A Conversation with Alissa Knight: Security Is In The Eye Of The Implementer

Recovering hacker extraordinaire and content creator Alissa Knight is a disruptor. Her videos and white papers from the perspective of an adversary exist to assist companies in determining the efficacy of their products. Join us as she talks about mobile app security, FHIR, and what it means to be a hacker.

Show Notes

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

Today’s guest is Alissa Knight. With over 20 years of experience, Alissa calls herself a “recovering hacker.” She is a researcher and content creator specializing in cybersecurity. She goes on to describe herself as “a disrupter of the content marketing space” as she assists brands and market leaders in locating vulnerabilities in their unique Application Programming Interface (API) systems from the perspective of a potential adversary. She then creates strategies on how to better safeguard the cybersecurity of their users. In particular, Alissa has been focusing on mobile security and the potential flaws within mobile apps, specifically within the healthcare system. In her research, she explores the challenges that mobile developers face. In her efforts to transform the cybersecurity industry, Alissa reveals that many organizations have never undergone API penetration testing and how this puts mobile app users’ private health information at risk. Alissa is also an author and entrepreneur. She started and sold two cybersecurity companies and is the CEO of managed security service provider, Brier & Thorn.

In expressing his excitement to “geek out” with Alissa today, Mike starts off by asking Alissa about her recent mobile hacking paper in which she explores poor practices on behalf of mobile developers and healthcare developers. She breaks down her process of static code analysis, explaining how the continued use of hard coding usernames and passwords over the years has proved to be problematic in securing personal private information. She then explains how she implements network traffic interdiction to gain further insight into how the organization’s API system functions so she can better infiltrate the system during cybersecurity testing.

Mike inquires further about this topic, asking why Alissa chooses to do traffic interdiction and why other apps aren’t doing “cert pinning,” otherwise known as certificate pinning. For listeners who are unfamiliar with this concept, Alissa explains certificate pinning as a means of telling your API system to only accept your certificate and to reject any alternate incoming certificates. With this in mind, Alissa then discloses how she goes about intercepting messages within the system in order to manipulate the incoming information within the API. She reveals that of all the systems tested, she found all were vulnerable to broken object level authorization and provides a real-world example to demonstrate what those risks can look like.

The discussion shifts to what Alissa describes as “authentication versus authorization.” She believes the problem ultimately boils down to developers focusing on authentication while authorization often gets overlooked. She elaborates saying how these code challenges not only influence the vulnerability of patient medical records, but also extend into other areas such as the vulnerability of private financial and banking information and believes this to be an overall systemic issue in need of addressing.
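The authentication-versus-authorization gap described in the last two paragraphs, shown as an added example that is not code from the episode or from any real FHIR server: both handlers authenticate the caller, but only the second checks that the caller owns the record it asks for. The record store, session table and token values are constructed for the illustration.

```python
# Added example: authentication versus authorization (broken object level
# authorization) in a patient-record API. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str
    diagnosis: str


# Constructed sample store: two patients, one record each.
RECORDS = {
    "rec-100": Record("rec-100", "patient-1", "hypertension"),
    "rec-200": Record("rec-200", "patient-2", "asthma"),
}

# Constructed session table: bearer token -> authenticated patient id.
SESSIONS = {"token-alice": "patient-1", "token-bob": "patient-2"}


class Unauthorized(Exception):
    """No valid session: the authentication step failed."""


class NotFound(Exception):
    """Record does not exist or is not visible to this caller."""


def authenticate(token: str) -> str:
    """The step developers usually get right: reject an invalid or missing token."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("invalid or missing bearer token") from None


def get_record_vulnerable(token: str, record_id: str) -> Record:
    """Authenticates the caller but never checks who owns the record (BOLA):
    any logged-in patient can read any record id they can guess."""
    authenticate(token)
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record


def get_record_secure(token: str, record_id: str) -> Record:
    """Same lookup plus an object-level authorization check against the owner.
    Missing and foreign records get the same error, so the endpoint does not
    reveal which record ids exist to callers who may not see them."""
    caller = authenticate(token)
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != caller:
        raise NotFound(record_id)
    return record
```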

Mike then focuses on solutions and asks Alissa for her insight as to how to overcome these code challenges in the mobile app space. Alissa reveals that she believes the answer is multidimensional but that it begins with secure code training. This includes doing away with hard coding credentials within the app and regularly undergoing penetration tests in an effort to hack into your own systems.

They conclude today’s episode by excitedly discussing Alissa’s passion for hacking and how it indeed is its own art form. Mike inquires about what’s next for Alissa and what her newest research entails. She discusses her new video, titled “Playing with FHIR,” and how it explores vulnerabilities affecting FHIR API systems, more specifically the vulnerabilities that arise from implementation, since every FHIR API will be implemented differently. Before departing, she offers her personalized wisdom, urging listeners that “security is in the eye of the implementer.”

Timestamps

00:14 – Host Mike Murray opens the show

00:52 – Mike introduces guest, Alissa Knight

04:50 – Poor practices on behalf of mobile developers and healthcare developers

07:08 – What defines a hacker

07:30 – Traffic Interdiction and why apps should use certificate pinning

10:12 – Authentication vs. Authorization

11:16 – Mike shares his experience working for a medical device manufacturer

12:27 – How to overcome code challenges in the mobile app space

16:28 – The art form of hacking

17:05 – Alissa’s work with FHIR API systems

21:45 – How to further connect with Alissa Knight

Links

Go to the Scope Security website to learn more, sign up, and never miss another episode!
Follow Scope Security on LinkedIn and Twitter.
Learn more about Alissa Knight on her website.
Connect with Alissa on LinkedIn and Twitter.
Learn more about Alissa’s work by subscribing to her YouTube channel.

If you have ideas for topics, guests, or technical tips, contact [email protected]
