<rss version="2.0">
<channel>
    <title>Omegapoint Security Blog</title>
    <link>https://securityblog.omegapoint.se</link>
    <language>en-us</language>
    <webMaster>securityblog@omegapoint.se</webMaster>
    <lastBuildDate>Mon, 04 May 2026 14:36 +0000</lastBuildDate>
    <description>At Omegapoint we are strong believers in sharing our knowledge. On this site we have gathered blog posts and articles that represent our passion for cybersecurity and secure application development.</description>


<item>
<title>Defense in Depth: Identity modelling (part 1/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/1-identity-modelling/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>Virtually all of the systems we are building today share data via public networks. We rarely want that data to be available to everyone, so we restrict access to it.</description>
</item>

<item>
<title>Defense in Depth: Claims-based access control (part 2/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/2-claims-based-access-control/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>In the previous article, we talked about what information we require to achieve strong access control. This article looks at how we translate information about which scopes and audiences the user has approved, their identity and details about their login into the rights we use for access control.</description>
</item>

<item>
<title>Defense in Depth: Clients and sessions (part 3/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/3-clients-and-sessions/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>In the first two articles, we discussed how to design your system in order to build strong access control. We looked at how you can strike the right balance in terms of what information is associated with your access token, and we looked at balancing identity and local permissions. This article takes a look at how to configure a client in order to get a token, and how we handle sessions.</description>
</item>

<item>
<title>Defense in Depth: Secure APIs (part 4/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/4-secure-apis/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>Our first three articles were about designing and getting an access token. We also established a model for how we move from identity and scopes to the permissions that we base all further access control on.
In this article, we discuss what you need to do when implementing your API in order to protect your functions and your data.</description>
</item>

<item>
<title>Defense in Depth: Infrastructure and data storage (part 5/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/5-infrastructure-and-data-storage/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>The first three articles covered modelling identity and the steps necessary to retrieve an access token. The fourth article showed how to validate an incoming request and build fine-grained access control for our API.
In this article we discuss important security aspects of the server-side infrastructure needed to deploy and operate the system described in the previous articles. We also cover some important notes regarding data and account management.</description>
</item>

<item>
<title>Defense in Depth: Web browsers (part 6/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/6-web-browsers/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>In the previous article we covered some important security aspects regarding server-side infrastructure. This article covers some of the challenges we face on the client side, in particular when working with browsers.
The browser is a very attractive target environment for distributing applications and systems to the user. It is easy to access and requires no additional installation, since most of today's users have access to a modern browser. For the user it is, compared to installing and running a native application, a well-isolated and convenient environment for running applications. This allows users to be less careful about which sites they visit, and they are often happy to have an online banking browser tab open at the same time as another tab is visiting a highly untrusted site.</description>
</item>

<item>
<title>Defense in Depth: Summary (part 7/7)</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth/7-summary/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This article summarizes the learnings from the article series and highlights key security principles and recommended further reading.</description>
</item>

<item>
<title>Omegapoint CIS Control Verifications for Cloud Native Applications</title>
<link>https://securityblog.omegapoint.se/en/cis-archive/cis-control-verifications-cloud-native-applications-2024-1-0/</link>
<pubDate>2024-06-04 00:00:00 +0000</pubDate>
<description>*** THIS VERSION HAS BEEN ARCHIVED *** It is recommended to use the latest version of the Omegapoint CIS Control Verifications for Cloud Native Applications.</description>
</item>

<item>
<title>Omegapoint CIS Control Verifications for Cloud Native Applications</title>
<link>https://securityblog.omegapoint.se/en/cis-control-verifications-cloud-native-applications/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This document interprets CIS Controls v8 IG 3 for a cloud-native system built, operated, and defended by a DevOps team. It references additional standards for guidance on implementation details, for example CIS Benchmarks and OWASP material.</description>
</item>

<item>
<title>How to choose an Identity Provider (IdP)</title>
<link>https://securityblog.omegapoint.se/en/how-to-choose-an-idp/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>As independent security consultants we have had the opportunity and privilege to help our customers select and implement a plethora of different solutions. In this article we aim to share some of the key factors to consider when selecting the right IdP solution for you, a central part of your architecture and IAM solution.</description>
</item>

<item>
<title>Offensive Application Security</title>
<link>https://securityblog.omegapoint.se/en/offensive-appsec/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This article gives an introduction to ethical hacking and web application penetration testing, and how it differs from other types of penetration tests. We cover the basic principles of penetration testing and a simplified model for pentesting methodology. It highlights key aspects of a high-quality security review, where the penetration test plays a big part, and the importance for developers to embrace a hacker's mindset (and vice versa).</description>
</item>

<item>
<title>Defense in Depth as Code: Secure APIs by design</title>
<link>https://securityblog.omegapoint.se/en/secure-apis-by-design/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This article shows how to implement our six-step model for building APIs, highlighting key aspects of creating APIs that are secure by design. Example code is available on GitHub.</description>
</item>

<item>
<title>Defense in Depth: Secure Architecture</title>
<link>https://securityblog.omegapoint.se/en/secure-architecture/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>Secure architecture is a broad topic. This article highlights six important architectural decisions and patterns that fundamentally impact the overall security of a system. The article also provides an overview and introduction to the seven-part article series Defense in Depth.</description>
</item>

<item>
<title>Omegapoint security review questionnaire</title>
<link>https://securityblog.omegapoint.se/en/security-review-questionnaire/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This document defines a set of questions Omegapoint uses for security reviews. The purpose is to be able to cover many aspects of security for a cloud-native DevOps team, during a two-hour interview with the team.</description>
</item>

<item>
<title>Defense in Depth as Code: Test Driven Application Security</title>
<link>https://securityblog.omegapoint.se/en/test-driven-appsec/</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>This article presents a test-driven approach to application security and shows how we can write automated tests to prove that our defenses work as expected.</description>
</item>

<item>
<title>Defense in Depth as Code: Agent Driven Application Security</title>
<link>https://securityblog.omegapoint.se/en/agent-driven-appsec/</link>
<pubDate>2026-03-31 00:00:00 +0000</pubDate>
<description>This article presents an agent-driven approach to application security and shows how we can be supported by AI-agents when creating and reviewing code.</description>
</item>

<item>
<title>Writeup: AWS API Gateway header smuggling and cache confusion</title>
<link>https://securityblog.omegapoint.se/en/writeup-apigw/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>In this blog, we'll dive deeply into two potential security issues that Omegapoint identified in AWS API Gateway authorizers. We reported these issues to AWS in November 2022 and January 2023. AWS rolled out mitigations to all AWS customer accounts in May 2023.</description>
</item>

<item>
<title>Writeup: Keycloak open redirect (CVE-2023-6927)</title>
<link>https://securityblog.omegapoint.se/en/writeup-keycloak-cve-2023-6927/</link>
<pubDate>2024-01-11 00:00:00 +0000</pubDate>
<description>A Keycloak vulnerability (CVE-2023-6927) allows bypassing redirect URI validation, which can be used as a vector for stealing authorization codes and access tokens, and for redirecting victims to arbitrary hosts.</description>
</item>

<item>
<title>Writeup: Exploiting TruffleHog v3 - Bending a Security Tool to Steal Secrets</title>
<link>https://securityblog.omegapoint.se/en/writeup-trufflehog/</link>
<pubDate>2024-03-06 00:00:00 +0000</pubDate>
<description>This blog covers several potential security issues that were identified in TruffleHog v3, an open source secret scanner. The issues were reported to Truffle Security, the team behind TruffleHog, in December 2023.</description>
</item>

<item>
<title>Writeup: Stored XSS in Apache Syncope (CVE-2024-45031)</title>
<link>https://securityblog.omegapoint.se/en/writeup-apache-syncope-cve-2024-45031/</link>
<pubDate>2024-12-20 00:00:00 +0000</pubDate>
<description>CVE-2024-45031 in the IAM solution Apache Syncope allows a low-privileged attacker to inject an XSS payload in a self-registration/self-service portal. The payload executes in a high-privilege context of an administrative portal, enabling privilege escalation through session riding against system administrators.</description>
</item>

<item>
<title>Writeup: Account Takeover in Authentik due to Insecure Redirect URIs (CVE-2024-52289)</title>
<link>https://securityblog.omegapoint.se/en/writeup-authentik-cve-2024-52289/</link>
<pubDate>2025-01-31 00:00:00 +0000</pubDate>
<description>A vulnerability in Authentik’s OAuth 2.0 implementation (CVE-2024-52289) allowed attackers to bypass redirect URI validation due to the insecure use of regular expressions. By exploiting this flaw, an attacker could redirect authentication responses to a malicious server, enabling account takeover. Authentik has addressed the issue in patched versions (2024.10.3 and 2024.8.5) by enforcing strict string matching for URI validation.</description>
</item>

<item>
<title>Writeup: Leaked JWT Tokens as Part of the Curity HAAPI Authorization Flow</title>
<link>https://securityblog.omegapoint.se/en/writeup-curity-haapi/</link>
<pubDate>2025-04-16 00:00:00 +0000</pubDate>
<description>Writeup of a potential security issue: the HAAPI authorization flow sends a valid, signed JWT to the front end. Since these HAAPI JWTs are exposed in the browser, a misconfigured API that accepts Curity tokens by validating only the JWT signature lets an attacker use the leaked JWTs to gain unauthorized access to the API.</description>
</item>

<item>
<title>Writeup: Subreport Remote Code Execution in Stimulsoft Reports (CVE-2025-50571)</title>
<link>https://securityblog.omegapoint.se/en/writeup-stimulsoft-reports-cve-2025-50571/</link>
<pubDate>2025-04-17 00:00:00 +0000</pubDate>
<description>The Stimulsoft Reports software component is vulnerable to remote code execution (RCE) by using the subreports feature. An RCE vulnerability can be used by an attacker to execute arbitrary code on the server which can be used to exfiltrate data, change or remove data as well as reduce the availability of the service. It can also be used to pivot to other resources within the environment as well as install arbitrary software.</description>
</item>

<item>
<title>Writeup: Reflected XSS in Apache Syncope on Enduser Login (CVE-2026-23794)</title>
<link>https://securityblog.omegapoint.se/en/writeup-apache-syncope-cve-2026-23794/</link>
<pubDate>2026-05-04 00:00:00 +0000</pubDate>
<description>CVE-2026-23794 in the IAM solution Apache Syncope makes it possible to inject XSS payloads on the login page of Syncope Enduser. An attacker could send such a link to a victim and steal their password in plain text when they attempt to log in.</description>
</item>

<item>
<title>Defense in Depth</title>
<link>https://securityblog.omegapoint.se/en/defense-in-depth</link>
<pubDate>2025-11-06 00:00:00 +0000</pubDate>
<description>Developing systems that expose sensitive information on the internet requires us as developers and architects to think about security at all times. The classic model with only a strong perimeter defense is no longer suitable for modern architecture. As a result, our role has changed, and we need to shoulder a larger responsibility for the security of the APIs and applications we develop. With the contents gathered on this page we describe what you need in order to build a system with security controls in multiple layers according to the principles of defense in depth, least privilege and zero trust.</description>
</item>

</channel>
<channel>
    <title>Omegapoint Security Blog (Svenska)</title>
    <link>https://securityblog.omegapoint.se</link>
    <language>sv-se</language>
    <webMaster>securityblog@omegapoint.se</webMaster>
    <lastBuildDate>Mon, 04 May 2026 14:36 +0000</lastBuildDate>
    <description>At Omegapoint we are strong believers in sharing our knowledge. On this site we have gathered blog posts and articles that represent our passion for cybersecurity and secure application development.</description>


<item>
<title>Defense in Depth: Part 1 Identity modelling</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/1-modellering-av-identitet/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>Virtually all of the systems we build today share data over public networks. That means they are accessible to anyone. We rarely want them to be, so we restrict access to them.
We also often want to distinguish between different types of users and give them access to different types of information. A user at one level should not be able to obtain access to information at another level. We also need to protect our systems from targeted, external attacks.
This means that we need to build security into several parts and levels of the system. One of our most important tools for achieving this is how we handle permissions. How and where we introduce them affects both how secure our system becomes and how easy it is for us to adjust permissions afterwards.
Securing systems solely with network solutions and other forms of perimeter defense works less and less well in a modern architecture. To build defense in depth with strong access control, the different parts of a distributed system need to independently verify identity and rights.</description>
</item>

<item>
<title>Defense in Depth: Part 2 Claims-based access control</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/2-claimsbaserad-beh%C3%B6righetskontroll/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>In this article we go through how we translate the information about which scopes and audiences the user has approved, their identity, and details about the login occasion into rights that we use for access control.</description>
</item>

<item>
<title>Defense in Depth: Part 3 Clients and sessions</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/3-klienter-och-sessioner/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>This article covers how a client can be configured to obtain a token, and how we handle sessions.</description>
</item>

<item>
<title>Defense in Depth: Part 4 Secure APIs</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/4-s%C3%A4kra-apier/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>In this article we discuss what you need to do in the implementation of your API to protect your functions and your data.</description>
</item>

<item>
<title>Defense in Depth: Part 5 Infrastructure and data storage</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/5-infrastruktur-och-lagring-av-data/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>In this article we discuss the infrastructure you use to deploy the system we have developed so far. We also look at what you need to consider when it comes to data storage.</description>
</item>

<item>
<title>Defense in Depth: Part 6 Web browsers</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/6-webbl%C3%A4sare/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>In this article we discuss the challenges we face on the client side in general, and in web browsers in particular.</description>
</item>

<item>
<title>Defense in Depth: Part 7 Summary</title>
<link>https://securityblog.omegapoint.se/sv/f%C3%B6rsvar-p%C3%A5-djupet/7-sammanfattning/</link>
<pubDate>2023-09-19 00:00:00 +0000</pubDate>
<description>When we at Omegapoint carry out security reviews, we normally find more vulnerabilities the more complex the system is. This is not only because complex systems have more functions and give us a larger attack surface, but also because they can be hard to get a grip on. Many of the weaknesses we find stem from the team not fully understanding its own system. For example, the team may not know which APIs are public.</description>
</item>

</channel>
</rss>