We Hack Purple Podcast Episode 73 with Amanda Crawley

05/08/23 • 51 min

In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs, securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors and Amanda shared TONS of ways devs can protect themselves, and their companies they work for:
• Keep everything up to date - phones, computers, routers, all software (apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
◦ The respective service recommends a password change, or;
◦ The password has been shared with individuals who are no longer authorized to use the password, or;
◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (google authenticator, 1Password, yubikey), but any MFA is better than none
◦ Something you know (pin, password)
◦ Something you have (token, hardware key)
◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)
Things you can do today!
• Audit connected oauth apps (to social media platforms, github, etc)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)
Developer hack examples
• https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
• https://www.upguard.com/blog/what-caused-the-uber-data-breach
• https://en.wikipedia.org/wiki/2017_Equifax_data_breach
• https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
• https://www.synopsys.com/blogs/software-security/heartbleed-bug/
Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password
Very special thanks to our sponsor: Women’s Society of Cyberjutsu!
Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting
Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here:

Previous Episode

We Hack Purple Podcast Episode 71 with Ariel Shin

In episode 71 of the We Hack Purple Podcast Host Tanya Janca speaks to the Ariel Shin from Twillio! Ariel does product security, and as you might imagine, Tanya had at least 100 questions for her. We discussed threat modelling, influence, persuasion and other communication skills needed to be an effective #AppSec person (or any security professional, for that matter). The conversation got really interesting as we dove into how to communicate with an executive, versus an engineer, versus a non-tech person, and how we can communicate and advocate for security (effectively) in the process. She talked about breaking down an argument into multiple pieces, to ensure you get the message across the best possible way. If you are someone who has struggled with convincing the rest of IT to patch or fix bugs, she breaks down how to do this in a way Tanya plans to adopt from now on. Take a listen at the links below!

Ariel’s Bio:

Ariel Shin is a product security team lead at Twilio. Ariel started her career as a penetration tester, specializing in web and mobile security, before moving into the product security space. Ariel enjoys building relationships with developers through secure code reviews, threat modeling, security training, and vulnerability management. Currently, Ariel is working on rolling out and expanding Self-Service Threat Models for the Twilio Org.

Ariel’s Social Media: linkedin.com/in/arielshin/

Link to the great podcast episode Ariel spoke about: “Hacker Explains One Concept in 5 Levels of Difficulty” by WIRED Podcast, featuring Samy Kamkar.

Very special thanks to our sponsor: Women’s Society of Cyberjutsu!

Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023

FYI the call for papers is still OPEN! Apply here: https://www.papercall.io/cyberjutsucon2023

And the nominations for the Annual Cyberjutsu Awards are here: https://womenscyberjutsu.org/page/AWARDS2023

Join We Hack Purple!

Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

Next Episode

We Hack Purple Podcast Episode 74 with Ray Espinoza

In episode 74 of the We Hack Purple Podcast, host Tanya Janca talks to guest Ray Espinoza from Inspectiv! During the podcast we honed in on how to build a positive security culture, which has several important ingredients; Security Champions, Empathy, explaining ‘the why’, sharing information in both technical and non technical formats, and storytelling! We talked about training, we talked about metrics, we talked about how to get your point across in an effective way, without scaring people’s pants off. If you want to hear about creating a successful security champions programs, how to ‘win’ more often, and what pitfalls to avoid, this episode is especially helpful!

We ended the conversation with several calls to action for audience members abounding including more people in cyber. Young people, old people, new-to-cyber people, every race of people, every gender; we really mean EVERYONE. Ray also (very generously) offered listeners to connect with him online so he could help them find mentors and meet people. This episode was great!

A bit more about Ray:
Ray Espinoza is Vice President and Chief Information Security Officer at Inspectiv, Inc. With over 15 years of both tactical and security leadership experience, Ray has a proven track record of successfully building effective security programs for top companies that include eBay, Cisco, Amazon and Cobalt.io.

Prior to joining Inspectiv, Ray served as VP of Cloud Security at Medallia where he was responsible for developing and executing Medallia’s multi-cloud security strategy. Outside of work, Ray is the head strength and conditioning coach and an assistant football coach at Camas High School.

Where to find Ray!
LinkedIn - https://www.linkedin.com/in/ray-espinoza-b399821/
Twitter - https://twitter.com/RayEspinozaSec

Causes and Groups Ray (and Tanya) supports:
• Raîces Cyber
• Black Girls Hack
• Black Girls in Cyber

Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it’s very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!
View the agenda here: https://guides.dayofshecurity.com/view/314270378/
If you’re not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.

Join We Hack Purple!