We Hack Purple Podcast - We Hack Purple Podcast Episode 71 with Ariel Shin

We Hack Purple Podcast Episode 71 with Ariel Shin

04/18/23 • 33 min

We Hack Purple Podcast

In episode 71 of the We Hack Purple Podcast, host Tanya Janca speaks to Ariel Shin from Twilio! Ariel does product security, and as you might imagine, Tanya had at least 100 questions for her. We discussed threat modelling, influence, persuasion and other communication skills needed to be an effective #AppSec person (or any security professional, for that matter). The conversation got really interesting as we dove into how to communicate with an executive, versus an engineer, versus a non-tech person, and how we can communicate and advocate for security (effectively) in the process. She talked about breaking down an argument into multiple pieces, to ensure you get the message across the best possible way. If you are someone who has struggled with convincing the rest of IT to patch or fix bugs, she breaks down how to do this in a way Tanya plans to adopt from now on. Take a listen at the links below!

Ariel’s Bio:

Ariel Shin is a product security team lead at Twilio. Ariel started her career as a penetration tester, specializing in web and mobile security, before moving into the product security space. Ariel enjoys building relationships with developers through secure code reviews, threat modeling, security training, and vulnerability management. Currently, Ariel is working on rolling out and expanding Self-Service Threat Models for the Twilio Org.

Ariel’s Social Media: linkedin.com/in/arielshin/

Link to the great podcast episode Ariel spoke about: “Hacker Explains One Concept in 5 Levels of Difficulty” by WIRED Podcast, featuring Samy Kamkar.

Very special thanks to our sponsor: Women’s Society of Cyberjutsu!

Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

FYI the call for papers is still OPEN! Apply here: https://www.papercall.io/cyberjutsucon2023

And the nominations for the Annual Cyberjutsu Awards are here: https://womenscyberjutsu.org/page/AWARDS2023

Join We Hack Purple!

Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Previous Episode

We Hack Purple Podcast Episode 70 with Meghan Jacquot

In episode 70 of the We Hack Purple Podcast, host Tanya Janca speaks with Meghan Jacquot, whom she met at OWASP Global AppSec in Dublin, Ireland. Tanya talked her into being on the podcast, and all of us get to hear about threat modelling (horizontally and vertically!), how women choose which conferences to attend, how to reduce physical risks when traveling, how to do security research and perform ‘good’ at the same time (“Cyber for good”), and her countless volunteer efforts to make our industry more welcoming. Meghan will be giving a talk at RSAC about how “You Are Not an Island - Threat Model as a Team”. With all of that, we somehow still had time to talk about interest span versus attention span. This is an episode you don’t want to miss!

Meghan’s Bio:

Meghan Jacquot is a Security Engineer with Inspectiv and focuses on vulnerabilities and attack surface management. She is particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences and publications. Throughout the year, she helps a variety of organizations and folks including DEF CON as a SOC GOON, Diana Initiative, OWASP, SANS, and WiCyS. To relax she also spends time visiting national parks, gardening, and hanging with her chinchilla. She’s happy to connect with others on LinkedIn and Mastodon.

Meghan’s Links:

Meghan on LinkedIn

WiCyS has just opened their mentor and mentee program for the year and the applications close on March 22.

Meghan’s talk at #RSAC: You Are Not an Island - Threat Model as a Team

Women in Cyber WiCYS – 2 hour workshop on Threat Modelling a Conference (attending as a woman), with Jessica Robinson and Sumara (Link to slides coming soon)

Next Episode

We Hack Purple Podcast Episode 73 with Amanda Crawley

In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors, and Amanda shared TONS of ways devs can protect themselves and the companies they work for:
• Keep everything up to date - phones, computers, routers, all software (Apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
◦ The respective service recommends a password change, or;
◦ The password has been shared with individuals who are no longer authorized to use the password, or;
◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (Google Authenticator, 1Password, YubiKey), but any MFA is better than none
◦ Something you know (pin, password)
◦ Something you have (token, hardware key)
◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)
Things you can do today!
• Audit connected OAuth apps (to social media platforms, GitHub, etc.)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)
Developer hack examples
https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
https://www.upguard.com/blog/what-caused-the-uber-data-breach
https://en.wikipedia.org/wiki/2017_Equifax_data_breach
https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
https://www.synopsys.com/blogs/software-security/heartbleed-bug/
Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password