affected by compromise of the domain name, rather than the application or host systems. If your company owns
Publish At:2015-02-21 02:50 | Read:4360 | Comments:0 | Tags:domains administrative technical operation authentication

AppSensor Now A Flagship OWASP Project

I was extremely pleased at the release of the v2 AppSensor reference implementation in January. Now I am excited that the Open Web Application Security Project (OWASP) has elevated the project's status. The completely voluntary OWASP project task force, led by Johanna Curiel, has been working through a backlog of project reviews. Over the last couple of years
Publish At:2015-02-17 04:00 | Read:5442 | Comments:0 | Tags:technical administrative preventative incidents threats oper

NIST SP 800-163 Vetting the Security of Mobile Applications

In the last of my run of three mobile app related posts, US standards body National Institute of Standards and Technology (NIST) has released Special Publication (SP) 800-163 Vetting the Security of Mobile Applications. SP 800-163 is for organisations that plan to implement a mobile app vetting process or consume app vetting results from other parties. It is
Publish At:2015-02-10 14:40 | Read:4993 | Comments:0 | Tags:corrective administrative preventative technical threats SDL

CMA Consultations on Consumer Data

The UK Competition and Markets Authority (CMA) has two current related consultations. Data Sharing and Open Data in Banking: Following the publication of the report Data Sharing and Open Data for Banks in December 2014 which examined how financial technology firms can make better use of bank data on behalf of customers through application programming interfaces
Publish At:2015-02-02 20:10 | Read:4224 | Comments:0 | Tags:administrative technical threats requirements data protectio
