A leader in application security, our guest has spent the past few years travelling the globe teaching teams to integrate security practices into their development process. At SheHacksPurple.dev, Tanya continues to teach teams that security doesn't have to be difficult. In this episode, we'll explore her tips and tricks for developing a security mindset.
- Tanya Janca, Founder, Security Trainer, and Coach at SheHacksPurple.dev
This episode was original streamed on Tue, 20-Apr-2020 to multiple platforms. You can watch the streams (along with the comments) on-demand on:
- Tanya's excellent website, SheHacksPurple.dev
- Follow Tanya on Twitch, where she regularly streams live
- Tanya writes regularly on Medium
- A collection of fantastic security videos on Tanya's YouTube channel
- Be sure to follow Tanya DEV.to
- The DevSlop OWASP project. This project helps teach teams about DevSecOps
- OWAPS Cheat Sheets
- Pushing Left, Like a Boss, by Tanya
- AllTheTalks.online virtual conference where Tanya is giving the talk, "Purple is the New Black; Modern Approaches for Application Security"
- Security is Everyone's Job from OWASP Ottawa in July 2019
- Security Learns to Sprint: DevSecOps from B-Sides SF 2020
- All Day DevOps 2020 where Tanya is presenting, "Purple is the New Black; Modern Approaches for Application Security"
- Tanya is the keynote speaker for HellaConf 2020 by HellaSecure
Mark: All right, thank you for, joining us. We appreciate, you being patient while we're getting a few things ironing ... ironed out here. The challenges of live streaming are always never ending.
And it's almost like being on stage again, giving live demos, and just waiting for that hammer to hit 'cause you know, something is not going to work.
But I think we're up and running. We're good. We seem to be, live across all our platforms. As a reminder for Let's Talk Cloud, we'll go live on LinkedIn, YouTube, as well as on Twitter, so please feel free to join the con-, discussion there.
[00:06:01] And we've got a great team, in the background monitoring the comments to bring them up so that, myself and our guests can, interact with you and bring your commentary and answer your questions. so please don't be shy, commenting there. and on that note, my name is Mark Nunnikhoven. I'm the VP of Cloud Research at Trend Micro.
But you're not here to listen to me. You're here to listen to, yet another fantastic guest this week, we are, honoured to have Tanya Janca join us. She is better known as SheHacksPurple. She is the founder, security trainer, CEO amazing person, wizard. Anything you can throw that is a positive adjective, that describes Tanya in a nutshell.
[00:06:35] I'm gonna flip over. Give me two seconds 'cause this is a first time we've been Zooming, for one of these streams.
[00:06:47] Tanya: Thank you for having me. so I'm Tanya Janca. I am a giant nerd that is obsessed with the security of software. And a lot of software lives in the cloud. So then I became obsessed with cloud security. And, I teach and train and coach at my own little startup that I started this year called, SheHacksPurple.dev.
And yeah, basically, I just really obsessed with how helping people make more ... create more secure software across the planet. [silence]
[00:07:38] Mark: there we go. I think we're good now. yeah, perfect. Okay, so, just double checking again, live streaming. You gotta love it. and-
[00:07:44] Tanya: Yes.
[00:07:44] Mark: ... you know, I'm sure you've experienced some challenges, in the, live demos. but now you're training on your own. You wanna give a quick plug in, we'll add the link to your stuff , in the show notes.
[00:07:54] Tanya: Yeah, yeah.
[00:07:54] Mark: but just so what- what did you spun up at, SheHacks, Purple.dev.
[00:07:58] Tanya: Okay, so we only started in February. So we're going pretty quick. [laughs] And so right now we have a membership club where it's $7, and you get regular content from me. And the content is about, you know, for instance, like a new vulnerability that's happening quite a lot and how to secure your systems, or how to learn enough to get a job in InfoSec.
Or just basically, once or twice a week, I'm having live streams and people ask questions, and then it turns out lots of people wanna know the answer to that, and all those become blog posts.
[00:08:32] But quite soon at the end of this month, in fact, I'm going to be giving my first two courses live virtually. And then those courses are going to become courses you can do at home from my site.
So at virtual... The virtual version of the OS global AppSec Conference, so they're calling it AppSec days. I will be giving an introduction of how to build an Application Security program.
[00:08:57] So we're gonna set goals, we're gonna list out activities to get you to those goals, we're gonna talk about how to scale your team so that you can get to those goals, exact training and learning that you need to do so you can kick the crap out of those goals. [laughs].
[00:09:10] And basically, like we spend the whole day planning out your AppSec program, and teaching you about AppSec, the whole way through, I'm so excited. And then I'm also going to be teaching for the Dev contractor in Toronto.
[00:09:23] Mark: Okay.
[00:09:24] Tanya: I suppose to show up there in person, and that's gonna be this big surprise. But now clearly that- that can't happen. So I'm gonna be giving, hack the things with GitHub actions like for hours. We're gonna build a pipeline. And then-
[00:09:38] Mark: Okay.
[00:09:38] Tanya: ... this really insecure, [awful.net 00:09:56] app that I've made and we're going to find secrets in it. And we're gonna find in vulnerable dependencies, and then we're gonna fix them. 'Cause I mean, and I make people fix problems.
And then we're gonna do all that, and we're gonna publish to Azure and be like, "Look at our crappy app. Yes."
[00:09:55] So we're just gonna automate lots of security tests. And they're like, how many tests do you have? And like, how much time do we have.
[00:10:01] Mark: [laughs].
[00:10:02] Tanya: Because I literally have enough to do days a day. But we're gonna try to fit it into like, two- two hour slots of[inaudible 00:10:24].
[00:10:10] Mark: Nice, I like it. And you know what I gotta say-
[00:10:12] Tanya: [crosstalk 00:10:28] become a ... that- that will become a course on the site, too.
[00:10:15] Mark: Yeah.
[00:10:15] Tanya: But I'm just gonna keep building upon it. Yeah, I'm pretty excited to automate all the things.
[00:10:20] Mark: It's great. And I find those are almost the most fun things to write when you're purposely trying to make them bad, right?
[00:10:28] Tanya: [laughs].
[00:10:28] Mark: When you're purposely trying to figure out how to make this insecure, it is so much fun, 'cause it's such a contrast to what we normally try to do. and that's fantastic. And I think we're gonna touch on a few more things as we go on to this conversation of what you're up to online. because it's awesome that we've been able as a community to shift a lot of stuff that was in person into, virtual events for people to be, participating in.
But one of the things I know, you know, having watched your talks over the last few years, and seeing, you know, all the fantastic content you're putting in, you mentioned the word modern a lot with respect to security. can you maybe kick us off by telling us, what does modern application security mean to you?
[00:11:03] Tanya: Okay, it means two things to me. So one is that a lot of developers and dev shops and operations folks have moved towards DevOps, and they're not doing waterfalls, and they're not doing Agile, and Agile seems to be a moving target as to its definition.
So a lot of shops are actually doing DevOps. And then some of them are doing kind of partway where they're like, we have a pipeline, but we don't do any of the other things.
[00:11:28] So modern application security, is a security team actually adjusting themselves. So they actually also do DevOps. So none of this-
[00:11:36] Mark: Okay.
[00:11:36] Tanya: ... we're just gonna keep trying to do the old security model and just break all your DevOps process. And like manually stop your pipeline partway through because we feel we need three weeks for a code review. It's like, "That's not happening anymore. I'm sorry. Like, that's really cute, Go home. Go home, you're drunk." [laughs].
[00:11:53] But the other, the other thing with modern apps is that the way apps have been ... are being built is totally different now, like when I started, you would have interior architecture.
Interior meant you had a database and it was on one server, and then you had your web s-, your web server and your web app was there. And then that was the end. [laughs],
[00:12:10] And now you're like microservices, you have, you know, containers that might be orchestrated. And you have one page web apps, where traditional security tools, they just do nothing, they just spit out nothing.
[00:12:24] Mark: Yeah.
[00:12:25] Tanya: and so we need to adjust the way that we are doing security if we are going to secure modern applications. And that means looking at things...
Basically, like some of the old things still apply like you still always, always no matter what you're doing you need to do awesome input validation. If every single person on the planet could just learn that we will be off to the races [laughs].
[00:12:48] Mark: [crosstalk 00:13:08]
[00:12:48] Tanya: Yes, yes, exactly. Follow your hardening guides, et cetera. So like all the normal things, but then there's new things like if you're going to have lots of API's, then you should have a gateway, you should have a service mash, you should, ... Oh my gosh, there's just so many things.
[00:13:02] Mark: Mm-hmm [affirmative].
[00:13:03] Tanya: Like the list just goes on and on. And I think that if we're going to do modern apps, like we need to make sure that we are securing them properly, like the way that they need to be secured, it's different.
Like for API's, for instance, like you want to throttle them, right? Like if no person tries to log in 500 times that human is not doing that, right? So like, as more bots happen, we need harden our apps against those. Anyway, I'll talk all day. So that's what it means-
[00:13:30] Mark: That's good.
[00:13:30] Tanya: ... to me those two things. [laughs].
[00:13:34] Mark: It's fine. I mean, that's, you know, going ... that's the whole point of this is to get you know, your expertise out here. And I love, you know, that, explaining, you know, not just the security needs to change but the way we built, applications changes, which actually leads into one of my favorite, of your talks. you do a great talk called Pushing Left Like a Boss, rright? I love it.
It's not just pushing left. No, no, that's fine. You got to do it like a boss, right? And one of those things that you talked about one of the key pillars in that talk, and you kinda, you know, you hinted at it here, is really about, getting security thinking earlier in that development process. Why is that such a key to success.
[00:14:12] Tanya: So, if you look at the system development lifecycle, the further left you push the earlier you are, we both know this, but the further left you push ... so the earlier you are in the system development- development lifecycle-
[00:14:26] Mark: Mm-hmm [affirmative].
[00:14:26] Tanya: ... the cheaper it is. So if I wanna add a new bathroom to my house, if I wanna do it now, like when I live in the apartment, that's gonna cost a fortune.
[00:14:36] Mark: Mm-hmm [affirmative].
[00:14:37] Tanya: And they're gonna have to sacrifice another room, we're gonna have to figure out how to run the water etc. But if we were building this house, which like is a few, I don't know 50 or 60 years ago, way before I was born [laughing] I was not ... that was no digs. There is no digs there.
[00:14:56] Mark: I didn't say-
[00:14:56] Tanya: There's not-
[00:14:56] Mark: Go and get more and more grain[inaudible 00:15:22] this is ... this conversation goes by the end of it I'm just gonna be tiny in the corner but I get you, I- I know where you're going with that.
[00:15:05] Tanya: [laughs]. But- but the ... if you wanna add a bathroom then and you're designing it, I ... that's easy.
[00:15:12] Mark: Yeah.
[00:15:12] Tanya: That's totally easy, right? And in the middle when you're building it, you can still do it 'cause everything you know the walls are open, you're doing the water still. It's more expensive. It's still costly, right?
[00:15:24] Mark: Mm-hmm [affirmative].
[00:15:24] Tanya: But now adding a bathroom like "No, no, no, miss this is not possible," or it is but I mean, do I wanna lose my office where I do all these cute recordings. No. And so-
[00:15:36] Mark: Well-
[00:15:36] Tanya: [inaudible 00:16:00] number of bathrooms that I have.
[00:15:39] Mark: Yeah, I mean, I think the- the- the key there is like ... the implication there is that it changes the value proposition right? When you go, yeah, I really want that extra washroom, but if it's gonna take ripping the house apart, and it's gonna cost, you know, 30x what it normally would have when I was designing this place, it's not as bad, I can live without it, right?
[00:15:57] Tanya: Right.
[00:15:57] Mark: Like I can go without that.
[00:15:58] Tanya: [00:15:58] Exactly.
[00:15:59] Mark: ... it's interesting.
[00:16:00] Tanya: And when we find a security bug, so about like a vulnerability or even worse, a design flaw that is so expensive to fix later.
And when they have, this chart from the Ponemon Institute of how much it costs, so there's a bunch of different places online and they all say a different amount.
[00:16:18] Mark: Mm-hmm [affirmative].
[00:16:18] Tanya: But after it's in production, the cost is- is quite a bit higher, I would say almost 100 times higher. However, if there's an incident ... So if I noticed the vulnerability or flaw in production, or one of my clients notices and reports to me that's fine.
But if you know bad guys incorporated finds it, that could be an exponential, like just add squared cubed, et cetera, onto that number that you originally had. Because it- it can be out of this world the cost of an incident. Like you don't even know and also could damage your reputation, et cetera. Right?
[00:16:57] And then all those resources that are completely diverted from all the other work you were doing, yeah, so that's why we need to start security earlier because of money and because of quality, because you ... yeah, you build a quality[crosstalk 00:17:35].
[00:17:09] Mark: I think that's a key rule, and I- I love, I love that you said quality 'cause I think that's a that's a language that development teams and businesses, well development teams for sure businesses getting there when it comes to IT, that's something they understand.
So, you know, relating that security in, and is treating it you know, the same impacts as quality failures, makes it easier to- to bridge that gap. But you know, the bathroom analogy is- is perfect too, right? 'Cause there's this ...everybody sitting in their house, especially now.
Going like I would have loved to take that wall down. But you look at the money and you go, "Yeah, I'm not gonna spend that much to do that." Whereas, you know, when we were building it or when you were looking at the place, you would have selected something different, that met your requirements, if you knew you're going to be stuck here, 24/7 for the next, you know, few months.
[00:17:49] Tanya: Yes. [laughs].[inaudible 00:18:19] so correct.
[00:17:51] Mark: so that's, that's great and ... [laughs] And so that talk just for the audience, everybody, tuning in, and we've got people from around the world, which is great. And, you know, we put up the show notes and everything I'm referencing here of Tanya's work is in the show notes.
So you can see the recording of, Pushing Left Like a Boss, there. and the team will put the link, to the, to the show descriptions in the chats on LinkedIn, YouTube and Twitter, so you guys don't have to frantically Google stuff in the background. we made it easy and pulled stuff together and I'll add whatever comes up.
[00:18:18] But one of the things, also, Tanya is you're super, super active, with OWASP. globally, you know, and, locally, wherever you end up being, you know, so now moving out into the West Coast, being there. where do you think, you know, having been in a loss for quite a long time and seen a huge change over the last few years.
[00:18:34] Tanya: Mm-hmm [affirmative].
[00:18:34] Mark: Where do you think OWASP was had the most success?
[00:18:38] Tanya: The most success? Well, the most famous thing we're known for is the OWASP, Top 10.
[00:18:44] Mark: Mm-hmm [affirmative].
[00:18:45] Tanya: And I feel we've had quite a bit of success with that, because it has brought awareness to the fact that security is a problem.
[00:18:53] Mark: Yeah.
[00:18:54] Tanya: And, for instance, in the most recent version, process request forgery was taken off the top 10 because we brought so much attention to it, that several of the major frameworks just wrote it into the framework, like .net wrote it in and just automatically passes the token for you and-
[00:19:09] Mark: [crosstalk 00:19:40].
[00:19:10] Tanya: ... developers like all the way laughed, like that is a dream come true, right? So I- I do believe we've really helped bring attention to it. And I do believe we've helped a lot of people solve a lot of problems like the Cheat Sheet Series, for instance, she is my favourite project including of my project.
[laughs] And it's less just the ... it's the answers to everything. So if you're, you're ... you wanna test cross [00:19:40] site scripting, you just like look up the cross site scripting, and then they actually have it filter evasion cheat sheet. So you could do the best testing ever. [laughs].
[00:19:48] Mark: Perfect.
[00:19:48] Tanya: It's just so cool, right? I also think that the community building has been really beautiful. So we in the past year have gone from 250 to over 300 chapters. I think that has a lot to do with our new executive director-
[00:20:02] Mark: Mm-hmm [affirmative].
[00:20:03] Tanya: ... who kind of decided to emphasize that O, and OWASP, which stands for open.
[00:20:08] Mark: Yep.
[00:20:09] Tanya: so that's really good. The community was a bit divided before we didn't have an executive director for a really long time. and then we had one for a while but was at friction with the community for quite a bit, so that person left and now we have someone where everyone there kind of click.
[00:20:26] Mark: Yeah.
[00:20:26] Tanya: If that makes sense.
[00:20:27] Mark: Yeah. That- that makes a huge difference, especially when it's volunteer driven, right?
[00:20:30] Tanya: Mm-hmm [affirmative].
[00:20:30] Mark: You need that vibe in there. you mentioned your project. Do you wanna give us a little rundown of what your OWASP project is?
[00:20:37] Tanya: so, my friend, Nicole Becker, and I decided we would start a project called DevSlop, Sloppy DevOps. Because we wanted to know 'cause back then we're both penetration testers and watch know, how do you do penetration testing on modern apps?
How do you do penetration testing most effectively in a DevOps environment and not break all the things and still be someone they wanna hire back after.
[00:21:01] And so she made this wildly insecure app with some micro services, and we started giving workshops, then I created ... so we decided the project would have multiple modules.
[00:21:12] Mark: Mm-hmm [affirmative].
[00:21:12] Tanya: So the project could just never end. [laughs] So I made this giant pipeline with like nine tools in it. And then I would demonstrate it at places and like, make videos of me actually building things live-
[00:21:24] Mark: Mm-hmm [affirmative].
[00:21:25] Tanya: ... and then smashing things and then adding new tools. and then we had the DevSlop Show, which is now I mean, twice a month right now on Sundays-
[00:21:34] Mark: Mm-hmm [affirmative].
[00:21:34] Tanya: ... at 1 PM. Eastern Standard Time and 10 AM my time Pacific. and, we have guests on and just interview them and ask them stuff. So last week, we had Teri Radichel on and she's a cloud pen tester. And we're just like, "How do you smash all the things?" She's like, "Yeah."
[00:21:51] Mark: Yeah.
[00:21:51] Tanya: and so there's four of us that are part of the project. So there's, Francisca, who's a laugh expert.
[00:21:55] Mark: Mm-hmm [affirmative].
[00:21:56] Tanya: So she actually wrote a bunch of the core rules set for ModSecurity.
[00:22:01] Mark: Okay.
[00:22:01] Tanya: And so she's created four different pipelines now that have a laugh in it. And then your app ... and then, a bunch of scanners attacking the laugh and tuning it automatically in your pipeline so that you can tune your laugh and release it.
[00:22:17] Mark: Nice.
[00:22:17] Tanya: So cool, right?
[00:22:19] Mark: Yeah, yeah.
[00:22:19] Tanya: So we just build weird [inaudible 00:22:56]. That's what we do. And then Nancy is one of the project leaders and she's si- ... sort of like the overarching organizer making sure that we actually [laughs][inaudible 00:23:05]. She's very ... politely she's like, "Come on cats."[inaudible 00:23:10]
[00:22:34] Mark: Yeah. Yeah, well 'cause-
[00:22:35] Tanya: [crosstalk 00:23:11].
[00:22:36] Mark: The problem is, it's easy to go down the rabbit hole, right? Especially when you're doing something super cool. So like that laughs tuning the auto tuning with scanners, you could spend months on that just going to be like, "Oh, and I could do this. And I could do that. And I can do this."
[00:22:47] Tanya: Right.
[00:22:47] Mark: And then I could, you know, automatically vulnerability scan based on that result back here and push this and you just go nuts, right? Which is a good thing.
But you need to strike a balance at some point. So having somebody, you know, crack the whip to hurt the cats is- is important.
[00:23:00] Tanya: He is so important. Oh my gosh, it was a mess before. [laughing].
[00:23:05] Mark: Very cool. So I wanna ask something maybe a little more controversial or a little pushbacky-
[00:23:09] Tanya: Hmm.
[00:23:10] Mark: ... on this. so you mentioned the OWASP Top 10 I think everyone pretty much knows the Top 10. You know, they've been going over a decade now with three major revisions. What I find interesting is that over those three big revisions over the 10 years, there wasn't a huge amount of change.
So there was stuff up and down and cate- categories got merged together, there wasn't like massive like, "Hey, we wiped this one off." Like injection was injection then SQL injection, then it's back to injection. But it's still the same principle. Do you think that's mainly because, ... Well, let me phrase this in- in a more, sort of Jerry Springer kind of way.
[00:23:45] Tanya: Okay.
[00:23:45] Mark: Is that because we failed an AppSec? Or is that just because of the nature of, things, are getting more complicated? There's more people coming. There's more cyber criminals, there's more of everything.
So you know, it the progress we make of pushing that stuff left into the frameworks around different types of attacks, new stuff pops up, because things are more complicated than ever. What's, what's your opinion on that lack of change around the top 10?
[00:24:07] Tanya: So there's two things. One is that we're still having a lot of problems and we're still finding a lot of the same problems over and over. And we are as an industry, in my opinion, not winning. Like we're not winning yet. We're working on it. but right now, we're not winning, in my opinion.
[00:24:28] But the second thing is, is that it's not a data driven list. it's supposed to be in the most recent one, they had some data, but previously, just one company gave them data. And then it was just the people on the list, who use their personal or their professional experiences to form the list.
[00:24:46] So the first list was just written with like some guys in a bottle wine. And they're like, what do you see all the time? What's the worst shit? And then they made a list of what they wish every developer would know.
And the things they just keep finding over and over and over that they know are very damaging. Like they're experts. They have ... I think they have almost 20 years experience in AppSec.
[00:25:07] So they like basically started the existence of our industry. So who knows better than them, but most companies won't give any data. Like when they do the data call, no one gives any data. So how are they supposed to have an accurate list?
The people who give, who- who give data, guess who they are? The ones that built the scanners. And lo and behold, they only find the shit that their scanners find.
[00:25:30] Mark: Yep. Yeah.
[00:25:31] Tanya: Right?
[00:25:31] Mark: Which is ... I mean, and it's not them trying to be biased, but it's just, you know-
[00:25:34] Tanya: Yeah.
[00:25:34] Mark: ...this is the data they have. And it's incomplete. And it ... Yeah, I get it. you know, and that's part of the challenges, you know, and we see that constantly with, breaches and cyber crime in general.
[00:25:43] Tanya: Yeah.
[00:25:43] Mark: It’s like companies don't want to, which is why, you know, they don't wanna report, which is why it's interesting in Canada, for us, at least, there's far more stringent mandatory reporting.
[00:25:52] Tanya: Hmm.
[00:25:52] Mark: So it'll be interesting at the end of this year to see the first official government stats of every breach that people know about above a certain point, will actually have some reasonable data not perfect, but, you know, I get it that is a constant challenge to make decisions based on no data. Right?
[00:26:10] Tanya: Yeah.
[00:26:10] Mark: It's, you know, we, I'm giving so I'll give myself a plug here, 'cause it leads to 'cause it leads to a plug for you. is that tomorrow as part of all the talks, done online, the big virtual conference that Snyk is pushing, and-
[00:26:23] Tanya: Hmm.
[00:26:23] Mark: ... coordinating and wrangling us all into. So I'm giving a talk on risk decisions. And that's one of the biggest points is like we were making decisions based on no data whatsoever.
Most of the risk assessments are either high, medium, or low, which is like the ... and then they have fake math and the assessments which I love, like high, times medium equals bad, you're like, okay, that's like ... that doesn't mean anything.
[00:26:44] But, at that conference, this leads in to the next thing I wanna ask you. so, part of the talk ... part of the conference tomorrow, 8:45pm Eastern, so, 5:45 Pacific, I think is your time slot, on the 15th. So Wednesday, the 15th.
[00:26:56] Tanya: Yeah.
[00:26:56] Mark: You're giving a talk purple Is The New Black, modern approaches for application security.
[00:27:02] Tanya: Yes.
[00:27:02] Mark: Why purple besides the fact that it's your absolute favorite color?
[00:27:06] Tanya: [laughs] so when I, when I started doing security, I started as a pen tester and pen testers are attackers, they're offensive security, and they are considered red team. And, I was briefly, considering moving to the red team for Canada. But then I got an AppSec offer.
And I thought about it. And it turns out I love AppSec more than I love breaking things, which was a hard choice as a surprisingly hard choice like the super, super super prestigious, I'm a badass job. Or that I'm gonna do the thing that I love and makes my heart pitter-patter job.
[00:27:41] Mark: Mm-hmm [affirmative].
[00:27:42] Tanya: So I took the AppSec job and- and you do a lot of defending an AppSec and defending is blue team. And so people were saying, "Oh, well, you're a pen tester, but you're also our AppSec person. And you're also our incident responder."
And like, Yes, I'm a te- ... I am a whole team.
[00:27:57] Mark: [00:27:57] Mm-hmm [affirmative].
[00:27:58] Tanya: ...they're like, "Oh, you're blue team, and you do red team." They're like, "I guess you're the purple team." And it just kinda stuck. And so everyone kept saying like, "Oh, yeah, she does, she does the purple team stuff 'cause she'll do both for us."
[00:28:10] Mark: Mm-hmm [affirmative].
[00:28:11] Tanya: And that became my shtick. And when I went to make my Twitter handle, 'cause I only got Twitter, I guess, not quite three years ago.
[00:28:20] Mark: Okay.
[00:28:20] Tanya: And I had gone to a conference and WannaCry had broken out at the conference. so like on stage, someone got an email and then read it to us. And we all freaked out and all went-
[00:28:34] Mark: Mm-hmm [affirmative].
[00:28:34] Tanya: ... to respond to incidents. but they were like, "You should get Twitter so you know what's going on." And I was gonna put She Hacks Computers, because my email used to be like, she plays guitar. And-
[00:28:44] Mark: Mm-hmm [affirmative].
[00:28:44] Tanya: ... I was like, Oh, she hacks computers. That's what she does, right?
[00:28:47] Mark: Yeah.
[00:28:47] Tanya: But that was too long. There's one character too long. So I was like, forget it. I'll just put purple 'cause that's shorter.
[00:28:54] Mark: Mm-hmm [affirmative].
[00:28:54] Tanya: Who knew how important that would become as time went on, right? [laughs].
[00:28:59] Mark: Exactly.
[00:29:00] Tanya: And it just like built in, built in, built and then now my company is named that last minute decision. [laughs].
[00:29:06] Mark: Mm-hmm [affirmative]. Hey, and you know, it's working for you. But I also I like the fact that you know, combining the two colors makes sense and one of the things…so not to give away the talk 'cause you're, you're obviously giving it tomorrow and it's available on demand I think on your YouTube channel as well.
[00:29:20] Tanya: Yeah.
[00:29:21] Mark: but one of the things you've talked about in that talk and you know for the audience this isn't like the first 30 seconds, so I'm not ... there's no spoilers here.
[00:29:27] Tanya: Yeah.
[00:29:27] Mark: is you're talking about empathy, and soft skills. do you wanna give us a little bit of your perspective on that because you think you know, okay, defending and attacking I'm just talking technology here I'm, you know, man in hoodie with fingerless gloves in a basement hacking things, and people running around insane in a corporate office defending things.
Where- where's empathy come in, and communication come in on that side?
[00:29:49] Tanya: I feel like in tech, we have given a lot of excuses to people with very few social skills, and people who act with arrogance, or rudely or insensitively where like, oh, boys will be boys, including- including women that act like that.
And we're just like, oh, like tech, people don't really have social skills. But the ones that rise to the top, those are always the one with social skills. Not necessarily like the most charming person you'll meet, but a person that knows how to communicate clearly like, no, I really need you to come to this meeting with me because we need your perspective.
[00:30:27] Mark: Mm-hmm [affirmative].
[00:30:27] Tanya: Or I appreciate that you wanna do that. That's against policy, can we brainstorm a way together so you can get the thing done, you need doing but I can't have you run off and roll your own encryption, or whatever the thing is that you were gonna do.
[00:30:43] Mark: [laughs] Yeah.
[00:30:43] Tanya: It is not acceptable to policy, like do you want me to explain why and the risks 'cause I'll tell you. But we have a lot of people that just that aren't very good at communicating. And soft skills are about communicating and also about professionalism.
[00:31:01] Mark: Mm-hmm [affirmative].
[00:31:02] Tanya: Since I've switched to software development to InfoSec people are gonna get upset but I have had so many instances of wildly unprofessional things that I've never had in- in software.
[00:31:13] Mark: Yeah.
[00:31:13] Tanya: Like, just especially working with other pen testers, like the ridiculousness. Like if you would watch a movie of people like gossiping and saying bad things about each other like that would be like maybe a quarter of the pen testers that I'd worked with were like, at first, I was cute, and I wasn't a threat.
But then I wanna contract instead of someone else. And it's like, "Let's go get her."
[00:31:36] Mark: Mm-hmm [affirmative].
[00:31:38] Tanya: [laughs] It's like, maybe I got it, because that's they want a softer, like, not like less testing, but just like a softer approach, if that makes sense. So I'll go to someone[crosstalk 00:32:38]
[00:31:46] Mark: Maybe they want someone who can, who can communicate effectively the problems-
[00:31:50] Tanya: Yes.
[00:31:50] Mark: ... and challenges as opposed to slapping a shoddily written report on the table and saying-
[00:31:55] Tanya: Yes.
[00:31:55] Mark: ... here's your problems, go fix it.
[00:31:57] Tanya: Yeah. So I worked on this team of pen testers. And I remember like, there was a client and they'd sent like this guy, and then they sent me, ... Or no, they'd sent me. And then they sent the guy. And he was like, "Well, Tanya missed this thing?"
And they're like, "No, like, we changed code since she got here. So it's probably there." And he was like, "She doesn't know what she's doing. So she should [inaudible 00:33:11]." And he's like, telling the client this. And I was like, well, this is a discussion we should have together.
[00:32:24] Mark: [00:32:24] Mm-hmm [affirmative].
[00:32:25] Tanya: ... so then he kept insisting that he would go back. but then he was away. So they sent me and, you know, I would say, like, "Hey, I think I found something, can we go over it.
And like, look at your code together or whatever." And so then the client just like, called the boss and was like, "We never wanna see that guy again.
[00:32:39] Mark: Good.
[00:32:39] Tanya: He's so rude. He's here[inaudible 00:33:34] to us. He's such jackass. And like, she found all the things."
[00:32:45] Mark: Yeah.
[00:32:46] Tanya: Like, right? Like if they're, they're just like, we don't know what he's talking about. Like he- he was saying, I found a thing that then you refuse to give any proof, but just kept saying I didn't find a thing. And he's like, "I don't have time to write a bullshit report about this." And we're like-
[00:33:00] Mark: That's good point.
[00:33:00] Tanya: ... but that's what we paying you for. That's what we're paying you for. It's the report. He's like, "Why don't we just not write shitty code." He's saying that to a client, "Don't write shitty code."
[00:33:06] Mark: Hmm.
[00:33:07] Tanya: I'm just like ... I'm, I'm in the conference call. And I'm like-
[00:33:10] Mark: Yeah, yeah.
[00:33:12] Tanya: And so like, guess what, that guy doesn't work there anymore.
[00:33:14] Mark: Mm-hmm [affirmative].
[00:33:14] Tanya: And I guess theoretically I don't either, 'cause I started my own company.
[00:33:17] Mark: [laughs].
[00:33:17] Tanya: But not because of that.
[00:33:19] Mark: Yeah, yeah. Yeah, yeah, yeah. But it's, it's interesting. So I mean, this tying back to the empathy, you know, and the soft side and sort of the, you know, and I hate that term, soft side, but it's, you know, it's the common reference, by communication skills, and-
[00:33:29] Tanya: Yeah.
[00:33:30] Mark: ... social skills. and I was talking to, Patrick Debois last week. so you know-
[00:33:34] Tanya: Oh, nice.
[00:33:34] Mark: ... you know, Patrick, right? so, DevOps, handbook author, and very much coming at security over the last few months from the development side as well. And so he doesn't have the personal stories that you do having worked in security for a while-
[00:33:46] Tanya: Mm-hmm [affirmative].
[00:33:46] Mark: ... but he had very echoed very much the same thing. And it's, you know, something as a security person I've seen forever in, you know, firsthand is that the reputation rightly or not, and sadly, more rightly than not, is that security's grumpy, hard to work with obstinance, arrogant, we don't have a good reputation as a profession.
[00:34:06]you know, and I think that's something that we need to work on. But the good news is people like yourself are proving that you can have the deep chops and that, you know, the badass skill set, and be able to speak English and be compassionate and be empathetic and realize that nobody set out to write crappy code today, and just they made a mistake, and we can fix that. And-
[00:34:26] Tanya: Yes, I know.
[00:34:26] Mark: ... it seems like that's baffling to people that nobody wakes up trying to sabotage everything. but this leads to one of the questions I wanted to ask you.
So you've in your career, you know, you spent some time with the Federal Public Service, here in Canada, which is, you know, a very conservative, you know, culturally. and then, you know, you follow that up by, working at Microsoft as a senior cloud advocate, being out in the community. very, you know, polar opposites, on the cultural.
[00:34:54] Tanya: [laughs].
[00:34:54] Mark: what's a positive of that sort of conservative, very, you know, s- ... almost glacial pace of change in the, in the public service, then what's the positive of the more Azure society, you know, out there? Can you, can you give us a pro for each?
[00:35:10] Tanya: Working in the government means they're very risk adverse.
[00:35:14] Mark: Mm-hmm [affirmative].
[00:35:14] Tanya: And it's good because that means that sometimes as a security person, when you advise, like that is a risk that I believe is too big to take. They actually listen, and then don't do the thing. They're like, "You know what? Maybe she's right. That does sound scary."
[00:35:29] Mark: Mm-hmm [affirmative].
[00:35:30] Tanya: They also I'm not sure if you know about some of the policies, but there's one called ATIP so access information and privacy. So everything that's in your emails can be read by a person in ... a public citizen who requests it unless there's a security reason not to.
[00:35:46] So they're very conscious as to what they say and what they write. And it's good because if I put something in writing that is serious, like this is a risk sign off sheet and I need you to sign it.
Even if they don't sign it. The fact that I've put all of that in writing is this beautiful paper trail for the public-
[00:36:07] Mark: Yeah.
[00:36:07] Tanya: ... if something really bad happens, right? And that is how the government works like, transparency.
[00:36:13] Mark: Mm-hmm [affirmative].
[00:36:14] Tanya: Right? And- and they care about different things than business cares about.
[00:36:19] Mark: Yeah.
[00:36:19] Tanya: So good things about joining Microsoft was they're at the bleeding edge of all the coolest scary tech. Like.
[00:36:27] Mark: Yeah.
[00:36:27] Tanya: ... wow. And you could tell them a thing, and in four seconds later, it's done. [laughs] I'm like, I think these things ... and then like, two days later, they're like, go into Azure and look and I'm like, "Whoa, [laughs] that's incredible." so they would change things very quickly and as exciting and they were not afraid to take risks.
[00:36:49] Mark: Mm-hmm [affirmative].
[00:36:50] Tanya: They still like ... 'cause they're, you know, they're blue chip company for a reason.
[00:36:54] Mark: Mm-hmm [affirmative].
[00:36:54] Tanya: They're not reckless. They're not like a startup. We're maybe they would be like, you know, halfway jumping off cliffs they're, they're not like that.
[00:37:02] Mark: [00:37:02] Yeah, no, but it's, it's moved fast fail forward and you know, take reasonable risks as opposed to the government-
[00:37:07] Tanya: Yeah.
[00:37:07] Mark: ... which is, we got to make sure this is gonna work. There's no room for error on anything.
[00:37:12] Tanya: Yes. Yes. And- and I also found that the security people at Microsoft, like, they're very passionate, and just their level and depth of knowledge just constantly floored me. Just like constantly like- [laughs]
[00:37:30] Mark: Yeah.
[00:37:30] Tanya: ... and there's a lot of smart people in the Canadian government. I worked with lots of intelligent people. But- but- but go- ... like Microsoft like I just kept saying, it's like ... it's the, it's the cream of the crop and sometimes I just pinch myself like, "How did they let you in like don't they know you're riffraff? [laughs].
[00:37:48] Mark: Come on.
[00:37:48] Tanya: And I don't really have like imposter syndrome. I'm not that person. But I'm just like, "Damn."[laughs] Yes, is cool. Like in my interview, Jessie Frazell interviewed me and I was just like, "I follow you on Twitter.
[00:38:02] Mark: [laughs].
[00:38:03] Tanya: [inaudible 00:39:07] This interview was worth it just I got to hang out with you for an hour one on one." [laughs].
[00:38:09] Mark: Yeah, that is, that is a very cool experience. But also, you know, the reason why you were hired on and there because you deserved to be there.
[00:38:17] Tanya: Yeah.
[00:38:17] Mark: You're also someone who if they get one on one time, be like-
[00:38:21] Tanya: Yeah.
[00:38:22] Mark: ... "I follow you on Twitter, I subscribe to your website."
[00:38:24] Tanya: Yeah.
[00:38:24] Mark: "Like you are coaching me on a bunch of stuff. This is awesome.' So you know, tables have turned in a short time. So, one-
[00:38:32] Tanya: It's true, it's true.
[00:38:33] Mark: One of the things I like to do on the show is put people on the spot a little bit.
[00:38:37] Tanya: Okay.
[00:38:37] Mark: which you know, but in a politely Canadian way. So it's, it's not bad. we do this little rapid fire segment, I'm gonna ask you a couple things.
I'm going to give you two choices and you got to pick one but you can't explain why you just have to pick it up. And then we'll circle back a little bit.
[00:38:50] Tanya: Okay.
[00:38:50] Mark: so a little bit challenging, but a little bit fun too. So a rapid fire here. so everyone's obsession with hackers so movies, TVs, the popular media, stuff like that. Is that good for cybersecurity or bad?
[00:39:03] Tanya: Bad.
[00:39:04] Mark: Okay, we'll come back. if you can only have one of these, do you get vulnerability scanning in your pipeline or regular pen tests?
[00:39:12] Tanya: VA scanning.
[00:39:13] Mark: Okay. which one is perceived as cooler, perceived as cooler? Red or blue teams?
[00:39:20] Tanya: Red.
[00:39:21] Mark: Hmm, interesting. Okay, what would make a better security pro? And I think we've already covered this, communication skills or technical?
[00:39:34] Tanya: Technical. [laughs].
[00:39:35] Mark: Okay. Okay. now, if you had your choice you could wipe ... magically wave your wand and wipe one issue off the internet entirely, injection attacks or broken authentication?
[00:39:47] Tanya: Broken off.
[00:39:48] Mark: Hmm, interesting. You went on a couple of different ways that I thought you would in there. Okay, let's just-
[00:39:52] Tanya: It's just so much more broken off all over. There's just a way more of it.
[00:39:57] Mark: Okay, and I- I mean I- I- I see where you're coming I mean they're both massive issues but i think you know, broken without ... like without strong off there's so many other things that we can't do, right?
Like we can't get into zero trust if we don't have strong off, but interesting. so why red team over blue for cool?
[00:40:14] Tanya: You said perceived as cooler-
[00:40:15] Mark: Yeah.
[00:40:15] Tanya: ... you didn't say what one do you think is cooler.
[00:40:17] Mark: No, no, but why ... so you ... perceived as cooler now do you-
[00:40:20] Tanya: I guess movies, movies are, movies are all about hackers breaking the things-
[00:40:25] Mark: Mm-hmm [affirmative].
[00:40:25] Tanya: ... and they're running around and like no one's like, oh, except for that really dumb movie where they needed to patch an airplane. Did you see that? And like they're like driving and he jumps and he puts the USB key inside-
[00:40:37] Mark: Into the ... Yeah. [laughs].
[00:40:38] Tanya: Oh, you would ... We just stopped the plane. Why would you ... why would you-
[00:40:42] Mark: [laughs].
[00:40:42] Tanya: And obviously you need to reboot the plane. Come on. [laughs].
[00:40:47] Mark: So let me, let me ask you a follow up question then. Given that you were a dedicated pen tester for quite a long time, have you often carried a machine gun and jumped on several international planes like Chris Hemsworth in Blackhat?
[00:41:00] Tanya: I, you know, I haven't even done that once. What I would carry would be a toque. And then those smoker mitts so like your fingers stick out, but then there's like a thing that you can cover.
[00:41:11] Mark: Yeah.
[00:41:11] Tanya: And then an extra pair of pants 'cause in the summer I wear a dress. Have you ever been to a data center? The coolness comes up from the bottom.
[00:41:22] Mark: Yeah.
[00:41:22] Tanya: If you're wearing a dress, I'm just like, "Oh, my legs are just totally numb." I guess I'm just like, yeah, so I had like this emergency data center outfit-
[00:41:30] Mark: [laughs] Nice.
[00:41:30] Tanya: In case like, like, we're not planning to go to the data center today, but like, time you go to the data center.
[00:41:35] Mark: Fair. And I mean, we all have weird things in our go-bags that happens.
[00:41:39] Tanya: [00:41:39] Yep, yeah.
[00:41:39] Mark: But yeah, I mean, I agree. I know this is the challenge, especially around the media and how they portray, cybersecurity and hackers. you know, I think I heard it as a comment in one of your talks, but I know I deal with it a lot myself is explaining to friends and family what you do, because the automatic assumption is, you're that cool person who jumps around. I mean, I think we're cool.
But, you know, we're not jumping a plane with a machine gun and then parachute out of that plane into a foreign city, you know, kind of cool.
[00:42:03] Tanya: Like, we almost never do that, like less than once a month.
[00:42:07] Mark: Yeah,[inaudible 00:43:19]. I've only done it like three times this week in a pandemic, it's fine. It's, it's all good. you know, but it- it is a challenge of you know, the- the difficulty I always had was with CSI. my partner, she's a genetics researcher, and by training, I'm a forensics, investigator.
So you know, we're, we're we could be on CSI. And the challenge we always had was that the DNA and CSI in the test tube, you could see it. and then when they're doing the cyber side, they take like a two terabyte hard drive, but put it in the machine, and they have answers immediately.
And you're like, "Where's the three days of watching it like index and copy and like ... then coming back and like the eight pounds of coffee you've had in those three days like no, no, it's instant. In I mean, I get it for TV. But-
[00:42:49] Tanya: Also, did you see, did you see that when where there's like, someone's like they're like hacking. They're like hackback and they're on the keyboard and then the other one puts their hands also on the same keyboard. It's just like-
[00:43:01] Mark: It was a duet. It was beautiful.
[00:43:03] Tanya: Just all the forehands giant mess. It's like, don't the-
[00:43:07] Mark: Mm-hmm [affirmative].
[00:43:07] Tanya: ...like, don't the actors think like this doesn't make sense?
[00:43:10] Mark: It's what-
[00:43:10] Tanya: [inaudible 00:44:24] no one who's like-
[00:43:12] Mark: It's what looks good on TV, right? It's the same with the short-
[00:43:15] Tanya: Yeah.
[00:43:15] Mark: ... lived thankfully, CSI cyber, when anytime they had red code was malware, they had green code, and then red code was bad code.
[00:43:23] Tanya: Oh, look that is green code. [laughs].
[00:43:25] Mark: Yeah, yeah. So, I get ... Yeah, I hear it. So one of the ... back to, back to some reasonable questions. one of the things that you've been a huge proponent of and a massive help in the community is around mentoring and helping getting people in.
So you run, Cyber Mentoring Monday. That's the new hashtag, right?
[00:43:42] Tanya: Yes, yeah.
[00:43:43] Mark: So what's your top piece of advice He's for somebody looking to get into cybersecurity besides training to jump off of planes with guns.
[00:43:53] Tanya: [laughs]. So the way I got into cyber security was that I got a professional mentor. And by I got when I mean he dragged me kicking and screaming into InfoSec, he spent a year and a half convincing me to become a pen tester.
Then I got another two professional mentors, I guess three and all of them encouraged me and enabled me and taught me. And if I would get really stuck with something, they would always help.
[00:44:20] Mark: Mm-hmm [affirmative].
[00:44:20] Tanya: I feel that having a professional mentor is the most important step because you can't ... right now you can't just go to university, and then become a pen tester or an application security person.
There's, there's courses on Udemy, there's, you know, sans, if you just have hundreds of thousands of dollars you don't need. Like they have amazing courses. If I had all the money in the world I would go.
[00:44:44] Mark: Mm-hmm [affirmative].
[00:44:46] Tanya: But the Canadian dollar and the American dollar, just oh my.
[00:44:51] Mark: Yeah.
[00:44:51] Tanya: but there's no like clear career path to get there. But with a professional mentor, you have a person that is in your corner who you can trust, even if they just have coffee with you once a month and you just say like so, you know, read this book and completed this course.
And I really wanna get some hands on work like, Is there a place I can volunteer or like an open source project I could join. Or like, do you think I could get an internship somewhere like, what are my options?
Just having a person that's more senior that can help- help, not telling you what to do, but just give you some guide rails-
[00:45:24] Mark: Mm-hmm [affirmative].
[00:45:24] Tanya: ... some gentle nudges or really hard nudges depending upon your mentor. Like one of my mentors was like, you're gonna speak up Besides, and I was like, "What, I don't do talks." He's like, "You do? I'm giving you 10 months to get ready."
And I was like, "No." And he's like, "I just tweeted it too late." I'm like, "What? what? What?" He's like, "Get Twitter." [laughs].
[00:45:47] Mark: Yeah.
[00:45:47] Tanya: Because for the first time, I didn't bother with any of that. yeah, and then all these awesome people from OWASP, all agreed to help me with my talk. So my first talk was, how to hack your own apps. Mm hmm.
And it's like how to use a VA scanner, and what the results met, and how to like, go in and fix things. And like, what does this mean, and why is this scary? And how to do it safely. It's just how to run a VA scanner as a Dev.
[00:46:12] Mark: Yeah.
[00:46:14] Tanya: Yeah. And that was what I was learning. So they're like, "Do you understand how many other people wanna learn that?" And I ended up turning into a workshop and giving it every single meetup that would possibly take me in Ottawa.
Like, it did not matter what their meetup was about, I'm like, "Hi, I have this workshop, blah, blah, blah, can I get ... and they just be like, "You're so adorable. You're clearly really excited. Like, yeah, let's do it."
[00:46:36] Mark: Yeah.
[00:46:37] Tanya: Like every meetup said yes.
[00:46:39] Mark: Well, 'cause you're passionate about the subject, right?
[00:46:41] Tanya: Yeah.
[00:46:41] Mark: And the thing that I always try to run Mind people is that there's always someone further behind on the path.
[00:46:45] Tanya: Yeah.
[00:46:46] Mark: Right? And if you've struggled through figuring out how to work that into your workflow, especially when you were just starting out as a developer, that's, you know-
[00:46:53] Tanya: Hmm.
[00:46:53] Mark: ... as much as you're like, "Oh, you know, I'm barely made it work." That's an insane amount of value that you can share with somebody in 30 minutes or 60 minutes or two-hour workshop-
[00:47:02] Tanya: Yeah.
[00:47:02] Mark: ... that they don't have to struggle for weeks, you know, banging their head against the wall, they can learn it from you, and then they can teach somebody else.
[00:47:09] Tanya: Exactly, exactly. And it was just so fun to like, I went to the University and like the Student Association made, like reserve this giant room and then all of us were just hacking on stuff for hours. I'm like, "Go smash all the things. Yeah."
[00:47:22] Mark: [laughs].
[00:47:22] Tanya: And I'm giving them like this VM that had all these different apps. I'm like, "Go get this one. Go get that one. Let's do this." Everyone's running around giving high fives I was just like, "This is nuts." [laughs].
[00:47:32] Mark: That's awesome. That's a fantastic thing to take something that complicated, make it approachable, and to show people the enjoyment in it, right? When I'm talking to people or trying to get in the field, my biggest sales pitches always you will never be bored because there are some of the most amazing problems because cybersecurity touches everything in tech.
So if you wanna work on smart cars, you can go do that. You wanna work on factories, cool. You wanna work on web apps to serve millions of people, yeah, there's a need for all this. And if you like puzzles, this is a great field.
[00:48:02] Tanya: Yeah. All my talks are just lessons that are, camouflage does talks. They're just things that are like, I wish I had known that-
[00:48:12] Mark: Mm-hmm [affirmative].
[00:48:12] Tanya: ... like the Pushing Left, Like a Boss talk is like, I wish someone had told me this at the beginning of my AppSec career. Like, what's the difference between a security assessment, you know, running a scan and a pen test?
And like, when should I do which one like when I was a pen tester, I almost never did pen testing.
[00:48:28] Mark: Yeah.
[00:48:28] Tanya: I basically did security assessments all the time, and called them pen tests, because that's what almost all clients want.
[00:48:34] Mark: Mm-hmm [affirmative].
[00:48:35] Tanya: And like, when should you write an exploit and when are you like wasting your clients money? It's just like-
[00:48:40] Mark: Yeah.
[00:48:41] Tanya: ... oh, that's so helpful. [laughs] You don't actually need to write an exploit for everything, because almost no one cares about you. [laughs] Yeah, I just freaked out.
[00:48:49] Mark: And, you know, that's I mean ... we see that all the time, right, where people are always worried about the latest zero day. And it's not that, that's not the biggest issue.
It's the fact that, you know, you don't have basic security practices in place, you don't have regular patching. Like, it's, it's as cool as it is.
[00:49:04] Tanya: Mm-hmm [affirmative].
[00:49:05] Mark: you know, and I think that was one of the challenges I always see at security conferences is their 99% cool, niche things. And 1% like, "Hey, listen, here's how you actually get stuff done when you're working. It doesn't sound cool.
But, you know, here's how you automate a bunch of your pain away." And that's a continuing theme and a bunch of your talks as well, right?
[00:49:24] Tanya: Oh, yeah, automating stuff is so fun. [laughs]. Like I learned how to code so I would never have to do something twice.
[00:49:32] Mark: Perfect.
[00:49:33] Tanya: And I love automating stuff, especially stuff where it's like really scary, like for instance, scanning for keys-
[00:49:39] Mark: Hmm.
[00:49:39] Tanya: ... and you code. Like that was a lesson I learned at Microsoft a really good lesson in my first few weeks. So the security team, the incident response team didn't like me so much at first because I triggered a real incident by accident. Being a bit of a jackass.
[00:49:54] Mark: Mm-hmm [affirmative].
[00:49:55] Tanya: So I was like, I'm gonna make a lesson for DevSlop. And I'm going to put, you know, fake username and a fake password in a connection string and check it in. And then we're gonna find it as an emergency and then fix it. Well, so I checked it in to my GitHub, and it's like a public facing repo.
And I use Azure to do it and Azure saw and Azure told on me. Azure was like, "Nope, this looks like a key," I'm like, "No, it's okay." And they're like, "We don't think it's okay." I'm like, "No, no, it's okay." on that.
And then it's like, "Did you ask your mom." I'm like, "Yeah, she said it was Yes. Yes. Go Go." So it ... I go past all the things and then it phoned my boss. And my boss calls me, he's like, "Janca, what is happening right now?" And I'm like, telling him and he's like, "Oh, that's hilarious. That's so funny."
And then like in between 11 minutes, the Incident Response Team contacted me and they're like, "Tanya, you put a connection string with ... and I was like, "Oh no, it's for this." And they're like, "So what you're saying is you triggered a real incident within Microsoft for fun?" I ... "No, shit."
[00:51:01] Mark: [laughs].
[00:51:02] Tanya: And- and can tell they're just like, "Huh, children!"
[00:51:06] Mark: But you tested their process and it worked flawlessly-
[00:51:10] Tanya: It worked.
[00:51:10] Mark: ... which is good and a good example of automation, you know, catching, catching, catching, like prompting, are you sure you know? And it was ... that was a nice, like, whether intentional or not, that's a great example of you know, a gentle prod like, "Hey, this might be a problem. Are you sure you wanna do it? Here's the consequence."
You know, "Oh, no. Are you really sure? Are you ... Well, have you checked?" And like, that's a great example of gently kind of walking the user through.
[00:51:33] Tanya: Yes.
[00:51:34] Mark: Please don't take a gun and shoot yourself in the foot.
[00:51:36] Tanya: Yes.
[00:51:37] Mark: You know, but not like, "Hey, don't do that." but just very nicely explaining and educating.
[00:51:42]so with that, I got one last question for you here.
[00:51:45] Tanya: Okay.
[00:51:45] Mark: this has been fantastic. You've shared so much great knowledge, you know, for the people in the audience, check the show notes. But remember tomorrow, all the talks online, Tanya's on at 8:45, Eastern or 5:45 Pacific with Purple is the New Black; Modern Application Security.
[00:52:01] Tanya: And when is your talk, Mark?
[00:52:02] Mark: 1:15, Eastern, thank you. Risk Decisions in an Imperfect World. I'll tweet that out later. But, the, important thing is in the show notes also, you can go to Shehackspurple.dev, sign up for the subscription. not that Tanya needs to know this but it's ridiculously underpriced.
It is an insane amount of value for $70. great set of tools, education, links to all Tanya's stuff as well. She blogs regulated on Dev too, still on medium I think as well, right?
[00:52:28] Tanya: Yeah.
[00:52:29] Mark: For Twitter, all that kind of stuff's there. Definitely follow her, obviously you can tell from this conversation. Just a sliver into the insights of how amazing and deeper knowledge goes in the field.
But with that I wanna give you one last question here. so you're a respected coach and mentor in the field, if you could get one thing across to everybody about cybersecurity, so they could just get it in their head, like it just sinks into their heart and just now known, what would that thing be?
[00:52:56] Tanya: For software developers or for every person ever?
[00:52:59] Mark: either or, your call.
[00:53:00] Tanya: Okay. For software developers, it would be input validation. I'm writing a book and I cover it three times three different ways.
[00:53:08] Mark: Mm-hmm [affirmative].
[00:53:08] Tanya: And then I have stories and then I have more articles. And then I'm more things because if we did input validation on everything ... So if it's from your database, if it's from an API, even if you wrote that API, if it's in your URL parameters, if it's from the user, if it's from anywhere, you validate that input, even if your mom sent it to you.
I remember years ago, I got email from my mom. And there was a virus attached? Actually, no, there wasn't a virus attached. But she had attached a Word document it was just named word.doc or whatever. And I called her and I was like, "There's no subject. There's no text. There's like ... are you sending viruses?" She's like, "Oh, no, I just wanted you to like, read this word document for me."
I mean, and it's saying word.doc? She's like, "Well, I just wanted you to review this." Well, I can't remember why. But don't even trust your mom. Because someone could have ... like, her computer could have got malware, right?
[00:54:06] Mark: Mm-hmm [affirmative].
[00:54:06] Tanya: And if you we could validate everything not sanitize, but validate-
[00:54:11] Mark: Mm-hmm [affirmative].
[00:54:11] Tanya: ... if it's not what you're expecting. Reject it.
[00:54:14] Mark: Yeah.
[00:54:15] Tanya: The end.
[00:54:16] Mark: Love it. Absolutely, love it.
[00:54:18] Tanya: Everyone's like 95% more secure, boom. [laughs] Done.
[00:54:20] Mark: Easy, right? Easy to say. Easy getting easier with frameworks. but yeah.
[00:54:25] Tanya: Yes.
[00:54:25] Mark: I mean, that's why injections been number one in the Top 10 for the longest time.
[00:54:29] Tanya: Yeah.
[00:54:29] Mark: Right? Because people just take validation and we see it even still to this day in tutorials on line for different things like hey, set this up and they just take random input from the internet and you're like-
[00:54:38] Tanya: Yes, I know Hello World, the first thing we do is we show them how to put stuff on the screen.
[00:54:43] Mark: Mm-hmm [affirmative].
[00:54:43] Tanya: And then the next thing we do is teach them how to get SQL injection into their app. Like then accept the input don't validate it. I'm sure it's fine. Now let's reflect it great cross site scripting. Awesome.
[00:54:55] Mark: Yeah.
[00:54:55] Tanya: [inaudible 00:56:23]
[00:54:55] Mark: Somebody has to teach the hackers of tomorrow.
[00:55:00] Tanya: Hello World! if we can adjust Hello World. Oh my gosh!
[00:55:03] Mark: Maybe that's, maybe that's a new project the new Hello World, like Hello New World.
[00:55:07] Tanya: Yeah.
[00:55:07] Mark: And then rewrite it-
[00:55:08] Tanya: Oh, I love it.
[00:55:08] Mark: ... with all the input validated, right? Hmm? We could [crosstalk 00:56:38].
[00:55:11] Tanya: Hello secure world.
[00:55:13] Mark: There- there you go. Perfect. Love it.
[00:55:15] Tanya: And we add that to the lesson. Oh, Mark-
[00:55:17] Mark: Love it. Absolutely love it.
[00:55:17] Tanya: ... this has been such a good conversation. [laughs].
[00:55:20] Mark: With that, I thank you very, very much. Again, everybody listening, hit up the show notes. See all Tanya's fantastic material, follow her on social, subscribe to her stuff off of her main sites. and check out all the talks online.
All the, donations, it's all donation based and all the, companies including Trend is sponsoring it. all the money is just donating, to the WHO, which is much needed in this time. with that, thanks again Tanya. We very much appreciate you taking the time.
[00:55:44] Tanya: May I pump the three other conferences I'm speaking at in April-
[00:55:47] Mark: Absolutely.
[00:55:48] Tanya: ... really briefly?
[00:55:49] Mark: Fire away, we will add these to the notes as well if they're not already there.
[00:55:53] Tanya: Friday, I'm speaking at All Day DevOps, more security, with DevOps. I'm also speaking at Hella Secure, which is, Why be secure when you can be hella secure. A conference all about AppSec, all free with no ads, no sponsors.
And then I'm also speaking at Isolation Con, which is put on by The Many Hats Club from London, but it's for everyone. And that is, I believe, a 24-hour conference as well. So no matter where you are-
[00:56:21] Mark: Perfect.
[00:56:21] Tanya: ... on the planet, you can watch them.
[00:56:23] Mark: Great and-
[00:56:24] Tanya: Thank you so much, Mark-
[00:56:24] Mark: Yeah.
[00:56:25] Tanya: ... it's been so wonderful.
[00:56:26] Mark: Thank you and we'll add the links to those three as well in the show notes and those will be up shortly. Thanks again.
[00:56:31] Tanya: Awesome. Bye, Mark.
[00:56:34] Mark: Bye.