Podcast: Play in new window | Download (Duration: 36:32 — 33.4MB) | Embed
In this episode of the podcast, host Paul Roberts welcomes Tanya Janca of She Hacks Purple back into the studio. Tanya talks about her newly released book: Alice and Bob Learn Secure Coding, published by Wiley and the larger problem of how to promote the teaching of secure coding practices to developers.
In today’s Security Ledger podcast, Paul welcomes the amazing Tanya Janca back to the studio. The founder of She Hacks Purple and the We Hack Purple community, Tanya does secure coding training, and developer relations at SemGrep. She’s a passionate advocate for teaching secure development practices and promoting secure application design.
In our conversation, Tanya dives deep into her new book, “Alice and Bob Learn Secure Coding,” a guide to secure coding for everyone from new to experienced developers. We unravel her journey from writing code to becoming a recognized expert in application security and secure software.

Her journey highlights one of the software industry’s quirks: while the path to becoming a developer is straightforward, the paths to doing application security as a profession are seemingly arbitrary. Tanya’s own experiences underscore the need for secure coding to be intrinsic to every software developer’s education. And that was the inspiration for her new book, after Wiley’s Jim Minitel prompted her to write the book she would have wanted to read to make the transition from a developer to an application security professional.
Bridging the Gap Between Developers and Security
One of the big issues that complicates efforts to improve software security is the gap that exists between security and development teams. Contrary to popular belief, software developers and security teams operate in distinct realms with unique skill sets, and are often siloed within software development organizations.
This divergence calls for tailored approaches to instilling security practices in software development, something her new book aims to achieve by addressing practical methodologies rather than dwelling solely on vulnerabilities.
In Alice and Bob Learn Secure Coding, Tanya explores the full breadth of secure coding practices, highlighting the importance of holistic practices across languages, frameworks, and technologies. She calls for a shift from relying on scare tactics to fostering a proactive, security-minded culture in software development teams. That includes a shift from the current focus on features and rapid release cycles to robust security measures. Tanya encourages developers to question existing norms and engage in conversations that could shift project trajectories towards more secure outcomes. That might include everything from questioning data permissions in application development to advocating for mandatory cybersecurity education for students and young software engineers.
“If you learn secure coding, you’re going to have less bugs later, which means you have less things to do later. If you are not creating the bugs in the first place, everything’s better, right? You save money, you save time, all these things.”
— Tanya Janca, She Hacks Purple
One solution might be greater governmental involvement to establish robust cybersecurity policies that hold software development organizations accountable for security lapses. Tanya and I talk about her personal and professional advocacy work in Canada, where she has called for urgency in integrating cybersecurity into both educational institutions and government policies.
With the release of “Alice and Bob Learn Secure Coding,” Tanya plans to release a series of live streams and discussions, one for each chapter in the book, making security education accessible and engaging. Her collaboration with leading industry experts aims to spark conversations that will promote secure practices across the board, from individual developers to policy-making bodies.
Video Podcast & Transcript
Video Podcast
You can watch a video of my interview with Tanya below. Also: check out more Security Ledger podcast interviews on our YouTube channel!
Transcript
[00:00:00] Paul Roberts (Security Ledger): Welcome back to another episode of the Security Ledger podcast. I’m Paul Roberts. I’m the editor in chief of the Security Ledger. Today with us in the studio, we have Tanya Janca of She Hacks Purple, and now Semgrep, and Tanya’s in the studio to talk about her upcoming book, Alice and Bob Learn Secure Coding. If you don’t know her, she is an amazing InfoSec professional. She’s got a 28-year IT career and has won many awards, including OWASP Lifetime Distinguished Member and Hacker of the Year. She’s spoken everywhere, at pretty much every conference worth speaking at, and trained thousands of software developers and IT security professionals via her online academies, We Hack Purple and [00:01:00] Semgrep Academy, and her live training programs.
Paul Roberts (Security Ledger): And these days, Tanya is the head of education and community at the firm SemGrep, where she speaks about secure coding practices, static analysis, supply chain security, AppSec, you name it, and helps build out and promote a community of security minded developers.
Paul Roberts (Security Ledger): Tanya, welcome.
Tanya Janca (SheHacksPurple): Paul, thank you so much for having me back. It’s so lovely to see you.
Paul Roberts (Security Ledger): It’s lovely to see you, and a really great occasion to have you back, which is you got a new book coming out. This is not your first, by the way. In fact, it’s not even your first Alice and Bob book, but Alice and Bob Learn Secure Coding. It’s gonna be published by Wiley, coming up in February, early February. Really cool topic, very timely. Tell us a little bit about how this came about.
Tanya Janca (SheHacksPurple): Absolutely. So my first book, I had been blogging quite a bit about the secure system development life cycle and a bunch of publishers wrote me and said, you should write a book. And I’m like, I don’t know how to write a [00:02:00] book. I don’t even know how to write a blog. I’m just winging all of this. But then my publisher, Jim Minitel from Wiley wrote me and he’s like, what if you would write a book for Tanya?
Tanya Janca (SheHacksPurple): When she first tried to switch from being a developer to application security, what if you wrote that book for her? And so I just wrote out like an outline and he’s like, this is amazing. Come on, we got to do it. And I’m like, You’re right. Like, this is a great idea. So I did that, and then I started my company, We Hack Purple, which got bought by Semgrep last year, and I basically helped make hundreds of AppSec professionals, just like them reading the book, taking all the classes and then helping them find jobs and get interviews and all of that.
Tanya Janca (SheHacksPurple): And that was a thing that was really important to me to get a lot of new people in. But as so I’ve spoken at a lot of conferences and I’m always preaching to the choir. Right? So as I speak at security conferences, instead of software developer conferences. And who do I want to write the [00:03:00] secure code? I want the developers to write the secure code.
Tanya Janca (SheHacksPurple): And I had written this book thinking, Oh, like the software engineering programming classes. All, all, all of them, the computer science classes, they’ll take this book and they’re like, no, no, this is a security book. It’s not a developer book. And so I was like, I need to write a developer book and my publisher is like, Oh yeah, let’s do it.
Tanya Janca (SheHacksPurple): And so I, I basically was like, let’s think about past Tanya and all the things she didn’t know. And. What it’s like from the other side, because the first book is for the security professional or a person that wants to become a security professional, where this one is for, I do not work in security, I am tasked with making these amazing applications and I want my customers to love them.
Tanya Janca (SheHacksPurple): I want them to work well, I want them to be beautiful and fast, but gosh darn, I really hope they’re secure. Right? And so I wanted it to be sort of the flip side of things. So what is it like to experience the secure system development life cycle? Like, how do I write [00:04:00] secure code? Having someone yell at you does not make you write more secure code in my experience.
Tanya Janca (SheHacksPurple): Or you know, I scanned this and I found some things wrong and you email them a PDF. That’s nice, but the idea of this book is my hope is that you read this book and then you’re just creating better code. So when we do scan it, it finds very little or nothing. The pen tester comes in there, have to work so hard to find something wrong.
Tanya Janca (SheHacksPurple): This is what I want. So
Paul Roberts (Security Ledger): You bring up a really interesting point, and I think for our listeners many of them probably realize this, but some may not. But I think maybe the casual listener might assume that the software security team and the software development team are really just branches of the same, skill set, the same population.
Paul Roberts (Security Ledger): But as you point out, that’s actually not true at all, that the developers versus the security folk have very different career paths and [00:05:00] skill sets and yet they’re expected to cooperate. Can you just talk a little bit about what those different paths are and how you end up on one team or the other?
Tanya Janca (SheHacksPurple): software development’s a really obvious career path, like becoming an accountant. Right. So like you do certain steps and then you’re a software developer. So you, you go to college, you go to university, you take a programming bootcamp, and then you try to get your first job. You might do a co op placement or an internship.
Tanya Janca (SheHacksPurple): You might volunteer somewhere or do an open source project. And then eventually you have enough experience and someone hires you. Right. And then if you do well. The sky’s the limit. But for joining an application security team, Paul, it is weird. I have worked with app sec people who are like, Oh yeah.
Tanya Janca (SheHacksPurple): My last job was a teacher or a nurse. I’ve worked with people where their last job they were sysadmins, they worked in help desk, they were an auditor, they were a lawyer, they had all sorts of, like a lot of project managers, [00:06:00] project managers can be great AppSec folks because gosh, they keep everyone on target.
Tanya Janca (SheHacksPurple): But people come from all these different walks of life and then me. As the person that was a software developer, I have this huge secret skill when I do AppSec, because I can read code and write code, right? And a fair number of people, a surprising number of people that work in AppSec can’t do that. And so they don’t know, oh, I could just automate this.
Tanya Janca (SheHacksPurple): Or, oh, I could just write a script to do that, or I could just add this to the scheduler and then it’ll just run itself and I don’t have to manually start it every morning. That’s a waste of time and brain cells. Your brain is so much better than that. Right? And so they’re coming at it from different angles and quite often the security team is coming from it at an angle of, well, why are all of you doing that?
Tanya Janca (SheHacksPurple): Don’t you know? And the software developers are coming at it from where I came from, where there was no security class when I went to college, and I went to college in the nineties. So that was a while ago. [00:07:00] I’m old. I have been informed by my children. I’m very old. They’re like, you were alive before the internet? Yes, ma’am.
Paul Roberts (Security Ledger): But you’re younger than me, Tanya. So you’re the junior one on this podcast, I’m afraid to say.
Tanya Janca (SheHacksPurple): But even if you go to school right now, They’re not going to teach you application security, and they’re not going to teach you secure coding. If you’re extraordinarily lucky, there might be a web app hacking course.
Tanya Janca (SheHacksPurple): They will teach you the OWASP Top 10, and you’ll play with JuiceShop, which is an intentionally vulnerable web app from OWASP that is amazing. And then you might get a network security class or identity and access management class, but there’s no way they’re going to teach you. How to do input validation and then show you how to use a fuzzer to test your input validation and explain all the different nuances of what is input and what is not input and they’re just not going to teach that and I’ve approached universities and college [00:08:00] colleges like quite often with my book and all of them responded the same way.
Tanya Janca (SheHacksPurple): Oh. Well, if you’d like to, we’ll hire you as an adjunct professor, you will create a course for a semester, we’ll own all your intellectual property after, and we will pay you less than minimum wage. What do you say? And then I’m like, Oh, I’ll be teaching my class for free on the internet. Thank you. If it’s going to be almost for free.
Tanya Janca (SheHacksPurple): But on your terms, I’ll do it completely for free on my terms. And then, and I don’t like to volunteer for multi million dollar organizations. I don’t know about you. Like highly profitable organizations that are for profit? Nah, I’m good.
Paul Roberts (Security Ledger): The example of the other example that often gets used is our architects and, or mechanical engineers right where the ring right and just a core part of that is building safe structures that that are going to be able to withstand the pressures that that they’re going to endure and have [00:09:00] long lifespans and so on.
Paul Roberts (Security Ledger): It’s just baked into the profession itself. And yet software architects, no, not really, it’s about getting to hello world. And then, okay. It said, hello world. That’s all you need.
Tanya Janca (SheHacksPurple): The hello world lesson is so insecure, too. So the first thing you do is put it to the screen, right? And the second thing you do is say, what is your name? And then the third thing you do is you say, hello, your name, and reflect back without any input validation, output encoding, security headers, no nothing.
Tanya Janca (SheHacksPurple): And then we reflect cross site scripting to the user. We teach them wrong from the very first lesson. And it’s so frustrating that they’re like, Oh, well, we would, but we can’t because of our own reasons that. I feel like the government needs to say, you teach safety or you’re no longer accredited university.
Paul Roberts (Security Ledger): So you didn’t get this as part of your education as a programmer. How did you, when you sat down to think [00:10:00] what would I have needed to or wanted to learn about where did your mind go?
Tanya Janca (SheHacksPurple): So the first thing that I cover in the book and that I always want to talk about is programming advice that applies to literally every language because we need to. So I always use this as the first example, because it’s the absolute most important thing you can do, which is input validation.
Tanya Janca (SheHacksPurple): So, and, and this is very frustrating because in our industry, a lot of people say, yeah, input sanitization, like no validation, then either sanitization or escaping second step. And only if you need special characters, we validate that, like, let’s say it’s a date. It’s a date of birth. So first of all, it better be in the past, right?
Tanya Janca (SheHacksPurple): It better act. It should 150 years ago. It should definitely actually be a date. Right? It should be in the correct format that [00:11:00] you are accepting a date and then We do any like any other thing. So let’s say so let’s say your last name was O’Malley with a single quote So you have to accept some special characters you validate that it’s only the characters you’re planning on accepting and then you’re like Okay, so I do have to accept single quotes single quotes are dangerous So I’m going to escape that or sanitize that out, right?
Tanya Janca (SheHacksPurple): And so repeatedly, I see the wrong advice everywhere and, and. That’s less less secure advice. Is it better than not sanitizing at all? Yeah, it is better to sanitize than do nothing for sure, but that’s not the first step and that’s not the best step. And so I start with this advice that just applies to absolutely everything.
Tanya Janca (SheHacksPurple): And then I dive really deep into 10 programming languages and 8 frameworks and 5 different technologies because a lot of us are using serverless. A lot of us are building IoT, we are [00:12:00] all using APIs, right? And there’s slight differences for those things. And a ton of us are using like React, Angular, Vue.js. So many people use Flask. They use, you know, SQL. They use all these things, right? And I want them to know like, listen, this feature is super dangerous. And I would prefer you didn’t use it. Or if you do use it, here’s like five things to do to make it safe. And guess what? Your frame, the thing that was most surprising is such cool things that are available that no one’s using.
Tanya Janca (SheHacksPurple): So like Angular, Vue.js, React, they have so many amazing security features. I’m like, let’s use all of them. Let’s turn it on. Right? And so just, just like a page about what all the cool things are that you can take advantage of so you don’t have to write the code yourself and it has been thoroughly tested and you know you can trust it.
Tanya Janca (SheHacksPurple): So yeah, I go through like what awesome things you should do in each language and then like these are some gotchas and things I need you to avoid. [00:13:00] Dragons be here.
Paul Roberts (Security Ledger): That’s one of the challenges right now, which is in the one hand, development has gotten so much easier. There are incredibly powerful platforms out there to help you develop. And now, of course, these days, AI as well, potentially to help you create code. There’s tons of open source packages you can just grab and pull functionality into whatever you’re building. and as you point out, there are risks that go along with those as well. What should developers who, you know, who have that instinct of oh, I’m going to grab that and use it because it does what I need it to do, or oh, I’m going to use this platform, it’s going to like really speed things up. What should they be looking for to temper that instinct and say hold on, you should check these things out or verify these things before you go ahead and use them.
Tanya Janca (SheHacksPurple): So if you’re going to get a library or a third party component, you’re going to download it from somewhere. You should download it from the official source. Every time. If there’s some other site that’s [00:14:00] hosting it, I don’t care. We cannot trust them. And then if there’s a checksum or a signature that you can validate, that’s way better.
Tanya Janca (SheHacksPurple): Because then you know that it’s authentic, it’s from the right place, and you know that the integrity is intact. So that’s even better. Then, I like to use a software composition analysis tool SCA for short. Sometimes they’re called software supply chain tools because marketing but basically it will scan it and tell you so it’ll scan your app.
Tanya Janca (SheHacksPurple): It’ll figure out all the libraries, frameworks, all the third party things that you have going on and then it will compare it to a list that it has of things that it knows has vulnerabilities. And then if you have a good 1, so this is a new feature that just started in 2022 and about like, a bunch of them have it and a bunch of them don’t.
Tanya Janca (SheHacksPurple): So I would not buy one that does not have this feature. It’s called, well, some of them call it exploitability, but most of them are calling it reachability. So let’s say you have the math library. Paul, we’re not [00:15:00] going to do all the math. We’re not going to do every single type of math. Maybe we’re going to do a derivative, right?
Tanya Janca (SheHacksPurple): And, and that’s it. So let’s say the math library has this giant vulnerability. Okay, but is it in the derivative function? The one that I’m calling? No. So is there no path from within my code to the vulnerability? Is the vulnerability not reachable? Well, then that means if we never get there, then it’s not exploitable, except for in the case of log4j, which was very special and unique.
Tanya Janca (SheHacksPurple): Generally, if it’s not reachable, it’s usually not exploitable. And so then I’m like, Oh, I’ll upgrade off that later. But if it is reachable, I’m like, Ooh, I better run, not walk. ’Cause I have a big vulnerability in my code that people know about.
Paul Roberts (Security Ledger): So if developers are not learning this as part of their. official education as developers. let’s talk about the approach that you take in your new book to walk them [00:16:00] through that process and what how to make it real for them, relevant, to the particular work that they’re doing.
Tanya Janca (SheHacksPurple): So I teach secure coding from what I understand. differently than everyone else in the industry. And I’ve always been kind of a weirdo, Paul. I don’t, I don’t mean to do it. I just tend to always be kind of off. One of these things is not like the other. I don’t, I don’t know why. I don’t know if you know that Sesame street song from when you were a little bit,
Paul Roberts (Security Ledger): Of course I do. Yes. “One of these things is not like the other!”
Tanya Janca (SheHacksPurple): The way most other people teach is they’ll teach about vulnerabilities. And then they teach you how to defend against each one of those vulnerabilities.
Tanya Janca (SheHacksPurple): So they’ll talk about the OWASP top 10, CWE, CVEs things you hear about in the news. And then they’re like, Oh, you know, injection, it’s bad. Here’s why it’s bad. It’s so bad. Let me show you how bad I will do an exploit. Oh my gosh, so bad. And then they’re like, here’s how you defend. And I was like, well, that seems really backwards.
Tanya Janca (SheHacksPurple): So what I came up with was a list of things. way [00:17:00] to write secure code. So when we get input, this is what we do. When we do output, this is what we do. When we handle files, this is what we do. When we handle, we must manage memory ourselves. This is what we do. And this is how you do a great job of it. And it’s funny cause I, so right now I have a bunch, I’m always teaching on the side from Semgrep. I’m always doing secure coding training. So I have this one client. And they have people all around the world. So we did one session in North America and we’re doing one in Europe and we did the one in North America. And I always tell my clients like, I don’t need to teach the top 10. You’re already going to know it once we teach, like we’re going to do the defenses and then the top 10 is a total waste of time.
Tanya Janca (SheHacksPurple): And they’re like, no, no, we need it. They always say they need it. And so we did the class a few weeks ago and we were planning the next class. And he’s like, so you’re right. We don’t need to. Do the top 10. We can skip it because every single one I’m like, okay, injection. So we already know how to defend against this.
Tanya Janca (SheHacksPurple): This doesn’t apply to us anymore. You do number one, number two, number four, boom, you’re done. You don’t need any [00:18:00] of this. And like the entire top 10, except for XML external entities, which is a server setting, which has nothing to do with secure coding. Like all of them are covered.
Tanya Janca (SheHacksPurple): A hundred percent of them are covered except for the one that is infrastructure. And so they’re like. “Oohh! I guess we didn’t need those.” I’m like, no, but if you want the top 10, I’ll teach you whatever you want. Right. And then there, so I thought it was funny how this is the first time where they’re like, you just skip that and you’re right.
Tanya Janca (SheHacksPurple): So I, I feel like we keep trying to scare the pants off of people. Cause we think fear, uncertainty, and doubt will get by in. And instead I focus on, this is how you make a completely kick ass app. Like, you can have a beautiful app that’s fast and, and it looks great and it does everything the customer asks for, but if I can hack into it in 10 minutes, would you call that high quality?
Tanya Janca (SheHacksPurple): And everyone says no. And I’m like, we want our apps to be tough and rugged and something people can depend on. And most people agree. And I’m like, that means it needs to be [00:19:00] secure. So let’s make our app like a bad ass.
Paul Roberts (Security Ledger): My guess is developers would say, yeah, sure. Except, my employer, the incentives in my organization don’t center on security. They center on, getting stuff, out in production, on the timeline that they’ve created. And that’s the
Tanya Janca (SheHacksPurple): Perverse incentives.
Paul Roberts (Security Ledger): Yeah. Perverse incentives or at least non aligned incentives, it’s not that they’re not perverse and that you’re sure you want to hit your deadline, but security just doesn’t figure into it. I’m guessing in your, you hear that in in the classes that you teach and is there stuff in this book to address those sorts of structural environmental factors for developers of like, how do you talk to your employer about ” we need to reprioritize things.”
Tanya Janca (SheHacksPurple): Yes. So one of the things is if you learn secure coding, you’re going to have less bugs later, which means you have less things to do later. Right? So if you are not creating the bugs in the first [00:20:00] place. Just everything’s better, right? You save money, you save time, all these things. So that’s one. So training yourself, and that could be reading my book.
Tanya Janca (SheHacksPurple): I have a free online secure coding class in the Semgrep Academy, and we can put a link to that in the show notes if you want. Every single thing in there is free. There is no upsell. They just hope that eventually when you need one of what Semgrep sells that you consider them, right? Which I think is great.
Tanya Janca (SheHacksPurple): I feel that’s a great marketing strategy. Earn lots of trust, right? But so take and there’s other secure coding classes online. You can take two and some of them are free, right? So train yourself. So then throughout the book I talk about, ask this question, poke this poke and prod about this, bring this up in the conversation because when you do it can change the entire Trajectory of a project and I also bring that up in regard to privacy as well and software developers often [00:21:00] have to do what they’re told to do, right?
Tanya Janca (SheHacksPurple): And, you know, if you’re told to build an app, like Cambridge Analytica, as an example, which was built in the city that I live in. Like, I’m just doing my job. I’m like, you’re doing your job. You’re also being complicit. In violating your user’s privacy, and is that something that makes you wake up and excited to go to work?
Tanya Janca (SheHacksPurple): Right? So you can ask the questions. Hey, is this a good idea? So, I mean, it was Cambridge Analytica’s entire business model to violate privacy, but for most of us, it’s not. So another example that where I’m going to make fun of the city of Victoria is I went to go park downtown and they’re like, Oh, download our app.
Tanya Janca (SheHacksPurple): So I download the app and it says, I want access to your contacts, your photos, your files. And I was just like yeah, no. And then I tweet at them and they say, “read our privacy policy.” I’m like, yeah, your privacy policy sucks. You do not need to see my photos. You do not need to see my messages. No, right?
Tanya Janca (SheHacksPurple): And so I [00:22:00] always just pay at the little meter thing because I won’t accept their terms of service because their terms of service suck. So Victoria, get with it. But I feel, I feel like just asking a question out loud or saying, I’m not sure I feel comfortable with that. Do we think, do we think our users will appreciate this?
Tanya Janca (SheHacksPurple): Right? Cause I, I went to a site so my friend was telling me that you can play D&D, but where it’s sci fi. And he was like, it’s called Warhammer 40,000, which I’ve never heard of. I’ve never played D&D, but I’m like, Oh, this sounds interesting. Maybe I’ll look into it. And the first thing it did was ask for access to my hard drive.
Tanya Janca (SheHacksPurple): And I was like, guess I’m never going to play Warhammer 40,000. I guess I’m done. Just goodbye.
Paul Roberts (Security Ledger): Unfortunately, of course, many users don’t know enough. They don’t connect the dots. Why does this compass app need my contact information?
Tanya Janca (SheHacksPurple): When we give access to a site like that, if that site ends up having one field with cross site scripting, [00:23:00] that means the attacker can go see my hard drive. Like, if I, if I click on, I also have to click on a link, or there could be stored cross site scripting, in which case I have no defense whatsoever. We talk a lot about least privilege, assume breach, and other things, and how to design and code our systems to be more secure.
Paul Roberts (Security Ledger): One of the things that we’ve seen certainly in the last few years is a lot more attention and talking anyway in the U.S. and Canada as well, around this topic of secure by design and, in the U.S., secure by demand. So both trying to get software producers and end user organizations to both raise the bar. Software producers: produce more secure code. And user organizations: raise the bar that you’re asking vendors to clear in order to put their stuff on your network. Are you seeing any evidence that’s having an impact in terms of the way developers and development organizations are looking at their priorities?
Paul Roberts (Security Ledger): And, what do you think is a policy fix for some of [00:24:00] these kind of endemic issues around, low quality, insecure code, lack of incentives, lack of accountability, those types of things.
Tanya Janca (SheHacksPurple): I would like it if there was, for starters a place where people can report security issues, and then we know that they will be followed up on, and that there will be accountability.
Tanya Janca (SheHacksPurple): I’d like there to be a place where we can report, someone’s not following this policy. Because the, so I live in Canada, and the Canadian Revenue Agency, when I worked for them, I wrote their web app security policy and they are not following it.
Tanya Janca (SheHacksPurple): And I’ve written letters to the prime minister’s office, to their minister, and they keep saying, that’s none of your business and we can’t talk about it because security. I’m like, no, but you’re not doing security. I want to talk about that. So because security, really?
Paul Roberts (Security Ledger): we’re doing security through obscurity,
Tanya Janca (SheHacksPurple): but they’re not, they’re not
Paul Roberts (Security Ledger): but they’re not.
Tanya Janca (SheHacksPurple): And so I would want that. I would want a place where they are held accountable if they are not following the policies. [00:25:00] Then, oh, I would love it if I could write. So when I work places and I do AppSec, I make an AppSec policy. And so we decide what level of security assurance is acceptable for our org.
Tanya Janca (SheHacksPurple): And then we make a policy. That we think will bring us to that level for all apps. So it’s like every new app. We must have this type of test or these many types of tests, and we must remediate things at this level. We must have these things implemented, and these technologies and layers of abstraction or defenses must be included.
Tanya Janca (SheHacksPurple): And then for old apps, we must test like, or apps that are currently in production, sometimes called legacy. We must have this happen every month. We must have this happen every week. We must have these things, whatever, right? By having a policy that states how we must treat all of our applications, and especially having a secure coding guideline or standard, it’s like one of the things will be you, your code must [00:26:00] meet the standard.
Tanya Janca (SheHacksPurple): And if it does not meet the standard, it must start to meet the standard by, you know, X number of weeks from which you have been informed. If you need help meeting the standard, we will, you know, send you resources or whatever the thing is so that you can comply. And if we had something like that for, first of all, all of the government agencies are like, I need my data to be secure. Paul, the Canadian Revenue Agency lost my parents’ identities on the dark web.
Tanya Janca (SheHacksPurple): They have to have credit monitoring for the rest of their lives. There’s a huge class action lawsuit against CRA, and it came out recently that they did not report over 40 security incidents to the information commissioner because they didn’t feel they were, what is that word? That legal word that they use? Material and they were material and I want people fired. I know that sounds mean, but I’m sorry, there has to be accountability or suspended or a demoted or [00:27:00] something like, come on.
Tanya Janca (SheHacksPurple): I, I want it to mean something when you break these policies. And at first we do everything we can to help everyone comply and we do that for 2 or 3 years to get everyone.
Tanya Janca (SheHacksPurple): And then after that, it’s like, I’m sorry, we’ve had, you’ve had 2 or 3 years’ grace. Now we have a stick. And if you are not compliant, it’s because you’ve chosen not to be compliant, right? So, I’d really like to see that, and then I’d really like to see education for the public. So in British Columbia, where I live in Canada, the government issued a 22 million grant to a non-profit to help everyone get ready for quantum computing.
Tanya Janca (SheHacksPurple): Why didn’t they do that for cyber? There’s nothing like that for cyber. Why? I’ve been volunteering for the Canadian government since 2018 to help add cybersecurity to high school and children’s curriculum. But the place where I volunteer, the ICTC, they’re a crown corporation and essentially it is [00:28:00] optional for universities and colleges to decide if they want to do that content. And so like maybe 250, 300, 400 schools do it and the rest just don’t. I’m sorry. Mandatory digital literacy is mandatory. Cybersecurity literacy is mandatory, right?
Paul Roberts (Security Ledger): We said this earlier in the podcast, but there’s so many analogous industries and activities, whether it’s food production or building construction or heavy machinery or what have you, where, seemingly as a species, as societies and economies, we realized decades ago, oh, this is hugely important technology, but there are all these risks that go along with it.
Paul Roberts (Security Ledger): So we need to put guardrails up and manage that risk in the spirit of public health and safety and so on. Yet with software, which arguably just now touches and runs everything, all of those things, plus other [00:29:00] stuff, healthcare, we can’t seem to wrap our arms around that same concept of public health and public welfare, and being like, no, we gotta insert ourselves into the build process, the development process, in the name of public health and safety.
Tanya Janca (SheHacksPurple): Right now we’re letting the industry decide. And guess what it’s doing? It’s profiting and I’m profiting too, just to be clear. So like when I do training for an enterprise, I charge as much as I can because I have mortgage and I want to not have a mortgage. But when I deal with individuals like that’s why I sold my company with a deal that all my content would become free in public.
Tanya Janca (SheHacksPurple): Because I want to move our industry forward, but right now we’re letting capitalism decide how we do cyber security. And that is a gigantic conflict of interest. We need the government to get involved. And so, when I went to BSides Ottawa, which, if you are watching, rather than just listening, you can see I’m wearing a T-shirt.
Tanya Janca (SheHacksPurple): So I was there last week and the Treasury [00:30:00] Board had a table. So that is the policymaker department for Canada. And then the CSC, the Canadian Security Establishment, that’s the cyber arm of Defense Canada. I spoke to both of them and I was like, listen, we got to do stuff. And they’re like, okay, let’s talk.
Tanya Janca (SheHacksPurple): Cause I, I, I built, I wrote this book so that it’s very easy to make a secure coding policy out of it. I wrote the book so that it’s very easy to make an application security policy. I want people, in the book I’m like, copy this and make a guideline where you work. I do not say copy this onto the internet so people can steal my intellectual property and not buy my book.
Tanya Janca (SheHacksPurple): But I really want you to use my work to do your job better. And I’m planning on making a cheat sheet out of every single section. And where it’s like, you join my newsletter, you get the pretty cheat sheet. Because I want it to be as easy as humanly possible. And so I’m trying to work with the Canadian government.
Tanya Janca (SheHacksPurple): I’m being, I said earlier before we started recording, annoying. And you said, [00:31:00] thorough, relentless, persistent. Ha ha ha.
Paul Roberts (Security Ledger): I am a writer. That’s…
Tanya Janca (SheHacksPurple): All of us need to push, all of us need to talk to our government officials and say, this isn’t acceptable. So if all of us start calling, something will happen. If Tanya just calls Alistair, that’s my member of parliament, all the time, eventually, well, he’s very polite and he always takes my calls, but it can’t just be Tanya. It has to be a bunch of us pushing and then it will matter.
Paul Roberts (Security Ledger): Okay. Final question, picking up on the same theme. With your past books, you’ve done these series of videos to basically give a video version of what’s in the book and, you know, just release that for free to the public and allow them to watch these videos and so on. You’re very focused on different learning methods and styles and this is part of that. So just talk a little bit about what you’re going to be doing with the latest book.
Tanya Janca (SheHacksPurple): Alice and Bob Learn Secure Coding has 15 chapters. And so it comes out in February, but we all know it takes a while for [00:32:00] everyone to get their copy and have it shipped to them. So maybe two months after that, I’m going to start doing a live stream every month with friends, just like I did last time, where people can come live and interact with me and whoever I’ve invited for that subject.
Tanya Janca (SheHacksPurple): And we’re going to do one chapter at a time for 15 months. We did it last time and it has thousands and thousands of views. I also released it as an audio only podcast last time, which had fewer listens than the views. So we’ll see if I do both this time. And then I’m going to save it to my YouTube channel permanently and people, someone wrote me like two weeks ago and she said, oh, I bought your book.
Tanya Janca (SheHacksPurple): And it said that there were these things on your YouTube channel and then they were there. I’m like, Oh yeah, there’s, there’s a lot of stuff on my YouTube channel. There’s a lot of stuff there. And she’s like, and I’m watching them one at a time. That’s so cool. Thank you. Like even buying your book this many years later, it’s still there.
Tanya Janca (SheHacksPurple): I’m like, Oh yeah. And so I want to make it so that you can hear us talk about the chapter, what’s in it, what it means to us. And then I sort of do a little [00:33:00] interview with each of the people and their specialty that is in that chapter. And then we’re going to answer the questions that are in the end of every chapter.
Tanya Janca (SheHacksPurple): And that is fun because sometimes my guests disagree with me and then in the end we usually always agree, like we kind of suss it out. They’re like, well, I like to think of it like this and this and this, and I’m like, but in the end they’re like, yeah. Because we’re friends for a reason, right? We really care about security.
Tanya Janca (SheHacksPurple): And so last time I had Adam Shostack on to talk about threat modeling. I had my friends Ray and Aaron from Hellasecure for comedic relief. Yeah, I had just basically everyone I could think of on to talk about what their specialty is because sometimes hearing it from someone else is way better.
Tanya Janca (SheHacksPurple): Right. And so I have an entire chapter on vulnerabilities and what they mean and why they’re scary and how you would already know how to defend against them because of the previous part of the book. But having people on [00:34:00] that are amazing, talented pen testers to talk about the terrible things they do. I think that’ll help emphasize my point.
Paul Roberts (Security Ledger): Red teamers and pen testers. Absolutely. They’re poking for holes in your code. So who better to talk to? You’ve got an amazing network. So I’m sure that these 15 episodes are going to be a little bit of a who’s who in InfoSec and secure application development. Definitely worth
Paul Roberts (Security Ledger): keeping on your radar for when it comes. The book is out February 5th. How can people get their copy, Tanya?
Tanya Janca (SheHacksPurple): Yes. So you have two choices. So one, you can go to my website, shehackspurple.ca, and then click on my books and it has a list of every single place that sells the books. Or you can go to Amazon for your country. So I am in Canada. It’s for sale there. It’s for sale in Australia. It’s for sale in India.
Tanya Janca (SheHacksPurple): It’s for sale in the UK, et cetera. And so go to the Amazon for your country where you usually order things and, [00:35:00] most of them have it. If for some reason you can’t get ahold of it, send me an email at tanya
Tanya Janca (SheHacksPurple): at shehackspurple.ca, and I will make sure you get a copy. If you have Security Champions, if you’re an AppSec leader and you have a team of Security Champions, so people on your different dev teams, and you’re planning on buying a whole bunch, again, send me an email, and I will get you a 20 percent discount, and I’ll shove it full of stickers, and sign a little for you, for free. So, it’s a good deal. Yeah.
Tanya Janca (SheHacksPurple): If people want to learn more about me or follow me or see all my content, just look up SheHacksPurple and all of it is me. I used to have an imposter who impersonated me who had bought a domain similar to mine, but she’s gone now, so that is great. And so now all of SheHacksPurple is me.
Paul Roberts (Security Ledger): Tanya Janca, it is amazing to have you back in the studio. And so great, and congratulations on writing your latest book. You’re an [00:36:00] inspiration. And I’m really glad to have you on, and we will include a link to the book, and thank you so much for writing it and trying to educate us about this really important topic.
Tanya Janca (SheHacksPurple): Thank you for helping me spread my message, Paul. I really appreciate it.
Paul Roberts (Security Ledger): My pleasure. And we’ll have you back on the podcast again soon.
Tanya Janca (SheHacksPurple): Awesome.