We Hack Purple Podcast

In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs, securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors and Amanda shared TONS of ways devs can protect themselves, and their companies they work for:
• Keep everything up to date - phones, computers, routers, all software (apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
◦ The respective service recommends a password change, or;
◦ The password has been shared with individuals who are no longer authorized to use the password, or;
◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (google authenticator, 1Password, yubikey), but any MFA is better than none
◦ Something you know (pin, password)
◦ Something you have (token, hardware key)
◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)
Things you can do today!
• Audit connected oauth apps (to social media platforms, github, etc)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)
Developer hack examples
• https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
• https://www.upguard.com/blog/what-caused-the-uber-data-breach
• https://en.wikipedia.org/wiki/2017_Equifax_data_breach
• https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
• https://www.synopsys.com/blogs/software-security/heartbleed-bug/
Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password
Very special thanks to our sponsor: Women’s Society of Cyberjutsu!
Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting
Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here:

A We Hack Purple Live Stream with Matt Tesauro of Defect Dojo Inc (https://www.defectdojo.com/).
Join We Hack Purple Community to be invited to awesome events like one! https://community.wehackpurple.com
Description: You’re tasked with ‘doing DevSecOps’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools outputs for all your different apps? DefectDojo is an open source platform that can be your single pane of glass by aggregating, distilling, and automating your AppSec and DevSecOps tools. DefectDojo was created by DevSecOps people for DevSecOps people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your single pane of glass for discovered security vulnerabilities, report generation, aggregation of over 150+ different security tools, inventory of applications, tracking testing efforts / metrics on your AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo. About Matt: Matt Tesauro is a DevSecOps and application security (AppSec) guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement in open-source projects, presentations, trainings and new technology innovation. Matt thrives on tackling technical problems, but his economics background gives him a unique understanding of business constraints and incentives around security initiatives. As a versatile engineer, Matt’s background spans software development (primarily web development), Linux system administration, penetration testing and application / cloud security. Additionally, he offers more than 13 years of experience with the internationally recognized AppSec and open-source nonprofit OWASP Foundation. At OWASP, Matt has served on the global board of directors and conducted several highly successful open-source projects, including a web testing environment with 300,000+ downloads in a single year and the OWASP DefectDojo vulnerability management platform with 10 million+ downloads.
As a recognized thought leader, Matt has presented at conferences multiple times per year since 2009 and has facilitated training around the world. Some of his noteworthy speaking engagements include a DHS Software Assurance Workshop; OpenStack Summit; SANS AppSec Summit; and AppSec US, EU and LATAM. He has also taught computer security courses at Texas A&M and the University of Texas at the undergraduate and graduate level. Matt leads by example and rolls up his sleeves to help teams reach their goals. He is a supportive and collaborative leader who mentors and motivates others to realize their potential. Colleagues note that Matt is fiendishly clever when solving problems and refreshingly honest in his work. In 2021, Matt was recruited for the role of Distinguished Engineer at Noname Security. His priority is to evangelize Noname’s ground-breaking API security platform and API security in general. He works closely with the product team to ensure that Noname’s platform addresses the application and product security issues that impact customers. Before joining Noname, Matt rolled out AppSec automation at USAA and founded 10Security. His early career includes tenures as Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer at Duo Security, Senior Software Security Engineer at Pearson and Senior Product Security Engineer at Rackspace. Matt received a master’s degree in management information systems and a bachelor’s degree in economics from Texas A&M Univers

In episode 68 of the We Hack Purple Podcast host Tanya Janca dives into Domain Driven Design (and development) with Gagandeep Singh. Gagandeep is an avid blogger, and Tanya read his article on DDD and just had to interview him. We discussed if Design Driven design or development are those the same thing (they aren’t!), the security advantages of DDD, how Trusted Types and Content Security Policy Header come into play! We discussed the concept of having the security of a feature be part of the design and feature itself, and the huge security advantages we can expect to see. To hear more, you need to see the episode!

Gagandeep’s Bio:

Gagandeep Juneja is an experienced Information Security professional working in the Information Technology and Services Industry. Working in Application Security domain, security assessment, threat modeling, architecture review, DevSecOps and guidelines for security technologies to develop effective secure solutions. In his opinion if we focus on securing code which will result in fewer vulnerabilities in the solution. Domain Driven Design sets the bar higher for software development, providing an efficient way to designing and developing a more secure IT solution.

His blog: https://securityintelligence.com/posts/secure-coding-domain-driven-design/

Very special thanks to our sponsor: The Diana Initiative!

A conference committed to helping all those underrepresented in Information Security - Monday August 7, 2023 In-Person at The Westin Las Vegas Hotel & Spa

Join We Hack Purple!

We have new courses in the We Hack Purple Academy! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

In episode 70 of the We Hack Purple Podcast Host Tanya Janca speaks with Meghan Jacquot, who she met at OWASP Global AppSec in Dublin, Ireland. Tanya talked her into being on the podcast, and all of us get to hear about threat modelling (horizontally and vertically!), how women choose which conferences to attend, how to reduce physical risks when traveling, how to do security research and perform ‘good’ at the same time (“Cyber for good”), any her countless volunteer efforts to make our industry more welcoming. Meghan will be giving a talk at RSAC about how “You Are Not an Island - Threat Model as a Team”. With all of that, we somehow still had time to talk about interest span versus attention span. This is an episode you don’t want to miss!

Meghan’s Bio:

Meghan Jacquot is a Security Engineer with Inspectiv and focuses on vulnerabilities and attack surface management. She is particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences and publications. Throughout the year, she helps a variety of organizations and folks including DEF CON as a SOC GOON, Diana Initiative, OWASP, SANS, and WiCyS. To relax she also spends time visiting national parks, gardening, and hanging with her chinchilla. She’s happy to connect with others on LinkedIn and Mastodon.

Meghan’s Links:

Meghan on LinkedIn

WiCyS has just opened their mentor and mentee program for the year and the applications close on March 22.

Meghan’s talk at #RSAC: You Are Not an Island - Threat Model as a Team

Women in Cyber WiCYS – 2 hour workshop on Threat Modelling a Conference (attending as a woman), with Jessica Robinson and Sumara (Link to slides coming soon)

Very special thanks to our sponsor: Women’s Society of Cyberjutsu!

Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

FYI the call for papers is still OPEN! Apply here: https://www.papercall.io/cyberjutsucon2023

And the nominations for the Annual Cyberjutsu Awards are here: https://womenscyberjutsu.org/page/AWARDS2023

Join We Hack Purple!

Check out our brand new courses in We Hack Purple Academy . Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!