In this episode I catch up with Tanya Janca to discuss DevSecOps, AppSec, and Cloud Security.
You can listen to the full episode here:
https://cloudskills.fm/054
Tanya Janca is an application security consultant, helping people write more secure software and securing 'The Cloud'. Her obsession with securing software runs deep, from starting her consulting, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project.
With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #MentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.
Resources from this episode:
- Tanya on Twitter: @SheHacksPurple
- Tanya on dev.to: dev.to/shehackspurple
- Tanya on Medium: medium.com/@shehackspurple
- Tanya on YouTube: youtube.com/shehackspurple
- Tanya’s Newsletter
Full Transcript:
Mike Pfeiffer:
Hey, what’s up everybody? It’s Mike Pfeiffer, welcome back to another episode. I am joined today by Tanya Janca. Tanya, thank you for coming on the livestream and the podcast today. I’m really excited to have you here.
Tanya Janca:
Thank you for having me. this is great.
Mike Pfeiffer:
Yeah, this is awesome. I just want to make sure, I kind of fumbled with the controls a little bit when I was getting started, I want to make sure that everybody that’s on the livestream can hear us, so if you guys are paying attention and listening, let us know if the audio sounds okay in the comments. I see Vivek and Muhammad and Michael, Sue Neil. Thanks for being here. Francisco, what’s up man? Good to see you. Mathias or Mathias, Joyce, good to see you again. Thanks a lot everybody for joining us. So, Tanya, for anybody that doesn’t know you, maybe we could get your backstory real quick.
Tanya Janca:
Yeah, absolutely. Hi everyone, I’m Tanya Janca. On the internet, I am known as SheHacksPurple and I’m a giant AppSec nerd. Basically I was a software developer. I got really obsessed with security, I became a pen tester because that is what everyone seems to want to do. But then as I got more into pen testing, I fell in love with the idea of solving the bigger problem, which is application security and ensuring we make secure software. And with that of course comes DevSecOps which is AppSec when you’re in a DevOps environment. I’m a proud OWASP WoSec, which is Women of Security, and I very recently started my own company called Security Sidekick. I do a lot of public speaking and basically being a nerd on the internet, yeah.
Mike Pfeiffer:
Oh, we definitely have that in common, for sure, so that’s awesome. Thanks everybody. Good to see you. It sounds like everybody can hear us okay, so congratulations, first of all, on starting your new company. I can definitely relate, I’ve done a couple of those along the way and I know how challenging that is. Has that been a pretty fun ride for you so far?
Tanya Janca:
So far it is ridiculously exciting. I’m absolutely astounded at how many people have reached out to me to try to help me. I didn’t realize that so many people would just be so happy about us starting a company and wanting to ensure that we can succeed and helping us tread water, making the correct introductions and advice and all of these things. It’s overwhelming, the amazing, amazing support. Even our direct competitors reaching out and trying to help us, they’re like, “Hey, look at this,” I’m like, “Oh, thanks guys.” People tell you business is cutthroat, but it would appear to be the opposite, so far. Or maybe people are like, “Oh, they’re harmless.” I don’t know, but everyone’s just being great.
Mike Pfeiffer:
Well, that’s awesome that people are being very supportive about it. And I think that it’s interesting because we’re living through a time now where it’s easier than ever to starting your own business. There’s so many tools and services online and it’s cool to see that people in the community are rooting for you. That’s really awesome. So what’s kind of… I guess working on a platform, is it more of a consulting type of service or what is it?
Tanya Janca:
We have made a product. Basically, Aaron Hnatiw, my co-founder and basically an inventor guy, he keeps creating cool new stuff and he’s open sourced a bunch of things before. He was doing R&D, he wanted to make a new product, and he kept iterating through all these things and we’re friends. So all of his ideas, we’d bounce them around and stuff. And then eventually he came up with this transparent proxy and he convinced me to come on after quite a while. I was like, “You should join Microsoft,” which is where I was working. And he’s like, “You should join me,” and I’m like, “You should join Microsoft.” “You should join me.” But eventually he won. Basically, when we both worked in AppSec, we had a lot of problems keeping track of all of the different pieces of software that we’re supposed to secure.
Tanya Janca:
So, like, “Oh, there’s a bunch of APIs,” or, “Oh, Bill from finance bought a subscription to this SaaS product, Software as a Service, and didn’t tell us,” or, “Oh, there’s all these legacy web applications that no one told us about because they’re like, ‘Oh, they’re old, and we don’t really update them, so they’re not a problem.’” They’re on the internet, I assure you they are a problem. And so what our tool does is it’s a transparent proxy, so things go through it. We can recognize webby things and we inventory them.
Tanya Janca:
Right now apparently inventory is really hot. My friend Clint Gibbler, he made this silly meme of The Fast and the Furious except for it’s about inventory, because for so many… I don’t know why, but I guess a lot of people realize it’s a problem. And then we perform security analysis. So, “Okay, we found your apps and this one has no security headers and this one is passing all the stuff in the URL parameters and we’re pretty sure it’s stuff you should not be passing there or [inaudible 00:05:05] security config,” and all those things. And it works. Oh, my God, it’s so exciting to actually make something and then you’re… it works. It’s cool to make a thing and now we’re just trying to get people to give us money for it, I guess.
Mike Pfeiffer:
Right. Yeah, that’s the tricky part, is to convince them to pull the credit card out, but that’s awesome. I think there’s actually a bunch of people in the comments that recognized you from your work in the community, which is really cool. I know that you spent a lot of time before you started this new company when you were at Microsoft going all over the place and speaking about security. So maybe a good way to start would just be what is the big low-hanging fruit of where people aren’t doing security right, especially when it comes to DevSecOps, and in this new world of getting software into production and these cloud platforms? Maybe we can start there. What’s the biggest pitfalls that you’ve seen out in the wild?
Tanya Janca:
Okay, biggest low-hanging fruit. Everyone just needs to do really good input validation and they need to patch and upgrade things. No more giant technical debt. So if you are using .NET, you should not be using 2.1 of the framework. You should be using the latest and greatest or one back, because all those old versions, almost all of them, have security flaws. It’s the same with your billions and billions of different DLLs, libraries, third-party components, your JavaScript library, all of that stuff. Use the new one, don’t use old ones. So like patching and upgrading those things and then input validation.
Tanya Janca:
If everyone did those two things, at least half or more of all the vulnerabilities would just disappear like that, we’d all be set. And if you’re using something like C or C++ people are going to get really upset when I say this, Michael, just to be clear, switch to REST because it’s memory safe and you can remove, according to Mozilla, 73% of all vulnerabilities. On the web where memory is safe, yes, not on the web, if you’re doing operating system, low-level stuff, if you have the option, if you’re writing something new, for the love of God, use REST, don’t use C or C++.
Mike Pfeiffer:
Interesting, that’s really interesting. That’s cool to know.
Tanya Janca:
Yeah. So, not web, excluding web, but almost all low-level programming things where you’re using C or C++, almost all vulnerabilities revolve around integer overflows, string copies and things like that, all of the things where you can overload something. You go into an unknown state and then that is where the hacker magic happens. And [inaudible 00:07:59] they’re like, “Yeah, I’m in an unknown state. I’m going to make it do my bidding.” But other than making pen testers or red teamers really happy, it’s very bad. So if we could do those two things, life would be great.
Mike Pfeiffer:
Yeah. And it’s hard to do that. I know that one of the struggles that we’ve had over the last couple of years automating stuff for companies, lots of customers in the enterprise are still using VMs, so it’s really easy to write automation, well, not easy, but it’s cool and you can go fast and automate stuff, but if you’re still using an old virtual machine image because you captured an image with all of your software baked in and then it’s like, “How do we keep this thing up to date?” And then just working in regular systems administration for so long back in the old days and trying to keep stuff patched is such a headache. But now that people are doing things more, actually implementing software practices towards their infrastructure and doing things like CI/CD pipelines and stuff, there’s a lot of talk about getting security in there, shifting left and that kind of stuff. Is that a conversation that comes up a lot when you’re doing your talks and working with customers?
Tanya Janca:
Yes. When I was working at Microsoft, I went on this thing called Microsoft Ignite the Tour where we went all around the world and it was super exciting and I got to see lots of cool things in Asia. My boss at the time, Steven Murawski, he’s awesome.
Mike Pfeiffer:
I remember him, yeah.
Tanya Janca:
So we were talking in [inaudible 00:09:27] and we would cover off on each other. Do you know what I mean? So we didn’t all both have to go to 17 countries. Right?
Mike Pfeiffer:
Yeah, yeah. That’s hard.
Tanya Janca:
Of course, that’s bad. So we shared. His infrastructure as code talk was so cool and I’m like, “The moment that this is over, I want to change it into a security as code talk.” So, I’m going to build the infrastructure, but here’s me flipping on this security thing and sharing that, automatically scanning it. But then I started my own company and got distracted. But I truly believe if you’re doing infrastructure as code, this is so magical because you can automatically turn on monitoring, turn on alerting. You can write custom scripts that alert you on things or even respond to incidents for you. You can train the cloud to recognize certain behaviors and call a server-less app and you can write whatever you want. Black hole, bad IP. Oh, it looks like there might be something happening with data exfiltration from my database.
Tanya Janca:
I don’t give a shit if it breaks prod, turn off that database. Close it down. I don’t give a shit. And then you can make Azure call you on the phone. I know, because it told on me to my boss. I was making a lesson for the OWASP DevSlop Project, this open source project I’m part of. I was making this lesson of putting your keys in your code, but it was fake keys and I put it through the CI/CD pipeline And then Azure was like, “No, those are credentials.” I’m like, “No, no, it’s okay.” And it’s like, “No”. So I went around everything and then it called my boss.
Mike Pfeiffer:
That’s really cool.
Tanya Janca: I know. And he’s like, “What are you doing?” Then I told him and he laughed. And then the incident response team called us and then it wasn’t funny anymore and we were in trouble.
Mike Pfeiffer:
Ooh, that’s-
Tanya Janca:
Yeah, I know, I know. The incident response team was like…
Mike Pfeiffer:
Yeah. Well, at least they’re there and catching stuff like that. But that’s a really good point because, in addition to just dropping stuff in that can scan, sometimes you’re building your own monitoring solutions or checks. I worked with a team and it seems like that’s maybe the direction where a lot of teams will end up where it’s like you have to go through the pipeline to do all your stuff. That way it’s validated and checked for not only security but all these other tests. But I worked with the team once where they were writing infrastructure tests to look at things like the ingress rules coming into the environment and all this kind of stuff. And if the infrastructure developer put the wrong thing in the rule set, it’s like, “Nope, that failed.” And now everybody on the team knows and now you’ve got to go fix it.
Mike Pfeiffer:
So it’s a really interesting model. Christian, in the comments, asks, and he’s a DevOps engineer already and he’s asking about the recommended path or any tips going from just kind of a regular DevOps engineering where you’re just working on software and stuff to DevSecOps? Do you have some advice there?
Tanya Janca:
Yeah. DevSecOps is basically the same thing as AppSec, but when you work in a DevOps environment, so if you’re in waterfall, you have to adjust to how the developers are doing their waterfall. So if you are in a DevOps environment, you have to adjust, or you’re those people that no one talks to and the code still gets released and you never see it. You have to get on board with them. So you’re already on board, which is awesome. You just need to learn about application security.
Tanya Janca:
The first thing that I would suggest, if you’re going to add something to your pipeline, would be something to check the third-party components. Like sneak Black Duck. Oh, the people that made All Day DevOps, Sonatype. There’s a whole bunch of things. There’s OWASP Dependency Check, which is free, but some sort of check for that because it’s lightning fast. It’s very, very, very quick and it’s a big win. It’ll even check your licenses. Like, if you’re using Azure DevOps, there’s something WhiteSource Bolt. WhiteSource makes a really cool product that does that, but WhiteSource Bolt is free, which I feel is very generous because it actually is really awesome. You just basically press a button and it will tell you like, “These licenses are questionable,” and, “We found this, you’re using this insecure version of that”.
Tanya Janca:
The most important part there is that it is lightning fast and a big win. But if you want to learn about DevSecOps, I would suggest, shamelessly, the OWASP DevSlop Project. My friends, Nancy, Francisca and Nicole and I were a bunch of nerds on the internet and we have a YouTube channel where we made, I don’t know, 25 30 videos and we have a blog on Dev.to and all of that where we talk about different ways and strategies to add security to DevOps. And then I have a bunch of videos. My friend Imran Mohammad, he started this company called Practical DevSecOps and it’s like this slow, online training course from home that you can follow a bit at a time. Right now he actually just gave away a free Docker course, like how to pen test Docker and how to make sure your Docker containers are secure, which I’m taking because it’s awesome. I’m taking it home and he’s giving it away free. So there’s like a bunch of different places where you can kind of start to learn, and also join your local OWASP chapter.
Mike Pfeiffer:
Yeah. So, OWASP, there’s probably a lot of people watching this livestream or listening in the podcast that aren’t really security focused and may not even know what that is. Maybe we could explain that and break it down real quick.
Tanya Janca:
Okay. So besides OWASP being like my best friend forever, OWASP, it stands for Open Web Application Security Project. It is a giant, giant community that is worldwide. We have 280-something chapters around the world. I used to be a chapter leader and I was a project leader until last week when I stepped down just because I’m busy. But we have, I think, 100 active projects where everyone just gives away things for free and efforts to help people learn how to make secure software. So there’s pen testing guides, there’s secure coding guides, there’s a bunch of different tools that you can use for free. All of it’s free. Every single thing to do with OWASP is free except for if you go to one of their giant conferences. They have conferences all over the world, but they also have monthly events and all of them are free. I met a lot of my friends over the past couple of years at OWASP.
Mike Pfeiffer:
Nice.
Tanya Janca:
Yeah. Oh, my gosh. It’s a really amazing, supportive community of people who are just really excited about the same things that I am, like how to secure software and how can I succeed in this area, what are good strategies, and it’s been invaluable to me.
Mike Pfeiffer:
That’s awesome.
Tanya Janca:
Yeah. As a software developer, it’s just so huge and the security’s a lot smaller and it’s nice that you can just meet up with a bunch of people in person every month. If you’re really stuck at work, you literally have a room full of experts willing to help. It’s cool.
Mike Pfeiffer:
Totally. Yeah. And that’s one of the reasons why I do this show and it’s one of the reasons why I started a user group way back 10 years ago and stuff like that is because the community aspect of all of this stuff is so vital. I think in the beginning of my career I tried to do everything by myself and tried to figure stuff out and I realized, hey, there’s a ton of people out here that are interested in sharing and learning and helping each other out. So, if you guys out there that are listening have seen resources on the internet. O-W-A-S-P, that’s exactly what we’re talking about here, if you’re brand new to that concept, so that’s really cool.
Tanya Janca:
Sorry to interrupt. I just realized my microphone… I had moved it away because I was drinking coffee and I didn’t want to spill anything on it. Now it’s closer to me so if it’s too loud you might want to adjust the sound.
Mike Pfeiffer:
That sounds really good, still, to me so I think we’re in good shape. That’s awesome. I’m just looking at some of the comments here. Karthik was saying, “Yeah, we need some information regarding cloud security but also some information about cloud build tasks.” You kind of alluded to that earlier where we were talking about Azure DevOps and dropping WhiteSource Bolt into a pipeline. Because, basically, after you go through the whole CI process, you can have that thing kick off very fast, which CI is supposed to be fast. You made the point that it is fast and that’s important so he’s probably getting at that. Is there anything else that kind of comes to your mind around that concept that might help Karthik a little bit? Or is that really more of what we’re focusing on is dropping stuff into the pipeline to do these scans and different things?
Tanya Janca:
Okay. There’s so many things there. One, I’m an Azure person and I put a workshop for free online about how to secure Azure, so I can give you a link after. It’s a two-hour workshop where I explain what is cloud native, and new strategies to secure that. We can do a bunch of exercises in Azure and all of it’s free. There’s a free trial that you can do in Azure. I’ll give you a link to that after and that’ll help give you a crash course, just intro securing the cloud, which is totally different than DevSecOps, which is more focused on apps and the DevOps… I don’t know. When I think of DevSecOps I talk a lot about apps. But, you’re right, ops is part of that.
Tanya Janca:
Okay. So, for DevSecOps, DevOps is sort of three things. It’s, one, that you want to get things out very quickly. Very, very, very quickly. And putting more and more stuff in your pipeline is not necessarily a recipe for that actually happening. Part of the things that I saw with the DevSlop Project is that some things were just brutal. A lot of AppSec companies are like, “Yeah, put our SAST tool in your pipeline.” I’m like, “Yeah, and then next week we’ll publish our code and all the developers will find me and not think I’m cool or friendly or nice anymore.” They’ll be like, “You broke our pipeline. You suck.” Right?
Mike Pfeiffer:
Yeah, totally. Yeah.
Tanya Janca:
And they’d be right. So putting everything in your pipeline is not necessarily the answer to that. And another thing, the second way is that you want to get really fast feedback and that’s why people put a lot of things in pipeline. For instance, like putting sneak or something like that in your pipeline and getting really fast feedback of that version of JavaScript that you’re using is a million years old. Don’t use that. That’s really insecure. That’s really fast. But someone doing… I’m sorry to pick on SAST, which is Static Application Security Testing, which is doing symbolic execution, going through and trying to figure out, parsing your code for security problems. It has tons of false positives. Everyone that works in SAST knows this is true.
Tanya Janca:
I know the sales person will tell you it has none. They’re lying. But SAST is slow. It takes forever. Sometimes it can take a whole day to scan one app because it’s so intense and amazing. It’s amazing. You can find things that you would not find with other tools, and that’s cool, but it’s not appropriate in a pipeline unless you’re just targeting one specific type of vulnerability or you really have to carve it down. So getting really fast feedback, awesome. If you’re going to put a SAST product in your app, you should only look for very, very specific targeted things, so you can get fast feedback as opposed to, “Why does our pipeline run 18 hours, Tanya, And it’s still not done?” That’s not acceptable.
Tanya Janca:
And then the third thing is learning, continuous learning. Again, if you put something in the pipeline that runs 18 hours, you better learn from that lesson and change it. Sometimes the answer is making another pipeline, testing it there before you subject your developers to it. Sometimes the lesson is going totally outside the pipeline. Sorry to get back to my product here, but we’re not in the pipeline. And everyone’s like, “Why not Tanya? You’re the DevSecOps person. You love DevSecOps.” I’m like, “DevSecOps is not just pipelines. It’s not, it’s more than that.”
Tanya Janca:
Security is code. Yes, you are putting it to the pipeline to release it, but it’s turning it into code that is the DevSecOps thing you’re doing, not that you’re putting it through the pipeline with the rest of your software. The fact that you’re being way more efficient, that you’re getting faster feedback, the fact that you’ve automated boring-ass work so you can concentrate on cool experiments and trying to get better and better and better. That’s the thing that you’re doing that makes it DevOps. So we looked at everything and I’m like, “I don’t want to be a slow-ass product that’s in the pipeline. I don’t want to be another step for them to get through. I want to be faster than that. And I don’t want to only see things when it goes through a pipeline.”
Tanya Janca:
Another problem I’ve seen is… I did a lot of pen testing. Companies would bring me in and they’d be like, “Hey, Tanya, test these two brand new apps.” I’d be like, “Okay.” And then they would be like, “Oh, and everything else is out of scope,” and I’d say, “Even that thing you built in the '90s that is wide open, that’s this giant door onto your network that looks so attractive to me?” And they’re like, “Especially that.” But, for bad guys, that’s not out of scope.
Mike Pfeiffer:
Totally.
Tanya Janca:
It’s not out of scope.
Mike Pfeiffer:
They’re looking at [crosstalk 00:23:00] when they see that.
Tanya Janca:
That’s the first thing they’re going to go for.
Mike Pfeiffer:
100%.
Tanya Janca:
I’m like, “Just let me do a little, passive scan.” And they’re like, “It might fall down.” “Then you shouldn’t have it on the Internet!” I’m sorry. I get excited.
Mike Pfeiffer:
No, that’s a good point.
Tanya Janca:
So a lot of companies, what they’re doing is they’re moving a few things into the pipeline and that’s super cool, but they have this pile of stuff that’s outside of the pipeline that’s like a dumpster fire. So it’s so important to me to push the whole industry forward. That’s part of what kind of drew me towards AppSec from pen testing. I would come in and I’d be the first person to look at security and I’d look really cool and smart. Like, “She’s a hacker.” I’m like, “Yeah.” But then I was like, what would make me feel better is showing all the developers how to scan their code with ZAP and fixing all the basic problems, even on the old stuff. And then our whole posture goes up instead of one app is like this there. I’m like, “So it’s in the camera and then everything else is still here? I’d rather bring everything like this so you’re more difficult to hack or breach or abuse than your neighbor, than the other company in your space, et cetera.”
Tanya Janca:
I want someone to have to work really hard to get into a place where I’m working. I want to be like China, not like some antisocial pissed off teenager in their parents’ basement. I want it to be totally out of their limit. I want to have advanced adversaries only. And if we only focus on one or two apps that are cool and new, those are not the ones, those aren’t the ones.
Mike Pfeiffer:
Yeah, it’s the ones they’ve been studying forever and, to your point, even talking about… You mentioned using REST versus C++. C++ has been around for decades so it’s easier to understand that world. It’s a really good point. And one of the things you said that I liked a lot was the nontechnical side. You mentioned learning culture being important. The biggest thing that we battle with, especially over the last 12 months, has been the human side, the culture side, the kind of, We’ve been doing it this way for 10 years, blah, blah, blah." What do you think?
Mike Pfeiffer:
Because I just saw a ZDNet article about Microsoft the other day about how they’re transforming their culture and it’s like propelling them into the next level. Obviously Amazon’s got really great culture and it allows them to go really fast. How are these guys, these companies, going to get their customers to play up to their level? Because it seems like almost every customer I deal with has that problem where it’s like they’re not embracing that learning culture. Are you seeing that? Have any ideas?
Tanya Janca:
Yes.
Mike Pfeiffer:
Good, good.
Tanya Janca:
Sometimes companies contract me to come in and speak to their employees and I like to do public speaking so I rile everyone up and get them really excited about DevOps or about AppSec or about whatever I’m really excited about. Because apparently I have an energy that can be a bit infectious, because I am excited because it’s real.
Mike Pfeiffer:
And, by the way, not to interrupt, but Ahmed was saying when you mentioned that earlier that you were excited, he’s like, “The only reason I’m still watching is because she’s so excited.” So that’s awesome. Thank you for bringing the energy. I appreciate it.
Tanya Janca:
Thank you. I think that sometimes seeing a person who feels it helps, also. I find if you can be creative with how you’re teaching and how you’re changing your culture. I got hired somewhere and the idea was that I was supposed to create a training program and standards and then also do pen testing because of course I would have two completely different jobs but get one paycheck. It’s very Canadian government. So looked at all of our stuff, all the scans and everything that happened before I got there. And it’s like, we are doing a lot of cross site scripting and we suck. We totally suck at security headers. We’re not using all the ones we should. We’re using them very sporadically. Everyone’s got different settings. No.
Tanya Janca:
So we made a standard on headers. And, cross site scripting, you don’t need a standard on that. It’s just, this is how to find it. This is how to fix it. Totally unacceptable. So I made this deep dive into cross site scripting and we had, I think, 400 developers. We had this lunch and learn and only 10 people came and my boss was so heartbroken. She was like, “Only 10 people came. It wasn’t that good.” I’m like, “No, it was great. Those 10 people seemed into it.” I’m like, “I’ll give this every month until no one shows up. I don’t care.”
Mike Pfeiffer:
Totally.
Tanya Janca:
“I don’t care. This is my job. I’m here anyway, eight, nine hours a day. I love speaking. If one person shows up, I will give this talk every month indefinitely.” So a few days later someone came up to me and he’s like, “Tanya, I need to tell you something. I went back to my office and then I showed the whole team how to look for it. And then we opened up a bunch of legacy apps and then we found it in every single app. So then we just totally put everything aside for the afternoon and we looked through 100% of our apps and 100% of our legacy apps had one or more cross site scripting. So we documented all of them. And then next week we’re doing a sprint of cross site scripting and we are going to eliminate that bug class from our apps. Thank you so much. I can’t wait for your next lesson.”
Mike Pfeiffer:
That’s awesome. Good win, totally [crosstalk 00:28:56].
Tanya Janca:
I told my boss and we did this little happy dance together and I was like, “And that guy is going to tell people on other teams and then it’ll just spread.” He was so excited and his excitement spread to his team and he’s like, “Yeah, screw you cross site scripting.” I’m like, “Yeah.” So you can build that. And we started building more things, and then Microsoft asked me to come work for them and I was like, “Oh, my gosh, sorry, I have to go.” And my boss was like, “Can I come with you?”
Mike Pfeiffer:
That’s awesome.
Tanya Janca:
Yeah. Yeah, she is wonderful.
Mike Pfeiffer:
That’s really cool. That’s such a good story because there’s a lot of lessons in there. I think, number one, don’t worry about the size of the audience that you’re sharing with. I think people overlook that and that’s a really important message. But, number two, just having the conversation and embracing something new. That’s really interesting how people push back on not changing. And our job is all about change, so it’s kind of interesting to get stuck in that pattern of getting comfortable and not wanting to change and then having to try to talk people into it or it seems like we’d all be embracing it. So it’s an interesting time.
Mike Pfeiffer:
And for folks that are in this world getting sucked into cloud, now they’re trying to think about security, as well. It’s easier than ever to totally leave something wide open. How can somebody start getting, in your opinion, more security conscious as a technical person, whether they’re ops or development-focused?
Tanya Janca:
I get this question so much that I wrote a blog post and it’s called Getting Started with AppSec. I’ll share the link after. It’s all free resources either that I wrote, but mostly ones that other people wrote that I use to learn AppSec. So there’s a course by this woman named Sunny Wear, out of Florida, and she’s a big OWASP person. She taught me the OWASP top 10. She’s amazing and her course is free and you can do it online, learning really abstract concepts that are extremely complex. Being able to slow down, watch that part of the lesson again, do the exercise, watch it again. It was invaluable to me to learn everything inside and out. I wrote a blog series called Pushing Left, like a boss, because I enjoy Dad jokes.
Tanya Janca:
It’s a whole series about what is application security? What are security requirements? What does threat modeling even mean and how does it work? So basically just like one at a time, I’ve just been trying to share all of the lessons I can. I also follow a bunch of application security people. So, joining your local OWASP chapter and following them on Twitter is great. Mostly OWASP, the foundation, tweets about our events. It doesn’t really tweet about AppSec very often, but following people. If you look at Twitter, you look on LinkedIn. I just look up OWASP and if they’re an OWASP leader, I’m like, “Hi, can we connect? I need to see what you’re sharing. Whatever you’re sharing, I want to read it.”
Tanya Janca:
And almost all of them said, “Yes.” I’m like, “I’m not creepy. I’m nice and friendly.” And OWASP people tend to be really, really friendly. If someone has OWASP in their description, they’re probably really nice. So then my LinkedIn feed and my Twitter feed is just awesome.
Mike Pfeiffer:
Nice. Yeah, it seems like there’s definitely lots of examples out in the community, different pockets, different topics. But if there’s a community there, what I’ve found is usually, nine times out of ten, even more than that, it’s supportive and there’s a lot of very generous people participating in these communities. So I would echo that. Get in the game of networking, get in the conversation, follow the hashtags on social. You don’t have to post, you just read maybe, but ask questions. It’s really important. I think that a lot of people might not be getting in because they don’t realize the value there, so I’m glad that we shined a light on that.
Tanya Janca:
Sorry, I have two more.
Mike Pfeiffer:
Yeah, go ahead.
Tanya Janca:
Okay, so one more. If you’re a woman or you identify at all as being a woman, you should consider joining WoSec, Women of Securities. It’s this big group. We have 32 chapters worldwide. We’re only a year and a half old, though, so that’s pretty good.
Mike Pfeiffer:
That’s great.
Tanya Janca:
Basically, we meet up and we hang out. We do women-only learning circles and then we attend other events as a group, so you are never the only woman there. I don’t know how to explain to you, Michael, how scary it is to go to a meetup. It’s on private property. You don’t know a single person. Every single person there is a man except you and they’re drinking alcohol. It’s terrifying. It’s like, “This is such a stupid idea, Tanya, you should not be doing this.” I’m like, “But I really want to learn Python.”
Tanya Janca:
So going as a group, it’s not scary at all anymore. It’s not intimidating at all. You’ve brought a bunch of friends. We crashed RSA last year, DevCon, all sorts of BSides. We call it crashing, but we go as a group. It’s super fun. And then the last thing is if you use Twitter, I use this hashtag every Monday and everyone can use it. It’s not for me, it’s for everyone else. It’s called Mentoring Monday. If you tweet on Mondays and you use it, I will retweet you. Basically, I’m trying to help connect people. So if you have a lot of experience in information security and you want to help someone learn, whether it be suggesting a book, meeting them online for a coffee to chat or taking them under your wing and meeting with them all the time.
Tanya Janca:
And for someone just joining, being told, “This is the book you need to start with,” or, “Let me introduce you to this person,” or, “Follow these three accounts because these are the ones you’d want.” I’ve connected so many people. The information security community has been out of this world amazing answering people. So when you look up the hashtag, you might think, “Oh, there’s only 30 or 50 or 60 tweets this Monday,” but there’s actually hundreds more of people secretly answering the people and talking with them. It’s amazing, and thank you to our community for basically helping people, giving them this helping hand into our community, our industry. It’s amazing.
Mike Pfeiffer:
Yeah, there was a lot there and that’s really, really valuable. I think it’s easy for us to… You get stuck in your own world and you start to forget about other people’s perspective. That’s, for me, a lot of what DevOps is all about is getting out of your head and think about it from somebody else’s point of view and then try to find a way to collaborate and squash the whole us versus them dynamic. But what you mentioned about this newer organization that you created, what was it?
Tanya Janca:
WoSec. Women of Security.
Mike Pfeiffer:
That’s awesome. Because, you’re right, usually the meetups and stuff are at night and, man, it’s just one of those things where it’s easy to just miss it off the radar if you’re not honed in on it. That’s awesome. I love the community stuff. If anybody’s thinking about certifications in this world, is there anything out there that’s sexy for people to have on their resume in terms of a certification?
Tanya Janca:
This is an ongoing thing constantly and InfoSec, I have no certifications, but I can just say, “Google me,” and then my qualifications are right there. And normal humans, that’s not the case. So I don’t feel like I can advise about certifications. Because I don’t have a positive feel on them. I know that a lot of government contracts demand that you have X number of certifications and then I’m like, “Well, I guess you can’t have me. Tough shit.” Because there’s 10,000 more jobs that will hire me. I know a lot of places ask for certifications because they don’t have the security knowledge to ask in-depth questions in order to figure out that you actually know what you’re doing.
Tanya Janca:
But I don’t have any advice on which ones are good ones, unfortunately. It’s an industry and, working for myself, I totally understand. I have bills to pay. I totally want to pay my mortgage every month, so I totally get that we need to charge money for these things. But I don’t feel like I have good or unbiased advice to give on this topic.
Mike Pfeiffer:
That makes sense. I’m kind of the same way. I think part of running your own company, for me, is being able to pick the projects you want to work on. To me, not so much building up this huge thing. So anyways, it just kind of depends on where you’re at. Also, I don’t have a ton of awareness around all the different security certifications that are out there. I know Azure just came out with a security certification that I need to do at some point. Have you looked at that one at all or seen anything around that? I haven’t spent much time really digging into it.
Tanya Janca:
I did not. However, my previous team at Microsoft, a bunch of them are planning to just do all of the certs. Like [crosstalk 00:38:15]
Mike Pfeiffer:
It seems like that one’s newer and it’s probably going to get more traction. Because I think right now it’s just focused on security services, not so much patterns and practices of the stuff that maybe you’ve shared on this episode.
Tanya Janca:
I people are interested in specifically Azure certifications, I suggest that they follow Sonya Cuff and Orin Thomas from my previous team at Microsoft, their Azure advocates, because those two are just crushing it. They are, they are. So they’re going to be tweeting how to pass the certs and lessons and blogs and stuff about it. Because-
Mike Pfeiffer:
Yeah, they share a lot and I see him out there a lot. They’re doing a really good job. Orin’s done tons of books, too. That guy’s a legend.
Tanya Janca:
42.
Mike Pfeiffer:
How many?
Tanya Janca:
- 42 books for Microsoft [crosstalk 00:39:05]
Mike Pfeiffer:
I think that would kill me, to be honest.
Tanya Janca:
Amazing. And he’s super fun to work with, too, actually. Yeah, he’s very funny.
Mike Pfeiffer:
Yeah, that’s awesome.
Tanya Janca:
He totally keeps that to himself. He doesn’t do it on Twitter. He’ll message me and then make me laugh my ass off. I’m like, “You should tweet that.” He’s like, “No. We’re all professional and stuff.” I’m like, “You know what? You’re so funny.”
Mike Pfeiffer:
We’ll never know. We have to go work at Microsoft to find out and work on his team. All right. Well, as we’re kind of wrapping up the show, what should we be talking about or looking at as we leave from here after this conversation? Where can we find you and what should we be paying attention to?
Tanya Janca:
Okay, so please follow me on Twitter at SheHacksPurple. If you read blogs, I have a blog on DEV.to and Medium, and they’re both called, SheHacksPurple. You can follow me on LinkedIn but I’m not allowed connecting with you. Sorry. I have too many connections and LinkedIn got angry with me.
Mike Pfeiffer:
I think I follow you on LinkedIn, right?
Tanya Janca:
Yeah.
Mike Pfeiffer:
Probably.
Tanya Janca:
Yeah. Because I have like two spots left. I had to kick someone out so I could connect with you this morning.
Mike Pfeiffer:
Oh, I’m very [crosstalk 00:40:20].
Tanya Janca:
There’s a maximum and they’re like, “No way, Tanya, stop that.” But I’d really love it if people would check out my company’s website, securitysidekick.dev. We have a Twitter handle, secsidekick, and we have a YouTube channel, which we have not posted anything to yet, but our plan is to release a lot of free educational content because that’s important to me. We want to move our industry forward. So if you could check out my company, that would be a wonderful favor to me. And read my blog. The end. Oh, and I’m on YouTube, too. It’s SheHacksPurple. Just look up SheHacksPurple and select, follow, follow, follow.
Mike Pfeiffer:
You really are all over the internet, aren’t you? That’s awesome.
Tanya Janca:
I am a nerd on the internet, that’s true.
Mike Pfeiffer:
The thing that’s funny is I knew that your handle was SheHacksPurple, but it took me 10 minutes of being on this live call to see the purple shirt and realize, oh, there’s a connection to the… And the purple-
Tanya Janca:
The purple hair.
Mike Pfeiffer:
That’s awesome.
Tanya Janca:
Yeah. Thank you.
Mike Pfeiffer:
It actually looks brown on the video that I’m looking at, but after you kind of moved in towards the camera, now I can tell that that’s purple. That’s so cool.
Tanya Janca:
It’s brown and then it slowly fades into purple, so it’s sneaky.
Mike Pfeiffer:
Got it. Very cool. I’m jealous that you have hair and I don’t. You look great.
Tanya Janca:
I know. Oh, my God, you’re weird.
Mike Pfeiffer:
I’m going to put in the show notes all the links that Tanya shared on this episode, her websites, the different tools we talked about, the different articles. I appreciate everybody being on the livestream today and, Tanya Janca, thanks so much. I really appreciate the time that you spent with us. Thank you.
Tanya Janca:
Thank you for having me. This has been great.
Top comments (2)
Going to both CyberSecurity and DevOps conferences I know both parties dislike the word "DevSecOps". We are starting to see "Ops" appended to everything.
We've updated the #MentoringMonday hashtag to #CyberMentoringMonday, please join us, every Monday.