Security Professionals Have to be More than Nay-Sayers

A couple of weeks back I had a very interesting meeting at work. After meeting a new development team and discussing security (testing), they commented on how great it was to work with a driven and interested security engineer instead of a nay-sayer. This got me thinking about how others view security professionals, and I realised that we are often seen as a hindrance. This line of thinking arose once more after reading the “Report on the 2020 FOSS Contributor Survey” [1]. The report highlights that developers of FOSS (Free Open Source Software) hold the same view: that security is a hindrance, a necessary evil that has to be done, something not to spend more time on than absolutely necessary since it’s just annoying and boring. That is a view we must strive to change. ...

December 15, 2020 · 2 min · Oskar Edbro

The Triad of Security

In the news lately I’ve seen multiple stories where security breaches have been discussed. Most of them have followed sensitive data being disclosed after a company has been hacked. In cybersecurity we usually categorise a vulnerability or incident based on its impact, and to do so we use the CIA triad. No, CIA in this case does not stand for Central Intelligence Agency. Here CIA stands for the three kinds of impact a vulnerability can have: Confidentiality, Integrity and Availability. ...

December 1, 2020 · 3 min · Oskar Edbro

A Journey from Technical Debts to Risks

Technical debt has become a common term when discussing the quality and maintainability of code. There are a lot of definitions of the debt, but they all have some things in common: the debt is the set of things in the solution that should be fixed but haven’t been fixed yet. This could include everything from lack of documentation or test coverage to code complexity. The debt might not have been there from the beginning, but rather been introduced while the solution grows. Another common denominator is that the debt will increase the cost of continued development within the solution. This can be seen in several different ways; for example, adding a feature to a complex codebase would require more time than adding the same feature to a simple one. ...

August 20, 2020 · 5 min · Oskar Edbro

Clicking on Links, What are the Risks?

One of the most common tips you hear in regard to security is to not click links, but how malicious can a link be in this day and age? In this article I’ll discuss the risks I see and what impact they may have, to initiate a discussion about these risks. The thing about the internet today is that everything is links, and many sites such as Twitter and bit.ly use link shortening to track usage and hide the original address. This makes it hard to know beforehand whether the link is legitimate, and thus might increase the likelihood of clicking a malicious one, but the impact will be the same. Here are four risks that I see when clicking a link. ...

June 18, 2020 · 3 min · Oskar Edbro