Privacy Policy Review: Apple

When looking at the communications of the major players in the operating system market (for both computers and smartphones) there are one company that repeatedly talks about privacy more than the others. The company I am thinking about is Apple. Their continuous talk about privacy got me curious, how do they handle their users privacy. And when curious it’s time to investigate, so I dug into their Privacy Policy (Updated June 1, 2021), and my thoughts resulted in this blogpost. ...

June 16, 2021 · 2 min · Oskar Edbro

Privacy in Browsers

This investigation should not be taken as a full review of the browsers, but wishes to highlight the differences that different browsers have in how they handle user privacy. The test aims to give an overview, not describe in detail what each browser does or does not do. Methodology To perform this test I created a new virtual machine based on Windows MSEdge win10 VM. In this VM I installed the browsers intended to be tested, using the default configuration. After that I configured BurpSuite as a proxy for the VM, so that all traffic is routed through it. This way it will document all the traffic that the browser in the VM is sending. ...

May 29, 2021 · 8 min · Oskar Edbro

Security for Any Administrator Team

Previously I’ve written a post about security for development teams, and now it’s time for the continuation. Just as for developer there are great benefits in performing security tests for administrators. However, the methodology when testing the infrastructure is not the same as when testing an application. In this post I’m going to introduce categories of testing for administrators in much the same way as I did for developers, allowing any team to begin thinking about security and performing basic security testing. The categories proposed can also be adapted to be used as requirements, more so than the ones used for developers. This is since they are easier to apply regardless of what solution is tested. ...

May 8, 2021 · 3 min · Oskar Edbro

Security for Any Development Team

There are very few, if any, development teams that introduces vulnerabilities into their software out of malicious intent. Instead it is mistakes that are introduced due to lack of time, awareness, or something alike. There are lots of materials out there that are either super detailed for a specific technology stack, or on such a high level it is hard to apply in the real world. With this post I will try to do the impossible, to describe how you work with security in a practical manner, regardless of what technology you use. I will highlight three categories of vulnerabilities, and describe them in a technology independent way. My hope with this is to allow any development team to have a think about security, and apply them to their specific technologies. ...

March 5, 2021 · 5 min · Oskar Edbro

Security Professionals Have to be More than Nay-Sayers

A couple of weeks back I had a very interesting meeting at work. After meeting a new development team and discussing security (testing), they commented on how great it was to work with a driven and interested security engineer instead of a nay-sayer. This got me thinking about the overall view of security professionals from others, and realised that we are often seen as a hindrance. This line of thinking arose once more after reading the “Report on the 2020 FOSS Contributor Survey” [1]. The report highlights that developers of FOSS (Free Open Source Software) have the same view, that security is a hindrance, a necessary evil that has to be done. Something to not spend more time on than absolutely necessary since its just annoying and boring, something that we must strive to change. ...

December 15, 2020 · 2 min · Oskar Edbro