Biometric Frontiers: Unlocking The Future Of Engagement – Andras Cser, Enza Iannopollo – ASW #308
1. Biometric Frontiers: Unlocking The Future Of Engagement – Andras Cser, Enza Iannopollo – ASW #308
This week's interview dives deep into the state of biometrics with two Forrester Research analysts!
This discussion compares and contrasts regional approaches to biometrics, examines the security challenges and benefits of implementing them, and reveals how biometrics holds the keys to a range of future engagement models.
Andras Cser dives into the technical end of things and explains how biometrics can be resilient to attack. We can't replace our fingerprints or faces, but as Andras explains, there's no need to, thanks to how biometrics actually work. Then, Enza Iannopollo takes us through the latest on privacy in biometrics - a concern for both consumers, and businesses tasked with complying with privacy regulations and avoiding costly fines.
Finally, get a sneak peek into the upcoming Forrester Security & Risk Summit. Whether you're an industry professional or just curious about the implications of biometrics, this episode delivers insights you won't want to miss!
Guests
Andras serves security and risk (S&R) professionals. He is a leading expert on identity and access management (IAM); risk-based, biometric, and multifactor/passwordless authentication; user account provisioning; entitlement management; federation; and privileged identity management.
In the IAM domain, Andras currently covers customer-facing identity and access management (CIAM) as well as enterprise fraud management (EFM) and compliance (KYC, CDD, and AML). In the cloud security domain, Andras currently covers cloud workload security, software-as-a-service security posture management (SSPM) and cloud access security brokers, and infrastructure-as-a-platform native security (IPNS). He maintains an interest in evaluating the skill sets and core competencies of professional service providers in these spaces.
Prior to joining Forrester, Andras was a security architect with CA Technical Services through the Netegrity acquisition. Andras designed the architecture and led the implementation of Fortune 500 companies’ IAM and provisioning solutions. Previously, Andras managed business process reengineering projects.
Andras holds an MBA degree from the Technical University of Budapest and Heriot-Watt University, Edinburgh, UK. He also holds an MSc in computer science and electrical engineering from the Technical University of Budapest. Andras speaks English (fluent), German (advanced), Russian (basic), and Hungarian (native).
With almost a decade of experience in the fields of privacy and business technology, Enza contributes to shaping and evolving Forrester’s point of view on Privacy & Risk. She has developed thought leadership and produced research on compliance with data protection rules, privacy as a competitive differentiator, ethics, and risk management. Working closely with clients, she helps them embed privacy and ethics in their strategic initiatives through approaches that deliver business growth while protecting customers’ and employees’ trust and their brand reputation.
2. AI fixes everything, C++ the actual worst, IAM is hard – ASW #308
This week, in the Application Security News, we dismiss magical thinking and discuss what generative AI will actually be able to do for us.
We also discuss whether Secure by Design's goals are practical or not.
OSC&R releases a report on software supply chain that should be interesting, though neither of us had time to read it yet.
Also, Watchtowr has some fun with Citrix VDI!
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
- 1. Lessons From OSC&R on Protecting Software Supply Chain
- 2. How Does AI Improve Digital Experience Monitoring?
If you read very closely... between the lines... you'll find it.
The magical thinking.
- 3. The US government wants devs to stop using C and C++
Good luck with that.
- 4. Prompt Injecting Your Way To Shell: OpenAI’s Containerized ChatGPT Environment
I was floored that this was possible, and then even more floored that OpenAI knows about it, and that it's not really a security issue.
It very much FEELS like a security issue, and that I'm playing around with command injection that shouldn't be allowed. As long as it doesn't break out of the sandbox that exists around every ChatGPT chat session though, they don't seem to care.
- 5. Zero Standing Privileges: Vendor Myths vs. Reality
A lot to talk about here, both in the practicality of security principles that require you to remove 100% of unnecessary privileges, and some of the excellent examples they include of situations where ZSP won't save your bacon (which is a kosher alternative to salted pork, according to AI).
- 6. Centrally managing root access for customers using AWS Organizations
I, uh, need some tips here. For a friend. I'm hoping John has some advice. Again, for a friend, not me.
- 1. Insecure use of message queue results in RCE of Citrix Virtual Apps and Desktops
Another fun writeup from Watchtowr, where they pick a product they haven't explored before, do some thinking, decide something this complex probably has a vulnerability in it, and then find one.
- 2. Will prompt engineering replace software development?
To answer the title question - no. But interesting to think about how even going from chatgpt4 to o1 requires revisiting prompts and how they work with one's LLM of choice.
This whole space is very brittle...
- 3. US politician wants to eliminate CISA
I'll try to stay away from politics, and Mr. Paul's efforts do not have much chance of success, but he wants to "eliminate" CISA not because of their appsec work, but because of their attempts to debunk myths around US presidential elections.
- 4. Google using “hardened” libc++ to improve memory security in their codebase
Yes - another memory safety story, but really... I'm only sharing about 30% of those that I'm seeing right now; this is a really busy space at the end of 2024.
While we've seen some new standards for safe C, and several different compiler projects, Google is moving to use a hardened version of libc++ in their codebase. They're seeing only a 0.3% slowdown in performance - which isn't bad compared to some other projects claiming 2-5x reduction in speed.