Over the past few days, I have been working on an overhaul of transvasive.com. I’ve started using GitHub Pages for my safety-related blog, information-safety.org, and have found that I prefer that workflow to the more traditional approach of using a CMS, like WordPress, so I decided to migrate transvasive.com to GitHub. Today, I completed that migration by adding a custom domain and redirecting traffic to GitHub Pages.
As part of the migration, I edited all of the historical posts, fixing a few typos and restoring broken links. In some cases, the sites referenced are no longer active – those have been replaced with the page stored in the Internet Archive when available.
While I haven’t been posting to transvasive for a few years, I wanted to maintain the site as a historical record (mainly for myself) of my writings. It’s been interesting to read through the posts during the migration and see how ideas I had years ago have evolved and influenced my contemporary work. Although my focus has shifted to safety and resilience, I do have a couple of past presentations to post here, and will post any security-focused content here.
One final note: for a single-person blog, a static site generator is easy to use and much easier to secure. I’d recommend it both for the improved security and for the benefits of being able to manage your content using version control.
Last month I gave a talk at SIRAcon 2016, “STPA-Sec: stealing from safety engineering to improve threat modeling.” The talk was well received, and I want to thank both the organizers and attendees for an excellent conference.
The talk was the result of my attendance at the 2016 STAMP workshop. STAMP includes a couple of frameworks that are used within the safety profession, both for hazard analysis (STPA) and accident analysis (CAST). There are a handful of security researchers involved with the group (mainly from MIT Lincoln Labs) and they have developed a version that can be applied to security, STPA-Sec.
STPA has been shown to identify hazards more efficiently and effectively than traditional safety methods such as fault tree analysis, identifying more hazards in a shorter period of time, and I believe STPA-Sec can do the same for information risk analysis, by more effectively identifying and communicating risks than existing threat modeling techniques. Even so, STPA-Sec is still a work in progress, and I found gaps in the model when applying it to a simple banking application: it does not directly address confidentiality as that isn’t generally a safety concern.
Earlier this year, I spoke at CyberSecureGov
2016, after my proposed talk based on
the two years I spent working on large government projects was accepted.
Identity & Access Management has always been an interest of mine, ever
since my days supporting a security administration team, and I learned
quite a bit by working on projects setting up single sign-on for the
From the Abstract:
Building Identity & Access Management solutions can be difficult. This
presentation reviews lessons learned from designing and building IAM
solutions in multiple states, focusing on the unique challenges of IAM
in government, which must serve the needs of three separate groups:
the public, government agencies, and NGOs. Lessons drawn from
real-world experiences will demonstrate what works, what doesn’t, and
how to fix things when they go wrong.
Following the flow of a typical user’s experience, the presentation
will cover the successes and failures of designing an IAM solution:
getting a user ID, logging in to the system, matching “me” as a public
user to “my data,” and getting access to the system. Along the way, we
will explore lessons about how design choices for each step can impact
Also covered are designs that were not implemented, sharing the vision
of how automated user-driven access requests, changes, and reviews can
both improve user experience and lower costs.
The key lesson for me was to understand that there are three key aspects
of enrolling users in a public website that should be handled
separately: provisioning a user ID, identity matching, and identity
proofing. Making these separate processes solves many potential problems
and provides a better user experience.
One interesting thing I noticed in both talks is that there was a small
core of very interested attendees – most security professionals don’t
have to deal with Identity & Access Management, but those who do tend to
be very passionate about the topic, and could easily relate to the
problems we faced while building out large SSO solutions.
You can download a copy of the slides from the presentation here. A video
of my talk at OWASP MSP is available here.