Applying Usability and Transparency to Security – Hannah Sutor – ASW #311
Practices around identity and managing credentials have improved greatly since the days of infosec mandating 90-day password rotations. But those improvements didn't arise from a narrow security view. Hannah Sutor talks about the importance of balancing security with usability, the importance of engaging with users when determining defaults, and setting an example for transparency in security disclosures.
Segment resources
00:00 Welcome to Application Security Weekly!
01:49 Meet the Experts
03:28 What Are Non-Human Identities?
06:17 Balancing Security & Usability
08:24 MFA Challenges & Admin Security
12:09 Navigating Breaking Changes
16:05 Security by Design in Action
18:42 Identity Management for Startups
20:18 Secure by Design: Real Impact
24:03 Transparency After a Critical Vulnerability
31:39 Looking Ahead to 2025
32:45 Application Security in Three Words
Hannah Sutor is passionate about all things digital identity and security. She currently works as a Principal Product Manager at GitLab, focusing on authentication and authorization in a DevSecOps context.
Hannah has spoken at various conferences on digital identity, privacy, cybersecurity, and devops workflows. She is passionate about balancing security and usability, and building secure software. She is a participant in OpenSSF working groups and serves on the board of IDPro. She lives outside of Denver, Colorado, USA, and decompresses with nature and vigorous workouts.
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Ancient Curl Bug, AWS re:Invent, Malware in NPM, Census III Report, MS OTP – ASW #311
Curl's oldest bug yet, RCPs (and more!) from AWS re:Invent, possible controls for NPM's malware proliferation, insights and next steps on protecting top 500 packages from the Census III report, the flawed design choice that made Microsoft's OTP (successfully) brute-forceable, and more!
00:00 - Intro & Cyber Resilience Insights
01:20 - The 25-Year-Old Curl Bug Story
04:17 - Fuzzing for Security: A Missed Opportunity?
08:46 - AWS re:Invent Security Highlights
11:54 - NPM Malware Surge
16:33 - Small Packages, Big Risks in NPM
19:55 - Open Source Security Trends
24:27 - Microsoft MFA Vulnerability Explained
28:28 - Hardware Hacking & DMA Exploits
30:55 - Auditing Ruby’s Package Ecosystem
34:02 - Looking Ahead to 2025
Mike Shema
- A twenty-five years old curl bug | daniel.haxx.se
- Auditing the Ruby ecosystem’s central package repository | Trail of Bits Blog
- Top AWS re:Invent Announcements for Security Teams 2024 | Wiz Blog
- Open Source Usage Trends and Security Challenges Revealed in New Study
Download the report here
- WorstFit!
Noting this because it falls into the category of parsing, defaults, and choosing between failure modes.
- Open Source Malware Reaches More Than 778500 Packages, According to Sonatype Researchers
The report is behind a regwall. I've included it here to talk about the phrase, "...npm, exemplifies the risk contained in public repositories, representing 98.5% of the malicious packages Sonatype has identified in the past year."
John Kinsella
- Microsoft MFA found to be lax, bypassable
Folks at Oasis Security found out that Microsoft was allowing 3 minutes to accept a MFA token - 2.5 minutes longer than specified in RFC-6238. This gave attackers six times as long to attempt to brute force the value.
- Getting PCIE memory access via SD card reader
This might be a little more hardware hacking than appsec, but is still a good read on some of the history of memory card interfaces and DMA attacks. End-of-day, they've created a custom board to insert into a SD card reader that provides access to the laptop's memory via PCI Express.
