Posts

When working with cybersecurity in any development organization it is inevitable that management asks the difficult question. The question that puts us in a very difficult position of grasping the current status of the organizations security efforts. The question I am talking about is as follows, or a version of: How far have we come in our work with cybersecurity? It is an understandable question. We need to see that the time and money put into security are adding value to the business. However assessing the progress in a comparable way is not always easy. As luck would have it there are standards for measuring the maturity level of cybersecurity. One of these models are OWASP Software Assurance Maturity Model, SAMM for short. As it is provided by OWASP it is an open source model that can be used by anyone free of charge, and the results are comparable both over time and between organizations. There are other models that do similar things, but due to the open nature of SAMM it’s a good starting point for any organization getting started. ...

Apple has recently released their plans for on device detection of Child Sexual Abuse Material (CSAM). For me as well as many others this has raised some flags, since it have the potential to greatly impact the privacy of Apple users. I will not comment on the overall security of the solution put forward by Apple, just summarize the description on how it works, as well as highlighting my concerns with the solution. Apple intends to roll out the detection in three stages. Firstly images shared through the messages app (AKA iMessage) will be screened for CSAM content. If it is detected (being either sent or received) the user and in applicable cases their parent will be warned about the detection. The second stage includes iCloud photos, where any photo will be matched against known CSAM (on device matching) before being uploaded. If there is a number of matches that meets a threshold Apple will be notified and after manual validation it will be forward to the relevant (American) authorities. The last step is to improve Siri and search, adding better support for reporting CSAM, or where to get support if you, or you think someone else is subject to sexual abuse. ...

In a previous post I shared my experience with moving my page from Github pages to Cloudflare. It is now time to follow up that post and comment on my experiences after approximately a quarter. The experience of publishing new posts is about the same as when hosting on Github, you just push an update to the specified branch and then a build is triggered that will be published upon completion. The main difference is that the build process is somewhat slower in Cloudflare than on Github. This means that a build can take about 5 minutes, instead of the previous 1. This is most likely due to the fact that Cloudflare pulls everything and builds locally, instead of using Jekyll remote themes. ...

When looking at the communications of the major players in the operating system market (for both computers and smartphones) there are one company that repeatedly talks about privacy more than the others. The company I am thinking about is Apple. Their continuous talk about privacy got me curious, how do they handle their users privacy. And when curious it’s time to investigate, so I dug into their Privacy Policy (Updated June 1, 2021), and my thoughts resulted in this blogpost. ...

This investigation should not be taken as a full review of the browsers, but wishes to highlight the differences that different browsers have in how they handle user privacy. The test aims to give an overview, not describe in detail what each browser does or does not do. Methodology To perform this test I created a new virtual machine based on Windows MSEdge win10 VM. In this VM I installed the browsers intended to be tested, using the default configuration. After that I configured BurpSuite as a proxy for the VM, so that all traffic is routed through it. This way it will document all the traffic that the browser in the VM is sending. ...