[Owasp-ireland] Mandatory data breach reporting

Richard Darby rdarby at certificationeurope.com
Sun Mar 1 06:23:52 EST 2009


"Should we lobby our TDs for California-style disclosure laws?"

As a lurker on this list, could I make my first response in answer to
this question? I strongly believe that the time is now right for Ireland
to be the first EU country to move in this area. A working group has been
set up to look at the legal issues of mandatory data reporting:
http://www.justice.ie/en/JELR/Pages/WP09000015

Submissions may be made to dataprotectionreview at justice.ie by the
beginning of March 2009.

Sadly, no members of the information security community appear to have
been included on this list. I'm not sure if the deadline for submissions
is 1st March, but I would naturally encourage any submissions, however
brief, from this group. The process of consultation seems to be quite
weak; I would have expected a draft paper to be produced and submissions
sought on the content of the paper and the wider implications. Perhaps
that will be done, but in the interim, there is this window of
opportunity to make the community's voice heard.

Richard Darby
Certification Europe
(State-accredited certification body for the ISO 27001 standard)

-----Original Message-----
From: owasp-ireland-bounces at lists.owasp.org
[mailto:owasp-ireland-bounces at lists.owasp.org] On Behalf Of
owasp-ireland-request at lists.owasp.org
Sent: 28 February 2009 17:00
To: owasp-ireland at lists.owasp.org
Subject: Owasp-ireland Digest, Vol 27, Issue 12

Send Owasp-ireland mailing list submissions to
	owasp-ireland at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.owasp.org/mailman/listinfo/owasp-ireland
or, via email, send a message with subject or body 'help' to
	owasp-ireland-request at lists.owasp.org

You can reach the person managing the list at
	owasp-ireland-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-ireland digest..."


Today's Topics:

   1. Re: "More Than 500K Websites Hit By New Form Of SQL Injection
      In '08" (Conor Mc Goveran)


----------------------------------------------------------------------

Message: 1
Date: Sat, 28 Feb 2009 09:37:20 +0000
From: Conor Mc Goveran <conor.mcgoveran at onformonics.com>
Subject: Re: [Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL Injection In '08"
To: owasp-ireland at lists.owasp.org
Message-ID: <a31048f30902280137n53e3ee07p54a3a4158caada76 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Actually it wasn't the report itself I was commenting on, rather the
article on darkreading which was referencing the report. So apologies if
it seemed I was diminishing the report itself. The fact that the article
didn't qualify the source and scope of the data leads you to believe that
these are statistics which are compiled from a large data pool.

The choice on which areas to concentrate current attention within web
application security is a valuable one. The OWASP top ten list, for
example, is a good effort in this direction. What would make this
approach all the more valuable would be good quality statistics on a wide
data pool that would help us all understand the nature of the threat
environment and therefore help us to defend our applications.

I thought that perhaps OWASP as an organisation could consider becoming
an advocate/lobby group to governments and the EU for mandatory reporting
to national data commissioners. These data commissioners could
anonymously compile the statistics and publish them at national or EU
level. If this data was available on this scale I think it would greatly
help improve the overall level of threat knowledge. Just my two bits
though (1,0).

Regards,
 Conor.

2009/2/27 Eoin <eoin.keary at owasp.org>

> hi,
>
> Point taken, one thing to remember is that Offer (CTO at breach) also
> organises the WSAC incident database.
> http://www.webappsec.org/projects/whid/
>
> I believe much of the data in the breach report is from the WSAC (Web
> application security consortium) database and not procured by breach
> themselves.
> Many of the incidents are submitted by individuals.
> Breach have also been big supporters of OWASP but as you say such a
> report does have some commercial aspect.
>
> ek
>
>
>
> 2009/2/26 Conor Mc Goveran <conor.mcgoveran at onformonics.com>
>
>> I suppose, not to do things in the singular, I will make my second post
>> to the list within an hour or so of my first. Here again as a community
>> (and here I am talking about the global OWASP community) we have an
>> opportunity to be volunteers and use our energies in a positive way.
>> This report is a report on a report from a commercial vendor (Breach)
>> who collates incident information from 'publicly reported' breaches. So
>> we are talking here about 80% of the 1% of reported breaches that Breach
>> classify as based on some form of SQL Injection, XSS or hybrid attack,
>> maybe, perhaps, kind of ....... This is lazy journalism at best.
>>
>> To better inform our training, education, techniques and methods of
>> design we need REAL information based on REAL attacks and REAL
>> incidents. How can we begin to collate this information? I remember
>> that both SANS and Security Focus (in conjunction with DShield) made
>> brave efforts to collate global IDS and firewall logs. Not a great
>> strategy. We received information on patterns and trends which was
>> useful for tuning IDS patterns to drop false positives but not a lot
>> beyond that.
>>
>> What is the solution? I have some ideas, but as a community we need to
>> decide together. So I am throwing this bone out there. What is the
>> right way to capture, identify and report on statistical levels of
>> attacks and breaches so that we, a community of web developers, can
>> produce secure web applications now and in the future? Who should
>> collect this information? Should we lobby our TDs for California-style
>> disclosure laws? Should we collate the information privately as a
>> community? Now that OWASP is asking us, the community, for
>> subscriptions should we demand quality and timely information ...
>>
>> Conor.
>>
>>
>> 2009/2/26 Eoin <eoin.keary at owasp.org>
>>
>>> Document can be found here:
>>>
>>> http://www.breach.com/resources/whitepapers/downloads/WP_WebHackingIncidents_2008.pdf
>>>
>>> 2009/2/26 davidrook <david.rook at realexpayments.com>
>>>
>>>
>>>> http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=O050UZ0A2SBO0QSNDLOSKH0CJUNN2JVN?articleID=214600046
>>>>
>>>> --
>>>> David Rook
>>>> Security Analyst
>>>> Realex Payments
>>>> Enabling thousands of businesses to sell online.
>>>>
>>>> Realex Payments Dublin:
>>>> Castlecourt, Monkstown Farm, Monkstown, Co Dublin. Ireland
>>>> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | www.realexpayments.com
>>>>
>>>> Realex Payments London:
>>>> 1 Lyric Square, Hammersmith, London W6 0NB, United Kingdom.
>>>> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  |
>>>> www.realexpayments.co.uk
>>>>
>>>> Realex Payments Paris:
>>>> 27 avenue de l'Opéra, 75001 Paris. France.
>>>> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>>>>
>>>> Visit our other Realex Payments websites:
>>>> www.airlinepayments.com
>>>> www.sepa.ie
>>>>
>>>> Pay and Shop Limited, trading as Realex Payments has its registered
>>>> office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland
>>>> and is registered in Ireland, company number 324929.
>>>> This mail and any documents attached are classified as confidential
>>>> and are intended for use by the addressee(s) only unless otherwise
>>>> indicated. If you are not an intended recipient of this email, you
>>>> must not use, disclose, copy, distribute or retain this message or any
>>>> part of it. If you have received this email in error, please notify
>>>> us immediately and delete all copies of this email from your computer
>>>> system(s).
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-ireland mailing list
>>>> Owasp-ireland at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>>>
>>>
>>>
>>>
>>> --
>>> Eoin Keary CISSP CISA
>>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>>
>>> OWASP Code Review Guide Lead Author
>>> OWASP Ireland Chapter Lead
>>> OWASP Global Committee Member (Industry)
>>>
>>> Quis custodiet ipsos custodes
>>>
>>>
>>>
>>
>>
>> --
>> Conor Mc Goveran,
>> Managing Director,
>> Onformonics Ltd.
>>
>> Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
>> Company Reg: 45503
>> VAT: 9682767B
>>
>> Ph:        +353-14407576
>> Mobile:  +353-872038598
>>
>>
>>
>
>
>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-ireland/attachments/20090228/eed1eccb/attachment-0001.html

------------------------------



End of Owasp-ireland Digest, Vol 27, Issue 12
*********************************************

