
Content about Security

101 posts in total


The problem with IoT and random

Security
Article (3 min)
By Didrik Sæther
17.12.2019

“The s in IoT stands for security” is a joke as old as the shared code base used in your IoT web-camera. Usually we mock IoT for having little or bad security, but the real issue is perhaps that IoT can't have good security.

WebAuthn - The simplest way to 2FA

Security
Article (3 min)
By Mats Jonassen
16.12.2019

We've covered FIDO2 in this year's eleventh calendar post, and with FIDO2 available the internet has all the tools needed to lighten the load of the password. One of its results is the Web Authentication (WebAuthn) API, simplifying FIDO2 authentication for web browsers. Here are the basics to get started with a wide range of authenticators on your website.

Stuff we read - Sunday reading

Security
Article (4 min)
By Anonymous
15.12.2019

Bulletproof hosting

Security
Article (4 min)
By Lars-Erik Wollan
14.12.2019

When hearing about security breaches and, typically, cybercrime, one is sometimes left wondering: where are these servers hosted, and why can't they be stopped?

Get your client side reports together!

Security
Article (5 min)
By Johan Andre Lundar
13.12.2019

Reporting API. That sounds really cool! Or really boring you say? This is one of the W3C-drafts that may not have gotten the attention it deserves so let's take a look!

Reverse tabnabbing

Security
Article (3 min)
By Robert Larsen
12.12.2019

In a phishing attack the attacker will try to steal user data, e.g. login credentials. Reverse tabnabbing is a phishing method, and here we will try to explain what it is and how it can be prevented.

FIDO2 - the Answer to the World's Password Problem

Security
Article (8 min)
By Emil Øien Lunde
11.12.2019

Responsible disclosure

Security
Article (6 min)
By Hans Kristian Henriksen
10.12.2019

You double checked, triple checked, even quadruple checked, and it is really there! You have just found a vulnerability in someone else's system. Maybe you just got access to something you shouldn't have, you can prove that an attacker could easily take down the system, or you found your way around the payment process in a shop. Whatever the bug, you now need to disclose it, but in a responsible manner.

Heads-Up, ZAP!

Security
Article (5 min)
By Lars-Erik Wollan
09.12.2019

The Zed Attack Proxy (ZAP) is one of our go-to tools for doing security assessments and testing applications. Tia Firing wrote about this last year; check it out. This year we were excited to learn that a new feature called Heads Up Display was introduced in the latest version.

Stuff we listen to

Security
Article (4 min)
By Anonymous
08.12.2019

After an eventful, or not, weekend, nothing beats listening to some fine entertainment while taking a walk, going skiing in the woods or while cranking out some code on your hobby research project. Today we are happy to share some of our favorite podcasts this year.

OWASP Mobile Top 10

Security
Article (9 min)
By Robert Larsen
07.12.2019

The Open Web Application Security Project (OWASP) maintains and releases the well-known OWASP Top 10. It is a list of the most critical security risks in web applications today. When developing mobile applications, security is of no less importance. However, the risks and vulnerabilities may be a little different. Therefore, OWASP developed another top 10 list, OWASP Mobile Top 10, which lists the 10 most critical security risks and vulnerabilities for applications running on a mobile platform. In 2018, NowSecure claimed that 85% of mobile applications available on the App Store or Google Play violated at least one of the risks on the list. In this article, we will give you a brief summary and introduction to which risks we are talking about.

Here, have my biometric data, I don't care.

Security
Article (3 min)
By Didrik Sæther
06.12.2019

Some grocery stores in Norway use fingerprints for verifying the user's age when buying an item that has age restrictions. The security of this solution gets a thumbs up 👍

Encrypted DNS

Security
Article (4 min)
By Emil Øien Lunde
05.12.2019

When we surf the web today, most of the traffic is encrypted. Usage statistics from Google show that about 90 percent of the websites loaded in the Chrome browser are loaded over HTTPS. Even though much of the content we upload and download over the internet is protected, there is still a lot of other information about our internet activity that is available to unauthorized parties.

CSP - done right

Security
Article (3 min)
By Johan Andre Lundar
04.12.2019

Okay, so you want to secure your app with a CSP policy. Great! But where to start, and what to do if some parts of your app are out of your control?

Bug Bounty - The modern treasure hunt

Security
Article (6 min)
By Hans Kristian Henriksen
03.12.2019

So, you would like to be one of the cool security researchers that find vulnerabilities in the most used websites in the world, saving millions from the bad guys, and maybe make some cash along the way? Well, this is your lucky day! It's time to learn about bug bounties!