Awareness

There are very few, if any, development teams that introduces vulnerabilities into their software out of malicious intent. Instead it is mistakes that are introduced due to lack of time, awareness, or something alike. There are lots of materials out there that are either super detailed for a specific technology stack, or on such a high level it is hard to apply in the real world. With this post I will try to do the impossible, to describe how you work with security in a practical manner, regardless of what technology you use. I will highlight three categories of vulnerabilities, and describe them in a technology independent way. My hope with this is to allow any development team to have a think about security, and apply them to their specific technologies. ...

A couple of weeks back I had a very interesting meeting at work. After meeting a new development team and discussing security (testing), they commented on how great it was to work with a driven and interested security engineer instead of a nay-sayer. This got me thinking about the overall view of security professionals from others, and realised that we are often seen as a hindrance. This line of thinking arose once more after reading the “Report on the 2020 FOSS Contributor Survey” [1]. The report highlights that developers of FOSS (Free Open Source Software) have the same view, that security is a hindrance, a necessary evil that has to be done. Something to not spend more time on than absolutely necessary since its just annoying and boring, something that we must strive to change. ...

In the news lately I’ve seen multiple news stories where security breaches have been discussed. Most of them have followed sensitive data being disclosed after a company has been hacked. In cybersecurity usually categorise a vulnerability or incident based on its impact, and to do so we use the CIA triad. NO, CIA in this case does not stand for Central Intelligence Agency. In this case CIA stands for the three kinds of impact a vulnerability can have, Confidentiality, Integrity and Availability. ...