#220 Tanya Janca from dev to PenTester to purple security expert
Transcript
⚠ The following transcript was automatically generated.
❤ Help us out, Submit
a pull-request to correct potential mistakes
Tanya Janca 0:00
I feel like understanding why do you have to do it that way is really important. Like, why do you have to use parameterize queries? Well, because when you do that, those parameters that come in are treated as data. And they're never treated as code. And the way injection happens is You've tricked an interpreter into thinking some of your data is actually code. And they think it's your code. So they should trust it. And they should, like, run it. We don't want that because that's an attackers code. That's obviously a potential disaster. And so parameterize query takes all the power away from it, and isolates it to only be treated as data. And then you've just destroyed any sort of attack. And oh, I have no idea. I thought they just wanted it that way. And so when you explain all the reasons behind something, it becomes more important.
Tim Bourguignon 0:48
Hello, and welcome to developer's journey to podcast, bringing you the making of stories of successful software developers to help you on your upcoming journey. I'm your host team building your own this episode 220, I receive Tanya Jhankar. Tonya is the author of Alice and Bob learn application security. She is the Director of developer relations and community at Bright security. And she's the founder of we hack purple, an online learning community revolving around teaching everyone to create secure software. Tanya has been working for over 25 years coding, working nights, or simply being busy securing all the things. Tanya, welcome to the afternoon.
Tanya Janca 1:36
Thank you so much for having me. This is great.
Tim Bourguignon 1:39
Yes, it is. We've been laughing already for 15 minutes. I'm really pleased that this discussion is gonna be awesome. But before we come to your story, I want to thank the terrific listeners who support the show every month, you are keeping the dev journey lights up. If you would like to join this fine crew and help me spend more time on finding phenomenal guests, then editing audio tracks, please go to our website, Dev journey dot info and click on the Support me on Patreon button. Even the smallest contributions are giant steps toward a sustainable dev journey. journey. Thank you. And now back to today's guest. Tanya, as you know, the show exists to help listeners understand what your story look like and imagine how to shape their own future. So as as usual on the show, let's go back to your beginnings. Where would you place the start of your debt journey?
Tanya Janca 2:38
I would say it started when I was eight or nine years old. So my son, I have three uncles that are computer scientists and two aunts that are computer scientists. Wow. Everyone in my family. Yeah, everyone coded. And unlike most little girls who are born in the 70s, they didn't usually have a whole bunch of role models to look up to that were women that were into computer science and programming and stuff. And so I remember my uncle made us a computer. And he programmed it in its name was Mikey. And he programmed it so that it would say hello, my name is Mikey, what is your name, and then we would type in our name. And it would say hello to us. And we could do this little tiny program within have our computer talk to us. And most people didn't even have a home computer at that point. So it's pretty amazing. We had one and that it could speak. And so then when I got to high school, my parents said, you know, you just want to take one programming class, you don't have to take more, but you have to take one just to see if you like it. And then I loved it. And then I took the next one and the next one. And I really, I thought it was so amazing, that could create something out of nothing. And so I remember I wrote a math program to test all the math students but so that every person in the class could have a different test. And that it would automatically mark them and give them their value. And I made it with my friend who I'm still friends with today. And we made it so that if you failed, it would go beep, beep, beep, and then we flashed lose or loser. So it was so so I tried and then I made one like how to play guitar and how to do all these other things. And so I started working at Nortel, which was a giant telecommunication company in Canada, the moment I was 18. I was like, let's get started now. So that was 1997. So it was a while ago. And then I decided, you know, I took another year of computer science in high school. And I was really lucky to have this teacher who was super passionate so he would stay after school with me because I obviously had to program all sorts of crazy things like everything I could think of, and he encouraged me so much. So I think having a family that encouraged it and then having a teacher that really was super passionate about it. And then I went to college and I remember the first year the guy was like why are you even taking first year you should just start saying tenure. This is ridiculous. Well, boy, I'm like, I want easy A's. And I learned a lot of things like how you should comment and formatting and all these other things that they didn't teach me in high school and like, how to write an app that other people could read, and other people could actually maintain when you're not there. Because in high school, it's just like, Hey, it works. Oh, my gosh. But in college, it's like, Did you test it? Did you cop dark? Like, did you write documentation? Did you follow a system development lifecycle? Nice, like, what's that? So I got to learn all those things. And I'm extremely extroverted, which is not very common in computer science. So I was the class president, oh, four years in a row. And I had an apartment next to my college. So I'd have these huge parties. And so I knew lots of people. And I just like, this is the best. And so then I graduated, exactly when the bubble burst for it for the yaw rate in 2000, the worst time ever. And so I ended up working at a, like, I started my own company, and it failed. So I started working at a computer repair shop for a year, which I found very humbling, because I am that unusual person, like I've never worked at like Subway, or McDonald's or in the food industry, or doing like I started immediately in it. And that's highly unusual to just like start sort of at the top, if that makes sense. And to find software development jobs, like as young as 18 years old, and then like, start my own company for the first time at 23. Like, that's not the normal progression for a lot of people. And so I found working at a computer repair shop with every single person who comes to see you is ticked off. So I got really good at delivering bad news and a good way and my de escalating things. And I learned a lot about Apple computers because there's an Apple computer repair shop. And so then I you know, finally things picked up, I got another programming job. And then I just did software development forever. I just loved it. I thought it was really great. And so on top of that I was a professional musician. So I programmed during the day, and then I play at bars. Not necessarily every single week, but at least once a month, if not a few times per month, and I released a bunch of solo albums, and then a bunch of albums with different bands. It's I play guitar, drums and sing, and I did punk rock, like I played on the Vans Warped Tour in 2005. But then I did like all this folk singing when independent like singer songwriter stuff. And so that ties in later. So that was like this passion that I had on the side. And then I met this pen tester. So he is a security dude. And he has an abandoned eyes in a band. And so he was working at my office doing a pen test. And I was like, Hey, I'm Tanya, and I'm in a band. And I heard you're in a band. And he's like, yeah, man, I do prog rock. And I was like, we do power pop, but it's like comedy power pop. And he's like, cool, what's up and like, so my band wrote this song called Mandatory dance party. And the idea, we want to make a mobile app, where if two people have the mobile app, it'll just randomly start, if they're physically close to each other, it'll be like Beep, beep, beep, mandatory dance party, and you have to have a dance party, right then on the spot, or you'll lose. And then we'll figure out how much the foam wiggles and whoever wiggles the most will win. And then it's like, we declare this person the winner, and then it just turns off, and that's the end of that. And he's like I am. So in, obviously, I must design this mobile app with you. And so we became friends. And then obviously, your parents had to play together and all the cool band stuff that happens, I went to see his band, he went to see my band. And then after about a year of knowing each other, he's like, You should become a penetration tester. And I was like, No, I am the king of it. I do software development. Everything revolves around us in our industry, we are Gods. He's like, No, if you're a hacker, you're above that. And I was like, Sure, like at this point, I'd been in a senior dev position for like, eight or nine years. And it's not as exciting anymore. Like even though I still loved writing code. I was just like, I wasn't impassioned by it in the same way. And he's like, Well, let me show you some stuff. And so he did a talk for my dev team. And then he invited this really awesome guy named Krim Natsu. And he showed us how to reverse engineer malware. And then this other amazing human named Sharif Kusa came and he showed us like, how to do code review, and all these like, so unbeknownst to me, like every InfoSec professional that did public speaking, he introduced me to and I became friends with all them guys, like, You guys are so amazing. This is so awesome. And then after a year and a half, he's like, dammit, you've got to become a pen tester. I want to be your mentor. I'll teach you everything I know. And so for a year, I did this informal apprenticeship and he got me my first job like doing pentesting on the side and then I ended up doing All sorts of things. So I had worked full time for the government. So I switched full time into IT security. And I was the seaso, who ran the election security for Canada, in 2015, where we have, you can't see my gesture, but I'm like putting my hands through my hair when we voted and Justin Trudeau, because he's got such great hair, like, just like the comment I get the most often from people that are from Canada. But yeah, like got to run the security all across the entire country, which was super amazing. I got to pen test the Prime Minister's website, I got to just do all these really cool things and other things I'm not talking about, like counterterrorism stuff. And I just I was like, this is really awesome. But the government doesn't have a very good budget for training. And I started getting really frustrating because I saw, so they're like, there's a bunch of companies that do it. But I really wanted to take this course from a company called sands. And I was like, it's so cool. But with the Canadian American exchange, it was approximately 10,000 Canadian dollars. And when you're a government worker, and you're at the top, you make like maybe 100, but then you pay 50% in tax. So I'm like, that's 20% of my take home for the entire year. Just like others, no way I could ever possibly afford this. And my boss when I had asked, he literally started laughing because he thought I was making a joke. And I was like, Can I save my training budget for five years? So I can go and he's like, No, he's like, You want me to take the entire team's budget away? So just use, like, that's really selfish. And I was like, Oh, that is I'm sorry. So then he's like, be more creative. And so I submitted a conference, talk to a conference because you get a free ticket. And my boss was like, That's thinking outside the box. So I just started speaking at conferences, so I could get in for free. And at the same time, I joined this amazing community called OWASP. So the Open Web Application Security Project, oh, wasp? Is that an awful acronym? Yes, it is. But is it a wonderful community? Yes, it is.
Tanya Janca 12:03
And so I became a chapter leader in the city, I was living in Ottawa. And so there's this amazing human named Sharif Kusa, and he was running it. And I helped him run it. And then one day, he's like, did you know that if you're a chapter leader, you get a free ticket to one of the trainings, if you can fly yourself to the place and find your hotel to stand, you can get in free for there's two seats for chapter leader in every training. And I was like, oh, but I'm not a leader is like, Yes, you are. And you have been for years, Tanya, I'm just telling you the title now, but you've been a leader from day one. And it was like this a wonderful, beautiful moment in my career. And so then I got to go, I got to speak. And then I got to do training for free. And then I just started applying to every single conference. And this is where all my musical performing of 17 years constantly, professionally and professional, being an actress and doing comedy, and all these things suddenly took place. Because I'm really good at public speaking because I've spoken in front of 1000s and 1000s of people before except for then one, I had to play guitar at the same time. And to add to sing and key I'm like, I just have to talk. This is so easy. And no one stroke and throwing things. This is great.
Tim Bourguignon 13:21
I'm sure by now you have a talk about security with a guitar singing and
Tanya Janca 13:28
I should Well, one of my bands actually was called the Zero Day Reapers. And we actually did all of our songs about cybersecurity. And so what sound like I was talking about, you know, something personal, like a boy breaking up with me or something. But really, it's a song about the Heartbleed vulnerability, etc. And so like, it was always like this, you think I'm talking about romance? But really, I'm talking about like open source intelligence gathering, etc.
Tim Bourguignon 13:55
Yeah, that's awesome. Well, how can you do that? Well, yeah, sure, good.
Tanya Janca 14:02
There's more than I started, like speaking at conferences all the time. And then Microsoft called me and they're like, Hey, we thought you might be good for this thing called developer advocacy. We're looking for a security developer advocate. And I just like what the guy was explaining, will basically you talk at conferences, you can like write blog posts, and you, you know, make positive comments about things on social media, and you'd like help represented Microsoft in a positive way. And like, share your security research. And so just when you go to conferences, you just have to say you're from Microsoft. And I was like, oh, and he's like, an, it's it's a job, like, it's a full time job and like, we'll pay for your travel and we'll pay your salary. I was like, shut up. Like, who told you to call me and make this crap up? That's not a job. That's my hobby. And he's like, No, so he spent 15 minutes convincing me it's a real job. And he was not messing with me. I was like, Oh, this sounds cool. And he's like, why don't you come down to Seattle. And you can meet the team. And there are all these famous people on the team that I really looked up to, like, just for Zelly and Ashley Wilson, and just all these other people that I follow on social media that I admired. And so I got some meet them, which is amazing. And they're just like, Yeah, so like, we don't have a security advocate, and like, you're already doing what we need you to do. Like, how about it? And I was like, okay, yeah. And so then eventually, I left Microsoft, I started my own company named, we hack purple. And we made all these app sec and secure coding and Azure Security courses, and as giant online community. And this leads to how I met you. So a few months ago, we were acquired by bright security, which is basically my friend's company, I was already their advisor for quite a while. And they're just like, What if our two companies, we're just one company, like we know. So I've always wanted, this might sound silly, and not very business like, but I always wanted to give away all my information for free. Like, that's why I want to do conference talks, like I get in for free. But I also I really want to make the world more secure. And so because I was running, we have carpal and I have employees to pay and bills to pay. I charge money for the courses, but they're like, We will agree to give all your courses away for free if you come and do developer relations with us. And so keep doing what you're doing. But say you're from bright, keep publishing blog posts, but also publish it on our blog, and like, help make new dev rel people like help mentor people so they can do it too. And then you can spread your message even further. And I was just like, well, that sounds kinda awesome. And then Brian introduced me to you. And
Tim Bourguignon 16:45
that is an awesome start. I'd love to come back to one thing you said you were you were already some kind of deep in your career. So eight, nine years. I think you said and I interpret I'm not sure you say that but kind of getting not bored but but less excited about what's coming. And this colleague or this friend came up and say, Okay, now you should really do pen testing and been nagging you for for a few times. Really? What really convinced you that that was the time for you and you had the skills to do this the mindset and to give it a try was just just to talk to you. Okay, let's do this. Oh, this was a more
Tanya Janca 18:08
so I was reading this Lunch and Learn program for my dev team. So I, I had been a senior dev for eight years, maybe nine years at that point, but I've been a software developer for 17 years at that point, okay, right. And as a bit size, working in the government, I was a bit frustrated, because they didn't want to do DevOps. They didn't want to move fast and break things. They're very, very, very conservative. And the training budgets were really tiny. And so I was like, Listen, I need to get my devs modernized. I want them to learn new things. And so I started this Lunch and Learn program where basically, I would just go to meetups all the time and see a cool talk. And I'd be like, your talk was so cool. Will you come and talk to my team? I'll buy you lunch, right are and they would Oh, they would always do it for free. They're just like, Yeah, I'd love to come and talk. And so someone, you know, talk to us about Team Foundation Server and how to automate a bunch of cool stuff. Someone talked to us about SharePoint. And my team got more passionate about work, they just got more engaged. They were a lot happier, morale went up. And so I asked the bosses, I was like, listen, you're everyone seems really happy. Can I have off topic topics? And they're like, like, what I'm like, Well, I run a lot like, then I was super into running. Now. I'm doing other physical activities. But it's like I'm super into running and turns out like a bunch of team keep asking me about my running. What if I brought in a running coach to teach us, you know, paths we could do from here at lunch, how to make sure you're not that stinky guy in the meetings in the afternoon, etc. And so someone came in for that for nutrition for all sorts of different topics, but was still it constantly all through it. And we opened it to more than just my team, like all of it could come and eventually the whole department could come and then another department reached out to us and they're like what you're doing is amazing. Can we stream it across? Like entire Canadian government, and I was like, Okay, that sounds cool. And I just like kept doing this on top of my regular job. And then basically this guy who became my mentor, he was like, Well, I want to teach you about SQL injection. So he gave us this talk. And he took one of our apps. And he did an injection on the login screen, and he got past the login screen with no password. And I was like, nope. How did that happen? This is not acceptable. My acts are perfect. This cannot be so I was like, I must know. And so then he showed us another thing the next time, I'm like, No, I must master this as well. I must know all the things. And so then I just kept like, as he showed, so then, you know, his his friend came, and he taught us about malware. And the other guy came in and showed us like how to do physical security on your technology. So like, he taught, he had like a router that had like a fake malicious SSID and bla bla, and like, how to scan your network and all this. And it just unbeknownst to me, I was like cycling through every single security speaker in Ottawa. And like meeting this core part of the community in it, firstly, because I was like, Do you have a friend that knows how to do this? They're like, Oh, yeah, that guy's name they deem, he's so great. And they were so so ridiculously, like, welcoming are so excited about my excitement. And like, I found out later, a lot of them charge 1000s of dollars, and they're like, but you were so cute. You're so excited, and you're so passionate, and they're like, she just clearly wants to learn so much. I'm not even gonna tell her a speaker's fee. I'm just gonna do it for free. And like, some of them, I would like, buy them a coffee and a piece of cake to say thank you. And I'd be like, $6. And they'd be like, Thank you, sweetheart. That's very nice. But, and then like, Oh, awesome. I was just like, Man, I can organize talks about anything I want. I don't even need my works permission. So we can like hack stuff. And it can be longer than lunchtime. It could be like two hours. And so then I helped lead that chapter for around six years. And I just started going to every other meetup and presenting I'm like, does you know this? Isn't this cool? Come on JavaScript, people come during a loss. And our chapter went from Around 100 people to Around 1200 people. And we will, yeah, in our chapter, like I remember complaining to the organizer. I was like, why is our chapter only old white men? Why are there younger people? Why are there women? Why are there like, like Ottawa is very multicultural. It is not just white people. It's not just straight people. It's not just old people. It's like every type of person where they all curious, like, I don't know, Tonya, go get them and bite them, tell them we want them. Like, what can we do to make it better. And so we did a lot of outreach to all these other community groups. And like, I went and spoke at every single women's meet up and was like, come on down. It's awesome. And we want you and we just started having more and more people. And the way I started public speaking was every year, we had only male speakers, and I would invite five women, 10 women, all of them would say, Oh, I don't know enough. And some of them had been doing their job like 20 years. And they're like, I don't know enough. And I'm like, Are you kidding? You're amazing. And so every one of them kept saying no, no, no. And so finally, Sharif was like, Tanya, if you want a female speaker, I think it needs to be you. I think maybe if you're the first one, then other women will feel less shy. And then they might be willing to do it, because they saw you do it. And so I was like, Well, I don't know what to talk about. And he's like, Well, what did you learn recently, that was super cool. And I'm like, Oh, I learned how to scan my apps with his desk scanner, like a dynamic web app scanner, and then fix the things I found. And I've been showing everyone at work. And he's like, Well, why don't you make a presentation about that? Like, are you a dev? Do you want to make sure your app is secure? And like look smart from your security team? That's how you do it. And so I made a presentation. And then I subjected so many community members to it. Isaac, could you just sit still for one hour while I teach us to you could tell me like if it's good or bad, I'm speaking too fast. And then I subjected every dev team at work to it. And then finally I was like, Okay, I'm gonna do it for OWASP. And I remember I was standing there like getting ready, hyperventilating, basically, I'm gonna give this talk and there's this community member named Alex who's so nice. And he's like, Why are you nervous? I'm like, because you guys are my peers. Like your opinion is literally the most important to me. My team network and you guys. I really care. Like if I speak at the JavaScript meetup. Those are strangers. Who cares what they think you guys are the ones I value like you guys are the ones that know more about this than me. And he's like, we love you. You're our leader. If you go up there and drooled, we tell tell you, it's pretty good. Like, don't worry, everyone here wants you to succeed so much. We're so excited that you're taking this chance with us. And so then we started making our community a place specifically for people to give their first talk, and we started encouraging people and mentoring people and giving them an opportunity. Like do you just want to give a five minute talk about, you know, a vulnerability that came out. And you give this short briefing, and this is your chance to try public speaking. And so yeah, we took my experience and tried to make that for everyone, the super supportive helpful, like positive feedback type of loop for them. And so we got so many new speakers is really amazing. And I've tried to emulate this and we have purple as much as possible, giving people the chance. Like, we know you have no experience. Everyone has to start somewhere. Start with us. And so yeah, I had like the most welcoming, ever experience into InfoSec. I think. Aspen, Ottawa like just wonderful humans all around.
Tim Bourguignon 25:43
This is absolutely awesome. I wish it was like this everywhere.
Tanya Janca 25:49
Yes, exactly. That's, it's
Tim Bourguignon 25:51
truly amazing. Do you work? Yeah, it's a loaded question. But I knew that I had some kind of change of mindset when I started seeing the world in, how can I break this instead of how can I build this? Did you see this? Well, you're nodding heavily here. That's why it was probably your question. How did your colleagues react to all this talks that you were imposing on them at first, and probably you were so eager to see to see them afterwards, when you started showing them how, let's break things first. And let's see the words for these breaking lens?
Tanya Janca 26:25
Well, I feel like, again, I had a bit of a unique experience. So I had joined Elections Canada as a dev lead. And they had a project that wasn't going very well. And my specialty became as a dev leader, writing projects that were off course, I became really good at rescuing projects. And just being like you this, you that cut this, do this, and just making sure we made it to the finish line. And so I had helped the team make it to the finish line months in advance of the election. So that was awesome, because we're worried we weren't going to make it. And we it's a special application that has to run, even in the Arctic on a 32 kilobit. modem. So it had to be extraordinarily fast. And so we did a lot of super cool stuff. And once I had that in line, I basically told my director, you know, I really want to switch to the security team. And the security team knew my feelings, because I kept reporting security problems to them. I fixed every single security bug, I hired the pen tester, I did all the scoping, like every single security thing I would do it. And I was like constantly bugging them and talking to them and suggesting things and they're like, Yes, God, Tanya, we know. And so one of them had come up to me and said, so we just got one new staffing position. And we're looking for a junior security person, do you know anyone who might be interested? And I remember, like, George was like, in a chair in my office, like, leaning back with his arms behind his head. He's like, you might know someone. And I was like, Oh, he's like, could you possibly be and I'm like, yeah. But then we had to convince my director because she really didn't want to lose me. And he's like, she completed the project, the project's done, she's rocked all of the stuff, you know, she really wants this for her career progression, you know, that she's, you know, hacking and doing all these things online all the time leaving this community, you know, this is where she belongs. And so eventually, my director is like, this is Bear for Tanya, even though I think it sucks, she's leaving. I'm like, I'm just sitting on the other side of the big office, really, I'm still here, she's like, go on and go to the other team. Yeah. And so so then when I originally just started doing incident response, and doing like, general it, security things and learning very quickly. And then because I'm, I am extremely organized, potentially, in a retentive type of person, I'm very type A. And so very quickly, I was actually put in charge of running the organization of the security events for the election. And it, I wasn't expecting it, but they're just like, you're gonna be the CISO and the head incident responder, because you're the most organized, because I like because I'm like, I'm very strict and very on time. And they're like, we know you don't know the most about security on this team. But we know that you always take into account all of the advice you're getting, and you make good decisions. And so we're gonna have you read this. So the technical people can do the technical thing. And so I did a really good job of that we got nominated for a big award, it was really cool. And election day went so well, we were not in the news at all for anything other than election results, which is exactly what you want. And so then after I still had five or six months left in this two year contract, and I said, Okay, so I did analysis of all the incidents we had, and 26% of them were related to our software. And we don't have a formal OpSec program. And we should and here's the return on investment. I can promise you, if you let me do X, Y and Z in the next five months, you have to pay me anyway. So why not pay me to secure all your apps? And everyone was like, oh, you know, that's the thing she really wants to do. And so, you know, they approved it. And I got to launch my first app SEC program. And I made a security champions program. And I taught them whole How to know what people can do with the data scanners and fix all the bugs. And basically, our security posture went up from a software perspective, quite a bit RAM, like, all our apps are officially respectable, because if you've never scanned them before, you don't know where you're at, right? And some of them were great. And some of them needed a bit of some polishing and shining. And so when I was presenting the thing, I remember the first email I sent out, I said, I'm gonna break into a bank at lunch, who wants to watch. And then I sent that to the 100. And they're like, telling ya, you know, what are you doing? And then I sent another email, Mike, PS, I have curbs, doughnuts and bagels or something. And I was like, come join us. And then I taught that I'm like, this is a fake bank. That's from an intentionally vulnerable website from Oh, us. And we're going to scan it and see, we found these problems. And look, this is bad. We don't want this to happen to us. And I'm like, I need your help. And because I was their peer, because I have been on the dev team for so long. So everyone knew me. I'm like, I eat lunch with you, please help me. And so it went really, really well. It was when I went to other companies. And I didn't already know the devs. And they didn't realize, Oh, I'm one of you. But I sit on the security team. But inside my heart, I am a developer. And so you have to make a whole new relationship when you join a new organization, and then build trust. But all the devs are already like, oh, it's Tonya head nerd. What's up, right? It's like a different, like, you already have this great relationship with them. They're like, she's the boss, the one that made us get that stuff done. But it was it was really great. And it's quite frankly, a really lovely place to work. Like people who work in elections feel very passionately about democracy and fair elections and fighting voter suppression and stuff. So it's, I don't know, if you've ever worked at a place where everyone truly believes inside their core at the work you do every day. It's very, very nice. Nice to be a part of that.
Tim Bourguignon 32:23
It is so energizing and giving you a really love everyday thing for what you do. You almost answered the question I wanted to ask you Well, I'm going to ask you anyway to you or your your your former company or still company, I'm sure if you're still running associate hex verbal, a we have purple, purple is obviously full of blue and red, the teams for the red teams attacking a system and the blue team defending the system. And you really chose to be in the middle. So as you say, there is there is tremendous advantage in being on both side and really bringing the the knowledge of the red team into the blue team and helping the blue team understand what the red team is doing, etc. But are there some drawbacks at being in the middle as well?
Tanya Janca 33:02
There are always drawbacks of signing up for too much work. I like love the word yes. And I'm really bad at saying the word no. So there's definitely that. But I would say so I'm actually I just started writing my next book, Alice and Bob learn secure coding. And I did this big poll on Twitter. So this is a question for devs only? Do you want to just learn about all the defenses? Or do you want me to go into deep detail about vulnerabilities? Because so when I was at we had purple, I designed training, and I studied a lot about how people learn, and how people who have been outside of school learn, like so if you've been outside of school for a long time, your learning muscles are weak, if that makes sense if you haven't been teaching yourself things and keeping up on that. And so I learned about learning. And I learned about how to get messages across. And I also asked a lot of people's advice and opinions over and over and over again about other trainings. So I was like, you know, you you Dev, you took all this training about how to hack networks. Did you feel that made you a better Dev? And they're like, No, I'm like, you know, you took this penetration course? Did this make you? Like, did this make you write more secure coding, or like, almost all of them said, no, they're like, it was cool. It was super nifty. I like did SQL injection. And that felt awesome. I'm like, It's been four weeks. Do you remember how they're like, No, we just copied and pasted the thing? And I was like, Okay, I'm like, do you feel you know how to write more secure SQL now, or to make calls to the database in a more secure way? They're like, Oh, they briefly brushed over that we're supposed to use parameterised queries, and I'm like, Okay. Do you feel like that was the best way for you to learn and there's this company in Cincinnati that I worked with a lot that I won't name because I don't know if they want me to name them, but they were really great. Their head of OpSec was named Josh and he did so many need different surveys for me with his Deb's? And so I would provide some training. And then he would survey them. Like, was Tanya funny? Was this lesson too long? Like, what did you want more of? What did you want less of? Was this good? Was it long enough? Did you learn the things you wanted? And then I would update it and train more of his depth. And you like, he's so great. And he's like, Well, I want to know this from my dad's anyway. So if we work together, like because he had paid like a fortune for training the year before. So all of the devs could learn the OWASP, top 10. And how to hack the OWASP, top 10? And he's like, yeah, like six months later, I was like, Do you know how to still hack anything? Or like, No, we've never practiced, why would we? That's our job. He's like, do you feel you write more secure code? And they're like, maybe. And so I wanted to design a secure coding course where people know the reason why they're doing the thing, but concentrate on how to write awesome code. Does that make sense? Yes. And so like, if you're gonna do this, here's the best way to do it. Here's all the reasons it's the best way to do it. Here's how to do it. Here's examples of what could go wrong. And then I have really silly quizzes where I'm like, anyway, I my quizzes are very silly. And sometimes they're passive aggressive, like, Did you do the homework assignment? Tanya can see everything? It's like, Yes, I did the homework assignment. No, I didn't. And I feel bad about it. I'm gonna do it later. I promise, Tanya, please don't leave me alone. I feel like understanding why do you have to do it that way is really important. Like, why do you have to use parameterize queries? Well, because when you do that, those parameters that come in are treated as data. And they're never treated as code. And the way injection happens is You've tricked an interpreter into thinking some of your data is actually code. And they think it's your code. So they should trust it. And they should, like, run it. We don't want that because that's an attackers code. That's obviously a potential disaster. And so parameterised query takes all the power away from it, and isolates it to only be treated as data. And then you've just destroyed any sort of attack. And you're like, Oh, I had no idea. I thought they just wanted it that way. And so when you explain all the reasons behind something, it becomes more important. I, I feel like if you don't understand the why you're less likely to do the extra work to make it happen. But I I don't think necessarily that you have to be a really great hacker to know how to write good code. I feel like it's a different skill set. But you're right, though, when I switch to security at first, my I remember the very first pen test I did by myself where I was the boss, my mentor kept saying, take off your dev hat, stop trying to fix things and make them work. Put on your black hat. And what can you do? What can you force it to do that it should not do Tanya, and just push it, push the avatars you can try to work around things try to take control. And I was like how he's like, that's your job. And you have eight hours left on this contract to figure it out. And I destroyed that thing.
Tim Bourguignon 38:08
I'd like to come back to the training piece, though. Where do you draw the line? Or how do you draw the line? One thing that I've been seeing again, and again, his okay, you explain the why you explain the techniques, you explain everything. But then the people so there was nothing in pentesting or security my in my in my case was more on the on the for instance, a TDD side. So how do you do test driven development? And people understand and they're happy, and they're, they're great with the exercise and do the quizzes, right? And then you ask them two weeks later, and you apply this? Now, it doesn't work with all code. And it always blew up in my mind. Like they're saying, Well, no, in our case doesn't work. Yes, it does. But you have to, to work around the first limitations, you have, probably to refactor your code a little bit, because it becomes it's not testable in the first place. And so I don't know if it's a big word, but I think it probably applicable you have to do parameterize queries. And if the system is reluctant in letting you do this in the first place, then you cannot just come out of the training and start doing parameterised crazy on your on your code. You have to refactor it, you have to make it available able to do this and then you can apply the the learnings. So how deep do you go in those trainings? Do you also get hands on with their software? I say okay, let's roll up my sleeves. Let's see what we have. Oh, yes, it's gonna be fun. And start refactoring with them to show them? Yes, it's possible. Do you do this?
Tanya Janca 39:30
Well, in the On Demand training online, we do not do that. There is not really a space for that. Yeah. When when I was developing, we had purple, I had to decide if I wanted to create an online training platform. And I was like, then I have to do fundraising. And then I have to bring in investors and do like a whole bunch more stuff if I'm going to create my own platform. So there's just code review, where you look at the code and obviously things are missing or improperly implemented. But when I do live enterprise training, so I still do live enterprise training on the side. Do we often like in advance, I want to know what their tech stack is. So I can give them some best practices. And we can talk about specific things and, and we sign a nondisclosure because at some point, someone's like, Well, what about this? And they tell me basically a disaster that's currently happening. And it's like, how do we fix this? I'm like, Okay, let's press the pause button on the slides and all the other things we're doing, and then let's solve this problem together, right? And there's usually at least one per training. And which is good, though. It's good, because it's quite often it's that they don't know what questions to ask the security team, or they're worried they'll get in trouble. And so then I bring up the thing, and they're like, well, like, you know, we're supposed to keep it in a secret management tool. But we asked for one, and the security team said they're going to do it. But then they said it was too expensive. And they can that project, and we don't know where to put our secrets. And I was like, Where are the secrets right now? Yeah, basically. So then we had to come up with a problem solving. Basically, the manager of the IT security team had no idea that like a junior person had canned that project a year ago. And so there's like a lot of things that if you'll come up live as for like, getting my hands dirty, and coding with them, I don't think there's usually time for that, and like a training time, but I've done consulting quite a bit. And sometimes it gets to that kind of depends, like, whenever I've done full time OpSec, you end up doing that, because you have the time, because you're full time. But if you're in there for eight hours, or 16 hours of training or something, and that's all you've got, it's like if I start rolling up my sleeves, and we do this, like, everything else is done, right, like we're not going to finish the training, and I'm not going to complete the project. And so you're sort of stuck between a rock and a hard place. I feel like I see a lot of training right now, where the secure coding training, it's almost always, this is a vulnerability. And these are the ways you could solve this one vulnerability. Well, I've like flipped that on its head where I'm like, these are the things you need to do to secure your code. So if you do proper input, validation, and you do it like this, and you do it on in all of these situations, you will prevent this, this, this, this, this, this, this, if you do put in coding in these situations, and you do it in this way, you'll prevent this, this that, right? So I feel like one defense can actually solve many vulnerabilities if done properly and completely. And so I feel like I don't know, I've looked at a lot of other people's training. And I'm like, I don't want to just make the same training everyone else is doing. And so that's my viewpoint. And that's the way I go about it. And I find a lot of places, they're like we do secure coding training, and it's all just hacking. And I I personally enjoy that and think it's fun. But I guess I've decided to look at it from a different perspective. And when I write the book, it's going to be from a defensive perspective, like how do I write really kick ass code? And then these are the things you're protecting against, but also your codes better now, it's safer, it's more efficient. And it's going to work this way every single time and not sometimes do this weird, crazy thing if people put in a single quote?
Tim Bourguignon 43:01
Do you still do a fantastic on the site?
Tanya Janca 43:04
No, theoretically, I don't. But I did. I did want to November, but I'm not supposed to anymore. One of my clients bought a company and they're like, almost done the acquisition. And they're just like, could you just do like a quick look and tell us how scary it is. So we can renegotiate the price. So I did. But theoretically, as part of my new quality time, I'm going to spend with braid security for the next two years, I do not do pentesting on the side, only secure coding training. Because they, they want my full attention, which is extremely reasonable. It's totally reasonable.
Tim Bourguignon 43:39
Indeed, it is. Indeed, just before we start wrapping up, I just wanted to mention Alice and Bob, I realized actually not so long ago, that there is actually 25 More personas in the realm of Alice and Bob. So Edison bulbs are two very well known persona as when we speak about about security. And if you go to the Wikipedia page, there is 25 others how how really coin characters with their personality traits and what they're doing, how they should be called, et cetera. It's really worth a look, I really encourage everyone to go there and have a look at it. And then you have personas to name in your code and your examples. I'm gonna take mark, and I don't remember who were there. Exactly. You probably know them by heart. But few had one advice to give to developers who haven't dipped their toes into blue and red yet. They are really, developers yet like like you were and like I'm still and say okay, you should start stepping into the security realm and you don't have a ton yet in your team organizing lunches every week and bringing the whole security aspects of Vancouver, your company. Where should it start?
Tanya Janca 44:48
I would say there's two communities I would recommend and I'm super biased because one of them's mine. So I would recommend joining the we have purple community which is free and taking some of our free courses. And, you know, coming to sound very free event. So like everything in the community is free, including the events and the training, and just checking it out and talking to people. And then another thing I would suggest is if you have OWASP in your city, so there's over 300 chapters around the world, check that out. And if you don't have an oft chapter in your city, that's okay. Because they have an online component. And so they have a YouTube channel with hundreds of absolutely outstanding talks and presentations. They like, they're just amazing. There's so much content, it's absolutely unbelievable. And then actually, I have a third thing. So last one. Every Monday on Twitter, I do this thing. It's a hashtag cyber mentoring Monday. So every Monday since 2018, I run this hashtag. And the idea of the hashtag is it's to try to help people find professional mentors. And so you can use this hashtag to call out and ask for help, essentially, and say, I want like, I'm new to cyber, and I'm really interested in learning, blah, and people will reach out to you. So make sure your direct messages are open. And basically, they'll reach out to you and say, oh, you should read this book, this book changed my career, or Oh, want to meet up for a virtual coffee and talk about this, or oh, what interests you about this, okay, have you considered this or there's this course, or there's this or that. And professional mentors really helped me get to the next level and helped me focus a lot more. And note because like, I went to the library and checked out every single book on cyber, read all of them. And then I was like, I'm just confused now. Because this person really didn't help and I just didn't know where to start. And I feel like one of those three places is a really fantastic way to start.
Tim Bourguignon 46:46
That is an awesome answer. Thank you very, very much. And I'll add links to all of this in the show notes. So you'll just scroll down and click on it and you're gonna get there. Tanya, where would be the best place to continue the discussion with you?
Tanya Janca 46:58
Oh, definitely. So if you look up she hacks purple all one word. That's me. So if she asks purple dots here, so that's my website. I have a newsletter. I am constantly on Twitter tweeting silly silly things like memes of Bruce Willis being on fire and talking about cyber. I have a podcast that we hacker podcast, but basically if you just look up she hacks purple on any platform. That's me and you could probably reach me there. The only place like you really can't reach me is Facebook because I don't like it but my marketing team made me make an account. So if you want to talk to my intern
Tim Bourguignon 47:32
so I'll add all the links including the Facebook dogs here.
Tanya Janca 47:38
She's really nice. Actually, she graduated so I guess she's not an intern anymore. But anyway, if you want to talk to Amanda go to my Facebook page.
Tim Bourguignon 47:47
Tanya, it's been a blast listening to stories. Thank you very much.
Tanya Janca 47:51
Thank you so much for having me Tim. This has been great.
Tim Bourguignon 47:54
Awesome, and this has been another episode of developer's journey stick around to after the credits to hear the song Tonya spoke about hard lead from those Euro day reapers and we'll see each other next week
Unknown Speaker 48:37
you kill
Tim Bourguignon 48:53
you
Unknown Speaker 49:00
you again
Tanya Janca 49:12
well reg catch you
Tim Bourguignon 49:49
oh crap
Tanya Janca 50:00
because that's my self destructs
Unknown Speaker 50:29
You