Tag Archives: Education

New report from WhiteHat Security reinforces that organisations must focus on risk

WhiteHat Security has issued its eleventh annual Web Applications Security Statistics Report. Compiled using data collected from tens of thousands of websites, the report reveals that the majority of web applications exhibit, on average, two or more serious vulnerabilities per application for every industry at any given point in time.

The Report’s findings are based on the aggregated vulnerability scanning and remediation data from web applications that use the WhiteHat Sentinel service for application security testing. The research shows that no industry has mastered application security. Of the 12 industries analysed, the IT, education and retail industries suffer the highest number of critical or high-risk vulnerabilities per web application (at 17, 15 and 13 respectively).

The findings also highlight that the IT and retail industries struggle to remediate in a timely manner. It takes approximately 250 days for IT and 205 days for retail businesses to fix their software vulnerabilities.

According to the ‘Window of Exposure’ data contained in the report, another key metric organisations need to pay attention to is the number of days an application has one or more serious vulnerabilities open during a given time period. Across all industries, a substantial number of web applications remain always vulnerable.

A few key highlights of the report include: 

  • Information Technology (IT): 60% of web applications are always vulnerable
  • Retail: Half of all web applications are always vulnerable
  • Banking and financial services: 40% and 41% (respectively) of web applications are always vulnerable
  • Healthcare: 47% of web applications are always vulnerable

“We’ve observed that organisations have hundreds, if not thousands, of consumer-facing web applications, and each of these web apps has anywhere from five to 32 vulnerabilities,” said Tamir Hardof, chief marketing officer at WhiteHat Security. “This means that there are thousands of vulnerabilities across the average organisation’s web applications. While this number is overwhelming, risk ratings can really help security teams prioritise which vulnerabilities they work on fixing first. Unfortunately, what this year’s report tells us once again is that organisations are not really relying on risk levels as a baseline to inform their application security strategies.”

Remediation rates

The report also captures data on vulnerabilities that are fixed once they’re discovered. Generally, the more critical the vulnerability, the more complex it is to understand and remediate.

For nine of the 12 industries analysed, remediation rates are below 50%. In IT, less than 25% of open vulnerabilities are remediated, while vulnerabilities in this industry have an average age of 875 days. The average time-to-fix for vulnerabilities varies by industry, from approximately 15 weeks in the energy industry to 35 weeks in IT.

Key trends from 2013-2015 include the following:

  • Remediation rates declined significantly in IT, which saw a drop from 46% to 24%, and in banking, which dropped from 52% to 42%
  • Financial services and retail saw modest increases in their remediation rates, from 41% to 48% for financial services, and from 42% to 48% for retail
  • The greatest improvement was in the food and beverage industry, where remediation rates quadrupled from 17% to 62%
  • In manufacturing, rates almost doubled from 34% to 66%, while healthcare and insurance increased from 26% to 42%, and from 26% to 44% respectively

“Since 2013, the average time to fix vulnerabilities has trended upward overall, but we’ve seen some great successes with customers who’ve embedded security into the software development process,” said Ryan O’Leary, vice-president of the Threat Research Centre and technical support for WhiteHat Security.

“Discovering vulnerabilities in development is key to reducing vulnerabilities when the application is staged. Introducing source scanning, or SAST, has the potential to eliminate 80%-90% of well-known vulnerabilities. We look forward to seeing how this report will evolve as security and development teams work together more closely around shared security and risk management goals.”

Filed under Risk UK News, Uncategorized

The Security Institute announces endorsement relationship with iSMTA

The Security Institute has unveiled the detail of a new endorsement relationship with iSMTA, the International Secure Minds Training Academy.

Speaking at The Security Institute’s recent Annual Conference, the organisation’s managing director David Thorp announced that, in furtherance of its ambition to become a byword for educational quality within the security sector, the Institute has now reached its first endorsement agreement with a training organisation.

“We want to work with education and training providers who share our vision of an apprenticeship-to-Boardroom, full career education model for this profession and the International Secure Minds Training Academy meets that criterion,” asserted Thorp.

“In addition, iSMTA has been a strong supporter of our Manifesto for Professional Security and its championing of life-long learning, the promotion of standards of excellence at all levels within the profession and the promulgation of career pathways that help people entering the profession see clearly the pathways, options and opportunities that are open to them as they develop their careers.”

Tony Maher, the head of iSMTA, supports these comments. Maher added: “We’re excited about this new relationship. Education is crucial when it comes to climbing the professional career ladder, and we’ve developed an e-learning based model that offers people with limited time and who may be geographically remote to study for a qualification featuring state-of-the-art learning materials using the most up-to-date learning platform.”

Maher concluded: “The Institute could see the value of this in helping to develop the next generation of security professionals. In other words, future members of The Security Institute.”

Filed under Risk UK News

IFSEC International 2015: ASSA Abloy reports on a successful event highlighting integrated security solutions

ASSA Abloy used the platform of IFSEC International 2015 to showcase integrated security solutions and access control technology from its leading brands.

At ExCeL London between 16-18 June, the company revealed how its future-proof solutions enable customers to have the correct level of access across a wide range of end user markets, including the commercial, education, healthcare, transport and retail sectors.

Also demonstrated was the flexibility of the available solutions which is enabled through ‘open’ communication technology. Products from ASSA Abloy, Abloy, Mul-T-Lock, Traka and Yale were showcased.

The company’s stand featured an Integration Zone detailing how the group’s access control products offer “an unrivalled proposition” through the use of open communication protocols that are easily scalable and which can be integrated with most security systems (as well as being compatible with all major OEMs).

ASSA Abloy benefited from a successful IFSEC International 2015

In essence, the Integration Zone showcased the group’s breadth of product offerings and global capability.

Chris Bone, vice-president of access control solutions for the EMEA region at ASSA Abloy, said: “IFSEC International 2015 proved to be a hugely important show for us, not only allowing us to showcase our latest product innovations but also providing the business with an excellent platform to display our ability to operate as a global solutions partner.”

Bone continued: “There was a constant stream of visitors to our stand, all of whom had the opportunity to hear first hand from our partners about why they choose to work with ASSA Abloy and to see the Integration Zone that successfully displayed the flexibility provided by our open communications systems.”

Filed under Risk UK News

Skills for Security Common Core NOS reviewed and renamed: ‘Essential Employability’

Skills for Security, the sector’s skills and standards setting body, has announced that the revised suite of standards for Essential Employability (previously known as Common Core) has been approved by the United Kingdom Commission for Employment and Skills.

The revised suite of standards may be accessed via the Skills for Security website.

As with all National Occupational Standards developed by Skills for Security on behalf of the sector, the NOS for Essential Employability will also be freely available on the National Occupational Standards Database (which can be accessed via: http://www.ukstandards.org.uk/).

Filed under IFSECGlobal.com News

Skills for Security courses to commence in the Middle East

Skills for Security has announced the extension of its scope to the Middle East, with a new partnership set to deliver accredited security training in the region.

SGW Consulting Group – a well-established and reputable training provider with existing consulting operations in the United Arab Emirates – has agreed a partnership with Skills for Security which will see the company delivering a number of accredited short courses in the GCC region of the Middle East throughout 2014.

Beginning in March, the first group of courses will focus on search, armed robbery and security surveying. This is planned to coincide with the popular International Security and National Resilience Exhibition and Conference in Abu Dhabi.

Further courses are also planned in Dubai later in the year.

This announcement follows the results of some exploratory research performed by SGW Consulting, which assessed the demand for security training courses in the Middle East region.

Jayne Sale: head of commercial services at Skills for Security

Jayne Sale, head of commercial services at Skills for Security, commented: “SGW’s research revealed the high regard in which Skills for Security certification is held among security personnel in the region, with the majority of respondents reporting that such certification would make them ‘much more interested’ in enrolling in a training programme.”

Sale added: “We’re delighted to be working with SGW Consulting to widen our scope into the growing market in the Middle East, which British Security Industry Association research recently revealed to be a key target market for UK security suppliers. Working with such an established company will help us capitalise on the growing overseas interest in UK solutions and training. We look forward to expanding on this further as the year progresses.”

Commenting on the new partnership, Simon Whitehouse (managing director of the SGW Consulting Group) said: “We experienced high demand for externally accredited safety and security training programmes during 2013. Post-course delegate feedback from our previous Middle East courses shows tremendous interest for occupational standards and recognised qualifications in this sector. We’re delighted to be working in partnership with Skills for Security in international locations.”

A full course calendar for 2014 will be announced by both partners later this month.

Filed under IFSECGlobal.com News

Skills for Justice Awards and IQ to collaborate with historic agreement

Skills for Justice Awards – the specialist awarding organisation for the justice and community safety, police and law enforcement, custodial, legal, fire and armed services sectors – and mutual awarding organisation Industry Qualifications (IQ) have entered an agreement to co-operate and establish collaborative working on a wide range of issues across the justice and community safety and private security and safety sectors.

The groundbreaking agreement will result in each organisation becoming a co-ordinating quality (hub) centre of the other, offering the awards of the other that are relevant to their own sector/customer footprint.

The two organisations will also co-operate on product development, technical and IT matters as well as international issues where appropriate.

Raymond Clarke: CEO at Industry Qualifications

Seamless interface for qualifications

Raymond Clarke, CEO of IQ, explained: “This is an exciting development which creates a seamless interface for qualifications across both the wider justice family and areas involved with the management and mitigation of risk, such as fire safety.”

Clarke continued: “The agreement will allow each organisation to expand the range of products available to its centres and we expect to be able to work together on the development of qualifications and learning support products where there’s a shared interest.”

Adrian Jackson, managing director at Skills For Justice Awards, said: “Both ourselves and IQ are fully committed to providing sector-specific qualifications of the highest quality. The relationship is a comfortable fit. The agreement ensures that each organisation can harness its own specialist expertise for the benefit of the relationship and our customers.”

The two organisations have already begun to work on responding to a number of international opportunities, and have established the detailed mechanisms for the operation of quality hub centre arrangements.

Skills for Justice Awards will also adopt IQ Functional Skills within the coming months.

Requests for further information

Further information is available by contacting Raymond Clarke at IQ on tel: 01952 457452 or Adrian Jackson at Skills for Justice Awards on (tel) 0114-231 7397.

Industry Qualifications (IQ) provides a new approach to the operation of an awarding organisation and is approved by UK qualifications regulators (including Ofqual).

It’s a mutual awarding organisation that is owned by its members working across a range of economic sectors. IQ values partnership and enjoys a world class reputation for the integrity of its assessment, governance and relationship with stakeholders.

Skills for Justice Awards is part of the Skills for Justice Group. For the last decade, the organisation has been working with employers, Governments of the UK and agencies within the skills system to better equip workforces with the right skills for the present and the future.

Filed under IFSECGlobal.com News

Learn about converged security risks at The Security Institute’s Masterclass

The Security Institute’s next Masterclass will focus on the topic of converged security risk, and explore various high-impact scenarios that can result from advanced and persistent threats.

The Masterclass takes place between 10.00 am and 4.00 pm on Tuesday 24 September at The Crystal Building in London (home of Siemens). Over the duration of the day, dedicated speakers will provide anecdotal evidence about priorities for security measures and approaches to dealing with converged threats.

Confirmed speakers include Mike O’Neill CSyP, Dan Solomon, Azeem Aleem and Peter Fraser-Hopewell.

Mike O'Neill CSyP: key speaker at The Security Institute's Masterclass on convergence

They will illustrate a range of scenarios that best demonstrate converged vulnerabilities or attacks. In a plenary session, attendees will be asked to tackle the implications for security and planning.

The Security Institute’s latest Masterclass will conclude with an interactive Q&A session, in particular designed to consider Best Practice in managing/organising a converged security set-up for both preventative and reactive functions, doctrinal concepts that should be adopted and a methodology for the conduct of appropriate internal security.

Azeem Aleem: expert on cyber threats and defending against them

Book your place now

Cost of attendance is £95 for Institute members and £145 non-members.

Date: 24.9.2013
Venue: The Crystal, 1 Siemens Brothers Way, Royal Victoria Docks, London E16 1AD

Opened in the autumn of 2012, Siemens’ £30 million centre for urban sustainability is located in the Royal Victoria Docks. The Crystal is a striking glass-faceted structure built as a permanent showcase for sustainable technologies and is an excellent conference and seminar venue.

For further information on The Security Institute’s Masterclass contact Vickie Bailiss (events co-ordinator at The Security Institute) on (tel) 08453 707717 or via e-mail: vickie@security-institute.org

Filed under IFSECGlobal.com News

The Security Institute set to launch The Knowledge Centre

The Knowledge Centre is intended to be a key research and professional development resource for Institute members wishing to increase their knowledge base on specific security subjects, while also serving as an essential tool to support the studies of student members.

Headed up by director Angus Darroch-Warren CSyP, The Knowledge Centre will provide members with information sources including research papers, articles, dissertations and links to websites.

It’s recognised by The Security Institute that ‘Security’ covers a broad and diverse set of specialisms relating to: “The protection of people, information and other assets through the prevention, elimination and mitigation of risks and threats”. This includes intelligence gathering, research and information technology.

The Security Institute: pioneering education for security professionals

On that basis, The Knowledge Centre will be structured around the following 16 categories, reflecting the parameters and scope of contemporary security practice:

• Business Management
• Business Resilience
• Counter Terrorism
• Counter Fraud
• Crime and Criminology
• Critical National Infrastructure
• Defence and International Security
• Governance and Compliance
• Information Security
• Investigations
• IT and Cyber Security
• Law and Legislation
• Personnel Security
• Physical Security
• Security Professionalism
• Security Risk Management

These categories will provide a framework for the development of the new Research Directorate and its services, as well as providing new learning resources for the Institute’s vocational courses.

Gus Darroch-Warren CSyP

The Knowledge Centre will be launched in phases and, much like any learning platform, it will be continuously developed as additional information is added or existing material (or web links) is updated.

Launch timetable for The Knowledge Centre

Launch of the 16 front pages of the new website takes place on 31 July. This will allow the Institute’s membership to see how the website is structured, including documents under the following headings: ‘Useful websites’, ‘Published Academic and Research Sources’, ‘Theses and Dissertations’, ‘Government and Organisational Reports’, ‘Legislation, Standards and Guidelines’, ‘Editorials and Commentaries’ and ‘Additional Resources’.

Dr Alison Wakefield

The Knowledge Centre is a key project of The Security Institute’s new Research Directorate which is being run by Dr Alison Wakefield (Head, Internal and External Research), Jerry Woods CSyP (Good Practice Guides), Mike Gillespie (Cyber Research/Strategy) and Angus Darroch-Warren (The Knowledge Centre).

Jerry Woods

It fits both with the objectives of the Institute and the Register of Chartered Security Professionals with regard to education of the membership and the sector as a whole. In particular, those studying for The Security Institute’s Certificate and Diploma (as well as undergraduate and post-graduate students at the various universities and colleges) will benefit from a centralised information resource.

The Knowledge Centre provides exciting additional benefit to the membership, particularly student members, and will demonstrate the expertise that The Security Institute holds within its membership. It also represents one of the first efforts by the security profession on the international stage to define what constitutes security in the new millennium, in turn conveying this to the members and the wider security community.

Want to be involved as a volunteer in The Knowledge Centre Project?

A number of ‘Champions’ from among The Security Institute’s membership have been identified and appointed to lead each of the categories, but the Institute is still looking for members to become involved in this exciting project.

Many of those ‘Champions’ have completed, or are undertaking, doctoral level research in their area of expertise, and will be in a position to communicate their knowledge of key information resources to the membership.

Future development will see each category, headed by its appointed ‘Champion’, broken down into sub-categories and further web pages, matching the above structure. These may be specific to an industry (eg oil and gas, pharmaceuticals, financial services) or form a subset within an existing section (eg physical security may require separate sections on detection systems, CCTV or access control).

Management of a category is not considered to be onerous and represents an ideal opportunity for members to contribute to an Institute project, particularly those who are unable to participate in other events and activities or who are based internationally.

It offers the opportunity to gain valuable CPD points under the ‘Other Contributions’ banner without the cost of travel.

If you’re interested in becoming involved with this project, please contact Helen Corbett (The Security Institute’s senior administrator) on (tel) 08453 707717 or via e-mail at: helen@security-institute.org to register your interest.

Filed under IFSECGlobal.com News