Devdatta Akhawe
Security @figma. Previously, Dropbox and Berkeley Grad Student. Opinions are my own, and mostly wrong. Him/he. Also on @devd@infosec.exchange
Feb 14, 2022 11 tweets 3 min read
🧵 1/ @mdorsi suggested a follow-up thread on our experience switching to webauthn & so here goes. I will first start with the good parts before jumping into lessons that might be useful for other security teams. If you find this fun, come join us at figma.fun/seceng
2/ The Good: Not having to stress out about phishing or come up with "gotchu" phishing campaigns for your coworkers is a significant relief; I strongly recommend enforcing webauthn to every startup, VC firm, or anyone with a small security team.
Jul 19, 2021 10 tweets 4 min read
1/ 🧵 🧵 Excited to share a new paper appearing at Usenix, focused on detecting lateral movement using machine learning, with @granthotweet, @l0ph3r, @TheSavageInMan, Vern Paxson, Geoff Voelker, and David Wagner arxiv.org/pdf/2105.13442… 🧵🧵
2/ Machine Learning for Security is often touted as this panacea that will find all attacks, but rarely lives up to its promise. Building an ML system that works on real-world data gave me a good checklist with which to evaluate ML+Security products/proposals.
Apr 6, 2021 18 tweets 3 min read
1/ Recently, we switched Figma's Okta to only allow phish-proof webauthn/FIDO MFA. I wanted to share a few things that helped us and might come in handy for any other security team.
2/ Moving to FIDO/Webauthn only is one of the most important risk reduction steps for any enterprise, but the transition is not easy. I am lucky that Figma leadership & the IT team deeply care about security & were immediately on board with this change; otherwise, get them on board first!