The role of software security developer is relatively new, and has its origins in Bekk’s security initiative. But how does a software security developer differ from a “regular” software developer?
I started my career as a developer in 2011. Soon I came upon the problem of a user proving who they are, and what they’re allowed to do. Seemed hard, but I reasoned I would get the hang of it quickly. That didn’t really happen. Authentication is hard. Authorization is harder. But. New tools and services make things easier. And today I will share a tiny crazy Kotlin tidbit that made my day a bit easier.
New security incidents are reported regularly, and there is no doubt that security has earned a permanent place on the agenda. Still, it can be challenging to get security prioritised in day-to-day work. As a step in the right direction, we must move away from treating security as an "every now and then" activity and towards working on it continuously.
DMARC is one of the best weapons we have against spoofing. It turns out that Norwegian organisations need to step up. See how well they do at dmarcstatus.no.
Earlier in May, Norkart lost a large amount of personal information, including national identity numbers, about more than half of Norway's population. Norkart itself went out and recommended that everyone affected block themselves from credit checks. There are many problems with this recommendation, but the biggest is that the way credit checks work is outdated, and nobody seems to have any plans to do anything about it.
The product you do not maintain is a growing security risk that can quickly turn into an expensive affair.
A good security culture is worth a stack of policies and then some.
Do you leave finished IT projects lying around to rot because you can't afford maintenance? It is going to cost you.
Let's take a look at Bloom Filters and how they work! Based on a talk and an article from Scott Helme.
In today's post I'll share key lessons from my journey implementing Anonymous Tokens and integrating them into Norway's contact tracing app "Smittestopp". Privacy and transparency, especially in government IT, are vital for gaining citizens' trust - and are here to stay. Therefore I'll share some success factors and my takeaways with you.
The age of IoT (Internet of Things) is upon us, and it poses a real challenge to the security of our home networks. This post will look at some practical approaches you can take to isolate untrustworthy devices from the rest of your home network.
With more than a year since the Schrems-II verdict, I am wondering if it has really left us with any better privacy, or if it has actually been a net loss for European citizens.
Why you might want to use a "CLI-only" password manager, and how to do it.
Penetration testing is a popular topic within the security field. And being a penetration tester can be really fun since you get to act like an attacker without actually being bad. In this article, we want to give you a brief introduction to what penetration testing is, what to look for when starting out and some tips on how you can learn more.
«We must make sure people can't cheat,» said then Prime Minister Erna Solberg before the introduction of digital COVID certificates in Norway. But the authorities' technology optimism did not help against cheating, forgery and lack of compliance. When will we understand that technology does not exist in isolation from the society it is used in?
Have you ever worried about the security of the application you are developing and wished for a way to ensure that it is good enough? In this article you will get an introduction to a very popular application security testing tool and some insight into how you can use it as a developer to create secure web applications.
It's easy to think of software security as something related to code, but we must remember that it is just as much a question of people. Security must not become a purely technical exercise. The human factor is central, but can often be the most difficult thing to address. Let's look at how we can create a security culture, and how this can be an important part of your security work.
In the first article of this year's calendar, we gave a few tips to help make your applications a bit more secure. Now, as the countdown has come to an end, and we are ready to start the Christmas holidays, we want to give you a few more.
LiveOverflow is a German hacker running a very popular YouTube channel where he posts videos related to Capture The Flag competitions and IT security. I had the great honor and privilege of talking to him about his experiences with CTF competitions, among other things.
In a chaotic, pandemic-ridden 2020, we've seen a heated debate on the need for efficient contact tracing that still respects privacy. There are many aspects to this debate — this blog post covers how one can submit data anonymously, while still providing a verifiably authentic upload token.
We discussed elliptic curves earlier this month. Today, we look at how to use those to make the internet a bit more user friendly.
Looking for some entertainment while you decorate the Christmas tree or order the latest Christmas gifts? Today we share some of our favorite podcasts.
Christmas is fast approaching, and with it, a new year. It’s time to leave bad security habits behind in 2020, set aside some time for a digital cleanup, and move forwards with a clean slate.
A CTF is a hacking competition. The participants compete for the highest score, by hacking intentionally vulnerable apps. It's a great deal of fun competing, but how does one host a CTF? This is the story of how I've been doing it, and how my CTF rig has evolved.
Critical infrastructures are, as the name suggests, critical to society and have in recent years become increasingly digitalized. Such infrastructures include electric power, electronic communication, transport, as well as water supply and sewage. They are essential for maintaining the societal functions that you and I depend on in our daily lives, and a disruption can paralyze a society and at worst lead to loss of life. Here, we will try to explain why critical infrastructures are especially difficult to secure against cyber attacks.
What is the state of the IoT (Internet of Things) security in your home? Do you have any gadgets on your network that are vulnerable to exploitation? Maybe you have some devices you do not recognize? If you own an IoT device, then you should be curious about how it talks to the Internet and how security is taken care of.
Looking for some inspiration? Something to learn? Here we give you a list of interesting people we follow. These people are worth listening to.
Social media applications spy on you, and probably send home some data about you every second you use the app. But what about the applications that have another business model? Do you trust that your bus pass app, developed by your municipality, or your smart vacuum cleaner is not sending your data back to the developers? Often, we have no idea, and until recently iOS users had no good way of inspecting the traffic that was sent from their devices.
Ransomware is extremely costly and difficult to get rid of, and once your files are encrypted you may have lost that data permanently. Giving in to the ransom demand is expensive, gives no guarantee that your data will be restored, and only encourages cybercriminals to keep attacking and extorting money from individuals and companies alike. Clearly, the best way to deal with the rise in ransomware attacks is to implement solid preventative measures to avoid getting infected in the first place. And, if the worst should happen and all your files do get encrypted, to have alternative ways of restoring your data.
We live in a digital era where the most precious commodity is no longer oil or gold, but data. But what if this data, including personal files, customer lists and company data, flight traffic information, or even sensitive hospital records, were stolen? What would you do, or pay, to get it back?
He sees you when you’re sleeping, he knows when you’re awake, he knows if you’ve been bad or good, so be good for goodness’ sake. This is a line from a popular Christmas song. It obviously refers to Santa Claus. However… What if this is true, not only for Santa, but for large companies worldwide? We’ll take a closer look at the data you give away and the repercussions.
«Simula has, together with FHI, given security and privacy very high priority from the start in the development of the app.» We find various versions of this quote in many interviews about Smittestopp. Politicians, health bureaucrats and the developers assure us that security and privacy have been taken care of. The contrast with the Smittestopp failure is striking. How can this be understood?
Cryptography is the science of secret writing with the goal of hiding the meaning of a message. When a message is encrypted with a secure algorithm, i.e. an encryption cipher, no one should be able to read it without the decryption key. However, the promise of security falls apart if the encryption algorithm is weak, or if someone has created a backdoor. In this article we’ll examine the modern history of encryption. We’ll learn that while the mathematical underpinnings of modern encryption are stronger than ever, government agencies have a history of thwarting efforts to reach the goal of truly secure communication.
Zero Trust is a security model where each component has its own perimeter. This is different from a traditional security model where all components inside of a given perimeter are regarded as safe or trusted. It was introduced as a reaction to the traditional network security model as a measure against lateral movement after a breach.
We wrote about "Safe travels for the road warrior" last year. This year we offer one more trick, and expand our list for staying safe and secure on the road. Watch out for shoulder surfers, and protect your equipment if you have to leave it in, for example, your hotel room.
Elliptic curves are seemingly ubiquitous in modern cryptographic protocols, and may turn up again later this December. Let’s take this opportunity to gain insight on what they are and why they are used.
Today we are going to explore five big hacks that took place in 2020. First we'll cover two hacks that targeted the Norwegian companies Sykehuspartner and NHH. Then we'll take a look at a hack that targeted the Danish company ISS. To wrap things up we'll cover what are probably the two most high-profile hacks of 2020: the Twitter phish and the CWT ransom.
As developers, we usually use some sort of pipeline to build and deploy our code. Tools like Circle CI, Gitlab CI/CD and Github Actions are popular. Can your pipelines be a security vulnerability? Can you use your pipeline to create a more secure application?
Integrating security as a part of application development is desirable, but it's often forgotten or dismissed in practice. Dependabot is a GitHub feature that will help you keep all your dependencies free of known vulnerabilities and up to date, and you can enable it in just a few clicks!
We are really excited to present this year's calendar, and hope that you will enjoy reading it as much as we enjoyed writing it. Security as a topic is hotter than ever. While we count down the days until Christmas Eve you will be given new, original security content each day. Enjoy the countdown together with us!
As you open the final post of this year's security.christmas, we log out of our social media accounts, shut down Slack (or mute it for a while at least) and put away our tin foil hats.
If you haven't lived under a rock the last couple of years, the term Ransomware isn't something new. It grinds the largest corporations to a complete halt and can take months to recover from. But how does it really work? And how should you protect yourself?
On one of the darkest Sundays of the year, we again take a step back, and give you another list of interesting people we follow. Today we pay respect to a few people that deserve to be listened to. Of course there are others, but these stand out.
In business travel, a road warrior is a person who uses mobile devices such as tablets, laptops and smartphones, together with internet connectivity, to conduct business while traveling. The term comes from the movie Mad Max 2, starring Mel Gibson.
We all know it; application security is a shared responsibility and everyone in the team should act according to the secure development lifecycle process. But our experience is that security is one of the first non-functional requirements to be dropped when deadlines approach or when management is setting up a budget for the next period.
The Open Web Application Security Project, or OWASP, is mostly known for its Top Ten Project, which covers the most critical web application security risks. They also maintain one of the most popular free security tools, the OWASP Zed Attack Proxy. But there is more, so much more. In this post we cover some of our favorite tools from the OWASP project and how we use them.
Does the US government sponsor the development of the darknet? What is The Onion Router project and why should you be anonymous on the internet?
“The s in IoT stands for security” is a joke as old as the shared code base used in your IoT web-camera. Usually we mock IoT for having little or bad security, but the real issue is perhaps that IoT can't have good security.
We've covered FIDO2 in this year's eleventh calendar post, and with FIDO2 available the internet has all the tools needed to lighten the load of the password. One of its results is the Web Authentication (WebAuthn) API, simplifying FIDO2 authentication for web browsers. Here are the basics to get started with a wide range of authenticators on your website.
When hearing about security breaches and typically cybercrime, one is sometimes left wondering, where are these servers hosted and why can't they be stopped?
Reporting API. That sounds really cool! Or really boring you say? This is one of the W3C-drafts that may not have gotten the attention it deserves so let's take a look!
In a phishing attack the attacker will try to steal user data, e.g. login credentials. Reverse tabnabbing is a phishing method, and here we will try to explain what it is and how it can be prevented.
You double checked, triple checked, even quadruple checked, and it is really there! You have just found a vulnerability in someone else's system. Maybe you just got access to something you shouldn't have, you can prove that an attacker could easily take down the system, or you found your way around the payment process in a shop. Whatever the bug, you now need to disclose it, but in a responsible manner.
The Zed Attack Proxy (ZAP) is one of our go-to tools for doing security assessments and testing applications. Tia Firing wrote about this last year, check it out. This year we were excited to learn that a new feature called Heads Up Display was introduced in the latest version.
After an eventful, or not, weekend, nothing beats listening to some fine entertainment while taking a walk, going skiing in the woods or while cranking out some code on your hobby research project. Today we are happy to share some of our favorite podcasts this year.
The Open Web Application Security Project (OWASP) maintains and releases the well-known OWASP Top 10. It is a list of the most critical security risks in web applications today. When developing mobile applications, security is of no less importance. However, the risks and vulnerabilities may be a little different. Therefore, OWASP developed another top 10 list, OWASP Mobile Top 10, which lists the 10 most critical security risks and vulnerabilities for applications running on a mobile platform. In 2018, NowSecure claimed that 85% of mobile applications available on the App Store or Google Play violated at least one of the risks on the list. In this article, we will give you a brief summary and introduction to the risks we are talking about.
Some grocery stores in Norway use fingerprints to verify the user's age when buying an item that has age restrictions. The security of this solution gets a thumbs up 👍
When we browse the web today, most of the traffic is encrypted. Usage statistics from Google show that about 90 percent of the websites loaded in the Chrome browser are loaded over HTTPS. Even though much of the content we upload and download over the internet is protected, there is still a lot of other information about our internet activity that is available to outsiders.
Okay, so you want to secure your app with a CSP policy. Great! But where to start, and what to do if some parts of your app are out of your control?
So, you would like to be one of the cool security researchers that find vulnerabilities in the most used websites in the world, saving millions from the bad guys, and maybe make some cash along the way? Well, this is your lucky day! It's time to learn about bug bounties!
In case you haven't noticed: Passwords suck. Fortunately alternatives to that age-old authentication scheme are finally becoming practical. Today we will look at SQRL (Secure Quick Reliable Login), which aspires to become the simple and secure solution for your every-day authentication needs.
Welcome to the annual Security Christmas Calendar. After weeks of research and writing we are super excited to finally be able to present this year's calendar.
It is soon Christmas, and you might get new shiny gadgets under your Christmas tree. Now it is important to install these new shiny gadgets securely.
When creating a web application, it is almost impossible to create it without relying on third party dependencies. But how do you know that the dependencies you use are secure?
Information sensitivity is a problem that can bring your organization to its knees. What do you do when disaster strikes?
When creating a web application, or a web site with more than one page, you will need to reference different resources. If you create a blog, you need to create unique paths to all the blog posts, like we are doing in this Christmas calendar. You see that the url is https://security.christmas/2018/20, where 2018 is a reference to the year, and 20 to the day of December. It is a fairly simple system, and you may have tried to skip ahead, but been met by a page saying you have to wait a bit longer?
There are numerous techniques for cracking passwords, and already cracked passwords are floating around the web waiting to be used by threat actors. How can we reduce the risks concerning passwords?
As the end of the year closes in, there is no shortage of tips on how to get your home ready for the festive season. We think you should take a time out, and consider which applications should still have access to your social accounts.
Containers are currently the best way to build software for platform independence, and an orchestration service manages them, but what about their security?
Having unique passwords for every site and service presents us with the problem of remembering, or rather, storing our passwords in a safe but practical manner. How do we cope with hundreds of passwords?
How the browser and the webserver can join forces to protect both the user and the webserver: Enter security headers!
Use Content Security Policy (CSP) headers to prevent loading of untrusted resources and mitigate cross-site scripting (XSS) attacks
At the beginning, web pages were very static. They were written in HTML, and the web browser had one job: to render the HTML to a page filled with text, images and links. After a few years, the developers wanted more, and JavaScript was introduced. Together with JavaScript came a new breed of vulnerabilities, where attackers could exploit the possibility of running code in browsers. This was called Cross Site Scripting, or XSS.
If your API has sensitive endpoints which return different HTTP responses given user action A or B, then this information is enough to infer user information which can be exploited. Learning from Tinder, let's investigate why having non-deterministic HTTP responses is important and try to make our most business-critical API endpoints more secure.
Cross Origin Resource Sharing (CORS) is an important concept in modern web application security. We will try to explain what it is.
Do you want to try more hands-on security testing, but you're not quite sure where to begin? Keep on reading!
Managing certificates, and rotating them in due time can quickly get out of hand.
Did you know that an attacker could inject code into your application, which could retrieve data or do something else that you did not anticipate?
Did you know that your application may be giving valuable clues to an attacker if an error occurs?
You have been told that two-factor authentication is important, but why, and what is it really?
Make an effort on User Experience and security awareness when implementing "Forgot password", and avoid exposing sensitive user information
Have you ever wondered how someone could steal money from your bank account while you browse certain sites, or post as you on Facebook? That is called Cross Site Request Forgery (CSRF), and we will try to explain what it is, and how you protect your website and users against it.
After grabbing your favorite double pumpkin spiced latte with soy milk, you get ready to lean back and browse the latest memes. But should you be connecting to the coffee shop WiFi? How dangerous can it really be?
Most developers will sooner or later have to deal with certificates. But what is a certificate, really? It's got something to do with authentication, right..? In this post we will try to explain what a certificate actually is!
This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about the world of security.