Security

4 min read – Security

A day in the life of a software security developer

The role of software security developer is relatively new and has its origins in Bekk’s security initiative. But how does a software security developer differ from a “regular” software developer?

3 min read – Kotlin, Security

Auth is hard and Kotlin is crazy!

I started my career as a developer in 2011. Soon I came upon the problem of a user proving who they are, and what they’re allowed to do. Seemed hard, but I reasoned I would get the hang of it quickly. That didn’t really happen. Authentication is hard. Authorization is harder. But. New tools and services make things easier. And today I will share a tiny crazy Kotlin tidbit that made my day a bit easier.

2 min read – Security

Become a security developer!

New security incidents are reported regularly, and there is no doubt that security now has a permanent place on the agenda. Still, it can be challenging to get security prioritised in everyday work. As a step in the right direction, we must move away from seeing security as an "every now and then" activity and towards working on it continuously.

6 min read – Security

Norwegian DMARC status

DMARC is one of the best weapons we have against spoofing. It turns out that Norwegian organisations need to shape up. See how well they are doing at dmarcstatus.no.

2 min read – Security

Intro to code scanning with CodeQL

4 min read – Security

Everything that is wrong with credit checks – and how we can fix it

Earlier in May, Norkart lost a large amount of personal information, including national identity numbers, about more than half of Norway's population. Norkart itself went out and recommended that everyone affected block themselves from credit checks. There are many problems with this recommendation, but the biggest is that the way credit checks work is outdated, and nobody seems to have any plans to do anything about it.

6 min read – Security

The luxury trap for developers is ignoring security debt

The product you do not maintain is a growing security risk that can quickly turn into a costly affair.

6 min read – Security

Security culture eats policy for breakfast!

A good security culture is worth a stack of policies, and then some.

6 min read – Security

Irresponsible product development will cost you

Do you leave finished IT projects to rot because you cannot afford maintenance? It is going to cost you.

6 min read – Security

Definitely Maybe with Bloom Filters

Let's take a look at Bloom Filters and how they work! Based on a talk and an article by Scott Helme.

6 min read – Security, Privacy

Key learnings from working on privacy in contact tracing

In today's post I'll share key lessons from my journey in implementing Anonymous Tokens and integrating them into Norway's contact tracing app "Smittestopp". Privacy and transparency, especially in government IT, are vital for gaining citizens' trust - and are here to stay. Therefore I'll share some success factors and my takeaways with you.

10 min read – Security

Segment your home network today!

The age of IoT (Internet of Things) is upon us, and it poses a real challenge to the security of our home networks. This post will look at some practical approaches you can take to isolate untrustworthy devices from the rest of your home network.

3 min read – Security

Schrems-II – At what cost?

With more than a year since the Schrems-II verdict, I am wondering if it has really left us with any better privacy, or if it has actually been a net loss for European citizens.

4 min read – Security

Using pass to share secrets in a team

Why you might want to use a "CLI-only" password manager, and how to do it.

8 min read – Security

Penetration Testing 101

Penetration testing is a popular topic within the security field. And being a penetration tester can be really fun, since you get to act like an attacker without actually being bad. In this article, we want to give you a brief introduction to what penetration testing is, what to look for when starting out and some tips on how you can learn more.

3 min read – Security

COVID certificates - We must make sure people can't cheat!

«We must make sure people can't cheat», said then Prime Minister Erna Solberg before the introduction of digital COVID certificates in Norway. But the authorities' technology optimism did not help against cheating, forgery and lack of compliance. When will we understand that technology does not exist in isolation from the society it is used in?

4 min read – Security

An introduction to Burp Suite for web developers

Have you ever worried about the security of the application you are developing and wished for a way to ensure that it is good enough? In this article you will get an introduction to a very popular application security testing tool and some insight into how you can use it as a developer to create secure web applications.

7 min read – Security

Creating great security culture

It's easy to think of software security as something related to code, but we must remember that it is just as much a question of people. Security must not become a purely technical exercise. The human factor is central, but can often be the most difficult thing to address. Let's look at how we can create a security culture, and how this can be an important part of your security work.

3 min read – Security

Merry Christmas!

In the first article of this year's calendar, we gave a few tips to help make your applications a bit more secure. Now, as the countdown has come to an end and we are ready to start the Christmas holidays, we want to give you a few more.

0 min read – Security

Talking CTFs with LiveOverflow

LiveOverflow is a German hacker running a very popular YouTube channel where he posts videos related to Capture The Flag competitions and IT security. I had the great honor and privilege of talking to him about his experiences with CTF competitions, among other things.

4 min read – Security

Anonymous Tokens for Private Contact Tracing

In a chaotic, pandemic-ridden 2020, we've seen a heated debate on the need for efficient contact tracing that still respects privacy. There are many aspects to this debate — this blog post covers how one can submit data anonymously, while still providing a verifiably authentic upload token.

4 min read – Security

Privacy Pass: Anonymous Tokens on the Web

We discussed elliptic curves earlier this month. Today, we look at how to use those to make the internet a bit more user friendly.

1 min read – Security

Our favorite podcasts

Looking for some entertainment while you decorate the Christmas tree or order the latest Christmas gifts? Today we share some of our favorite podcasts.

5 min read – Security

Are you vulnerable to privacy attacks and identity theft?

Christmas is fast approaching, and with it, a new year. It’s time to leave bad security habits behind in 2020, set aside some time for a digital cleanup, and move forwards with a clean slate.

7 min read – Security

How to host a CTF?

A CTF is a hacking competition. The participants compete for the highest score, by hacking intentionally vulnerable apps. It's a great deal of fun competing, but how does one host a CTF? This is the story of how I've been doing it, and how my CTF rig has evolved.

4 min read – Security

Why is securing critical infrastructure so difficult?

Critical infrastructures are, as the name suggests, critical to society and have in recent years become increasingly more digitalized. Such infrastructures include electric power, electronic communication, transport, as well as water supply and sewage. They are essential for the maintenance of societal functions that you and I depend on in our daily lives, and a disruption can paralyze a society and at worst lead to loss of life. Here, we will try to explain why critical infrastructures are especially difficult to secure against cyber attacks.

5 min read – Security

IoT Security at home

What is the state of IoT (Internet of Things) security in your home? Do you have any gadgets on your network that are vulnerable to exploitation? Maybe you have devices you do not recognize? If you own an IoT device, then you should be curious about how it talks to the Internet and how its security is taken care of.

6 min read – Security

Hacking Like it's 1996 - a short history of the stack buffer overflow.

2 min read – Security

People we follow

Looking for some inspiration? Something to learn? Here we give you a list of interesting people we follow. These people are worth listening to.

3 min read – Security

Spy back on the apps spying on you

Social media applications spy on you, and probably send home some data about you every second you use the app. But what about the applications that have another business model? Do you trust that your bus pass app, developed by your municipality, or your smart vacuum cleaner is not sending your data back to the developers? Often, we have no idea, and until recently iOS users had no good way of inspecting the traffic that was sent from their devices.

6 min read – Security

Ransomware – How to stay one step ahead of the cybercriminals

Ransomware is extremely costly and difficult to get rid of, and once your files are encrypted you may have lost that data permanently. Giving in to the ransom demand is expensive, gives no guarantee that your data will be restored, and only encourages cybercriminals to keep attacking and extorting money from individuals and companies alike. Clearly, the best way to deal with the rise in ransomware attacks is to implement solid preventative measures to avoid getting infected in the first place. And, if the worst should happen and all your files do get encrypted, to have alternative ways of restoring your data.

7 min read – Security

Ransomware - a Devastating Form of Digital Extortion

We live in a digital era where the most precious commodity is no longer oil or gold, but data. But what if this data, including personal files, customer lists and company data, flight traffic information, or even sensitive hospital records, were stolen? What would you do, or pay, to get it back?

8 min read – Security

The data you give

He sees you when you’re sleeping, he knows when you’re awake, he knows if you’ve been bad or good, so be good for goodness’ sake. This is a line from a popular Christmas song. It obviously refers to Santa Claus. However… What if this is true, not only for Santa, but for large companies worldwide? We’ll take a closer look at the data you give and the repercussions.

9 min read – Security

Privacy != Security

"Simula has, together with FHI, prioritised security and privacy very highly from the start in the development of the app." We find variants of this quote in many interviews about Smittestopp. Politicians, health bureaucrats and the developers assure us that security and privacy are taken care of. The contrast with the Smittestopp wreck is striking. How can this be understood?

6 min read – Security

The secretive history of modern cryptography

Cryptography is the science of secret writing with the goal of hiding the meaning of a message. When a message is encrypted with a secure algorithm, i.e. an encryption cipher, no one should be able to read it without the decryption key. However, the promise of security falls apart if the encryption algorithm is weak, or if someone has created a backdoor. In this article we’ll examine the modern history of encryption. We’ll learn that while the mathematical underpinnings of modern encryption are stronger than ever, government agencies have a history of thwarting efforts to reach the goal of truly secure communication.

3 min read – Security

Zero Trust for application developers

Zero Trust is a security model where each component has its own perimeter. This is different from a traditional security model where all components inside of a given perimeter are regarded as safe or trusted. It was introduced as a reaction to the traditional network security model as a measure against lateral movement after a breach.

4 min read – Security

Handy tips for staying secure on the go

We wrote about "Safe travels for the road warrior" last year. This year we offer one more trick, and expand our list for staying safe and secure on the road. Watch out for shoulder surfers, and protect your equipment if you have to leave it in, for example, your hotel room.

8 min read – Security

From Coils to Curves - A Primer on Elliptic Curve Cryptography

Elliptic curves are seemingly ubiquitous in modern cryptographic protocols, and may turn up again later this December. Let’s take this opportunity to gain insight on what they are and why they are used.

4 min read – Security

Five big hacks of 2020

Today we are going to explore five big hacks that took place in 2020. First we'll cover two hacks that targeted the Norwegian companies Sykehuspartner and NHH. Then we'll take a look at a hack that targeted the Danish company ISS. To wrap things up we'll cover what are probably the two most high-profile hacks of 2020: the Twitter phish and the CWT ransom.

4 min read – Security

How secure is your build pipeline?

As developers, we usually use some sort of pipeline to build and deploy our code. Tools like Circle CI, Gitlab CI/CD and Github Actions are popular. Can your pipelines be a security vulnerability? Can you use your pipeline to create a more secure application?

4 min read – Security

Github Security: Getting started with Dependabot

Integrating security as a part of application development is desirable, but it's often forgotten or dismissed in practice. Dependabot is a Github feature that will help you keep all your dependencies invulnerable and up-to-date, and you can enable it in just a few clicks!

5 min read – Security

Welcome to the Security Christmas Calendar!

We are really excited to present this year's calendar, and hope that you will enjoy reading it as much as we enjoyed writing it. Security as a topic is hotter than ever. While we count down the days until Christmas Eve you will be given new, original security content each day. Enjoy the countdown together with us!

2 min read – Security

Merry Christmas

As you open the final post of this year's security.christmas, we log out of our social media accounts, shut down Slack (or mute it for a while at least) and put away our tin foil hats.

10 min read – Security

Ransomware, an introduction

If you haven't lived under a rock the last couple of years, the term Ransomware isn't something new. It grinds the largest corporations to a complete halt and can take months to recover from. But how does it really work? And how should you protect yourself?

2 min read – Security

People we follow

On one of the darkest Sundays of the year, we again take a step back, and give you another list of interesting people we follow. Today we pay respect to a few people that deserve to be listened to. Of course there are others, but these stand out.

4 min read – Security

Safe travels for the road warrior

In business travel, a road warrior is a person who uses mobile devices such as tablets, laptops and smartphones, together with internet connectivity, to conduct business while traveling. The term stems from the movie Mad Max 2, starring Mel Gibson.

2 min read – Security

Who is your security champion?

We all know it; application security is a shared responsibility, and everyone in the team should act according to the secure development lifecycle process. But our experience is that security is one of the first non-functional requirements that is dropped when deadlines approach or when management is setting up a budget for the next period.

4 min read – Security

OWASP, but there is more

The Open Web Application Security Project, or OWASP, is mostly known for its Top Ten Project, which covers the most critical web application security risks. They also maintain one of the most popular free security tools, the OWASP Zed Attack Proxy. But there is more, so much more. In this post we cover some of our favorite tools from the OWASP project and how we use them.

4 min read – Security

Tor, the onion router

Does the US government sponsor the development of the darknet? What is The Onion Router project and why should you be anonymous on the internet?

3 min read – Security

The problem with IoT and random

“The s in IoT stands for security” is a joke as old as the shared code base used in your IoT web-camera. Usually we mock IoT for having little or bad security, but the real issue is perhaps that IoT can't have good security.

3 min read – Security

WebAuthn - The simplest way to 2FA

We've covered FIDO2 in this year's eleventh calendar post, and with FIDO2 available the internet has all the tools needed to lighten the load of the password. One of its results is the Web Authentication (WebAuthn) API, simplifying FIDO2 authentication for web browsers. Here are the basics to get started with a wide range of authenticators on your website.

3 min read – Security

Stuff we read - Sunday reading

3 min read – Security

Bulletproof hosting

When hearing about security breaches and cybercrime in general, one is sometimes left wondering: where are these servers hosted, and why can't they be stopped?

4 min read – Security

Get your client side reports together!

Reporting API. That sounds really cool! Or really boring you say? This is one of the W3C-drafts that may not have gotten the attention it deserves so let's take a look!

2 min read – Security

Reverse tabnabbing

In a phishing attack the attacker will try to steal user data, e.g. login credentials. Reverse tabnabbing is a phishing method, and here we will try to explain what it is and how it can be prevented.

6 min read – Security

FIDO2 - the Answer to the World's Password Problem

5 min read – Security

Responsible disclosure

You double checked, triple checked, even quadruple checked, and it is really there! You have just found a vulnerability in someone else's system. Maybe you just got access to something you shouldn't have, you can prove that an attacker could easily take down the system, or you found your way around the payment process in a shop. Whatever the bug, you now need to disclose it, but in a responsible manner.

4 min read – Security

Heads-Up, ZAP!

The Zed Attack Proxy (ZAP) is one of our go-to tools for doing security assessments and testing applications. Tia Firing wrote about this last year; check it out. This year we were excited to learn that a new feature called Heads Up Display was introduced in the latest version.

3 min read – Security

Stuff we listen to

After an eventful (or not) weekend, nothing beats listening to some fine entertainment while taking a walk, skiing in the woods or cranking out some code on your hobby research project. Today we are happy to share some of our favorite podcasts this year.

7 min read – Security

OWASP Mobile Top 10

The Open Web Application Security Project (OWASP) maintains and releases the well-known OWASP Top 10. It is a list of the most critical security risks in web applications today. When developing mobile applications, security is of no less importance. However, the risks and vulnerabilities may be a little different. Therefore, OWASP developed another top 10 list, the OWASP Mobile Top 10, which lists the 10 most critical security risks and vulnerabilities for applications running on a mobile platform. In 2018, NowSecure claimed that 85% of mobile applications available on the App Store or Google Play violated at least one of the risks on the list. In this article, we will give you a brief summary and introduction to the risks we are talking about.

3 min read – Security

Here, have my biometric data, I don't care.

Some grocery stores in Norway use fingerprints for verifying the user's age when buying an age-restricted item. The security of this solution gets a thumbs up 👍

4 min read – Security

Encrypted DNS

When we browse the web today, most of the traffic is encrypted. Usage statistics from Google show that about 90 percent of the websites loaded in the Chrome browser are loaded over HTTPS. Even though much of the content we upload and download over the internet is protected, there is still a lot of other information about our internet activity that is available to outsiders.

2 min read – Security

CSP - done right

Okay, so you want to secure your app with a CSP policy. Great! But where do you start, and what do you do if some parts of your app are out of your control?

5 min read – Security

Bug Bounty - The modern treasure hunt

So, you would like to be one of the cool security researchers that find vulnerabilities in the most used websites in the world, saving millions from the bad guys, and maybe make some cash along the way? Well, this is your lucky day! It's time to learn about bug bounties!

7 min read – Security

Secure Quick Reliable Login (SQRL)

In case you haven't noticed: passwords suck. Fortunately, alternatives to that age-old authentication scheme are finally becoming practical. Today we will look at SQRL (Secure Quick Reliable Login), which aspires to become the simple and secure solution for your everyday authentication needs.

2 min read – Security

The annual Security Christmas calendar

Welcome to the annual Security Christmas Calendar. After weeks of research and writing we are super excited to finally be able to present this year's calendar.

3 min read – Security

Secure and Merry Christmas

3 min read – Security

Secure your local network

It is soon Christmas, and you might get new shiny gadgets under your Christmas tree. Now it is important to install these new shiny gadgets securely.

3 min read – Security

Scanning Vulnerable Dependencies

When creating a web application, it is almost impossible to create it without relying on third party dependencies. But how do you know that the dependencies you use are secure?

3 min read – Security

When developers disclose information

Information sensitivity is a problem that can bring your organization to its knees. What do you do when disaster strikes?

3 min read – Security

Insecure Direct Object Reference

When creating a web application, or a website with more than one page, you will need to reference different resources. If you create a blog, you need to create unique paths to all the blog posts, like we are doing in this Christmas calendar. You can see that the URL is https://security.christmas/2018/20, where 2018 is a reference to the year, and 20 to the day of December. It is a fairly simple system, and you may have tried to skip ahead, only to be met by a page saying you have to wait a bit longer?

3 min read – Security

Best practice for passwords

There are numerous techniques for cracking passwords, and already cracked passwords are floating around the web waiting to be used by threat actors. How can we reduce the risks concerning passwords?

2 min read – Security

Time to clean up your social logins

As the end of the year closes in, there is no shortage of tips on how to get your home ready for the festive season. We think you should take a time out, and consider which applications should still have access to your social accounts.

3 min read – Security

Security in containers and orchestrations

Containers are currently the best way to build software for platform independence, and an orchestration service manages them, but what about the security?

3 min read – Security

Secure password storage - for users

Having unique passwords for every site and service presents us with the problem of remembering, or rather storing, our passwords in a safe but practical manner. How do we cope with hundreds of passwords?

4 min read – Security

Security headers

How the browser and the webserver can join forces to protect both the user and the webserver: Enter security headers!

3 min read – Security

Content Security Policy

Use Content Security Policy (CSP) headers to prevent loading of untrusted resources and mitigate cross-site scripting (XSS) attacks.

4 min read – Security

Cross Site Scripting (XSS)

In the beginning, web pages were very static. They were written in HTML, and the web browser had one job: to render the HTML into a page filled with text, images and links. After a few years, developers wanted more, and JavaScript was introduced. Together with JavaScript came a new breed of vulnerabilities, where attackers could exploit the possibility of running code in browsers. This was called Cross Site Scripting, or XSS.

3 min read – Security

Predictable HTTP-responses

If your API has sensitive endpoints that return different HTTP responses given user action A or B, then this information is enough to infer user information that can be exploited. Learning from Tinder, let's investigate why having non-deterministic HTTP responses is important, and try to make our most business-critical API endpoints more secure.

3 min read – Security

Cross Origin Resource Sharing

Cross Origin Resource Sharing (CORS) is an important concept in modern web application security. We will try to explain what it is.

4 min read – Security

OWASP ZAP

Do you want to try more hands-on security testing, but you're not quite sure where to begin? Keep on reading!

3 min read – Security

Revoking certificates

Managing certificates, and rotating them in due time, can quickly get out of hand.

3 min read – Security

Injections

Did you know that an attacker could inject code into your application, which could retrieve data or do something else that you did not anticipate?

3 min read – Security

Error messages and information leakage

Did you know that your application may be giving valuable clues to an attacker if an error occurs?

4 min read – Security

Two-factor authentication

You have been told that two-factor authentication is important, but why, and what is it really?

4 min read – Security

Forgot password - your chance to shine, or fail

Make an effort on user experience and security awareness when implementing "Forgot password", and avoid exposing sensitive user information.

3 min read – Security

Cross Site Request Forgery

Have you ever wondered how someone could steal money from your bank account while you browse certain sites, or post as you on Facebook? That is called Cross Site Request Forgery (CSRF), and we will try to explain what it is, and how you protect your website and users against it.

4 min read – Security

Public Wifi

After grabbing your favorite double pumpkin spiced latte with soy milk, you get ready to lean back and browse the latest memes. But should you be connecting to the coffee shop WiFi? How dangerous can it really be?

3 min read – Security

Public key certificates

Most developers will sooner or later have to deal with certificates. But what is a certificate, really? It's got something to do with authentication, right..? In this post we will try to explain what a certificate actually is!

2 min read – Security

Celebrate a more secure Christmas this year

This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about the world of security.