infosec

Security Champion

I’ve been interested in all things related to cyber security for many years. In private I’ve played around with things like Wireshark and Burp Suite, explored a few CTF’s, and taken various courses from among other sources, Pluralsight and Cybrary (I’ve even contributed some written material as a paid training assistant for the latter). I’ve also been listening to security-related podcasts on and off for years (“Risky Business” anyone?), and tried to keep up with at least the biggest headlines in the field. For whatever reason though, I’ve never really worked with security in my professional career – at least not beyond dealing with a few things like security certificates and basic authentication and authorization solutions while coding.

A few weeks ago I was given the role of “Security Champion” for the team I’m currently working on, which means I’ll have an excuse for a little extra responsibility for making sure the teams maintains a good security posture.

So what does that mean? Well, it means I get to spend some time thinking not only about how we can make our products more secure, but also about how we can be prepared in case something does go wrong. Hopefully I will get to work on everything from threat modelling and pen-testing up to planning for disaster recovery, and fiddle around with a couple of interesting tools and frameworks along the way. I’ve consumed a substantial amount of theory about security of the last few years, so it will be nice if I can actually apply some of it in my daily work.

I’m really looking forward to this, and I hope I can find the time and inspiration to write a little more about it here as I go along.

We’ll see how it goes…

Cheers!

MasterCard’s new biometric security

I came across this announcement today. Apparently Master Card is applying biometrics in an attempt to make online shopping faster and safer. My impression of the current state of biometrics is that it is not great. Some technology may be considered reliable (a relative term in any case), but it is generally expensive, and typically consists of invasive things like retina scanning, which requires a person to physically lean close or right up to a specialized piece of equipment. General consumer technology like the fingerprint scanners on phones and the like are easily fooled, and may give a false sense of security.

So what is Master Card using? Well according to articles from biometricupdate.com and mobileworldlive, they’re experimenting with fingerprint scans and short video shots of faces (facial recognition) as replacements for passwords when authenticating payments. CNN Money has this video demonstrating the facial recognition solution.

The motivation behind this is to make security less of a hassle for customers, to keep them from abandoning purchases at the final step. I think this  is an interesting and admirable effort, and the solutions seem pretty cool. A number of questions come to mind though:

Continue reading