An image depicting a chain with the sun shining behind it.

Supply Chain Security in Light of EU Regulations: A Practical Approach

Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains. ...

September 30, 2024 · 5 min · Oskar Edbro
An image depicting two contrasting approaches to IT change management, tailored to the themes of your blog post. On one side, it illustrates traditional IT change management with a formal, structured setting, and on the other, it shows a dynamic DevOps approach. This visual captures their shared goal of risk reduction.

Change Management in Development and Operations

While looking into IT Service Change Management, and primarily in accordance with ITIL, there was one thing that stood out. There seems to be a disconnect between the the development point of view and how change management is implemented by operations. With that I mean that the implementations I have seems to be more applicable for finished product than with software developed in house. The change management processes works when a change is either adding a new product or installing a new version. When it comes to full software development, the change management process gets fuzzy and drawn out. This gets even more distinct when looking at the more agile or DevOps ways of working of development. ...

May 11, 2024 · 2 min · Oskar Edbro
A picture of a coastal landscape, blurry except for through a camera lens held up in the middle of the image.

Different Kinds of Cybersecurity

In the world of cybersecurity there is a lot of specific definitions, a type of insider lingo that we assume that everyone agrees on the definition of. However, herein lies the problem. We assume, without discussing. I have ended up in multiple discussions that occurs due to different interpretations of a definition. In this post I’ll give my view of one of the biggest differences of definition that I have seen, namely what we include in the term cybersecurity. ...

August 27, 2023 · 4 min · Oskar Edbro
A mysterious hooded person on a busy night street lit by mostly pink neon signs.

Threat Modelling and Threat Actors

As security professionals working with software components it is not always easy to prioritise what security raising actions should be prioritised. According to most security standards (such as ISO27000) require a risk based security approach. Regardless if we are building our own applications, or we are installing third party software in our network we need to understand what threats there are to our environment. After understanding what threats there are, we prioritise them and thereby also prioritise what actions we should take to minimise the risk. Many organisations use threat modelling to understand what threats they have in their environment. However, I have lately come to understand that the definition of threat modelling varies widely between organisations. There are two main variants: ...

July 2, 2023 · 3 min · Oskar Edbro
A man looking through binoculars

Privacy in the European Union and the World

Lately there has been an increase in discussions about the use of end-to-end encryption for consumers. The most blatant attack on privacy I have read about is the so-called EU Chat Control. But there are other regulations as well, such as the UK Online Safety Bill. Chat Control (EU) Let’s begin with the European Union, and what is usually called Chat Control. This regulation aims to protect children from abuse by forcing both hosting and communications services to reduce the risk of the service being used for Child Sexual Abuse Material (CSAM) by ...

March 27, 2023 · 4 min · Oskar Edbro