Tag Archive for: finalized

More Details on the NIST SP800-53 Revision 5 Finalized Security and Privacy Framework

The National Institute of Standards and Technology (NIST) released Revision 5 of SP 800-53, Security and Privacy Controls for Information Systems and Organizations, on September 23, 2020. It is an important update: SP 800-53 had not been revised since Revision 4 was released in April 2013. While much of the press coverage of this update has focused on the revised privacy controls, there are two additions in the area of application security that enterprises and Federal government organizations should understand. The two new control enhancements are:

  • SI-7 Software, Firmware, and Information Integrity – control enhancement (17): Runtime Application Self-Protection
  • SA-11 Developer Testing and Evaluation – control enhancement (9): Interactive Application Security Testing

As indicated by the abstract, “this publication provides security and privacy control baselines for the Federal Government.” In addition, it is estimated that anywhere from 30 to 50 percent of enterprises also use SP 800-53 as the basis for their security architecture. NIST calls this an historic update to its security and privacy controls catalog.

These two additions give a new boost to the importance of application security. They reference, and create a need for, interactive application security testing (IAST) and runtime application self-protection (RASP) tools. With them, application security gets new focus as part of the mainstream NIST catalog: IAST instruments an application while it is exercised by functional or security tests, so developers can catch security flaws before the application is launched, and RASP instruments the deployed application so that it can detect and block attacks at runtime. If you are wondering how this new revision might affect you or your organization, here is a recommendation from a recent article in the National Law Review:

Putting it Into Practice: Federal contractors should pay close attention to these guidelines as these new security and privacy baselines will be applied to any federal information system used or operated by a contractor on behalf of an agency, or another organization on behalf of an agency. Companies in the private sector should pay attention as well, as NIST guidance is often used as a basis for industry standards in security and privacy.

In this document we will be focusing on the…


Pointer Events finalized, but Apple’s lack of support still a deal breaker

The Pointer Events specification, an API for Web developers to handle touch, mouse, and pen inputs in Web applications, has been published as a Recommendation by the World Wide Web Consortium. This is the Web standards group’s final, mutually agreed on version of the spec.

Pointer Events was first proposed by Microsoft as an alternative to another specification, Touch Events. Touch Events was born from Apple’s initial work to touch-enable Safari on the iPhone. W3C moved to standardize it without Apple’s involvement, and at one point during Touch Events’ development it looked as if the spec would be covered by Apple-owned patents, with Apple unwilling to offer a royalty-free grant to users of the spec. Had this situation continued, it would have precluded W3C from issuing the spec as a Recommendation.

Pointer Events avoided the patent issues. It was also a more general specification: while Touch Events was designed for touch and touch alone, Pointer Events lets developers use the same code to handle touch, stylus/pen, and mouse inputs, distinguishing them by the event’s pointerType and tracking concurrent contacts by pointerId. Pointer Events also addressed certain problems with Touch Events, such as the 300 millisecond delay browsers imposed before responding to a tap in order to disambiguate between single and double taps; the spec’s touch-action CSS property lets a page opt out of that wait.
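What that looks like in practice, as an added example that is not code from the Ars Technica article or from the W3C specification: a single handler path serves mouse, touch and pen, telling them apart by `pointerType` and keeping one record per active `pointerId`, so two fingers or a pen plus a mouse need no special casing. The function names, the element wiring in `attachPointerTracking` and the `onChange` callback are my own assumptions, and the events fed to `demo()` are constructed stand-ins for real PointerEvent objects.

```javascript
// Added example (not from the article or the spec): one Pointer Events code
// path for mouse, touch and pen. normalizePointer() and createPointerTracker()
// work on plain objects, so they run outside a browser; attachPointerTracking()
// wires them to a DOM element when one is available.

// Reduce a PointerEvent (or any object carrying the same fields) to the
// record most application code actually needs.
function normalizePointer(ev) {
  const known = new Set(["mouse", "touch", "pen"]);
  const type = known.has(ev.pointerType) ? ev.pointerType : "unknown";
  return {
    id: ev.pointerId,
    type,
    primary: Boolean(ev.isPrimary),
    x: ev.clientX,
    y: ev.clientY,
    // Mice report pressure 0.5 while a button is held and 0 otherwise;
    // touch and pen report the hardware value in 0..1 when they have one.
    pressure: typeof ev.pressure === "number" ? ev.pressure : 0,
    // Pen-only fields; treated as 0 for mouse and touch.
    tiltX: ev.tiltX ?? 0,
    tiltY: ev.tiltY ?? 0,
    button: ev.button,
  };
}

// One entry per active pointer, keyed by pointerId, in place of the
// TouchList bookkeeping that Touch Events code had to do by hand.
function createPointerTracker() {
  const active = new Map();
  return {
    down(ev) {
      const p = normalizePointer(ev);
      active.set(p.id, p);
      return p;
    },
    move(ev) {
      // Ignore moves (e.g. mouse hover) from pointers that never went down here.
      if (!active.has(ev.pointerId)) return null;
      const p = normalizePointer(ev);
      active.set(p.id, p);
      return p;
    },
    up(ev) {
      const p = active.get(ev.pointerId) ?? null;
      active.delete(ev.pointerId);
      return p;
    },
    count() { return active.size; },
    snapshot() { return [...active.values()]; },
  };
}

// Browser wiring (assumed names). `touch-action: none`, defined by the Pointer
// Events spec, tells the browser to deliver events immediately instead of
// waiting to see whether a tap starts a double-tap or a scroll gesture.
function attachPointerTracking(el, onChange = () => {}) {
  const tracker = createPointerTracker();
  el.style.touchAction = "none";
  el.addEventListener("pointerdown", (ev) => {
    el.setPointerCapture(ev.pointerId); // keep receiving moves that leave the element
    onChange("down", tracker.down(ev), tracker.snapshot());
  });
  el.addEventListener("pointermove", (ev) => {
    const p = tracker.move(ev);
    if (p) onChange("move", p, tracker.snapshot());
  });
  for (const name of ["pointerup", "pointercancel"]) {
    el.addEventListener(name, (ev) => {
      const p = tracker.up(ev);
      if (p) onChange(name === "pointerup" ? "up" : "cancel", p, tracker.snapshot());
    });
  }
  return tracker;
}

// Constructed sample input: a finger and a pen down at once, the pen moves,
// a never-pressed mouse hovers, then the finger lifts.
function demo() {
  const t = createPointerTracker();
  t.down({ pointerId: 1, pointerType: "touch", isPrimary: true, clientX: 10, clientY: 20, pressure: 1, button: 0 });
  t.down({ pointerId: 2, pointerType: "pen", isPrimary: true, clientX: 50, clientY: 60, pressure: 0.4, tiltX: 15, tiltY: -5, button: 0 });
  t.move({ pointerId: 2, pointerType: "pen", isPrimary: true, clientX: 55, clientY: 62, pressure: 0.6, tiltX: 15, tiltY: -5, button: -1 });
  t.move({ pointerId: 9, pointerType: "mouse", isPrimary: true, clientX: 0, clientY: 0, pressure: 0, button: -1 });
  const released = t.up({ pointerId: 1, pointerType: "touch", isPrimary: true, clientX: 10, clientY: 20, pressure: 0, button: 0 });
  return { remaining: t.count(), released: released.type, pen: t.snapshot()[0] };
}
```

In a page, `attachPointerTracking(document.querySelector("canvas"), (phase, p, all) => { /* draw */ })` is the whole integration; the same `onChange` fires for every input device, and `p.type` is the only thing a handler needs to inspect when pen pressure or mouse buttons matter.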



Ars Technica » Technology Lab