{"id":18532,"date":"2023-07-28T08:38:50","date_gmt":"2023-07-28T06:38:50","guid":{"rendered":"https:\/\/mjolner.dk\/uncategorized\/saadan-integrerer-du-sikkerhedsanalyse-i-agil-softwareudvikling\/"},"modified":"2025-04-29T14:33:03","modified_gmt":"2025-04-29T12:33:03","slug":"how-to-integrate-security-analysis-in-agile-development","status":"publish","type":"post","link":"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/","title":{"rendered":"How to Integrate Security Analysis in Agile Software Development"},"content":{"rendered":"<h1><strong>How to Integrate Security Analysis in Agile Software Development<\/strong><\/h1>\n<div>\n<p><strong>Code reviews have long been an integral part of the development process, but a security analysis is far less often an integral part of a project&#8217;s development. Often, security is left until the end of a project, where attempts are made to patch things up by, for example, setting up a firewall. This is rarely enough to make the system secure. At the same time, since May 25, 2018, companies have had an additional responsibility for users&#8217; data in the form of <a href=\"https:\/\/gdpr.eu\/\">GDPR<\/a>*.<\/strong><\/p>\n<p><span>But surely it is good enough to consider security at the start of the project and then conduct a final security analysis at the end of the process, right?<\/span><\/p>\n<p><span>The answer is, in principle, yes, but it presents some challenges:<\/span><\/p>\n<ul>\n<li><span>Projects tend to change along the way, so assumptions made at the start may no longer hold.<\/span><\/li>\n<li><span>You cannot think of all security details at the start of a project.<\/span><\/li>\n<li><span>Even if you catch all security flaws in the final analysis, it will be more expensive and time-consuming to fix the flaws than if you had found and mitigated them during the project.<\/span><\/li>\n<li><span>If flaws are only discovered in the final analysis, it can lead to decisions to accept risks that could otherwise have been avoided.<\/span><\/li>\n<li><span>It can be expensive to conduct a large upfront analysis, which may result in no funds being left to fix the
identified problems.<\/span><\/li>\n<\/ul>\n<p><span>One solution is to include security analysis more frequently and optimally as an integrated part of the development process. This can be done in several ways. For example, by having a dedicated security expert on the project who ensures the process and continuously conducts code reviews. However, this is not always possible \u2013 either because the project does not have the budget for it or because the number of security experts is limited.<\/span><\/p>\n<p><span>You can also divide the final analysis into smaller parts along the way and summarize at the end. Another approach can be to use what Jim Gumbley describes as<\/span>\u00a0<a href=\"https:\/\/martinfowler.com\/articles\/agile-threat-modelling.html\">agile threat modelling<\/a>, <span>which naturally fits into the Scrum methodology&#8217;s sprints. This is the approach we focus on here.<\/span><\/p>\n<h3>Why is security important at all?<\/h3>\n<p><span>In these modern times, your company will often use some more or less intelligent IT in connection with performing a piece of work. It could be a computer, an <a href=\"https:\/\/mjolner.dk\/en\/our-services\/internet-of-things\/\">IoT<\/a> device, an intelligent combine harvester, etc. It is likely connected to the internet, and even if it is not, the code that constitutes the circuit in, for example, the combine harvester has probably been available via the internet at some point.<\/span><\/p>\n<p><span>It could be that a competitor wants to put you out of business. It could be that an organization wants to use your IoT device as part of a <\/span><a href=\"https:\/\/www.zdnet.com\/article\/5-nightmarish-attacks-that-show-the-risks-of-iot-security\/\">botnet<\/a>. Maybe it is just someone playing with hacking and using you as a playground. If you have many users, you could be a stepping stone to get hold of users&#8217; passwords, which they have probably reused elsewhere. 
So even if you do not think you have interesting data, it may very well be the case.<\/p>\n<p><strong>The point is: If you own something of value, it can be worth attacking.<\/strong><\/p>\n<h3>Agile Threat Modelling<\/h3>\n<p>Agile threat modelling is a framework that aims to enable the execution of a security analysis in a relatively short time by utilizing a predefined scope for each session, ensuring the necessary focus.<\/p>\n<p>Threat modeling may sound fancy and difficult, but it is essentially about finding vulnerabilities in your system based on a model that shows the system without introducing unnecessary complexity. The agile aspect consists of limiting oneself to smaller parts of the system and possibly reviewing the same part multiple times during the project if that part changes enough.<\/p>\n<p><strong>Agile threat modelling aims to enable the average developer to consider security in any system.<\/strong><\/p>\n<h2>Execution of threat modelling<\/h2>\n<p>When performing threat modeling, you should at a minimum ask yourself these three questions:<\/p>\n<ol>\n<li>What are we building?<\/li>\n<li>What can go wrong?<\/li>\n<li>What should we do about it?<\/li>\n<\/ol>\n<p>The following sections will provide ideas on how the different aspects of these questions can be addressed.<\/p>\n<h3>Scope<\/h3>\n<p>Regardless of the approach used, you should consider what scope you use for your analysis. Your scope defines the framework for the analysis and thus also what you should <strong>not<\/strong> analyze. Without a defined scope, it is easy to try to consider all the attacks the world can throw at you. This often results in losing details and not delving into technical problems.<\/p>\n<p>Once you agree on the scope of the analysis, you can begin. 
Try to frame a scope that matches the feature or epic that the next sprint will focus on.<\/p>\n<p>Do not forget to use a more high-level scope occasionally to catch potential problems in the system that may only be discovered by looking at the architecture more abstractly.<\/p>\n<h3>Outcome<\/h3>\n<p>The result of the analysis should be a series of points that potentially need to be added to the backlog. This can be done either practically with a series of post-its or by entering them into an issue tracking system such as Jira. Regardless, there should be a decision-maker who determines which mitigation strategies should be added to the backlog and which security issues to accept the risk of.<\/p>\n<h3>Who should Perform the Threat Modelling?<\/h3>\n<p>The classic approach is for a security expert to perform the analysis with the help of selected individuals who know the system well from the necessary perspectives for the analysis.<\/p>\n<p>In this agile approach, we will turn it around a bit and argue that the security expert is not a critical resource but just another facet of the analysis. We suggest including as many roles as practically possible. This ensures the spread of knowledge to the entire team and specifically to decision-makers, who will gain a better understanding of why the identified problems are important to address. Therefore, remember to include non-technical roles in the analysis work.<\/p>\n<h3>What are we building?<\/h3>\n<h4>Low-level architecture drawing<\/h4>\n<p>Start by drawing the systems that interact with each other on a whiteboard. Also, draw all data flows as defined by the scope and the people involved. It could look like Figure 1. 
Here, the red arrows are data flows, green is the division of authorization boundaries, and blue are relevant assets for the given scope.<\/p>\n<div class=\"mceTemp\">\u00a0<\/div>\n<\/div>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2023\/06\/Billede-26.06.2023-kl.-14.49.jpeg\" alt=\"Figure 1: Low-level drawing of scope architecture\"><\/p>\n<div>\n<h4>Assets<\/h4>\n<p>Next, identify the assets that may be relevant to the scope and that the data flows affect. An asset is something important to the company using the product. This can include data (sensitive personal data, system-critical data, key material, etc.), involved persons (biometric login), or physical objects such as USB keys.<\/p>\n<h3>What can go wrong?<\/h3>\n<h4>Attacks<\/h4>\n<p>Now for the fun part! Put yourself in the attacker&#8217;s shoes and try to find as many vulnerabilities in the system as the timeframe allows.<\/p>\n<p><strong>Focus on the technical issues.<\/strong><\/p>\n<p>To ensure we do not go down a rabbit hole, we suggest focusing only on technical issues rather than trying to protect against large organizations or intelligence agencies. This will likely quickly lead to the conclusion that no system is secure enough, and we might as well give up in advance.<\/p>\n<p>Instead, think a bit cynically:<strong> We just need to make sure we are difficult enough to attack so that others are easier targets.<\/strong><\/p>\n<p>If you need inspiration, ask your security expert if they are present. Otherwise, you can use the following options:<\/p>\n<ul>\n<li>Focus on the asset that matters most and follow data flows to where an attacker might be in the system.<\/li>\n<li>Use the CIA approach (Confidentiality, Integrity, and Availability). 
Consider each of the three and how attacks can be carried out if one of the three is not present.<\/li>\n<li>Use <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/ee823878(v=cs.20).aspx\">STRIDE<\/a> and review the system for each category of threats.<\/li>\n<li>Find inspiration in <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\">OWASP\u2019s top ten<\/a> or their <a href=\"https:\/\/cheatsheetseries.owasp.org\/\">cheat sheets<\/a>.<\/li>\n<li>Think outside the box. For example, there may be a data flow you have not drawn.<\/li>\n<\/ul>\n<p>Note each possible attack in a brainstorming style and move on to the next potential attack.<\/p>\n<p>When you run out of possible attacks, use a risk assessment methodology to determine the extent of the attack. We suggest taking inspiration from <a href=\"https:\/\/owasp.org\/www-community\/OWASP_Risk_Rating_Methodology\">OWASP\u2019s risk rating methodology.<\/a> Here, each attack is given an overall score from 0-9 in terms of likelihood and impact, which together determine the extent of the attack.<\/p>\n<p>Find the method that works best for you, so it does not take too long, but where you still consider all the important factors. A few examples of attacks based on Figure 1 could be:<\/p>\n<ul>\n<li>The database does not use encryption at rest, and credentials for the external system can therefore be read if access to the database is forced.<\/li>\n<li>The connection from the Angular App to the backend only uses HTTP, which allows the JWT to be stolen and the user to be impersonated by an attacker.<\/li>\n<\/ul>\n<h3>What should we do about it?<\/h3>\n<h4>Mitigation<\/h4>\n<p>Last but not least, we need to find ways to prevent the attacks. Consider how to defend against them and preferably consider several different ways. The project will likely want the cheapest solution, but make it clear if some solutions have shortcomings. 
Also, consider whether the solution creates new vulnerabilities.<\/p>\n<p>Make these solutions available to the decision-maker and ensure they have all the prerequisites to make the right choices. There is no problem in not fixing all vulnerabilities as long as the decision is made with open eyes.<\/p>\n<\/div>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/2023\/06\/KLD-Software-Developer.jpg\" alt=\"\"><\/p>\n<div>\n<h3>Do you need help with your project&#8217;s security analysis?<\/h3>\n<p>Do you need help with your project&#8217;s security analysis? Or would you like to hear more about how we help our clients with it? Feel free to contact:<\/p>\n<p>Kasper Damg\u00e5rd, <span>Senior Software Developer<\/span><span>: <a href=\"mailto:kld@mjolner.dk\">kld@mjolner.dk<\/a><br \/><\/span><\/p>\n<p>To comply with GDPR, you should use the design principle <a href=\"https:\/\/iapp.org\/media\/pdf\/resource_center\/pbd_implement_7found_principles.pdf\">Privacy By Design<\/a>, but that&#8217;s a discussion for another time.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How to Integrate Security Analysis in Agile Software Development Code reviews have long been an integral part of the development process, but significantly less often is a security analysis included as an integral part of the development in a project. Often, security is omitted until the end of a project, where attempts are made to [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":18533,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[403],"tags":[419,413,420],"class_list":["post-18532","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-development-en","tag-agile-threat-modeling","tag-it-security","tag-security-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Integrate Security Analysis in Agile Software Development - Mj\u00f8lner<\/title>\n<meta name=\"description\" content=\"Include security analysis as an integrated part of the development process.
We explain how and why you should do it.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"S\u00e5dan integrerer du sikkerhedsanalyse i agil softwareudvikling\" \/>\n<meta property=\"og:description\" content=\"Inklud\u00e9r sikkerhedsanalyse som en integreret del af udviklingsprocessen. Vi forklarer hvordan, og hvorfor du skal g\u00f8re det.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\" \/>\n<meta property=\"og:site_name\" content=\"Mj\u00f8lner\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MjolnerInformatics\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-28T06:38:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-29T12:33:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1365\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"aidup\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"S\u00e5dan integrerer du sikkerhedsanalyse i agil softwareudvikling\" \/>\n<meta name=\"twitter:description\" content=\"Inklud\u00e9r sikkerhedsanalyse som en integreret del af udviklingsprocessen. 
Vi forklarer hvordan, og hvorfor du skal g\u00f8re det.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\" \/>\n<meta name=\"twitter:creator\" content=\"@mjolnerdk\" \/>\n<meta name=\"twitter:site\" content=\"@mjolnerdk\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"aidup\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\"},\"author\":{\"name\":\"aidup\",\"@id\":\"https:\/\/mjolner.dk\/en\/#\/schema\/person\/effbb491578853256db55ded96bdd02e\"},\"headline\":\"How to Integrate Security Analysis in Agile Software Development\",\"datePublished\":\"2023-07-28T06:38:50+00:00\",\"dateModified\":\"2025-04-29T12:33:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\"},\"wordCount\":1658,\"publisher\":{\"@id\":\"https:\/\/mjolner.dk\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\",\"keywords\":[\"Agile Threat Modeling\",\"IT-security\",\"Security Analysis\"],\"articleSection\":[\"Software 
Development\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\",\"url\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\",\"name\":\"How to Integrate Security Analysis in Agile Software Development - Mj\u00f8lner\",\"isPartOf\":{\"@id\":\"https:\/\/mjolner.dk\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\",\"datePublished\":\"2023-07-28T06:38:50+00:00\",\"dateModified\":\"2025-04-29T12:33:03+00:00\",\"description\":\"Include security analysis as an integrated part of the development process. 
We explain how and why you should do it.\",\"breadcrumb\":{\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#primaryimage\",\"url\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\",\"contentUrl\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2023\/07\/KLD-Software-Developer.jpg\",\"width\":2048,\"height\":1365},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/mjolner.dk\/en\/blog\/software-development-en\/how-to-integrate-security-analysis-in-agile-development\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Hjem\",\"item\":\"https:\/\/mjolner.dk\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Integrate Security Analysis in Agile Software 
Development\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/mjolner.dk\/en\/#website\",\"url\":\"https:\/\/mjolner.dk\/en\/\",\"name\":\"Mj\u00f8lner\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/mjolner.dk\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/mjolner.dk\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/mjolner.dk\/en\/#organization\",\"name\":\"Mj\u00f8lner\",\"url\":\"https:\/\/mjolner.dk\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mjolner.dk\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2017\/11\/logo-white-8.svg\",\"contentUrl\":\"https:\/\/mjolner.dk\/wp-content\/uploads\/2017\/11\/logo-white-8.svg\",\"width\":1,\"height\":1,\"caption\":\"Mj\u00f8lner\"},\"image\":{\"@id\":\"https:\/\/mjolner.dk\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/MjolnerInformatics\/\",\"https:\/\/x.com\/mjolnerdk\",\"https:\/\/www.linkedin.com\/company\/mjolner-informatics-as\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/mjolner.dk\/en\/#\/schema\/person\/effbb491578853256db55ded96bdd02e\",\"name\":\"aidup\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/mjolner.dk\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/df85cd744349773704e5a6c28777e3e6314bcbb138b6f78da8c9a7032f647035?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/df85cd744349773704e5a6c28777e3e6314bcbb138b6f78da8c9a7032f647035?s=96&d=mm&r=g\",\"caption\":\"aidup\"},\"url\":\"https:\/\/mjolner.dk\/en\/author\/aidup\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/posts\/18532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/types\/post"}],"author
":[{"embeddable":true,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/comments?post=18532"}],"version-history":[{"count":17,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/posts\/18532\/revisions"}],"predecessor-version":[{"id":18848,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/posts\/18532\/revisions\/18848"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/media\/18533"}],"wp:attachment":[{"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/media?parent=18532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/categories?post=18532"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjolner.dk\/en\/wp-json\/wp\/v2\/tags?post=18532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}