Methodology

As a penetration tester, you will inevitably find yourself involved in scoping engagements, navigating the challenges of aligning a client’s needs with their expectations. “Penetration testing” is a term that almost everyone believes they understand, yet it often carries vastly different interpretations. This ambiguity makes it more of an umbrella term, offering little insight into how the test will actually be executed or what it will cover. In this post, I’ll share my perspective on one approach to differentiating how penetration tests can be executed, helping both testers and clients clarify their expectations. ...

While looking into IT Service Change Management, and primarily in accordance with ITIL, there was one thing that stood out. There seems to be a disconnect between the the development point of view and how change management is implemented by operations. With that I mean that the implementations I have seems to be more applicable for finished product than with software developed in house. The change management processes works when a change is either adding a new product or installing a new version. When it comes to full software development, the change management process gets fuzzy and drawn out. This gets even more distinct when looking at the more agile or DevOps ways of working of development. ...

As security professionals working with software components it is not always easy to prioritise what security raising actions should be prioritised. According to most security standards (such as ISO27000) require a risk based security approach. Regardless if we are building our own applications, or we are installing third party software in our network we need to understand what threats there are to our environment. After understanding what threats there are, we prioritise them and thereby also prioritise what actions we should take to minimise the risk. Many organisations use threat modelling to understand what threats they have in their environment. However, I have lately come to understand that the definition of threat modelling varies widely between organisations. There are two main variants: ...

Anyone working in Cybersecurity can tell you that there are endless fields of specialisation. For example, helping R&D through AppSec, hacking companies through red-teaming, or responding to incidents in a CyberSecurity Incident Response Team (CSIRT). Regardless of speciality, there are skills you will have mastered, and ones you haven’t. In addition to the skills there are knowledge, ways of working etc. connected to each field. ...

Security Champions is a concept that gets more and more attraction. The function might go under another name, such as Security Masters, but the concepts are the same. In this post I will dig into what this role contains and how it can be applied to improve the security posture of an organisation. My experience with Security Champions is in Research and Development organisations, so my views are anchored in RnD. However I see no reason why Security Champions could not be applied in other kinds of organisations as well. ...