[Owasp-ireland] Mandatory data breach reporting
rdarby at certificationeurope.com
Sun Mar 1 06:23:52 EST 2009
"Should we lobby our TD's for California style disclosure laws?"
As a lurker on this list, may I make my first response in answer to this question. I strongly believe that the time is now right for Ireland to be the first EU country to move in this area. A working group has been set up to look at the legal issues of mandatory data reporting - submissions may be made to dataprotectionreview at justice.ie by the beginning of March 2009.
Sadly, no members of the information security community appear to have been included on this list. I'm not sure if the deadline for submissions is 1st March, but I would naturally encourage any submissions, however brief, from this group. The process of consultation seems to be quite weak; I would have expected a draft paper to be produced and submissions sought on the content of the paper and the wider implications. Perhaps that will be done, but in the interim there is this window of opportunity to make the community's voice heard.
(State-accredited certification body for the ISO 27001 standard)
Date: Sat, 28 Feb 2009 09:37:20 +0000
From: Conor Mc Goveran <conor.mcgoveran at onformonics.com>
Subject: Re: [Owasp-ireland] "More Than 500K Websites Hit By New Form
Of SQL Injection In '08"
To: owasp-ireland at lists.owasp.org
Actually it wasn't the report itself I was commenting on, rather the on darkreading which was referencing the report. So apologies if it was diminishing the report itself. The fact that the article didn't the source and scope of the data leads you to believe that these are statistics which are compiled from a large data pool.
The choice on which areas to concentrate current attention within web application security is a valuable one. The OWASP top ten list for is a good effort in this direction. What would make this approach all more valuable would be good quality statistics on a wide data pool that would help us all understand the nature of the threat environment and therefore help us to defend our applications.
I thought that perhaps OWASP as an organisation could consider becoming advocate/lobby group to governments and the EU for mandatory reporting national data commissioners. These data commissioners could anonymously compile the statistics and publish them at national or EU level. If this data was available on this scale I think it would greatly help improve overall level of threat knowledge. Just my two bits though (1,0).
2009/2/27 Eoin <eoin.keary at owasp.org>
> Point taken, one thing to remember is that Offer (CTO at breach) also
> organises the WSAC incident database.
> I believe much of the data in the breach report is from the WSAC (Web
> application security consortium) database and not procured by breach
> Many of the incidents are submitted by individuals.
> Breach have also been big supporters of OWASP but as you say such a
> does have some commercial aspect.
> 2009/2/26 Conor Mc Goveran <conor.mcgoveran at onformonics.com>
>> I suppose, not to do things in the singular, I will make my second post
>> the list within an hour or so of my first. Here again as a community
>> here I am talking about the global OWASP community) we have an
>> to be volunteers and use our energies in a positive way. This report
>> report on a report from a commercial vendor (Breach) who collates
>> information from 'publicly reported' breaches. So we are talking
>> about 80% of the 1% of reported breaches that Breach classify as
>> some form of SQL Injection, XSS or hybrid attack, maybe, perhaps,
>> ....... This is lazy journalism at best.
>> To better inform our training, education, techniques and methods of
>> we need REAL information based on REAL attacks and REAL incidents.
>> we begin to collate this information? I remeber that both SANS and
>> Focus (in conjuction with DShield) made brave efforts to collate
>> and firewall logs. Not a great strategy. We recieved information on
>> and trends which was useful for tuning IDS patterns to drop false
>> but not a lot beyond that.
>> What is the solution? I have some ideas, but as a community we need to
>> decide together. So I am throwing this bone out there. What is the
>> to capture, identify and report on statistical levels of attacks and
>> breaches so that we a community of web developers can produce secure
>> applications now and in the future? Who should collect this
>> Should we lobby our TD's for California style disclosure laws? Should
>> collate the information privately as a community? Now that the OWASP
>> asking us the community for subscriptions should we demand quality
>> timely information ...
>> 2009/2/26 Eoin <eoin.keary at owasp.org>
>> Document can be found here:
>>> 2009/2/26 davidrook <david.rook at realexpayments.com>