A close up of the production facility at the Bristol Robotics Laboratory

Kinds of Penetration Testing

As a penetration tester, you will inevitably find yourself involved in scoping engagements, navigating the challenges of aligning a client’s needs with their expectations. “Penetration testing” is a term that almost everyone believes they understand, yet it often carries vastly different interpretations. This ambiguity makes it more of an umbrella term, offering little insight into how the test will actually be executed or what it will cover. In this post, I’ll share my perspective on one approach to differentiating how penetration tests can be executed, helping both testers and clients clarify their expectations. ...

December 7, 2024 · 5 min · Oskar Edbro
An image depicting a chain with the sun shining behind it.

Supply Chain Security in Light of EU Regulations: A Practical Approach

Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains. ...

September 30, 2024 · 5 min · Oskar Edbro
A picture of a coastal landscape, blurry except for through a camera lens held up in the middle of the image.

Different Kinds of Cybersecurity

In the world of cybersecurity there are a lot of specific definitions, a kind of insider lingo whose meaning we assume everyone agrees on. Herein lies the problem: we assume, without discussing. I have ended up in multiple discussions that arose purely from different interpretations of a definition. In this post I’ll give my view of one of the biggest differences of definition that I have seen, namely what we include in the term cybersecurity. ...

August 27, 2023 · 4 min · Oskar Edbro
A mysterious hooded person on a busy night street lit by mostly pink neon signs.

Threat Modelling and Threat Actors

As security professionals working with software components, it is not always easy to decide which security-raising actions should be prioritised. Most security standards (such as ISO27000) require a risk-based security approach. Regardless of whether we are building our own applications or installing third-party software in our network, we need to understand what threats there are to our environment. After understanding those threats, we prioritise them and thereby also prioritise the actions we should take to minimise the risk. Many organisations use threat modelling to understand what threats they have in their environment. However, I have lately come to understand that the definition of threat modelling varies widely between organisations. There are two main variants: ...

July 2, 2023 · 3 min · Oskar Edbro
A businessman playing chess

Vulnerability Categories for Business

There are endless ways to divide vulnerabilities into different classifications, each more granular than the last. However, there is also a need for a simple division targeted at the business. That is the problem this post will solve. Using the same categories as in the post Security for Any Development Team, I will break down security vulnerabilities into three categories. After reading this post, you will have an insight into why vulnerabilities arise and what can be done to minimise the risk. ...

November 5, 2022 · 5 min · Oskar Edbro