Welcome to episode 12 of Software Security Gurus, with Matias Madou. In this interview, he chats with Tanya Janca, security rockstar and founder of We Hack Purple.
Visit We Hack Purple
Introduction: 00:36-01:35
How can we convince developers that software security is important?: 01:35-05:07
Are we making AppSec too complicated for entry?: 05:07-09:41
How can we make the tech industry less toxic and more inclusive?: 09:41-16:30
Matias Madou:
Welcome to the Software Security Gurus webcasts. I'm your host Matias Madou, CTO and co-founder of Secure Code Warrior. This webcast is co-sponsored by Secure Code Warrior, and for more information, see www.softwaresecuritygurus.com. This is the 12th in a series of interviews with security gurus, and I'm super pleased to have with me today Tanya Janca. Welcome, Tanya.
Tanya Janca:
Oh thank you. Hi.
Matias Madou:
Hey Tanya, so do you mind sharing a few words about yourself?
Tanya Janca:
No, not at all. So I am a nerd on the internet who is obsessed with securing software, and I run my own training company, and I just launched my very first book, Alice and Bob Learn Application Security. It just went for sale this week, and I can't believe I wrote a book.
Matias Madou:
Congratulations. I did not know it was out by now.
Tanya Janca:
It is for presale as of this week. I didn't even know. My followers are hackers, so they found it. And they were like, "Why didn't you tell us it was for sale?" I'm like, "I didn't know it was for sale. How do you know and I don't know?"
Matias Madou:
Nice. Okay, I'll pre-order. So action item for everybody on the call, which is hey, pre-order the book.
Tanya Janca:
Yeah, absolutely.
Matias Madou:
So if you don't mind, Tanya, I have three topics in mind for today. Hopefully they are near and dear to your heart. And the first one is around I read how you got into software security, and it took a hacker, actually, one and a half years to convince you that software security was important. So how can we now convince other developers, hopefully in a shorter amount of time, shorter than one and a half year, that software security is important?
Tanya Janca:
Well, the ethical hacker convinced me to stop being a software developer in order to work in security, and I just loved writing code. So I feel like the best way, so when I help companies create security champions programs, is I do lunch and learns, and I teach cool stuff about security, and then the people who are interested self-identify. So my very first AppSec program, I had switched from the dev team to the security team, and I literally sent out an email that said, "I'm going to hack a bank at lunch. I'm going to hack into a bank and steal the money at lunch. Who wants to come?" And people showed up. They were like, "Tanya."
Tanya Janca:
And then, I used a known to be insecure app, and then I showed everyone what SQL injection was, which was we'd had an incident with it. And then they were like, "Oh my gosh, this is ridiculous. How can we help?" And then I showed them how to use OWASP's app, and I made it this fun thing. And, before I knew it, there were certain people who were super obsessed with learning more, and more, and more. And I just encouraged, and encouraged, and encouraged. And before I knew it, I had whole champions team. And so if we can draw them in with interesting stuff, and teach them, and show them the cool secrets. That's how I got hooked, seeing the cool stuff.
Matias Madou:
I can totally relate to that. I think seeing it for real, that stuff is going to go down, and the closer it comes to home for these people, the more interested they are. I actually thought you always wrote perfect code and it took a year and a half for your code to be hacked.
Tanya Janca:
No.
Matias Madou:
No?
Tanya Janca:
No. I did every bad thing that they talk about developers doing. I didn't know any ... I went to college in the '90s. I'm older than most people realize. And so I graduated in 2000. That's a long time ago. And there were no security classes. There was nothing on that side.
Matias Madou:
Well, there was Crypto, but let's not go that route.
Tanya Janca:
Oh yeah, exactly. Well, learning all about crypto won't help you write secure code, unfortunately. I mean it's useful, but it won't help you write secure code.
Matias Madou:
Yeah. Okay. So I think proof of the pudding is definitely how we can convince developers. Today you have a company, SheHacksPurple, or WeHackPurple. Congratulations. And one of the things that I really like about the culture that you're producing is that you boil it down to the essence. So you're able to explain very complex things in a very simple way. For example, what is DevSecOps, Tanya?
Tanya Janca:
Oh, so basically DevSecOps is what application security people do when they work in a DevOps environment. So AppSec, it's our job to make sure the software that we're creating is secure. And when you work in a DevOps environment, you have to change the way you do your work. So you have to work within their processes. You can't just put a SAS tool into a pipeline and have it run 18 hours. No, you will have no friends. So you have to go with all the dev and the ops people and use their processes, and fit yourself and weave yourself into what they're doing. And that's SecOps.
Matias Madou:
So you've explained that in under three minutes where, if I ask that same question to other people, it can take 15 to 30 minutes and I'm not any wiser. So is that the problem of application security or technology, that we're making stuff super complex and very complicated? Is that a contributing factor that we are not getting enough people into our space?
Tanya Janca:
So applications security is hard. That's part of actually what attracted me to it. So the more difficult a project is, I'm like, "Oh, me. Pick me," because I guess I'm a masochist or something, but I really love to have challenges, but I feel actually it's that we're not teaching it in school. So we teach Hello, World!, but the lessons actually teaches you how to embed cross-site scripting vulnerabilities into your app if you look at the first lesson. And I also feel that we've made training absolutely completely unobtainable, so there's no school you can go to and then you're an AppSec engineer. And so that's what WeHackPurple is trying to create. But for instance, [SANS 00:06:21] offers lots of super cool classes, but I live in Canada and our dollar is not the same as their dollar, and I looked it up once, and it was going to be 20% of my post tax income for the year to take one course. And I was just like I can't.
Matias Madou:
Yeah. No, that's the limiting factor for a lot of people then.
Tanya Janca:
Yeah, exactly. And don't get me wrong, if I could get in free, I would do every single SANS course in a row. Their stuff's really cool, but especially if you don't live in America, or you don't have sponsorship from your boss. And so I want to make it more obtainable. And I feel like right now, so if you're going to fly to a conference, which obviously, with COVID, we can't do, but last year I would go to OWASP conferences, and because I'm an OWASP leader, I could get in free to the training, which to me is amazing, but not everyone is willing to lead a chapter on a project and then pay for themselves to fly across the country so that they can go to a two or three day training. And so it's not in most people's budget. And I feel like we need to make it more obtainable, and then from there we will be able to spread the word a lot more.
Matias Madou:
Okay. So technology, it's not the simplification of technology but really the accessibility for people, the dollar amount they have to pay to get into these programs that is a limiting factor.
Tanya Janca:
I feel that, and also that most of the training that I see online is ... How do I explain? So there's a lot of cool stuff on open source tools. There's not a lot of training that is available on those really expensive tools. If you want to learn how to use a SIEM, a security information and event management system, so a thing that a SOC analyst would want to know how to use really well, you can't just go take a course and learn all the different SIEMs so that you can put on your resume, "Experience with QRadar, with ArcSight, with this, with that." And okay, one, all of that stuff's so cool, I love seeing all these really amazing security products and what they can do, but also you can't really go do it. And I feel like we need to open that up a bit more, but I'm biased. I don't make a cool product, I just make training.
Matias Madou:
It's a chicken and the egg problem. So they quite often require people to have a certain amount of years of experience, and at the same time, it's kind of impossible to get that experience without paying a lot of money.
Tanya Janca:
Yes, exactly. And then who wouldn't be a bit put off by that? So I feel like I was really lucky because the OWASP community in Ottawa just adopted me, and all of them were teaching me stuff, and they were all just so amazing, and mentoring me. And I feel like I basically had the nicest introduction to InfoSec that any human has ever had. I feel really grateful and lucky.
Matias Madou:
That's a selling point for Ottawa.
Tanya Janca:
But how can we get that for everyone?
Matias Madou:
It's a selling point to go to Canada and Ottawa.
Tanya Janca:
Oh yeah. Oh my gosh, the community there is amazing.
Matias Madou:
Nice. Last topic, Tanya. So in your resume that I found somewhere online, you mentioned several career setbacks, harassments, toxic work environments. You also mentioned that the tech scene actually has improved over the last couple years. You were one of the driving forces behind Women of Security, if I'm not mistaken. So if we're looking forward, what can we do to take the next step today to be more inclusive? What are suggestions of, where we are today, what is the next step? What can we do?
Tanya Janca:
I would say that if every workplace, if every manager went and then just asked all of their employees who are from underrepresented groups, "Hey, how's it going? Is there stuff that we could improve?" assuming you can not be defensive, because it's really hard, but if you can listen openly, and hear what they have to say, and then improve those things, I bet that you would see a giant change. During the Black Lives Matter movement, so I realize it's still ongoing, but when it first started, I reached out to a bunch of places where I consult and actually asked them to make statements about it. And one of them, the CEO met with me, the CEO of the giant company met with me, and he's like, "Tanya, I want to make a statement, but our board is all old white dudes. And I don't want to make a statement. Instead I want to make a change. How can we change?"
Tanya Janca:
And so that company, I do training and other stuff for them, and so I was like, "Okay, so now all the training's virtual, right?" He said, "Yeah." "Well, why don't we open up two spots in every training to someone from an underrepresented group?" And he's like, "Oh my gosh, yes." And I said, "You keep asking us to refer candidates. What if you gave a bonus if the person was from an underrepresented group?" And so we made this list together and he's like, "Thanks for the list. I'm going to go knock this out of the park." And then he just off and made changes. And so I feel like if you can reach out to the people who work for you who are from underrepresented groups, ask if everything's okay, ask if they have ideas of how they could improve it, and then actually do it.
Matias Madou:
Do it, yeah. Listen and do it, yeah.
Tanya Janca:
And I don't mean that each person who's a woman or who's a person of color, et cetera, it's their responsibility to do it, but they probably will see things that you might not. In one of my exit interviews, my manager, who had been totally sexist the whole time, he said to me, "Okay, so I guess sexism in IT isn't a thing anymore." And I couldn't believe he said that because he had asked me if I was pregnant in my interview, and he had asked if I was planning on babies, because he didn't want crap getting in the way of my responsibilities, and all of this stuff that's totally inappropriate, and illegal, I might add.
Tanya Janca:
And I was the only white person on that team. Everyone was Asian except me. And so I said to him, I'm like, "Imagine if I said to you racism isn't a thing. It might be because I'm white and it's not happening to me, so I think it doesn't exist because it's not happening to me, and I don't have my eyes open enough to see that it's happening to all the people around me." And then he said, "I understand, thank you." And that was the only time I felt I connected with him the whole time I worked for him. I was just like oh my God, he listened.
Matias Madou:
That's so terrible. So unfortunate.
Tanya Janca:
But I feel like then it connected for him. And so maybe he would stop asking ... I did end up telling his boss about the inappropriate things during my interview. Yeah, he actually asked in an interview two weeks later if I was pregnant, and I was like, "I have not had that good of a time in the past two weeks," because I just didn't know what to say. I was just like what is wrong with you? I can't believe you're basically asking about my sex life. Oh my gosh. Yeah, but I got the job.
Matias Madou:
So listening and taking action on what the suggestions are, ultimately.
Tanya Janca:
Yeah. Asking and hearing, hearing what they say, and not being defensive.
Matias Madou:
Okay. Last question, Tanya. Again, I read on your life story that you were in an hardcore punk band when you were 20-something. And I was first wondering, did you have a purple Mohawk?
Tanya Janca:
No, actually I have never had a Mohawk, but yes, I've had interesting color hair for most of my life. As soon as my parents allowed me to dye it and add color, I did.
Matias Madou:
So how many subscribers will it take to convince you to have one?
Tanya Janca:
I actually am really liking the long hair. A Mohawk is so much work. They don't tell you that, but I've had friends, lots of friends with Mohawks, and women friends with Mohawks. So if you're a woman and you have a Mohawk, your Mohawk has to be so much prettier so that you can still feel super fem, and so you might have little bangs on your Mohawk, or you might style it in different, cute ways. And I'm lazy. I have long hair because then it just sits there and people are like, "It looks nice." I'm like, "I brushed it."
Matias Madou:
So I'm not able to convince you to get a purple Mohawk? Not yet.
Tanya Janca:
Not right now, but who knows?
Matias Madou:
Who knows, yeah.
Tanya Janca:
I don't say never on very many things.
Matias Madou:
Well, wait until the midlife crisis comes and then maybe.
Tanya Janca:
Yeah, really. I mean I don't know. I think I had my midlife crisis last year, where I decided to start this company, and I moved to Victoria. So I moved away from Ottawa to the west coast, and I now live by the ocean, and I run my own company instead of working for someone else, and I wrote my first book, and I made this huge change. And so someone was saying to me, "How's your midlife crisis going?" And I said, "It's great."
Matias Madou:
Keep it going, Tanya. Keep it going. So thank you very, very much, Tanya, for accepting to being the 12th guru on the Software Security Gurus webcast. It was a fantastic chat.
Tanya Janca:
Oh, thanks for having me so much.