Security Professionals Have to be More than Nay-Sayers

A couple of weeks back I had a very interesting meeting at work. After I met a new development team and discussed security (testing), they commented on how great it was to work with a driven and interested security engineer instead of a nay-sayer. This got me thinking about the overall view of security professionals from others, and I realised that we are often seen as a hindrance. This line of thinking arose once more after reading the “Report on the 2020 FOSS Contributor Survey” [1]. The report highlights that developers of FOSS (Free Open Source Software) have the same view, that security is a hindrance, a necessary evil that has to be done. Something to not spend more time on than absolutely necessary since it's just annoying and boring, something that we must strive to change. ...

December 15, 2020 · 2 min · Oskar Edbro

The Triad of Security

In the news lately I’ve seen multiple news stories where security breaches have been discussed. Most of them have followed sensitive data being disclosed after a company has been hacked. In cybersecurity we usually categorise a vulnerability or incident based on its impact, and to do so we use the CIA triad. No, CIA in this case does not stand for Central Intelligence Agency. In this case CIA stands for the three kinds of impact a vulnerability can have: Confidentiality, Integrity and Availability. ...

December 1, 2020 · 3 min · Oskar Edbro

A Look at Defence In Depth

Far too often organisations do all their security work on the few systems that are exposed to the internet. This might be acceptable when you begin the structured and ongoing work with security, but you should try to move on to defence in depth as soon as possible. Defence in depth is where you do not leave security to one layer of an application (or solution), but instead validate the security every step of the way. A common example of this is that even if you have a network firewall you do not disable the firewall in the operating system. This can be transferred to software development as well. In a more complex system each component should get the same security controls. It should not only be the frontend API that validates the input; instead each component should treat the data as untrusted and validate it when it receives it from another component. By doing so the resilience of the solution as a whole is greatly improved, where a single issue has limited impact, and might not even be exploitable. ...

October 31, 2020 · 5 min · Oskar Edbro

Beginning my Journey into Tasklists

In my role I always have to balance how I should spend my time. I usually have one project I’m currently working on, and a couple that are in the planning phase for the future. In addition there are requests of different sizes that interrupt any schedule. I love this dynamic, but it isn’t always easy. I’ve been using a simple todo software for quite a while now to keep track of my tasks. However, I have used the list in an ad hoc manner. Not having a routine in my task management meant that the list was always incomplete. About a month ago I had enough and began figuring out a better way to organise my life. Without having reached the final and optimal organisation routine, I wish to share my thoughts so far. ...

October 17, 2020 · 4 min · Oskar Edbro

Handling Penetration Test Findings can be more than Vulnerabilities

In my years of working as an application security (appsec) penetration tester I’ve come to the conclusion that there is so much more value to be added than pure technical vulnerabilities. To deliver the most value you have to be willing and able to walk the extra mile. Before getting into what can be done to increase the value, let’s dig into the two most common types of vulnerabilities.

Technical Vulnerabilities

The technical vulnerabilities are the most common vulnerabilities we see. This is where the application is abused to do something it shouldn’t, for example by injecting code or abusing weak cryptography. Even though the vulnerability is technical, it is important for the reporter to describe how it will impact the business. Otherwise the receiving organisation might not have enough of an understanding to prioritise the issues and handle them accordingly. Even though a code injection can be used to pivot to other machines, the main impact for the business can often be linked to the confidentiality, integrity and availability of the application. As a tester it can be hard to accept, but a DOM-based XSS might be an accepted risk if the only impact is defacing the site by pasting code into the search box. ...

September 19, 2020 · 4 min · Oskar Edbro