
AppSec Girl Power
RL chatted with the application security (AppSec) leader Tanya Janca about how her career embodies AppSec Girl Power — from her start as a software developer, up to now as a prominent voice in secure coding.
Subscribe to Tanya's newsletter here, and if you're an AppSec professional, take her survey here.
EPISODE TRANSCRIPT
Carolynn van Arsdale: [00:00:00] Hello everybody and welcome to the ConversingLabs podcast. My name is Carolynn van Arsdale. I create cybersecurity content here at ReversingLabs, and today I am thrilled to welcome on Tanya Janca. Tanya, also known as "She Hacks Purple," is a world renowned application security leader, author, speaker, and educator.
She's the bestselling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. And Tanya [00:01:00] also currently leads community and education for SemGrep, a software security firm. Over Tanya's 28-year IT career, she has won countless awards, she's spoken all over the world, and she's also a prolific blogger.
Tanya has trained thousands of software developers and IT security professionals through her online academies, but also in person. Throughout her impressive career, Tanya has performed counter-terrorism. She even led security for the 52nd Canadian general election, and she's developed or secured countless applications.
Tanya, it's a pleasure to have you. Welcome to the ConversingLabs Podcast.
Tanya Janca: Thank you so much for having me. I'm really excited to be here.
Carolynn van Arsdale: Awesome. We're thrilled to have you, Tanya. Tanya, for our listeners who don't know you, can you just tell us a little bit more about yourself and then also the work that you do for SemGrep?
Tanya Janca: Absolutely. So, I was a developer for a really long time. And I also played music in the evenings at bars and music festivals and released albums. And so if you're [00:02:00] like, why is there someone with the same name who looks a lot like you on Spotify? That was younger me.
Carolynn van Arsdale: Can I ask what instruments you played? Were you a singer-songwriter with the guitar?
Tanya Janca: So I did folk music, like singer-songwriter guitar playing. And then when I got older I learned drums and then I was in punk rock bands playing drums and singing and telling jokes, 'cause I decided to switch to comedy at one point 'cause I was like, how could I make less money?
But then I got fascinated with security 'cause I met this pen tester. 'Cause he was in a band and I was in a band and we became friends and he's like, you need to be a pen tester, you'd be really good at it. And I was like, no, I'm a software developer. I am the king of IT. I have the best job.
And he is like, no, this job's better. And then eventually I became his apprentice. Then I discovered I wasn't meant to be a pen tester. I was definitely meant to do AppSec, because I'm a little bit too extroverted and touchy feely. A pen tester needs to have a lot of patience. Me, not very good.
A pen tester has to be good with spending like a lot of time, essentially alone, just punching an app in the face [00:03:00] constantly, right? So they have to be very diligent, very detail oriented. I'd love to lie and say those things, but it's not true. Anyway, so AppSec is a lot more social. AppSec is a lot more like huge big strokes, education, giving a lot of advice, right?
And so I was like, yeah, that's where I'm supposed to be. And then I started speaking about it and I started getting sent plane tickets so I could speak more about it. I got recruited to Microsoft to do developer relations. I started my own company. I wrote some books. I did a lot of things. And right now I'm at SemGrep and SemGrep makes a bunch of AppSec tools.
So like static analysis, software composition analysis, secret scanning. They're all over your code. And what I do for them- so I actually just switched jobs, so since we booked this interview, I switched from being the director of community and DevRel and all that, and now I'm an individual contributor.
So I basically made them hire a boss for me, 'cause I'm sick of being the boss and I just wanna create more [00:04:00] content.
Carolynn van Arsdale: That's really relatable.
Tanya Janca: And as the team was getting bigger and bigger, I'm just like. I have to decide between, am I just gonna double down on management or am I gonna double down on creating content?
And I was just like. I think I'm a decent manager, don't get me wrong, but I'm like, I don't think that's my magic superpower, and I don't think you're getting the best bang for your buck. So it was like choices had to be made and I was like individual contributor. So I'm very pleased so far, I'm getting so much done.
Carolynn van Arsdale: That's great. I think it's really cool too, to hear your story about how you got started out and looking at what your skillset was. Looking at that, emotional IQ piece of, I'm an extroverted person, I'm also a badass at IT, so let's do AppSec instead of pen testing.
And same with now, you know that creating content's your jam, so that's really cool. Good for you.
Tanya Janca: I wish that more people looked at sort of their personality traits when they matched with a job so that they would [00:05:00] do something that fulfills them better. Because sometimes I'll see people.
And they're in a role and they're like always struggling and I'm like, so you're really smart, no one's questioning that, but like maybe this isn't the thing that like fills your cup. If it can fill your cup every day, like you're doing the right thing and if every day you're just like, maybe you're not doing the right thing.
Carolynn van Arsdale: It's a pleasure to talk to you today too because, we actually titled this episode "AppSec Girl Power" because it is Woman's History Month. Happy Woman's history month, by the way, Tanya. Very exciting.
Tanya Janca: You too!
Carolynn van Arsdale: Thank you. But it's really important, I think, to talk about your career, which really embodies AppSec girl power. Looking at, how you went and started as a software developer. I know you talked a little bit about it, but I am really curious about that switch from software developer, into AppSec. You talked a little about your mentor and how you got into it, and then your work with Microsoft.
Looking at that switch to AppSec, did you have leaders at the time or other folks [00:06:00] in the AppSec community that you could look up to and take reference from? And at the time too, was AppSec not as big as it is now, which I'm sure the answer is "yes." So I'd love to hear more from you on that.
Tanya Janca: So when I first switched into pen testing, I didn't even know AppSec was a job. I thought that you had to be the firewall guy, the pen tester guy or the governance risk compliance guy that always made me fill out forms. And I had not seen any women doing any of those jobs before. And so I was like, pen tester's the most technical.
So that's where I belong. I'll get really bored if I don't get to crunch things. But, basically, as I was becoming friends with that mentor, I also started becoming involved with OWASP, and very quickly my chapter leader, Sherif Koussa, who's still one of my mentors to this day, he's just like, oh, you wanna do a capture the flag contest? Cool. If you'll do the work, I'll support you. Like, you can do [00:07:00] anything within reason. So if you wanna have us do like a code review workshop, if you could find someone to run that, like I'm all about it. And he was super supportive when I was like, I wish there were more women, 'cause I was always the only woman.
And he's like, me too. How do we do it? Like, how do I do it in a way where I'm not being a creeper? Because if I go to other meetups as a dude and I'm like, I wish there were more chicks in OWASP, there's only creepiness vibes, so I need your help here. And so he was like- he still literally, he texted me this morning with him holding my book, because he just got it.
Carolynn van Arsdale: Full circle.
Tanya Janca: Yeah. I talk about him in the book. And so, he welcomed me into this community. He pushed me to speak. He pushed me to attend international conferences, 'cause I was like, oh, I'm just like this person from the middle of nowhere. No one cares what I have to say. He's like, yes, they do.
And so then I joined an open source project with this amazing woman named Nicole Becker. And basically OWASP just welcomed me in like I was a new [00:08:00] family member. So if you are interested in AppSec and you haven't discovered the Open Worldwide Application Security Project yet, like their community has some of the best people in the world in it, according to me.
And yeah, I'm a big fan, so-
Carolynn van Arsdale: They do great work.
Tanya Janca: Yeah. So between the OWASP people just being like, yeah, come on, we'll show you how. And then also so at first when I was learning I was still doing software development full-time. Then I had switched. And I was working at elections and I just kept annoying the security team all the time.
I just kept bugging them and bugging them. And then eventually one day one of them came to my desk and sat down and he is like, so we're gonna open a security role. And I was like, oh my gosh, I'm gonna apply. He's like silly, obviously it's for you, right? There's, yes, you can apply, but no one else is getting that job.
Carolynn van Arsdale: It's all yours.
Tanya Janca: Yeah, exactly. And then they kept teaching me and supporting me and just [00:09:00] really encouraging me. And one of the bosses, Eric, he just taught me so much. 'Cause I used to be very anti taking notes in meetings. So I would take notes for myself, but I would never tell anyone because women get forced to take notes all the time.
And just like, when I get asked to make the coffee, even though I didn't drink coffee, I'm like, no, I'm not your servant. And so he's like, here's why you take notes, because then you can tell people what to do. I'm like, really? And so in your notes, you're just like, and then Tim agreed to do this, and Jan agreed to do that, and then you put it in bold and then you just told them what to do.
It's the best. So-
Carolynn van Arsdale: It's like I have the receipts, here's what we're doing.
Tanya Janca: And I've used those notes many times. I'm like, oh, here's where you agreed, remember? And, but, so I basically, I had a lot of different people, like from work to mentorship to the OWASP community of people just like cheering me on, teaching me, helping me, giving me [00:10:00] opportunities.
And from what I understand, that is not the normal way of things. You don't usually have a giant team of mostly men working their butts off, giving lots of free time, lots of support so that you can change careers. That's pretty rare and I'm very lucky. I'm very grateful. I have worked throughout since I've switched to try really hard to make that true for others.
By running like my cyber mentoring Monday program every Monday since 2018. I'm partnered with OWASP to run a mentoring matching program at the global events. We started doing that last year. We're doing it again in Barcelona and again in D.C. And that has had some success and just like, you know, running academies, giving content away for free.
I'm very passionate about us eventually having a formal structure of how you get into security. 'Cause right now it's a lot of guesswork, and I hate that. I want it to be like an accountant where it's I take this course, I do this apprenticeship, and boom, I am an AppSec professional, or [00:11:00] I'm a pen tester. And we know they're qualified, so that we can hire someone good.
And they feel qualified and confident and they know what they're doing and go kick butt. So I'm trying hard to figure ways out to make that happen for others.
Carolynn van Arsdale: Yeah, I completely agree. I really appreciate how you brought up the folks back at your time at OWASP and your other experiences, how they gave you that sense of belonging.
I think that's a really big part of this, especially getting into a career like application security. You talking about your experiences probably being the only woman in the room, the only woman doing it at a high level and teaching other people. There's a lot of power in that.
So having that validation from those around you, just that you do belong and you're supposed to be where you're meant to be. That's huge. So thanks for sharing that with us. Yeah, I definitely think that mentorship is also huge. I know that there are some really great groups out there like Black Girls Hack for example.
They have a great mentorship program. Really important because, how are folks, [00:12:00] looking at this industry that's, it's really hard to know, like what certifications you need, what kind of experiences different companies are looking for. So having that mentorship experience is really key. So thank you for all that great work you're doing.
Tanya Janca: Oh, my pleasure. It's not just me, right? There's so many people like Tennisha from Black Girls Hack, like she does amazing things. The whole Women's Cyberjutsu group, WISP like, when I started, none of those existed.
WISP might've existed. I'm not sure if they started right when I, 'cause I started security a long time ago.
WISP is OG. But yeah, when I started, there wasn't even a job called application security in the Canadian government. There wasn't even a name for it. And I was just like, I am the AppSec team. Yeah, me, I'm the whole team. Hi!
Carolynn van Arsdale: That's me.
Tanya Janca: And they're just like, she's the really weird dev that's on the security team. We just can't get rid of her.
Carolynn van Arsdale: And AppSec was born. No, that, that actually gets into my next question pretty [00:13:00] perfectly. I'm really curious. So when you did formulate that AppSec title, within the Canadian government doing security and whatnot, and then your other roles, what did you sense was the appetite for AppSec at that time, particularly from developers?
Were folks in your trainings looking at you with three heads, like, why is this important? Why should I be caring about this? What was it like in the beginning teaching folks about AppSec?
Tanya Janca: So the first job, I did not understand how easy I had it, because I had been their dev leader.
And so then I switched to security and it's oh, we've already hugged before. Like we've had beers or what, like lunch or whatever before. I have a relationship with pretty much everyone. And I remember one of them, I was like, I need you to do this. He's like, I'd follow you into a burning building, Tanya.
You just tell us boss. And everyone just nodded. And I was like, thank you guys. You guys are the best. But then I went to the next place that I worked I joined [00:14:00] pen testing, so that was a little different because I was more like as a consultant. So then I moved on to the next place, and I was their first AppSec hire.
They had two people that would run AppScan, that had been in help desk, and they would press the scan button and then they would email the results. And that was their previous experience with AppSec: no communication, just receiving PDFs that didn't make sense to the devs. And it was a harder sell, and that is actually why I started doing public speaking.
So I did not want to do public speaking, which might sound weird as a person who's been on stage her whole life playing music and doing acting and comedy and stuff like that. But I was super terrified to give a presentation. I was like, but no one's drunk. Usually my audience is pretty hammered and I, and I can yell names at them if they shut up everyone.
I'm like, these people are professionals. They're my peers, they're sober. Oh my gosh, what if I'm wrong?
Carolynn van Arsdale: It's different when you [00:15:00] bomb in a presentation versus bombing in a pub, right?
Tanya Janca: Yes, exactly. And also this is my full-time job now. 'Cause like when I was doing music, it was this part-time job that was a bit out of hand.
But like it sounds weird, but I'm like, I always have my backup computer science career, so it's, I don't really have a backup to cyber at this point, unless you count farming. Um-
Carolynn van Arsdale: It's good skill to have, right?
Tanya Janca: Growing food, it's good. Maybe when the apocalypse comes, I'll be okay, but I feel like. It is- oh my gosh, I've totally lost the thread now. I'm so sorry.
Carolynn van Arsdale: No worries. I love a good sidebar, by the way. But to get us back on track, we were talking about just how with application security, what the appetite for it was at the time.
You said you had it pretty easy in your first gig, and then it got a little tougher from there, right?
Tanya Janca: Yeah. I feel like it can still be tough. I feel like most of my students are still security people. [00:16:00] Even though I'm teaching secure coding, the person that buys it is 75% of the time the security team buying it for the dev team.
I dream of the day where the dev team's hiring me. Because they want it, because they will act differently if they have chosen it versus if it is chosen for them. I still have lots and lots of developers that follow me. Thank you for all of you. But I wrote the new book specifically because- so my first book's about AppSec and how to be an AppSec professional and how to build a program because I wanted to build more AppSec engineers.
And then I built my startup company, We Hack Purple, and I literally built new AppSec engineers and graduated them from my program and helped at first find them jobs and like just really wanted there to be a lot more professionals. So I wouldn't say I've solved that problem, but I've made a giant helpful dent.
And then, as I was doing that, I was like, I can't really get anywhere unless the developers [00:17:00] are on board with this. And not every single AppSec person's gonna be skilled in public speaking. They're not gonna have the passion to do that, right? So I'm like, how can I help them reach devs? How can I help them convince devs?
And basically I was like, ah, darn, I have to write another book. This is gonna be a lot of work but I felt like that was necessary. And when I sold my business to SemGrep, I didn't, and I made my whole academy free with all the courses that I had available at the time. So I was like, no one's gonna call me for training anymore.
People still call me all the time, I still do training all the time and SemGrep is super supportive, which is really nice. But I didn't think people would want it when I'm, and I tell them, I'm like, you can get this for free on demand. They're like, it's not the same. If you show up, it will be different. And so then I was like, okay, I have to write another book now.
That's it. I don't have a choice.
Carolynn van Arsdale: That's it. That's actually a perfect segue into my next question. [00:18:00] Congratulations on your new book, Alice and Bob Learn Secure Coding. I did see that it was the number one new release for software development on Amazon. Congratulations! That is huge.
Tanya Janca: Thank you. It's like a real category.
Carolynn van Arsdale: Yes!
Tanya Janca: It's not like in cyber where there's just four of us hanging out in that genre. It's like there's real authors here.
Carolynn van Arsdale: Yes, a lot and you were the number one. So talk about AppSec girl power, it's really awesome. So I know that you talked a little bit about, what the premise of the book is, but could you dive deeper for us and tell us more about the book and why you wrote it?
Tanya Janca: Absolutely. Alice and Bob Learn is a series of books now where I try to apply- so I'm dyslexic and I have ADHD 'cause that's fun. Um, and so sitting down and reading a textbook is super hard for me. And when I went to go learn French as a second language as an adult, I went to a special school for dyslexic adults and they told me, basically adults past a certain age- they all have a learning [00:19:00] disability because they haven't been learning actively for so long. They forget how. And so when we apply learning disabled types of like structures to them, they just do way better. And so any adult will learn better if we figure out how they learn best and then do it that way for them.
And so there's 21 different learning styles that they taught to me. So I built that into my teaching and I built it into the books with the idea of it. And it's funny 'cause in the reviews for my first book, this one guy's like, she explains this three times, like we get it already. And I'm like, I'm glad you understood it on the first try, but for complex, abstract concepts, the average adult needs it three times. They need it three different ways, and they need micro breaks and they need all of these other things in order for them to learn. So I have these two characters named Alice and Bob who are from cryptography, and cybersecurity people use Alice and Bob all the time, who throughout the book, they have health conditions, they have [00:20:00] families. Alice goes on dates with a pen tester and he's not ethical, so she dumps him. She does not put up with that crap. And then she meets a nice lady-
Carolynn van Arsdale: Juicy
Tanya Janca: Named Faith.
Carolynn van Arsdale: Love it. Okay. I gotta dig in.
Tanya Janca: But the idea is so quite often when I'll give a talk, someone will remember the story and then apply the concept at work. They don't remember the syntax I showed on a page, right? Like I'll tell people about security headers and I'll give them a cheat sheet with all of the syntax, 'cause me talking about where the semicolon goes is boring. But me explaining how this thing won't happen to you like it happened to Bob, that's the thing that people will actually bring up in their memory later. And so the way I structured the book is there's three parts and the first part is secure coding that applies to any language in any framework. So input validation, output encoding. I give lots of examples and I talk about the best practices, why to do it, what you're protected from, et cetera. And that's [00:21:00] quite extensive. And the second part of the book I get very specific and so I have a deep dive into 10 different programming languages and eight different frameworks.
I go over every category of vulnerability according to me. So we already have CVEs and CWEs and people know those, and that's great. But I try to explain it in a developer way, because they don't care that it's CVE number blank-blank-blank. And a lot of the ways that security folks explain it use security vocabulary.
And so I tried to explain this in a way that I as a developer had understood because I still, despite all my security experience, I was a dev way longer. Much more of my life I was programming professionally and I was coding as like a teenager. And when I was like a kid, my parents were trying to make me program. I come from a long line of software developers, so it's natural for us, anyway. Both sides we're nerds, right? [00:22:00] And I really wanted to explain vulnerabilities in a way that applied to them. And then I get into a bunch of different technologies like APIs, serverless, web sockets, et cetera, and like best practices for those.
So then we get into the third part of the book and it is a secure system development lifecycle from the developer's perspective. So I'm a dev. I've never been to a threat model before. What should I expect? How do I show up and look smart? What's expected of me after? Why on earth would I go to that?
I just had a pen test done. I got this report. Oh my gosh, what do I do with this crap? I have a backlog of a trillion vulnerabilities. Ahh! And usually when we talk about the SDLC, we talk about the- or when security folks do, we talk about our part and what we do and how we need to do blank to them. And I wanted to explain it, I wanted to make it not scary.
I want to make them feel prepared and enabled and empowered. I want 'em to be able to look really [00:23:00] good so they get promoted. Because if you have a whole bunch of developers and you can promote only one to senior, the one that really has specialized in security like that is a big check mark towards senior developer and specialization, right? So it's like, how can you become a champion? How can you perfect your skills, et cetera. I wanted to make it about them rather than about us. And that's like my weird take on it, if that makes sense.
And then also like how you can learn more, how you can keep learning, if you wanna switch into security- options for that. So I wanted basically the book to be for them as opposed to for us. And they are the judge. So far I'm getting good reviews, it's only been out like two months, not even. We'll see how they feel about it in the long run, but so far people are telling me it's helpful and I'm like, yes, that's all I want.
Carolynn van Arsdale: Yeah, thank you for telling us more about that. I really love how you dove into alternate styles of learning, especially for adults, [00:24:00] because I think that's really validating for folks who, maybe in high school if they went to undergrad or if they did graduate school- for them, looking at standardized testing and they're like, oh my gosh, I'm not good at this. Clearly I'm not, somebody who can excel at really technical things because I didn't get so-and-so SAT score because I didn't get so-and-so GPA. That really sticks with a lot of people when they go into their adulthood and they look for careers.
Really important too, because cybersecurity, application security, people of all backgrounds, all learning styles- they should be able to be involved. They can probably do some really great work. The diversity of thought and how we learn is really important in this space. So I love that you set up the book in that way.
And then also the way you contextualized those really important lessons, I think is huge. And the way that you follow Alice and Bob through that journey. Very smart, very cool. I love to see it.
Tanya Janca: Thank you.
Carolynn van Arsdale: And I know you said that you've gotten some really [00:25:00] good feedback about the book so far, but how has the community been responding to it so far?
Tanya Janca: I got a letter yesterday from someone and he's like, I just got your book and I attended SemGrep- so SemGrep Academy is essentially We Hack Purple Academy with a facelift and then a whole bunch of new content. And so I just released a new course two days ago about security headers, 'cause I'm a giant nerd and my friend Scott Helme, we both love security headers. And so anyway, the rest is history. And he was just like, I wanna thank you on behalf of me and my team because we've taken all these courses and like we keep following your work and it's made us better as an entire team.
And I don't know where we would be without people like you 'cause we, maybe they can't afford to hire me to come in, but I've still made options for them. And he's I just wanted to write you and say thanks. And I was like, you made my whole week buddy. So that is good. I am having some people comment on, I put a bunch of very spicy takes in the book as well. So I have some strong [00:26:00] feels.
Carolynn van Arsdale: Yeah.
Tanya Janca: I have some strong feels about a bunch of things. So one thing is the Canadian government and their level of security. So I used to work for them. I have left, I have been petitioning them and lobbying them and I'm a giant pain in their butt. And so I talked about a few things that I object to.
I talked about pen testers. So there are a lot of amazing human beings that are pen testers and there are a couple that are scum that will just click the scan button on Burp Suite and then copy that into a Word document and try to charge $10,000 bucks and say they did a pen test.
That's not pen test, that's a scan. And that's actually a lot more common than you realize. And so we have people who are giving their stamp of approval on things that aren't secure. And so like, how can you make sure you've hired a really good pen tester? And I actually put my email in the book and I'm like, if you're not sure, I will recommend people that I know do a really good job.
Carolynn van Arsdale: Wow.
Tanya Janca: And just because they're not on my list doesn't mean they're not great. But I've just seen [00:27:00] so many companies get ripped off and it really pisses me off. Like we're supposed to be the good guys. And so I have a bunch of things like that where I have tried to lift up the blanket and show people things that are happening.
'cause I want everyone to get good value for their money. I feel like cybersecurity costs too much right now. And don't get me wrong I really like money. I do. But I don't like it as much as compromising my ethics. My ethics, I like them even more. I want people to trust our industry, and part of that means we need to be transparent and honest.
And so I've had a couple people be like, oh, spicy Tanya. But I think that's important and it's my chance to have a voice, right? And so for instance, like I talk about privacy and respecting our users, and as a developer we can speak up in meetings. And I did that when I was a Dev. I'd be like, I wouldn't be cool if you did that with my data.
I can be a bit of a jackass sometimes, 'cause I'll speak my mind, which I found out is an ADHD thing where [00:28:00] our thoughts just come out of our mouth before we realize it. I did not know, I just thought that was part of me. I guess it is.
Carolynn van Arsdale: You're like, wow, it all makes sense now.
Tanya Janca: It does. Yeah. I was getting my son diagnosed and then I got diagnosed and it is apparently extremely common.
But I think it is important that all of us feel good and feel ethical about the work we do. And sometimes that means mouthing off in a meeting and by mouthing off, I mean saying I don't think this is cool, or would you be cool if someone sold your mom's information on the internet after they took a cruise with you?
I may have gone on a cruise and found out they sold my data after and got really angry. That's not in the book, 'cause that was after the book came out. But yeah, I'm learning a lot. I really want our industry to do better. That's it.
Carolynn van Arsdale: Yeah. I think also too, you raise a really good point because I think a lot about, small and medium sized businesses, when you know, the cybersecurity threat [00:29:00] landscape has just evolved so much and become more sophisticated, especially regarding software supply chain security and application security. So having books like yours is fundamental to people who, maybe they're the only person on their AppSec team working for their company, and they don't really know where to start, so it's really important stuff. I'm curious too, 'cause you talk a lot about the importance of secure coding in your work. I think it would be a missed opportunity to not talk about AI and machine learning and that impact it has on application security.
I'm really interested- I saw some great insights lately from Chris Hughes about vibe coding. I know that's a hot new term folks are talking about, and the security implications of that. That we have AI coding tools that are, I think there are what, like 26 popular ones plus in the market right now. I'm really curious what your thoughts are on AI's impact for AppSec and whether or not there's a net [00:30:00] benefit for the industry because you could use it both ways. I'd love to hear your thoughts on that.
Tanya Janca: So I actually just submitted a talk to DEF CON called Insecure Vibes, and guess what it's about?
Carolynn van Arsdale: Vibe coding!
Tanya Janca: I've read a bunch of books recently about behavioral economics and in my book, I talk about how we give a lot of perverse incentives to developers, but since then I've delved into- oh, so there is a giant section about how to use AI safely in the book. But since then I've delved into the idea of if we- so right now we apply these incentives that are bad for developers, like giving them deadlines and rewarding them based on features fixed, not bugs fixed, and other things like that, right?
And if people are gonna do vibe coding, we need to teach them how to do it safely and we need to teach them how to use AI safely. And [00:31:00] so I actually was doing a training last week and I had got ChatGPT to make an example for me. And I was vibe coding and I made this whole giant app just so I could demo Okta. And then after I was like, oh, and can you just make a short example for me of SQLi. So make a direct call to the database with concatenated data. Don't use the stored procedure, don't validate, don't do anything. And so then I was like, yep, that's garbage.
All right. And then I had asked it to turn it into a stored procedure and I had been coding all day and I missed it. And it was not a stored procedure. It was still concatenated data. And so then I was teaching and I was like, this example's wrong. I'm so sorry, I'm so embarrassed. But if it can happen to me- and to be clear, there were something like 42 different examples in that training and one had an error and it had one error, but I'm still like, this is not acceptable. And if I can miss it after coding for like [00:32:00] over 30 years and writing a book, how do you think a junior dev's gonna do? How do you think a dev that has had zero secure coding training or they had it like seven years ago, right?
How are they gonna do? And so we need guardrails. We need nudges in the IDE, we need nudges inside the AI. I approached one of the big AI companies that will remain unnamed and I was asking them basically is there a way that we could train your model on my book? And they said, if there's not at least a million lines, nope.
Yeah. I'm working on solutions. I'm not there yet. I also, I don't own the license to my book. My publisher does, but they're happy to license it- if you're listening AI companies. 'Cause what they could do is do a RAG server with that inside of it. Also, please don't break copyright and do that unless you pay the 25 cents or whatever that Wiley asks for.
But basically a RAG server, what it is, the AI goes to that data first and [00:33:00] references that as true above all of its other learning. So if, because when I was researching my book, Carolynn, it was not good news. There was lots of example, like I read lots of blogs where I'm like, that's wrong.
And there were supposed to be secure coding blogs or they're like, do this, and I'm like, why? And their explanation was wrong, but the answer was right. I'm like, okay, there's a lot of misconceptions out there. And ChatGPT, Claude, et cetera, Tabnine- they all are doing the best they can, but who has a million lines of known secure code for them to train?
I don't have that, right? And who's willing to let them train on it? So we're in a bit of a catch-22 at the moment. But I am hoping people like me- I don't know if you've heard of Jim Manico, but he's awesome. He's amazing. He's been-
Carolynn van Arsdale: Take your word for it.
Tanya Janca: Yeah, he's shown me endless kindness. So he does secure coding training too, and he did a talk at [00:34:00] SnowFROC recently and at NDC about how to prompt the model to get way better code out of it. I'm like, oh Jim, we need to hang out more. And so like between my research and his prompting, we could do something pretty amazing.
I feel like we need to have more nerdy researchers like him, me, there's so many. Scott Helme, Troy Hunt, there's so many people that are like hot into this. Get a whole bunch of them together and make some sort of overlay for the AI that just automatically secures you. I feel like that's a thing that needs to happen. Poor Jim. He's like-
Carolynn van Arsdale: Calling all nerds.
Tanya Janca: My ears are burning. Yeah.
Carolynn van Arsdale: Seriously.
Tanya Janca: But there's a bunch of people that are very interested in this and I know, like I've spoken to some people from Anthropic and they're like, oh yeah, security's very important to us, and like they're working on it, but it's not perfect yet.
So if you're a developer and you're listening, what can you do? Every single time, ChatGPT gives you something, you need to be [00:35:00] able to read and understand it. If you cannot read it and understand it, you should not be checking it into prod. A thing you can do if you don't understand is say, walk me through this, and it will, it'll sit there and walk you through and tell you what- and if you still don't understand, then you better not copy that code.
You can ask your peers to help you read it. If you can't understand it, that is the first step of no. So once you understand it, then have you applied the secure coding principles to it? So if you have read my book just use the summary of part one. So I made a checklist. I love checklists.
Carolynn van Arsdale: Me too. Have one every day.
Tanya Janca: Yeah. And I'm making it into a downloadable secure coding policy because that is how I roll. But anyway, go through that checklist and it's nine pages. See if everything applies like, if it follows those rules, you're probably pretty good. Then you'd wanna still run a static analysis tool, ideally in your IDE so you could just do it at the spot, you don't have to wait. But if you do it later, like after you check your [00:36:00] code in or in your CI, if you wanna do it later, I guess you can. I'm a control freak. I wanna do it myself, but to each their own and then consider checking it in. So if it passes all of those checks, but if you don't understand it, then it's dangerous, right?
It's the same as copying stuff off Stack Overflow. There's a ton of geniuses that post on Stack Overflow, but there's also one or two evil jerks and there's also a couple of people who just make honest mistakes. And just 'cause it's voted to the top does not mean it's safe. And the Stack Overflow people know this and they worry about it too. I've been contributing to their blog lately and they want people to write secure code. They do.
Carolynn van Arsdale: Yeah.
Tanya Janca: But it's hard with a giant forum with millions of posts and millions and millions of users. Yeah. So be cautious. Never trust, always verify. Just like you would if someone tried to upload a file to your server.
Tanya Janca: Be cautious.
Carolynn van Arsdale: For those listening, Tanya's making a disapproving mom face at you.
Carolynn van Arsdale: Just whip out that card, [00:37:00] just picture in your head. Yeah, so really good insights there. And I'm curious, do you feel as though there is this longing from the majority of the AppSec folks that you're working with- developers as well, but AppSec specifically- to focus on AI and ML security more than ever before?
Tanya Janca: Yes and no. So I feel like the average AppSec person's wildly overwhelmed. So I also submitted- so I've been writing talks the past two weeks, so I submitted another one called Crushed by the Backlog because we're being crushed by backlogs.
We have these tools that scan and they try to find everything under the sun and not everything it finds matters. If you sell juice, do you think there's a nation state that's gonna work really hard for months at a time to try to break through your TLS because you're using TLS 1.1 and technically that's broken?
No, no one gives a shit. Sorry for my language, but no one's gonna work that hard to hack the juice [00:38:00] company. And their juice is delicious, don't get me wrong. I'm sure they're doing a great job, but if all they do is give away recipes on their website and tell you where to buy their delicious juice, it's just, do we need to worry about TLS downgrade attack? We're fine.
And so tools focus on what's easy to find in an automated fashion, not necessarily what matters. So that is like a huge issue that our whole industry is facing right now, and we're overwhelmed by this. And so then you pile AI on top as this giant huge extra weight. And so I am hoping all of my AppSec colleagues will figure out how to use AI for themselves, so that it is their best tool instead of their worst enemy.
So at SemGrep, we did our performance reviews recently and we had to write self-reflections. I haven't had my review yet, but I wrote my self-reflection and they were like- thank you. I feel pretty confident it's gonna be good, 'cause my boss tells [00:39:00] me I'm good. But anyway the HR team was like, you are responsible for what you submit, even if you're an idiot and just copy and paste it out of ChatGPT. So here's cool things you could do is so you write an answer and then you give the answer to ChatGPT and the question and say, did I fully answer this question? Or, what I like to do is I write out the answer in my super casual language and then so I used to have to do QBRs and not being the director anymore I don't have to do those. I hate QBRs, those are quarterly business reports. And when I was a CEO I loved receiving them, but I don't just say, I don't like writing them. Anyway and so I would write all of it out and get all my stats and everything, and then I would get ChatGPT to make it pretty.
I'm like, can you make this sound super formal and appropriate for QBR instead of, so that sucked. And so then it would help me format it so I had bullets and stuff like that, and just save me time with writing. When I was filling [00:40:00] out the applications, all of the calls for papers are like, is there anything else you want the board to know?
And I usually just leave it blank. And so I was like, ChatGPT, should I put something in there? And they're like, yeah, you should! Tell them why you think this talk matters. Tell them why you think it's worth them booking you. Tell them this, tell them that. I'm like, oh yeah, I should do that. Thanks.
Because I never knew what to write there. I was always like. Cool beans. I think your conference is nice. It'd be nice if you booked me like, I know that's not very productive, right? So sometimes it can give you, it can suss out an idea. I also like doing brainstorming with it, even though I always hate its ideas.
So when I write a blog post, I'll be like, oh, I wanna write a blog post about this. Do you have some ideas? And they're like, you should do this. I'm like, that's terrible. And then I'm like, I'll show you. And then I write my own thing completely. But now I never have a blank page, if that makes sense. And you can use it as a brainstorming partner, but it should never speak on your behalf. Everything you say, everything that comes out of your mouth, everything that you submit, you're [00:41:00] responsible for. So never let it speak on your behalf. Just like you wouldn't let your administrative assistant write your-
this is you, it needs to be from you. So that is advice on your code, on everything. Wow. Sorry, I ranted a little bit. I have a lot of feels.
Carolynn van Arsdale: No, but I think that even if you, no matter what the use case is for AI, I think it always comes back to the coding use case of, you should be understanding what the output is.
You should be understanding what the goals are and how to use AI responsibly. I think it all comes back around. I actually had a funny conversation recently with a good friend of mine who is a therapist and she actually uses ChatGPT for therapy. For herself. And then also just posing ideas.
But obviously she's the therapist, right? She's the one with the MSW. She knows what she's saying. But just having that brainstorming, having that feedback, but just understanding the tool and the power of it, it's really important [00:42:00] stuff. So I think that's a good way to sum it up. So Tanya, do you have time for one more question?
Tanya Janca: Absolutely.
Carolynn van Arsdale: Awesome. So to close things out, and I know it's Women's History Month, we're talking AppSec Girl Power here. I really wanna hear what advice you might have, for folks who wanna get started in application security. But they're overwhelmed. They don't know where to start. They might need a mentor.
What are your thoughts for those folks? Not just women, but other marginalized identities too, breaking into this space?
Tanya Janca: Okay. I have a whole bunch of advice, one is that you wanna learn how to do your new job so that you feel competent and confident, right? Because if you show up competent and confident, it's pretty hard to doubt you, right?
No matter whether you are a straight, cis, white male, or you are a woman of color, whatever you are- showing up so that you know, that you know what you're doing. Then it just comes off of [00:43:00] you, the confidence. So places you can learn AppSec. So I'm gonna be super biased here. So I wrote a book, Alice and Bob Learn Application Security, that can help.
I have three free courses in SemGrep Academy called Application Security Foundations Level 1, 2, 3- very creative. And all of that is free and it'll teach you how to build a program and help you actually build one. So if you already work somewhere, it'll help you improve or build your first program.
So there's another book by Derek Fisher called The Application Security Handbook. That is also very helpful. That dude has a newsletter as well, which I subscribed to and it's recently got very CISO-ish, but 'cause he became a CISO. And I forgive you Derek, but I was just like, dude, this is my favorite blog.
I also follow Chris Romeo. I think that guy's really good. And I also subscribe to tl;dr sec by Clint Gibler, which is a summary section of new research and AI. So really get to know your subject matter, right? So that you show up [00:44:00] confident and competent. So then I personally have found huge success from getting a professional mentor.
You can find professional mentors through groups like Black Girls Hack, Women's Cyberjutsu, WISP. There's tons and tons of groups. There's Blacks In Cyber(security) and I run Cyber Mentoring Monday on Twitter, LinkedIn, Bluesky, and Mastodon every single Monday, which is free. If you can find a professional mentor, a person that you can trust that can give you advice, they can push you to the next level.
They open doors for you, they advocate for you, they pump you up. They help you just bounce ideas off of them. They're so valuable. And then lastly, I would join a community that has to do with the subject matter you want to excel in. So I highly recommend OWASP. There's also ISACA, ISSA, DEF CON chapters.
There's many different groups you can join. So join a technical one that you [00:45:00] like. I love OWASP. I'm super biased. I've been a member over 10 years. I'm a lifetime member. I'm a lifetime distinguished member now. But I know. I got that word in the mail yesterday and I'm still really excited.
Carolynn van Arsdale: Oh, congratulations!
Tanya Janca: Thank you.
Carolynn van Arsdale: I love OWASP too, so I'm biased as well. But congratulations.
Tanya Janca: But then also consider joining a community for whatever you are. So if you're a woman, if you're a person of color, if you are disabled, if you are from Chicago, join a Chicago group, so that you can have people that feel like you. So they feel like your peer, they have the similar struggles to you.
And so by doing that, that helps you feel heard and seen. They can help you judge things better. So I'm part of a bunch of different women's groups and it's really helpful. So I remember I kept getting blocked on Reddit from various subreddits, for doing what I felt everyone else was doing. So I would share [00:46:00] articles. I wrote about the topic that did not sell a product, and then I would get banned or I'd have my thing taken down by the mods and then I'd see dudes do the same thing. And there's other users and they do it. Why is it bad when I do it?
And then I told like the women's group, they're like, yeah, Reddit has some sexism. Not every, so it depends on the mod. But they're like, yeah, that specific one, I'm banned from it too. And it turned out like a whole bunch of women were banned from the same one, and we'd all just done the same thing the male people had done.
And it was like, fuck. So it helped me see a thing that I wasn't seeing. 'Cause I was just like bashing my head like why is this a problem? And all my colleagues at Microsoft who happened to be men weren't having any issues and we just couldn't understand what the problem was.
Carolynn van Arsdale: Wow.
Tanya Janca: And the women were like, it's this. I was like, that explains a lot of stuff. It just had not occurred to me. And we help each other, et cetera. It can be really amazing to have someone that kind of gets you, if that [00:47:00] makes sense. And so that is my list of advice of, and oh, and try to get some experience. So experience can be working on an open source project.
So I had a friend, she wanted to be a pen tester, and so she just volunteered for the SPCA. She's like, I love animals, and so I just offered to do a free pen test for them. And I know it's not the best pen test, but it's way better than the no pen test they had before me. And so you can volunteer for an organization that matters for you and do work for them.
I did a bunch of work for the Canadian government for free to show them that I was qualified before I got my first pen testing role. Like one of my professional mentors helped me get my first bunch of contracts. They don't always help find you work. It is not their job to find you work, but sometimes they will, and that's really nice.
So getting experience can be really hard at first. And so sometimes volunteering is the way just to have something on your resume.
Carolynn van Arsdale: Definitely. That all makes total sense to me. Really important stuff. Thank you for sharing that, all those really great anecdotes. I'm sure a lot of people [00:48:00] look to you and we'll share Tanya's socials and everything. You can follow all the great stuff she's doing and I'm sure you post constantly about all of these really great organizations that folks can get a part of. So Tanya, is there anything else that I didn't ask you that you wanted to share with our listeners today before we close out?
Tanya Janca: So there are two things which I'm hoping we can put in the show notes, and one is if you join my newsletter and you bought my book, or even if you didn't buy my book, I'm doing free live streams for every chapter. I'm thinking I'm gonna start them at the end of June, and basically for every chapter of the book, I'm gonna do a free live lesson, which will then be recorded onto YouTube.
So if you missed it, don't worry. And I just invite a bunch of experts on, I did this for my first book and there's a zillion views. And so basically universities wanna pay you almost nothing if you're an adjunct professor. So I'm like, then I will get paid nothing and I will do it my way. So I'm gonna have 15 free lessons and everyone's invited.
And to receive the invites and notifications you need to go to [00:49:00] newsletter.shehackpurple.ca and sign up, which is totally free. And all I do is just give you all the content I make each month. So that is one thing. And the other thing, and this is just this morning, so you have really good timing.
I turned a whole bunch of my research, so I did this talk called Maturing Your AppSec Program. And in it I talk about, these are different models that I see that need improvement. And then here's cheap ways to improve those models. And so I turned it into an online survey. So you know how like you'll go to Cosmopolitan magazine or something and it's answer this personality test and then you get this.
So it's like that, but for your AppSec program. And I will include a link in the show notes. Or you will, I'll send it to you. But basically I got it. If you have an AppSec program and you feel like it needs some work, please come answer our survey and then we will give you a customized report for free.
And then also once enough people answer, then we're gonna release the results as well. Assuming not only 10 people answer. We're hoping to get at least 100, but 1,000 would be [00:50:00] statistically significant. And so we're hoping to get lots of answers. So please consider answering that only if you actually work in AppSec or work at a place that has an AppSec program. Please don't answer just 'cause you like me. I appreciate the support. If you could just re-share it with someone that can do it, that would be better. Yeah, I would really love some participation so that I basically, so that I can do a lot more research and release a lot more content.
Carolynn van Arsdale: Love it. That's all great stuff. Yeah. So for folks who are watching, you can go to your favorite podcast streaming platform, look up the "ConversingLabs Podcast." We're gonna release the episode soon there, and you can find those show notes, find all that great information that Tanya just shared.
Tanya Janca, thank you so much for coming onto the ConversingLabs Podcast. It was a pleasure to speak with you. Thank you for sharing all these wonderful experiences that you went through. I learned a lot today. I'm sure many others did as well. Thank you.
Tanya Janca: Thank you so much for having me.