Security publications
Security reports
Key statistics and trends.
Data Breach Investigations Report 2009
Security breach information and analysis from Verizon.
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
The Internet in Britain 2009
Internet usage and demographics from the Oxford Internet Institute.
http://www.oii.ox.ac.uk/microsites/oxis/publications.cfm
Information Security Breaches Survey 2008
The Department for Business, Enterprise & Regulatory Reform's business information security survey, including controls, incidents and exposures; April 2008.
http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html
Internet Security Threat Report Volume XIV, January-December 2008
Symantec's bi-annual analysis of internet attacks, vulnerabilities, malicious code, phishing, spam and security risks; April 2009.
http://www.symantec.com/business/theme.jsp?themeid=threatreport
Quarterly Trends Report, Q1-Q2 2009
Cenzic's overview of the web application security market, key findings, top 10 vulnerabilities, and breakdowns of Web application vulnerabilities.
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
Security Spending Benchmarks, Q2 2009
Benchmarking to justify overall web application security spending, from OWASP. This quarter's report has a special focus on cloud computing.
http://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks
Security Threat Report 2009
Current and predicted cybercrime trends including some useful statistics on web site/server threats from Sophos.
http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf
State of Software Security Report - The Intractable Problem of Insecure Software, Volume 1, March 2010
Security intelligence derived from multiple testing methodologies on the full spectrum of application types and programming languages across the software supply chain.
http://www.veracode.com/reports/index.html
Web Application Security Statistics Project 2007
Compilation of web application security assessment project testing data to identify the prevalence and probability of different vulnerability classes and to compare automated and manual testing methodologies.
http://www.webappsec.org/projects/statistics/
Web Hacking Incidents Database
The Web Application Security Consortium's list of web application security incidents.
http://www.xiom.com/whid
Web Security Trends Report Q4/2008
Web threat trends and research findings.
http://www.finjan.com/Content.aspx?id=827
Training and awareness
See also security organisations.
Bank Safe Online
The UK banking industry's initiative to help online banking users stay safe. Good description of the types of scams, how to identify scams and how website users can help to protect themselves. Also facility to report a scam or request advice.
http://www.banksafeonline.org.uk/
CardWatch
Guidance, advice and tips for retailers and card holders on the types of debit and credit card fraud. Some information from the police and Home Office.
http://www.cardwatch.org.uk/
E-Victims
Practical advice for consumers in the UK who are victims of e-incidents such as e-crime.
http://www.e-victims.org/
Get Safe Online
Advice to UK consumers and small businesses on protecting their computer, their own and their family's privacy and computer systems when online. The excellent 10-minute guide for internet beginners should be read by all internet users.
http://www.getsafeonline.org/
Identity Theft
Home Office's guide to identity theft. Information on how to protect yourself and what to do if you think you are a victim.
http://www.identitytheft.org.uk/
Stay Safe Online
International (US) website from the National Cyber Security Alliance (NCSA), similar to the UK's Get Safe Online. The content is quite North American in orientation, but useful as a comparison.
http://staysafeonline.org/
Think U Know
Internet help and advice for young people, parents and teachers including ability to report abuse from the UK's Child Exploitation and Online Protection Centre (CEOP).
http://www.thinkuknow.co.uk/
Articles
Website white papers, research and other documents.
Automatic Security Scanning vs. OWASP Top Ten
Discussion of how automated scanning products can tackle common website vulnerabilities.
http://www.whitehatsec.com/home/resource/whitepapers/auto_scanning.html
Cloud Computing Benefits, Risks and Recommendations
ENISA's excellent analysis of cloud computing for SMEs.
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
November 2009
Finjan Malicious Page of the Month
Topical investigations and analysis of web threats.
http://www.finjan.com/Content.aspx?id=1367
Updated monthly
OWASP Top Ten
The most critical web application security flaws, published as one of the Open Web Application Security Project (OWASP) projects.
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
Updated periodically - new version due March 2010
The Psychology of Security
An essay on the difference between what we perceive as security and the reality.
http://www.schneier.com/essay-155.html
7th February 2007
SANS Top-20 Internet Security Attack Targets
Detailed information and references on the most common attack targets.
http://www.sans.org/top20/
Updated regularly
Security Guidance for Critical Areas of Focus in Cloud Computing
Security recommendations from the CSA
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
v2.1, December 2009
Security Economics and the Internal Market
Identification, assessment and analysis of the economic barriers to an e-communication internal market for ENISA.
http://www.enisa.europa.eu/pages/analys_barr_incent_for_nis_20080306.htm
29th January 2008
SPIT: Bringing Spam to Your Voicemail Box
Description of Spam over Internet Telephony (SPIT).
http://voipforenterprise.tmcnet.com/feature/service-solutions/articles/4009-spit-bringing-spam-your-voicemail-box.htm
December 2006
Using Fuzzers in Software Testing
Fuzzers are automated testing programs that feed an application altered variable values to see whether it handles valid and invalid data safely; weaknesses found this way include unvalidated data input, error generation, buffer overflows and command execution. This article describes the concepts and identifies tools and additional resources.
http://www.qasec.com/cycle/usingfuzzers.shtml
21st January 2007
VoIP Security Challenges: 25 Ways to Secure your VoIP Network
Description and checklist of security tasks to be considered when deploying VoIP in an enterprise system.
http://www.voiplowdown.com/2006/12/voip_security_c.html
December 2006
Vulnerability Scanners Review
Review of ISS Internet Security Systems, SSS Shadow Security Scanner, Retina eEye, Nessus, GFI Languard Network Security Scanner, Qualys, Nstealth Security Scanner, Nikto, Whisker, Infiltrator and Nscan.
http://www.askapache.com/2006/security/vulnerability-scanners-review.html
30th December 2006
Vulnerability Stack
Diagrammatic representation of where vulnerabilities occur in a system and a discussion of which automated tools address these.
http://jeremiahgrossman.blogspot.com/2006/11/vulnerability-stack.html
10th November 2006
Web 2.0 Security and Privacy
ENISA's recent position paper on the threats to photo sharing, wikis, social bookmarking and social networking, and from 'malware 2.0'.
http://www.enisa.europa.eu/act/it/oar/web2sec/report
December 2008
Web Application Logic Exploitation
Examples of how web application logic might be circumvented. A useful read for everyone, but especially relevant for development staff.
http://www.liquidinfo.net/webapps_logic.pdf
25th December 2006
Magazines and journals
Security related printed publications.
Card Technology Today
Smart card technologies, applications, manufacturers, legislation and industry initiatives.
http://www.elsevier.com/wps/find/journaldescription.cws_home/621017/description#description
Computer Fraud & Security
Monthly threat reports, news and technical features.
http://www.elsevier.com/wps/find/journaldescription.cws_home/405876/description#description
Financial Sector Technology (FST)
Business IT issues for the financial services sector, including regular items on compliance and risk.
http://www.fstech.co.uk/
Infosecurity
Print and digital editions with security news, features and comment.
http://www.infosecurity-magazine.com/
SC
Security news and product information with UK, US, Asia-Pacific and Australia-New Zealand editions, from Haymarket Publishing.
http://www.scmagazine.com/uk/
Other web application security resources
Web application security legislation, standards and codes of practice and organisations.
Contact Watson Hall
Watson Hall works with your business and information systems staff, partners and suppliers, including professional advisors such as accountants, auditors, insurers and solicitors. We guide, assist and build security and skills in organisations to reduce security risk.
