
Tag: Gotham

Lego Batman Movie review: Na-na-na-na-na-na-na-na-no thanks (for grown-ups)

Batman gets much-needed shot in arm, but Lego Movie is hard shadow to stand near.

Crest welcomes Barclays CES certification

Not-for-profit technical information security industry certification body Crest has welcomed the first certification of a major organisation under the government’s Cyber Essentials Scheme (CES).

Barclays achieved certification for its digital banking service under the guidance and certification scheme, which was launched in June to ensure UK businesses get the basics of cyber security right and to give them a competitive advantage. Barclays was awarded Cyber Essentials certification after an assessment by Gotham Digital Science (GDS), which is accredited by Crest to carry out CES assessments.

To demonstrate basic cyber hygiene and achieve certification, Barclays digital banking had to complete a Cyber Essentials self-assessment questionnaire. GDS validated the answers and also carried out an external perimeter vulnerability scan, an additional requirement for Cyber Essentials certification.

“For Barclays the process was straightforward because of the existing security processes it already had in place, along with ISO 27001 certification of the digital banking business,” said Justin Clarke, managing director of GDS. “The certification gives Barclays an opportunity to showcase its leadership in digital banking, and reinforces the importance the bank places on protecting customer assets and data.”

Barclays is now working with GDS towards the second level of certification, Cyber Essentials Plus. The first level offers a basic level of assurance; the second offers a higher level of assurance through external testing of the organisation’s cyber security approach.

“The CES is unique because it has been developed as a collaboration between the UK government and the very best cyber security professionals in the UK,” said Ian Glover, president of Crest. “These professionals utilised their years of experience and invested their own time to extract the security standards that should be applied to all businesses, regardless of size.”

Glover believes it is important that large consumer-facing organisations like Barclays embrace the scheme.

The CES is part of the UK’s National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate cyber risks. Systems within its scope include internet-connected devices such as desktop PCs, laptops, tablets and smartphones, and internet-connected systems including email, web and application servers.

According to the government, organisations that attain Cyber Essentials certification lower their risk of serious data and financial loss, and by displaying the Cyber Essentials badge they demonstrate to customers that they have taken steps to be fundamentally cyber safe. The UK government plans to implement the CES throughout the public sector and, in the longer term, to embed it in procurement processes wherever possible.

Growing call for anonymity online, says Cambridge researcher

While it is extremely difficult to be completely anonymous on the internet, new technology is making it possible to protect users' privacy far better, says a Cambridge researcher.

“The current default on the internet is no privacy, which makes it easy to track everyone all the time,” said Steven Murdoch, a Royal Society research fellow in the Cambridge University computer lab. “But there is a growing community of users, from the military and law enforcement officers to journalists, human rights workers and political activists, which is turning to anonymous internet communication for good reasons,” he said.

Murdoch pointed out that strong internet privacy is also crucial to applications such as electronic voting and online healthcare.

The most widely used open system for anonymity on the internet is Tor, originally developed at the US Naval Research Laboratory to protect government communications. Tor routes traffic through a chain of relays selected from the volunteer-operated Tor network, with a separate layer of encryption for each relay, so that no single relay learns both where the traffic is coming from and where it is going. Tor users are also recommended to use the project's customised browser, based on Firefox, which reduces tracing based on web browser characteristics (browser fingerprinting).

“In recent years, there have been dramatic changes in how anonymous communication systems have been built and how they have been used,” said Murdoch. “This includes the web taking over from email as the major means of communications and users of anonymous communication systems prioritising censorship-resistance over privacy.”

According to Murdoch, commercial and political realities are also affecting how projects such as Tor are run and how their software is designed. He believes anonymous communication systems will have to adapt to changing circumstances and try to prevent malicious use of internet anonymity tools.

“Law enforcement agencies already have a wide range of tools to detect and prevent internet crime and the vast majority of these will still work when anonymous communication tools are used,” he said.

Murdoch will speak on the topic of anonymous communications at AppSec Europe at Anglia Ruskin University, Cambridge, on 23-26 June. The conference is organised by the Open Web Application Security Project (Owasp) Foundation, an open-source organisation with over 45,000 corporate, educational and individual participants. Owasp is a not-for-profit group that helps organisations develop, purchase and maintain software applications that can be trusted. The group runs annual AppSec conferences in North America, Latin America, Europe and Asia Pacific.

Justin Clarke, Owasp London Chapter leader and director at Gotham Digital Science, said: “The AppSec conferences have become the focus for the industry to hear from the world’s leading experts, harness expert knowledge and stay abreast of the latest technology developments.”

Some of the presentations will discuss the vulnerabilities highlighted in Owasp's recently compiled Top 10 list of the most critical web application security risks. These include SQL injection, used by hackers to target Vodafone Iceland; cross-site scripting (XSS), which left Microsoft Office 365 open to attack; open redirects, which present issues for Facebook; and insecure direct object references, which saw Yahoo's servers open to root access.
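The article describes Tor as a chain of relays that disguises where traffic comes from and goes to. The following walkthrough is an added example, not code from the article, from Murdoch or from the Tor Project: a toy onion-routing circuit in which the client wraps a request in one encryption layer per relay, and each relay can strip only its own layer. The stream cipher (SHA-256 in counter mode), the pre-shared per-relay keys and the relay names are assumptions for the demonstration; real Tor uses AES-CTR under keys negotiated with each hop while the circuit is built, handles return traffic, and pads cells to a fixed size, none of which is modelled here.

```python
import hashlib
import os

# Toy stream cipher: SHA-256 in counter mode, XORed over the message. It is NOT a
# real cipher and not what Tor uses; it exists only to make the layering visible.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_onion(path, keys, destination, payload):
    """Wrap `payload` in one encryption layer per relay, exit relay innermost.

    Once a relay decrypts its layer it reads `<next hop>\\x00<inner blob>`, so
    it learns only who handed it the cell and who to forward it to. `keys` maps
    relay name -> symmetric key (assumed pre-shared for this toy; Tor derives
    them with a per-hop handshake as the circuit is extended).
    """
    blob = _encrypt(keys[path[-1]], destination.encode() + b"\x00" + payload)
    for i in range(len(path) - 2, -1, -1):
        blob = _encrypt(keys[path[i]], path[i + 1].encode() + b"\x00" + blob)
    return blob


def relay_peel(relay_key, blob):
    """What one relay does: strip its own layer, read the next hop, forward."""
    next_hop, inner = _decrypt(relay_key, blob).split(b"\x00", 1)
    return next_hop.decode(), inner


def run_circuit(path, keys, client, destination, payload):
    """Push a cell through the circuit and record each relay's view of the endpoints."""
    blob = build_onion(path, keys, destination, payload)
    view = {}
    prev = client
    for name in path:
        next_hop, blob = relay_peel(keys[name], blob)
        view[name] = (prev, next_hop)  # all this relay learns about the endpoints
        prev = name
    return view, blob  # after the exit relay, `blob` is the payload for the destination


def relays_linking_endpoints(view, client, destination):
    """Names of relays that see both the client and the destination (ideally none)."""
    return [n for n, (p, nxt) in view.items() if p == client and nxt == destination]


def demo():
    path = ["guard", "middle", "exit"]                 # assumed relay names
    keys = {name: os.urandom(32) for name in path}
    payload = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed request
    view, delivered = run_circuit(path, keys, "client", "example.org:80", payload)
    return view, delivered, payload
```

Two things the walkthrough makes concrete: with three hops, the guard sees the client but only the next relay, the exit sees the destination but only the previous relay, and `relays_linking_endpoints` returns nothing; with a single hop (an ordinary proxy) that one relay links both endpoints. The exit relay also receives the payload in the clear, which is why traffic to the destination still needs TLS.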

Boards need to get behind application security, says Owasp

Chief information security officers (CISOs) are more concerned about web application security than in the past, but this area of security is still immature, says the Open Web Application Security Project (Owasp).

“Application security as a concept has been around for little over 10 years and still has a long way to go,” said Justin Clarke, Owasp London Chapter leader and director at Gotham Digital Science. “CISOs are becoming more aware, and Owasp is focusing on providing guidance for them, but application security still needs to be understood and tackled at the board level,” he told Computer Weekly.

While network security is well understood and well funded, information security professionals struggle to make a business case for web application security because it is difficult to quantify the risk. However, Owasp and a growing number of security industry specialists recognise that web application exploits are relatively easy with readily available tools, making them a popular entry point for attackers.

Owasp is a non-profit, volunteer organisation that was set up in 2001 to help make web applications secure by educating users, developers, governments and business leaders. “Our mission is to make as many people as possible aware that there are tools and techniques businesses can use to ensure they avoid common security pitfalls in web applications,” said Clarke.

Security must race to keep up with technology advances

However, despite Owasp’s efforts, web application security remains a challenge in many organisations for several reasons. “The main problem is the fact that technology is moving so fast that most developers and organisations struggle to keep up,” said Clarke. “Since 2001, the web application market has grown exponentially and the security challenges have been further increased with the move to mobile platforms and the advent of the cloud,” he said.

Clarke said an increasing number of web applications need to be able to accept HTML5 or rich content, and doing that securely is “really difficult”, which is why even large organisations struggle to get it right. Added to that is the constant commercial pressure to be first to market with new types of web-based products and services. Consequently, key performance indicators tend to be based on speed of innovation, with little or no incentive linked to data security.

“Most organisations have also abandoned traditional waterfall models of software development for agile approaches, but this makes involving security teams much more difficult,” said Clarke. While the largest organisations typically have enough security experts to draw upon, smaller organisations struggle to get the required expertise into their agile development teams.

“If bridges were built the way a lot of software is built, an awful lot of them would fall down,” said Clarke. “This is often because IT systems evolve over time and end up being made up of half a dozen things cobbled together as requirements change and functionality is added,” he said.

Although Owasp is aimed at educating developers on web application security, Clarke believes one way forward is application development frameworks that prevent developers from creating insecure code. Ideally, he said, frameworks should take care of the difficult things so that developers are not tempted to take the easier, faster route to get things done, which is often also the riskier way of doing things.

“Already, there are a few islands of progress where organisations or communities have standardised on custom-built or open source platforms like Microsoft’s LINQ to SQL and Hibernate,” said Clarke. Such platforms make it difficult to write code that is vulnerable to SQL injection or cross-site scripting (XSS), both of which feature in Owasp’s Top 10 most critical web application security risks. “The problem is that use of such frameworks is in isolated pockets and there is no central way of pushing them out or driving adoption,” said Clarke.

Share information across teams

Owasp believes another way of tackling the problem is to ensure that security practitioners and developers learn to communicate with each other more regularly. “Owasp’s AppSec conferences are the only ones that engage both security professionals and those who build software, and are aimed at getting together those who should be talking to each other,” said Clarke.

In 2014, AppSec Europe is to be held in the UK for the first time in seven years and is scheduled to take place at Anglia Ruskin University, Cambridge, from 23-26 June. Speakers include Steven Murdoch of the University of Cambridge Computer Laboratory, Wendy Seltzer of the World Wide Web Consortium and Lorenzo Cavallaro of Royal Holloway, University of London.

“Like the government’s recently launched Cyber Essentials Scheme, the Owasp Top 10 document is aimed at encouraging organisations to take the first step,” said Clarke. “Those organisations that are getting their arms around this issue are managing and reducing the risk, but my main concern is about those who have yet to take the first step,” he said.
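Clarke's point above is that frameworks such as LINQ to SQL and Hibernate make SQL injection and XSS hard to write, and the earlier article lists both among the Owasp Top 10 risks. The example below is added here and is not code from the article or from either framework: it puts the vulnerable pattern (SQL built by string concatenation, untrusted input reflected into HTML) beside the pattern those frameworks give developers by default (placeholder binding, output encoding), using Python's sqlite3 and html modules so it runs offline. The in-memory `users` table, its rows and the attack strings are constructed for the demonstration. The caveat a practitioner should keep in mind is that an ORM only protects queries that go through its binding API; concatenating user input into a raw HQL or SQL string inside Hibernate or LINQ is exactly as injectable as the vulnerable function here.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by concatenation, so the attacker's input becomes
    part of the SQL grammar instead of a value. Kept deliberately vulnerable."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Placeholder binding: statement text and value travel separately, so the
    input can never change the query's structure. This is what ORM query APIs
    do for you for ordinary queries."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(display_name):
    """Reflects untrusted input straight into HTML: the XSS pattern."""
    return "<p>Hello " + display_name + "</p>"


def render_escaped(display_name):
    """HTML-encodes the value for an element-body context. Attribute, URL and
    JavaScript contexts each need their own encoding, which is why a template
    engine that escapes by default is the framework-level fix."""
    return "<p>Hello " + html.escape(display_name, quote=True) + "</p>"


# Constructed attack inputs.
TAUTOLOGY = "' OR '1'='1"                                        # bypasses the WHERE filter
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"  # reads another column
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both lookups against both attack inputs and return the results."""
    conn = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "safe_tautology": lookup_parameterised(conn, TAUTOLOGY),
        "vuln_union": set(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_union": lookup_parameterised(conn, UNION_DUMP),
        "vuln_html": render_vulnerable(XSS_PAYLOAD),
        "safe_html": render_escaped(XSS_PAYLOAD),
    }
```

Against the tautology input the concatenated query returns every user, and against the UNION input it returns the password hashes, while the parameterised query returns no rows for either, because it is looking for a user whose name literally is the attack string. The same split holds for the HTML: the escaped version renders the payload as visible text rather than as a script tag.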