‹ All episodes

We Hack Purple Podcast

We Hack Purple Podcast Episode 73 with Amanda Crawley

May 08, 2023 We Hack Purple!
We Hack Purple Podcast
We Hack Purple Podcast Episode 73 with Amanda Crawley
Info
We Hack Purple Podcast
We Hack Purple Podcast Episode 73 with Amanda Crawley
May 08, 2023
We Hack Purple!

In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs, securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors and Amanda shared TONS of ways devs can protect themselves, and their companies they work for:

• Keep everything up to date - phones, computers, routers, all software (apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
  ◦ The respective service recommends a password change, or;
  ◦ The password has been shared with individuals who are no longer authorized to use the password, or;
  ◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (google authenticator, 1Password, yubikey), but any MFA is better than none
  ◦ Something you know (pin, password)
  ◦ Something you have (token, hardware key)
  ◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)

Things you can do today!
• Audit connected oauth apps (to social media platforms, github, etc)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)

Developer hack examples
https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
https://www.upguard.com/blog/what-caused-the-uber-data-breach
https://en.wikipedia.org/wiki/2017_Equifax_data_breach
https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
https://www.synopsys.com/blogs/software-security/heartbleed-bug/

Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password

Very special thanks to our sponsor: Women’s Society of Cyberjutsu!

Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting

Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here:

Share
Apple Podcasts Spotify Amazon Music Overcast Stitcher iHeartRadio +
Show Notes

In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! We talked about how developers need special tools to help them do their jobs, securely, then we chatted about several things that can help them, especially password managers! Developers are huge targets for malicious actors and Amanda shared TONS of ways devs can protect themselves, and their companies they work for:

• Keep everything up to date - phones, computers, routers, all software (apple just released an update to fix actively exploited vulnerabilities!)
• Use strong, unique passwords. Change passwords when:
  ◦ The respective service recommends a password change, or;
  ◦ The password has been shared with individuals who are no longer authorized to use the password, or;
  ◦ The password has been used for another service.
• Use encryption
• Follow your company’s security policies
• Don’t disable your operating system’s malware detection (Windows Defender, XProtect)
• Vet your third party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
• Follow the principle of least privilege - people can’t be compromised for things they don’t have access to
• Consider non-SMS based 2FA (google authenticator, 1Password, yubikey), but any MFA is better than none
  ◦ Something you know (pin, password)
  ◦ Something you have (token, hardware key)
  ◦ Something you are (biometrics)
• Don’t store user data locally (if you need it, delete immediately after you’re done with it)

Things you can do today!
• Audit connected oauth apps (to social media platforms, github, etc)
• Delete old accounts
• Check haveibeenpwned.com
• Check your router for firmware updates (I did this yesterday)

Developer hack examples
https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
https://www.upguard.com/blog/what-caused-the-uber-data-breach
https://en.wikipedia.org/wiki/2017_Equifax_data_breach
https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
https://www.synopsys.com/blogs/software-security/heartbleed-bug/

Links From Amanda:
· https://1password.com/developers
· https://1password.com/developer/student
· https://education.github.com/pack
· https://hashnode.com/hackathons/1password

Very special thanks to our sponsor: Women’s Society of Cyberjutsu!

Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The con Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting

Opportunities, Celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: