Security for Any Administrator Team

Previously I’ve written a post about security for development teams, and now it’s time for the continuation. Just as for developers, there are great benefits in performing security tests for administrators. However, the methodology when testing the infrastructure is not the same as when testing an application. In this post I’m going to introduce categories of testing for administrators in much the same way as I did for developers, allowing any team to begin thinking about security and performing basic security testing. The categories proposed can also be adapted to be used as requirements, more so than the ones used for developers, because they are easier to apply regardless of what solution is tested. ...

May 8, 2021 · 3 min · Oskar Edbro

Migrating to Cloudflare

I’ve been looking around on how to get some statistics from my blog, especially regarding the number of visitors. Sadly the current solution (GitHub Pages) does not seem to natively support this kind of statistics without adding third-party tracking. After looking around at different solutions, Cloudflare caught my attention. I know that, among others, Troy Hunt writes about and uses Cloudflare, so I decided to give it a try. Migrating from GitHub Pages to Cloudflare Pages was as easy as configuring which GitHub repo to use in Cloudflare, picking Jekyll, and then it just worked. Right after the page was built you see some basic statistics, such as the number of requests grouped by country. Below, the first hours of traffic are shown on a map, as presented by Cloudflare. ...

April 17, 2021 · 2 min · Oskar Edbro

Security for Any Development Team

There are very few, if any, development teams that introduce vulnerabilities into their software out of malicious intent. Instead, they are mistakes introduced due to lack of time, awareness, or something similar. There are lots of materials out there that are either super detailed for a specific technology stack, or on such a high level that they are hard to apply in the real world. With this post I will try to do the impossible: to describe how to work with security in a practical manner, regardless of what technology you use. I will highlight three categories of vulnerabilities, and describe them in a technology-independent way. My hope is to allow any development team to think about security and apply these categories to their specific technologies. ...

March 5, 2021 · 5 min · Oskar Edbro

Hacking is not a crime, or is it?

I’ve lately seen multiple bug bounty hunters on Twitter (and other platforms) proudly exclaiming that hacking is not a crime. They are not wrong, but I think the answer needs to be a bit more nuanced. So here is my take on hacking. Hacking is not inherently a crime, but neither is it automatically never criminal. I would compare it with lighting a fire. There are instances where it is helpful and legal (e.g. lighting a campfire), but there are at least as many ways of doing it illegally (e.g. burning down a building). The act of lighting a fire can be good or bad, legal or illegal, ethical or unethical. Everything depends on how you do it. ...

February 11, 2021 · 2 min · Oskar Edbro

An Analysis of the Spotify GDPR Data Export

I’ve gotten a bit curious about what data different companies are collecting about me. This has led to a couple of GDPR requests to companies to provide the data so I can analyse it. In this post I will share my thoughts about the content of the report I got from Spotify, and the process of fetching the data.

The Download Process

The process to get access to your data is quite straightforward. There are clear descriptions on how to download your data under privacy settings, where you can request a download. The collection process takes a while and an email is sent when your data is ready to be downloaded. In the email there is a link that allows you to download a zip archive containing your information. ...

February 7, 2021 · 14 min · Oskar Edbro