NorthSec 2021

Mitchell Cohen

Mitchell is Product Lead at 1Password, where he specializes in delivering usable security in the browser and on the desktop. Before he joined the dark side and became a software developer, Mitchell followed a circuitous path through technical writing, journalism, and liberal arts. His interests span from operating systems, to UX, to linguistics, to the history of science and technology. Mitchell lives in a tiny Toronto apartment with his partner and cat. He will make you a great cup of coffee if you ask.

Title: Product Lead

Company/affiliation(s): 1Password

Twitter: https://twitter.com/mitchchn

GitHub: https://github.com/mitchchn

Moderator: no

Sessions

05-20
11:25
40min
Application security
Laurent Desaulniers, Indiana Moreau, Dolev Farhi, Mitchell Cohen, Mansi Sheth

Q&A and discussion for the malware block, hosted and moderated by Laurent Desaulniers. Questions will be gathered from the audience during the four prior talks.

Appsec
Main stream
05-20
10:15
30min
How to harden your Electron app
Mitchell Cohen

Let’s be honest — when you decided to build an Electron app, it wasn’t because of the framework’s stellar reputation for security. Like so many developers before you, you weighed your options and made a practical choice. But now you have to make the best of it and protect your users and their data.

Hardening your Electron app is not straightforward, but it is also not impossible. Through a combination of threat modelling, careful separation of concerns, and simply reading the docs, you can achieve the security goals for your app.

This talk is about how we built a secure password manager in a framework that’s infamous for being insecure. We’ll look at the security model of our Electron-based frontend for 1Password, what pitfalls we encountered along the way, and how you can apply what we’ve learned to your own projects. We’ll also reveal our hardened Electron starter kit and invite you to see how it works — and try to break it.

Appsec
Main stream