Applying Usability and Transparency to Security – Hannah Sutor – ASW #311
1. Applying Usability and Transparency to Security – Hannah Sutor – ASW #311
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures.
Segment resources
- 00:00 Welcome to Application Security Weekly!
- 01:49 Meet the Experts
- 03:28 What Are Non-Human Identities?
- 06:17 Balancing Security & Usability
- 08:24 MFA Challenges & Admin Security
- 12:09 Navigating Breaking Changes
- 16:05 Security by Design in Action
- 18:42 Identity Management for Startups
- 20:18 Secure by Design: Real Impact
- 24:03 Transparency After a Critical Vulnerability
- 31:39 Looking Ahead to 2025
- 32:45 Application Security in Three Words
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Guest
Hannah Sutor is passionate about all things digital identity and security. She currently works as a Principal Product Manager at GitLab, focusing on authentication and authorization in a DevSecOps context.
Hannah has spoken at various conferences on digital identity, privacy, cybersecurity, and devops workflows. She is passionate about balancing security and usability, and building secure software. She is a participant in OpenSSF working groups and serves on the board of IDPro. She lives outside of Denver, Colorado, USA, and decompresses with nature and vigorous workouts.
2. Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP – ASW #311
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!
- 00:00 Intro & Cyber Resilience Insights
- 01:20 The 25-Year-Old Curl Bug Story
- 04:17 Fuzzing for Security: A Missed Opportunity?
- 08:46 AWS re:Invent Security Highlights
- 11:54 NPM Malware Surge
- 16:33 Small Packages, Big Risks in NPM
- 19:55 Open Source Security Trends
- 24:27 Microsoft MFA Vulnerability Explained
- 28:28 Hardware Hacking & DMA Exploits
- 30:55 Auditing Ruby's Package Ecosystem
- 34:02 Looking Ahead to 2025
- 1. A twenty-five years old curl bug | daniel.haxx.se
- 2. Auditing the Ruby ecosystem’s central package repository | Trail of Bits Blog
- 3. Top AWS re:Invent Announcements for Security Teams 2024 | Wiz Blog
- 4. Open Source Usage Trends and Security Challenges Revealed in New Study
- 5. WorstFit!
Noting this because it falls into the category of parsing, defaults, and choosing between failure modes.
- 6. Open Source Malware Reaches More Than 778500 Packages, According to Sonatype Researchers
The report is behind a regwall. I've included it here to talk about the phrase, "...npm, exemplifies the risk contained in public repositories, representing 98.5% of the malicious packages Sonatype has identified in the past year."
- 1. Microsoft MFA found to be lax, bypassable
Folks at Oasis Security found out that Microsoft was allowing 3 minutes to accept an MFA token, 2.5 minutes longer than specified in RFC 6238. This gave attackers six times as long to attempt to brute force the value.
- 2. Getting PCIE memory access via SD card reader
This might be a little more hardware hacking than appsec, but it is still a good read on some of the history of memory card interfaces and DMA attacks. At the end of the day, they've created a custom board to insert into an SD card reader that provides access to the laptop's memory via PCI Express.
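The Microsoft MFA item above comes down to one verifier parameter: how long after issuance a TOTP code is still accepted. The following is an added example, not code from the episode or from Oasis Security's write-up, of a minimal RFC 6238 verifier in which that window is explicit, so the difference between a 30-second window and a 3-minute one can be measured as the number of distinct codes the verifier will accept at any instant. The secret is the RFC 4226/6238 test-vector secret; the way the window is mapped onto time steps (current step plus enough earlier steps to cover the window) is a modelling assumption, not a description of Microsoft's implementation.

```python
"""Added example (not from the episode or from Oasis Security's write-up):
a minimal RFC 6238 TOTP verifier whose acceptance window is a parameter,
so the effect of a 30-second window versus a 3-minute one can be measured."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30      # RFC 6238 default time step
DIGITS = 6

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def accepted_codes(secret: bytes, unix_time: int, window_seconds: int) -> set:
    """Codes a verifier will accept at `unix_time` if it honours any code
    issued within the last `window_seconds`.  Modelling assumption: the
    verifier accepts the current step plus enough earlier steps to cover the
    window (30 s -> 1 code, 180 s -> 6 codes).  Steps never go below zero."""
    current = unix_time // STEP_SECONDS
    back_steps = max(0, window_seconds // STEP_SECONDS - 1)
    first = max(0, current - back_steps)
    return {hotp(secret, step) for step in range(first, current + 1)}


def verify(secret: bytes, submitted: str, unix_time: int,
           window_seconds: int = STEP_SECONDS) -> bool:
    """Compare the submitted code against every code the window admits,
    using a constant-time comparison for each candidate."""
    return any(hmac.compare_digest(submitted, code)
               for code in accepted_codes(secret, unix_time, window_seconds))


def success_per_guess(window_seconds: int, secret: bytes = TEST_SECRET,
                      unix_time: int = 275, digits: int = DIGITS) -> float:
    """Chance that one random guess lands on an accepted code: the number of
    distinct accepted codes over the 10**digits code space."""
    return len(accepted_codes(secret, unix_time, window_seconds)) / 10 ** digits


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 with the SHA-1 secret gives 94287082 (8 digits),
    # whose last six digits are 287082.
    print(totp(TEST_SECRET, 59))
    for window in (STEP_SECONDS, 180):
        n = len(accepted_codes(TEST_SECRET, 275, window))
        print(f"{window:>3}s window: {n} code(s) accepted, "
              f"p(success per guess) = {success_per_guess(window):.1e}")
```

Widening the window from one step to six multiplies the per-guess success probability by six without changing anything an attacker can see, which is why the window and a per-account attempt limit have to be tuned together: the RFC's one-step tolerance is the knob that keeps the code space effectively six-digit.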