I have published an updated version of the OWASP AppSensor Guide, the guide to application-specific real time attack detection and response. The v2.0.2 AppSensor Guide is available free of charge digitally in DOC and PDF formats, and in print at cost from Lulu. This is a minor update that includes: Reference the extensive work on the reference code implementati
Gartner has published an updated "magic quadrant" report about Web Application Firewall (WAF) vendors. Sixteen vendor offerings are assessed. To be included, the product has to be actively marketed, use techniques designed for web security, and not just use attack signature-based approach found in other devices such as next-generation firewalls and
There is a growing wave of websites and other web applications that are now moving to be TLS-only (transport layer security only, aka SSL-only). Apart from the web site being browsed using "https", the server can also send a policy instruction in the form of a HTTP Strict Transport Security (HSTS) header. There are of course considerations for HSTS
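As an added illustration of the HSTS policy header mentioned above (this is example code written for this page, not code from the post or from OWASP), the following parses a Strict-Transport-Security value according to RFC 6797 and then reviews the resulting policy for the usual rollout pitfalls: a header delivered over plain HTTP (which user agents must ignore), a max-age shorter than a year, a missing includeSubDomains, and a preload directive whose companions do not meet the browser preload list's requirements. The header values fed to it are constructed for the example; the function names and the one-year threshold used for the "short max-age" finding are this example's own choices.

```python
"""Parse and review an HTTP Strict-Transport-Security header (RFC 6797).

Example code for this page, not part of the original post. Header values
below are constructed for illustration.
"""

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds


def parse_hsts(header_value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool}.

    Directive names are case-insensitive and unknown directives are ignored
    (RFC 6797 s6.1). A conforming user agent rejects the whole header when
    max-age is absent or malformed, or when a directive is repeated, so those
    cases raise ValueError here instead of silently producing a policy.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            raise ValueError("directive repeated: %s" % name)
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # anything else is an unknown directive and is ignored
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def is_valid_hsts(header_value):
    """True if a user agent would accept and act on this header value."""
    try:
        parse_hsts(header_value)
        return True
    except ValueError:
        return False


def review_hsts(policy, sent_over_https=True):
    """Return a list of findings (empty list means nothing to flag).

    sent_over_https: whether the response carrying the header used TLS. A
    header on a plain-HTTP response is ignored by browsers (RFC 6797 s8.1).
    """
    findings = []
    if not sent_over_https:
        findings.append("header sent over plain HTTP: user agents ignore it")
    if policy["max_age"] == 0:
        findings.append("max-age=0: this removes the host from the UA's HSTS store")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: policy expires quickly if a "
                        "user does not revisit (fine for a first rollout only)")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains, and cookies "
                        "scoped to the parent domain, stay reachable over HTTP")
    if policy["preload"] and (policy["max_age"] < ONE_YEAR
                              or not policy["include_subdomains"]):
        findings.append("preload set, but the browser preload list requires "
                        "max-age of at least one year and includeSubDomains")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a first-rollout value and a final value.
    for value in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        policy = parse_hsts(value)
        print(value, "->", policy)
        for finding in review_hsts(policy):
            print("   ", finding)
```

A practical rollout starts with a small max-age so that a mistake (for example an HTTP-only subdomain that includeSubDomains would break) can be undone before browsers have cached a long-lived policy, then raises it once the site is known to be fully TLS-only.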
Following the release of PCI DSS v3.0 in November 2013, both the PCI SSC and Visa Europe sought to clarify the validation and reporting requirements for the e-commerce payment channel. The guidance from the PCI SSC (May 2014) and guidance from Visa Europe (July 2014) made it clear that either a full redirect or iframe method containing a hosted payment page (
Last Tuesday John Melton completed and announced the release of the AppSensor version 2.1.0 reference implementation. OWASP AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement application intrusion detection and automated response. The reference implementation allows developers to use these powerful
The UK's Financial Conduct Authority (FCA) has published updated guidance on reducing the risk of financial crime. Financial Crime: A Guide for Firms Part 1: A Firm's Guide to Preventing Financial Crime provides information to regulated firms on how to avoid financial crime. But many of the topics and guidance will be of use to a wider audience. The document
The SANS Institute has published this year's survey results about application security programmes. In a change to last year's report the authors of 2015 State of Application Security: Closing the Gap have identified and broken down their analysis and reporting into two groups of survey respondents - builders and defenders. Jim Bird, Eric Johnson and Frank Kim a
AppSec EU 2015 begins in two weeks. It is being held in Amsterdam at the Amsterdam RAI exhibition and conference centre. With the news yesterday that the number of conference attendee bookings has surpassed 400, together with the training, capture the flag competition, university challenge, application security hackathon, computer gaming, networking and organ
Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities. The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developer
The Verizon annual Data Breach Investigations Report was published last week. The Data Breach Investigations Report (DBIR) summarises findings from the collection and analysis of almost 80,000 security incidents relating to over 2,000 confirmed data breaches, sourced from 70 contributing organisations. A breakdown by industry sector is provided. The 2015 DBIR
The European Union Agency for Network and Information Security (ENISA) has published guidance on what nations should take into account when evaluating the security compliance of public communications network and service providers. The requirements relate to Article 13a of the Framework Directive (2009/140/EC) and Article 4 of the e-Privacy Directive (2002/58/
The Financial Fraud Action UK (FFA UK) has published its latest figures about financial fraud in the UK. e-commerce card fraud losses increased from £190.1m in 2013 to £217.4m in 2014 — a 14 per cent rise. In a news release published at the end of March, the FFA UK states the increase is primarily due to a change in tactic by fraudsters who are deceiving custom
The Payment Card Industry (PCI) Security Standards Council (PCI SSC) has published another information supplement for PCI Data Security Standard (PCI DSS), this time on penetration testing. It would appear there has been a large variability in penetration tests being undertaken for PCI DSS. Information Supplement: Penetration Testing Guidance, v1 March 2015,
The Open Web Application Security Project (OWASP) is supporting a project summit during the two days prior to the main AppSec EU conference. A project summit on Tuesday 19th and Wednesday 20th May has been announced and information published on the AppSec EU 2015 web site. The concept of the summit is to work on improving and extending project outputs with ot
The UK's Financial Conduct Authority (FCA) is becoming more proactive in the online application space. Following last year's consultation on use of social media, the FCA has completed its review and has now confirmed its approach for financial promotions in social media. The finalised guidance has been published as FG15/4 - Social Media and Customer Communicat