Over the years, FINN.no has been doing a lot of different security assessments: from the classical one test per release to regular on-site review and testing by security professionals, and more extensive bi-yearly tests.

Still, last year we discovered that the average lifetime of vulnerabilities found in production was higher than expected. The average lifetime was several years, and the outliers had been in production for a decade! We realized that the way we had done security testing did not keep up with all the changes in FINN.

The “release test” made sense back in the day when we had few releases per year, but now we are pushing changes to production well over 1500 times a week, and the concept of a release test or bi-yearly tests makes little sense. Also, a lot of the vulnerabilities had survived previous security assessments, and that is probably not for lack of skill among the penetration testers, but proof that sufficiently large applications are hard to test with limited time and personnel. …

Intro: Black Hat vs DEFCON

Black Hat “Business Hall”

In August I attended the security conferences Black Hat and DEFCON in Las Vegas. The cons are organized back to back, with the Black Hat Briefings on the first two days of the week and then DEFCON from Wednesday till Sunday morning. …


Emil Vaagland

code & infosec
