
08/29/2011: New offices in Madrid

As of August 29th, Internet Security Auditors has new offices in Madrid. Our new contact details are:

Calle Arequipa, 1
E-28043 Madrid (Spain)
Tel.: +34 91 763 40 47
Fax: +34 91 382 03 96

With these new offices, Internet Security Auditors adapts to the growth it is experiencing and expects to continue meeting customers' needs as it has done from its beginnings.

08/15/2011: We will be at No cON Name 2011 conference

Internet Security Auditors will attend the No cON Name 2011 conference, which will be held on September 16th and 17th at the CosmoCaixa Theater in Barcelona.

No cON Name (NcN), a non-profit organization, organizes this conference each year, and it has become a must for many researchers and information security managers. The organization aims to build a free and open forum where we can share expertise, debate and free speech.

Among the papers selected by the organization, a member of the sales team at Internet Security Auditors will present a lecture entitled: "Return on Investment in aligning with the PCI DSS."

The other selected papers, as well as a description of all conference details, are available on the NcN website.

07/26/2011: New Facebook security vulnerability

Continuing the study of social network security that we have been carrying out in recent months, Vicente Aguilera, Audit Manager of Internet Security Auditors, has discovered a serious security vulnerability that affects Facebook.

This new Facebook vulnerability is a case of phishing that allows a Facebook user to share a malicious link. The link appears to be a URL belonging to the domain facebook.com, yet it redirects the victim to an external website without notice. This external website can introduce viruses into the victim's PC or steal private data (such as passwords), exploiting the trust gained through the use of the facebook.com domain.

The detailed description of the vulnerability is available in our advisories section.

El País (one of the major Spanish newspapers) reported on the vulnerability discovery and published an article about it. The article can be downloaded, in PDF format, from our download section.

06/22/2011: Present at event: "Web Applications Security: where the roads cross"

On June 21st and 22nd, in Barcelona and Madrid respectively, Internet Security Auditors participated as an expert in the Respuestas SIC event. This time the event, titled "Web Application Security: Where the roads cross", addressed one of the most critical points in today's ICT security: application security.

Our participation focused on developing applications following the hack-resilient concept: the importance of knowing the threats and of adopting a security initiative throughout the software life cycle. Finally, the OWASP ASVS (Application Security Verification Standard) framework was introduced, as well as key areas in application security.

The presentation is available in our download area.

06/17/2011: Published our training calendar for the second semester

As in previous years, last June we published the training schedule for the second semester. Again, the agreements reached with major international institutions allow us to offer a variety of courses relating to IT security: ISC2, EC-Council and BSI training programs that enable our students to achieve the certifications on the rise in the ever-changing field of information security.

This year we have also planned, in both Madrid and Barcelona, several training sessions on security standards for payment cards: PCI DSS and PA DSS. The great success these courses have had with students in the past has prompted us to increase the number of available sessions.

All course information (contents, schedules, dates, costs, etc.) is available in our training section.

06/06/2011: Published the article "Return on Investment of PCI DSS"

The latest issue of the journal SIC (No. 95), for June 2011, includes an article by members of the sales team at Internet Security Auditors, entitled "ROI of PCI DSS."

The article describes how to calculate the ROI of a PCI DSS implementation using the concept of ROSI (return on security investment). Calculating this indicator can provide arguments for defending the implementation of these payment card security rules. It also analyzes how the economic risk reduction provided by adapting to the PCI DSS exceeds, in economic terms, the costs associated with a potential incident involving payment cards.

The paper is available in our download section.

05/15/2011: First application in Spain certified as PA DSS compliant

In mid-May, Indra Sistemas, working hand in hand with Internet Security Auditors, passed the certification process for a public transport ticketing platform under the new PCI PA-DSS v2.0, becoming the first application from a Spanish manufacturer to pass the stringent quality requirements set by the PCI SSC.

Internet Security Auditors thus becomes the first Spanish company to certify an application as PA DSS compliant.

PA DSS (Payment Application Data Security Standard) is a security standard that defines the set of requirements to be met by electronic payment applications or products sold to third parties. Its purpose is to reduce payment card fraud caused by possible deficiencies in the applications used by businesses, service providers and acquiring entities, enhancing the security of this data.

Internet Security Auditors was the first Spanish company to obtain the PA QSA certification, which allows us to perform implementation consulting and PA DSS certification audits.

04/15/2011: Participate at VII OWASP Spain Chapter Meeting

The VII Meeting of the OWASP Spain chapter was held in Barcelona on April 15th. Internet Security Auditors took part in the event twice. Vicente Aguilera, director of the Internet Security Auditors audit department, opened and closed the session in his role as President of the Spanish chapter of OWASP.

Also among the speakers at the event was Marc Segarra, a member of the Internet Security Auditors consulting team, who gave a presentation demonstrating how the adoption of methodologies such as OWASP provides much of the compliance required by the PA DSS standard. Additionally, Marc explained the PA DSS certification process. The certificate guarantees the security mechanisms in applications that handle cardholder data from payment cards, where the risk of fraud is very high and for which there are numerous illegal networks that use these data for illegitimate use and benefit.

The presentation is available in our download section.

04/13/2011: Internet Security Auditors won a Securmatica award

In the context of the traditional IT security sector dinner that the SIC publication organizes annually, the eighth Information Security (SIC) awards were presented on April 13th.

Internet Security Auditors was awarded "for excellence in providing audit, consulting, managed security and training services, with special reference to specialization in the areas of PCI/PA DSS."

Daniel Fernandez, Commercial Director of Internet Security Auditors, received the award on behalf of the company. In his speech he thanked SIC magazine and congratulated the publishers on its twentieth anniversary. Daniel also thanked the customers who have trusted Internet Security Auditors when working on the most demanding security projects. Finally, Daniel stressed the importance of the Internet Security Auditors team and extended the award to all company personnel.

04/06/2011: Paper about Web Application Protection at SIC magazine

The latest issue of SIC (No. 94) includes an article describing the main technical security controls for protecting web applications.

The article was written jointly by Vicente Aguilera, OWASP Spain Chapter Leader, and Daniel Fernandez, Commercial Director of Internet Security Auditors.

The article highlights a number of security projects for developing web applications, including the OWASP ASVS (Application Security Verification Standard) project, the OWASP Development Guide and the OWASP Enterprise Security API. Internet Security Auditors uses these and other OWASP projects in all services related to Application Security.

The paper is available in our download area.

03/31/2011: Participate in Respuestas SIC conference: "Web Application Security: Where the crossroads"

On June 21st in Barcelona and June 22nd in Madrid, SIC magazine will hold the XVII edition of its Respuestas SIC conferences. This time the session will address the tests, inspections and current technologies for protecting web applications.

Internet Security Auditors has been invited to these meetings as an expert in the field of Web Application Security. Our experience in web application security audits, as well as in implementing security in the development life cycle, will be the framework for the presentation, which will include a consultative and prescriptive approach. The aim of the session is to provide the keys to the controls and measures that improve web application security.

02/26/2011: Participate in conference ADWYS CON'11 (Web Design and Security Association)

Vicente Aguilera, partner and audit director at Internet Security Auditors, participated on February 24 in the ADWYS CON 2011 congress. The conference, held at the University of Cadiz, aims to disseminate knowledge related to Web Engineering and Security.

ADWYS, the Web Design and Security Association of the University of Cadiz, presented in a practical way the latest trends and advances in the technologies belonging to both fields.

The presentation given by Vicente Aguilera, as President of the OWASP Spanish Chapter, covered the TOP TEN web application vulnerabilities published by OWASP. This TOP TEN includes the 10 most critical risks existing today in web applications. The presentation also included a demonstration of an evasion of security controls in a real environment using a certain vulnerability existing in the Gmail authentication system.

The presentation is available in our download section.

02/25/2011: ISecAuditors sponsors VII OWASP Spain Chapter Meeting

The OWASP Spanish chapter is preparing its VII Meeting. This event will take place in the emblematic Ateneu Barcelonès (where the OWASP Spanish chapter has already held one of its events). The chosen date is Friday, April 15th.

Internet Security Auditors maintains its sponsorship of OWASP Spain, thus furthering its commitment to open projects on Information Security and, in this specific case, on Web Application Security.

The OWASP Spanish Chapter website will post updates to the meeting agenda. Registration for this event is open and free.

02/15/2011: Big success at OWASP SUMMIT 2011

From February 8 to 11, OWASP SUMMIT 2011 was held in Lisbon (Portugal). More than 180 application security experts from 30 countries joined efforts during these days to plan, build and implement programs to improve the security of software applications.

The OWASP SUMMIT 2011 did not follow the classic approach of static lectures and/or conference presentations, but instead chose a more open and dynamic format that allowed participants, in a more informal way, to write documents, prepare draft standards, launch new projects and even create software.

On the OWASP website you can find the main findings of OWASP SUMMIT 2011 and a summary of all activities conducted there.

01/10/2011: ISECOM publishes OSSTMM (Open Source Security Testing Methodology Manual) version 3

In December 2010, after many years of waiting, ISECOM (Institute for Security and Open Methodologies) released version 3 of its OSSTMM (Open Source Security Testing Methodology Manual).

The main objective of the OSSTMM is to provide a scientific methodology to characterize the accuracy of security by examining and correlating test results consistently and reliably. This manual fits almost any type of information security audit, including penetration tests, ethical hacking, security assessments, vulnerability assessments, etc.

You can download OSSTMM v3 through this link.