An image depicting a chain with the sun shining behind it.

Supply Chain Security in Light of EU Regulations: A Practical Approach

Lately, I’ve been thinking about the complexity of securing the software supply chain. If there’s one lesson we’ve learned from incidents like the SolarWinds and Kaseya attacks, it’s that our supply chains are increasingly becoming the weakest link in our cybersecurity defenses. What makes it even more challenging is the regulatory landscape—particularly within the European Union (EU)—which is evolving to place more responsibility on organizations to secure their supply chains. ...

September 30, 2024 · 5 min · Oskar Edbro
A picture of a coastal landscape, blurry except for through a camera lens held up in the middle of the image.

Different Kinds of Cybersecurity

In the world of cybersecurity there is a lot of specific definitions, a type of insider lingo that we assume that everyone agrees on the definition of. However, herein lies the problem. We assume, without discussing. I have ended up in multiple discussions that occurs due to different interpretations of a definition. In this post I’ll give my view of one of the biggest differences of definition that I have seen, namely what we include in the term cybersecurity. ...

August 27, 2023 · 4 min · Oskar Edbro
A mysterious hooded person on a busy night street lit by mostly pink neon signs.

Threat Modelling and Threat Actors

As security professionals working with software components it is not always easy to prioritise what security raising actions should be prioritised. According to most security standards (such as ISO27000) require a risk based security approach. Regardless if we are building our own applications, or we are installing third party software in our network we need to understand what threats there are to our environment. After understanding what threats there are, we prioritise them and thereby also prioritise what actions we should take to minimise the risk. Many organisations use threat modelling to understand what threats they have in their environment. However, I have lately come to understand that the definition of threat modelling varies widely between organisations. There are two main variants: ...

July 2, 2023 · 3 min · Oskar Edbro
A businessman playing chess

Vulnerability Categories for Business

There are endless ways to divide vulnerabilities into different classifications. Each more granular than the other. However, there is also a need to for a simple divide, targeted to the business. That is the problem this post will solve. By using the same categories as in the post Security for Any Development Team I will break down security vulnerabilities into three categories. After reading this post, you will get an insight into why vulnerabilities may arise, and what can be done to minimise the risk. ...

November 5, 2022 · 5 min · Oskar Edbro

Learning (Security) by Communication

Anyone working in Cybersecurity can tell you that there are endless fields of specialisation. For example, helping R&D through AppSec, hacking companies through red-teaming, or responding to incidents in a CyberSecurity Incident Response Team (CSIRT). Regardless of speciality, there are skills you will have mastered, and ones you haven’t. In addition to the skills there are knowledge, ways of working etc. connected to each field. ...

July 25, 2022 · 4 min · Oskar Edbro