WE'RE IN!

Tanya Janca on Cyber Mentorship, “Shifting Left” and Punk Rock

Episode Summary

Application security maven Tanya Janca, AKA SheHacksPurple, is an accomplished author, pentester and onetime music festival organizer. But she's perhaps best known as the founder of We Hack Purple, a community of security professionals dedicated to sharing useful cyber information, including coding trainings and coursework. (Dynamic application security testing (DAST) vendor Bright Security acquired We Hack Purple earlier this year, bringing its own approach to the "shift left" dilemma of moving cybersecurity earlier in the software development cycle.) Tanya has spent much of her career in cybersecurity and IT empowering others to strengthen their own skills. With We Hack Purple, she built a community from the ground up, and she's organized plenty of security talks and capture-the-flag tournaments along the way. Computer science can be a nebulous, wide-ranging field; Tanya has further helped people zero in on what they should focus on learning in the wide world of cybersecurity.

Episode Notes


-------

Tune into the episode to hear more on: 

* The story behind Tanya’s bestselling book, “Alice and Bob Learn Application Security” 

* The qualities that make a good pentester: “You have to be very determined and detail oriented,” as Tanya put it

* #cybermentoringmonday and the value of professional mentorship

-------

Links: 

* https://wehackpurple.com/

* https://brightsec.com/

* https://www.synack.com/

* https://readme.security/

Episode Transcription

Bella: [00:00:00] All right. Well, welcome to the show, Tanya. Uh, it is, it's really awesome to have you here. Uh, Jeremiah and I are both very excited to get to chat with you today. Um, I've actually seen you speak twice, both virtually at the last two Diana Initiatives, and both of your talks were phenomenal.

Of course. Um, but additionally, like, one thing that I very much remember, in addition to the purple hair that I saw the first time, uh, I very much remember you being probably one of the most enthusiastic and, like, genuinely passionate people that I've ever heard talk about security. So I'm especially excited to talk with you today.

I think obviously that makes for a great, a great podcast conversation. Um, but I wanted to start by talking about We Hack Purple, um, and just kind of get, can, can you tell us a little bit about what that is and why you started it?

Tanya: Basically what I was trying to do with We Hack Purple was make a place where every single type of person felt welcomed. So whether they were someone who'd been a dev for 20 years, and they're just curious about making a better app, or if someone used to be a nurse and now they are changing careers and they want to become a security professional.

And they're like, I'm not sure exactly where I fit into this whole cyber thing yet. Um, I wanted to make a place where basically everyone felt comfortable and welcome and that they could just, they could learn at whatever level they're at. So we even have introductory stuff for if you don't know any information security at all.

Um, and so when you join the community, everyone, like, is like, hello, hi. Um, and then there's a bunch of articles kind of to start off, and then you can say, oh, well, I, I know nothing. Um, and you can sign up for, like, a, we call it drip content. So once a week you get a little lesson to your inbox, or you could just jump right [00:03:00] in and take a course and just be like, teach me everything now.

Um, yeah, we just want to make a place where people felt comfortable, because when I switched from software development into security, I found, sometimes people call it gatekeeping, but it's, it felt like no one wanted to teach me and no one wanted to show me how. And it was like, there are these great, amazing secrets, but they're keeping them from me.

And I was like, I want to know everything. I want to be really good at this. Like, I don't know. In software development, it's like, hey, see this cool function I wrote. But in security it's like, yeah.

Bella: Yeah. That's, I think...

Tanya: So I wanted

Bella: I have, like, a very, like, similar experience. When I first, I remember, like, when I first started getting into the security industry, I had so many questions. Of course. And, like, this was, I was fresh out of college. I was so excited. I had so much energy. I wanted the same kind of experience.

I just wanted to know everything. And I, like, distinctly remember so many people telling me, like, oh, there's resources online. You can just find information. And [00:04:00] I, like, distinctly remember thinking, like, well, that's great, but, like, where, and how do I pay for them? And, like, I think it's really, I've been really passionate about finding new, or, like, not even necessarily new, but, like, finding all of the ways that we can, like, teach new folks about cybersecurity without asking them to, like, fork over $5,000 for a certification.

Tanya: Yeah, when I started. So I'm Canadian, and the Canadian dollar is worth a lot less than the American dollar. And so when I would look at training courses... And we also pay a lot more in taxes. And so, um, I pay around half of each paycheck in tax. And so I [00:05:00] remember looking at one of the courses and I was like, this is literally 20% of my take-home for the entire year for one class.

And I was like, there's no way I could possibly ever afford this. And I thought, I remember telling my boss, and my boss laughing so hard, and he was, like, holding his belly, laughing and laughing and laughing. And he's like, you want $10,000 Canadian dollars so that I could afford, like, a six-and-a-half-thousand-dollar course?

So you can take a one-week course? He's like, are you going to come back and be a ninja? You gonna be able to, like, secure apps with your mind? And I'm like, well, that's actually, like, the first level. And then, and he was just like, oh. And our budget was $2,500 a year. And I was like, well, what if I saved that for four years?

And he's just like, you're not allowed to do that. So you would be taking the entire team's budget for you to take one course. He's like, Tanya, it's selfish. I can't do that. I'm sorry. And I was like, okay. So then I found a workaround, and I, I figured out [00:06:00] if I give a talk at a con...

Bella: Yes, there is.

Tanya: And sometimes people, like, I'll be at a conference in person and they'll be like, hey, let's chat. I'm like, come with me. There's this super cool presentation happening. I really, really want to see it. And, like, the joke's on all of you, I'm here to learn. And so it's, like, so...

Bella: Oh my God.

I, I, uh, have always loved the idea of conferences. I love the idea of getting to like network with people in industry and learn from like the people that I look up to just like have them in front of me talking to me. That's amazing.

Jeremiah: I'm actually kind of curious on, like, to go back to the, We Hack Purple again, actually, because it's such a cool, um, initiative.

I'm looking at the website as we speak, and I see that you can sort of request to join who, who is that for? And, and, and who all can participate.

Tanya: So we used to, when we first started, we charged $7 a month or $70 a year to join, and that created a barrier to entry. Um, but it also helped fund my startup, because from the first month, basically, I was able to pay all my bills. So then suddenly I had a runway in order to do it. 'Cause, like, when you're starting a startup, you don't immediately have income.

Right. And so I was really lucky that basically a lot of people that support, that really support what I do, were like, I'll give you seven bucks, no problem. And so before I know it, I could pay my bills and I was [00:11:00] later kisses. I, like, I don't live in extreme. That also, it was not that hard. But so I'm like, okay, so now I sort of have this endless runway. But then I started creating courses and I started doing enterprise training. Enterprise training pays really well.

And so then I reached out to everyone in the community and I said, okay, so I kind of want to make the community free. Um, because I don't want people for whom, because for some people, $7 is a lot. Like, in Canada, $7 isn't very much, but in India it really is. And so I was like, I want to find a way where the barrier to entry is not financial, but I still want to have some sort of barrier to entry, because I don't want it to be a place where... I want, like, the barrier to entry to be effort.

And so the platform that we're on is called Mighty Networks. And so then I reached out within their community, and people said the best one is make them answer a few questions, and they just have to type. So basically you're just like, uh, what is your name? Um, and why do you want to join? And as long as their answer isn't "so I can harass others" or "so I can sell all my products to everyone," because advertising is not allowed in the community. And then we have a big, long code of conduct, and it's, like, really, really specific. So it's like, racism, racism is not allowed, and sexism, but we also get a bit more specific.

Like, if we have an event, you're still following the code of conduct at the event, even if you're not inside the community. And if we [00:13:00] have an event and then you all go off and do something after, we can't enforce the code of conduct. But if we hear about a bunch of you going to a bar after and making a scene and having a bar fight, like, we're going to talk with you.

And the thing isn't to throw people out the thing is to try to figure out where there's miscommunications and talk about it. Um, and so then we formed this basically big organization of volunteers that helped me moderate everything. And everything's going so far really well. We've twice asked people to take down posts.

And one of them was like, could you just reword it? Because the way you worded it was making some people uncomfortable. But the other one was, um, an advertisement for a product. I'm like, no, you're not doing that here. Like, like, if you work somewhere, you're allowed to say, like, I work here, we're hiring.

That's cool, but you're not allowed to be like, our product is the absolute best product and you must buy this product now. I'm like, okay, so sorry, you can't do that. But if you wanted to give a demo of your product, like, then we can plan an event, and then people know it's an event, and they decide yes or no, they want to show up.

And so we've had several [00:14:00] products demoed. Like, it sounds weird, but when you're an AppSec professional, you're expected to advise on buying these products that sometimes cost hundreds of thousands of dollars. And if you've never seen them before, it's really intimidating. And then as soon as you want a copy of it to make your proof of concept, the sales team descends and you get calls and emails, and be like, oh, I got, wow.

Jeremiah: Never goes away.

Tanya: Yeah. So we started just inviting people to just give a demo. And I'm like, it's not a sales pitch about why your product's the best. It's like, here's the problem. And here's how we have chosen to solve it. This is how it works. And a lot of people have been attending them and people told me like, no, one's going to like that.

But we asked the community, do you want this too? So basically like, I hold votes a lot and let the community decide. Um, which might sound weird, but I find that that's better

Jeremiah: Democratic.

Bella: Like, I think particularly, like, as a woman in cybersecurity, I'm constantly seeing, like, communities geared towards, like, either women or people new to the field or things like that. Like, I feel like in, in cybersecurity, but also just in, in tech in general, I feel like there actually is kind of a large push to, like, finding your community.

And I guess I'm wondering, like, why do you think that is? 

Tanya: Um, when I was a software developer, I never joined any software development communities. And I would talk to a lot of devs, but I, I, I would network, I would say rather than like, I wouldn't go to dev meetups. I wouldn't do any of that because I was like, I'm building code. I keep getting promoted. I assume everything's fine.

And. And I was also a professional musician for a really long time. And so I would spend lots of time in the music community. Um, drums, guitar, and I sing. Um, so I had five solo albums out and I was in a bunch of punk rock bands, and I, like, yeah, played the same music festivals as, just like, Rancid and Fall Out Boy, stuff like that.

And, um, yeah, so, like, if you look on Spotify, those are my albums under my name. Um, and so I would do that, and I'd spend lots of time in those communities, and I helped start a music [00:17:00] festival for women called Lady Fest. And, and I would kind of go in a lot of those circles for community. And then when I was trying to switch to cybersecurity, you can just buy a book on how to learn Python, but there was no book on how to learn AppSec.

And there were two or three books on pen testing at the time, and they were all network pen testing and not web app pen testing. And I was like, well, I want to be really good at this. And I don't know. I stumbled upon OWASP, the Open Web Application Security Project. And basically there are these two local guys Nidia mentoree running it.

And I was like, this is so cool. And so then I asked him if, like, can we have a capture the flag contest? He was like, yes, take the lead on running it, because I organize all the other stuff. And I had organized a zillion, like, a zillion concerts. Right. So, no...

Bella: the same thing.

Jeremiah: in the bag.

Tanya: Yeah, so then, you know, I'd eventually organized four or five of them.

Like, every year we [00:18:00] had one. It got bigger and bigger. And then after a few months, he's like, do you want to start organizing talks too? Like, are there specific topics you want to see or speakers you want to see? And so I was like, oh my gosh, this is amazing. I can choose what it's going to be about. And so then he made me one of the leaders, and then I went, and I went to the international OWASP event.

I got to meet all these other amazing leaders. And I was like, what do you do at your chapter? And like, how's that going? And then I met this woman named Nicole. And it was like friendship at first sight, like moment we met. And so she had made this intentionally vulnerable app and I was giving a demo of it at a conference.

And, um, unbeknownst to me, someone had hacked her website so badly the night before, they'd taken it down. And I'm, like, there and it's not working. So I put this email out to all the leaders of OWASP around the planet, like 1400 people. And I was like, this website's there. Can anyone help me? And then the most famous software [00:19:00] developer, responsible time and. now

Bella: Yep.

Tanya: deleted the, you've deployed the whole thing, and she opted the web server, and she's like, try now. Like, two months later, I'm at my first international conference. And, um, I am tall, I'm like five nine, and Nicole's a very tiny, small woman. And so my friend Tiffany is like, she taps this tiny woman ahead of me on the shoulder and she's like, hey, Nick.

Remember that, that lady that was trying to use your site? This is Tanya. And then we spent the rest of the trip, like, inseparable. And then she's like, do you want to start an open source project with me? I'm like, you had me at hello.

Bella: Yeah.

Jeremiah: You had me at open source.

Bella: gosh. That's awesome. So do you think it, like, I think, like, I feel like I hear not, not exactly the same story. I feel like that's a very unique, very [00:20:00] unique path to finding community, but I feel like I hear a lot of, like, a lot of my peers have like elements of similar stories of like, you know, wanting to find like, I guess, like, do you think it comes a lot of our, like as a, as a, as an industry, our community seeking, do you think it comes from just like there isn't another great way to learn from one another?

Cause I also struggle with finding the right resources. Like I think I have the one comprehensive web pen testing book that exists, like.

Tanya: I do feel like it's really hard to figure out what to learn. Like when, um, so when I made my AppSec foundations program, it was all the stuff that I had spent five years or six years learning. And it was like, this is my approach, my personal approach. To like creating an application security program and then making sure it succeeds.

And I had people who were like, I've been doing this 15 [00:21:00] years and I took your course and I, and like, I don't mean to sound rude, but I was expecting to learn nothing. And then I was like, oh crap. I never thought of it that way. Or like, oh, that's an excellent idea for this. Or, oh, we could do that if we tried.

Um, and so I feel like it's really hard. To figure out where to learn these things. I feel like it's really hard [00:22:00] to form a network and find your first job. So when I graduated computer science, I had already had several jobs in computer science. It's extraordinarily rare that cybersecurity hires interns because of.

Security clearance levels, and because they're not sure if they can trust someone to keep their trap shut. And, like, like, I've done anti-terrorism work. You think we're going to hire an intern? No, we are not. And so there's less opportunities for junior people, and it's also because, for some reason, our... So when you study to become an accountant, you graduate, you take the exam, and you're an accountant and know how to do accounting.

But if you take a course at this place, that place in the other place, that doesn't mean you're a good pen tester. It doesn't mean you know how to do AppSec. So we don't have a really good way to measure.

Jeremiah: experience.

Tanya: And a lot of the people who are doing the hiring don't know how to qualify the person that they're hiring.

And so they're like, well, you have to have this certification, or you have [00:23:00] to have 10 years' experience. I'm only, I'm working on my ninth year of security. And so I was telling someone today, yeah, when I was in Ottawa, all these guys, so all, all the main consultant pentesters were guys, they would all get the contracts and then they'd contract them to me to do, because I am a little...

And, but they had 10 years' experience and I didn't, so I didn't qualify. And so I had someone ask me a few weeks ago, and they sent me this job description for their AppSec lead. And I'm like, so I wrote the best-selling book on AppSec in English. It's the only one. Uh, and I don't qualify for your job. So who does qualify for the job?

You post it, if I'm not good enough for that job, they're like, well, of course we'd hire you, Tanya. Like you're a world renowned expert. I'm like, but I, if you read your qualifications, I, I don't.

Bella: right. I think,

Tanya: And I don't know how to say this, but I don't know if I would have the guts to apply for a job that says you absolutely must have 10 years.

I have, like, I'm almost at nine, so I'd probably [00:24:00] still apply. But when, yeah, but, but think about it, though. If all the jobs say you must have 10 years and our industry's only really developed over the past five or six years for AppSec, like, it's only gotten big then.

Bella: yeah. Yeah. One of the like big, uh, one of the big, like a piece of advice that someone. Gave to me when I was first getting into this industry that I constantly pass along to other people. Um, which is silly when I say it out loud, bear with me, uh, is when, when I read job descriptions, I ignore the requirements.

I read everything else. And I focus particularly on the, like, what will you do in this role? Because that's like, if I, if I think I can do that then great, but I skipped over the requirements. I never read them because either I like, I've never read a set of requirements that I felt like I met ever. And like, I have gotten jobs in this industry I'm currently working in this industry.

I don't think that I met the job requirements, like on paper of the [00:25:00] job that I'm even in now, because they're so frequently written in a way that's like not attainable. So anyways, I don't read them. I tell other people not to read them, but that's silly.

Tanya: That is actually brilliant.

Jeremiah: Yeah. Now, I actually do the exact same thing. I think, like, there, in this industry, there are whole memes that are created just because of how ridiculous some of the job advertisements are for this career field or the field as a whole. Um, you know, 20-plus years of cybersecurity pen testing experience, coupled with 15 years of developer experience.

And oh, by the way, you've gotta be a pilot and you also have to have, uh, uh, done some wailing in the past. And on top of that, if you could also, uh, make a pizza from scratch, then that's the bonus. I don't like

Bella: sounds like the requirements for time to retire. I don't, that's not.

Jeremiah: Um, there were a few things that you mentioned that kind of tie into this thing [00:26:00] that I saw that you do, which is, um, Cyber Mentoring Monday. I was wondering if you could speak more about that.

Tanya: Awesome. I'd love to. So every Monday on Twitter, I use this hashtag, #cybermentoringmonday, to try to help people find professional mentors. And it started because professional mentors are what helped me launch my security career, and then helped me launch my company, and then helped me get my company... And so I've gotten new professional mentors.

As I have done new things in my career, and people started writing me and saying, well, will you be my professional mentor? And at first I said, yes. And then I had four people. I was mentoring and I, and that's awesome. But someone else asked and I said, oh, well then I won't have time for my mentees that I currently have.

And then I'll be a crappy mentor. Um, and so then someone else asked, and someone else asked. So then I did this post on LinkedIn and I was like, a person I know is looking for a professional mentor in this, and I want to help, but I don't have time to be their [00:27:00] mentor. Would anyone respond? And all these people started responding.

And then a bunch of other people started saying, oh, well I actually need a mentor too. And it ended up having a thousand comments. I'm surprised we didn't break LinkedIn. Cause their notification system really stinks compared to like other really bad. Yeah. And so then I wanted to figure out a way that I could help people find professional mentors.

So with my chapter, we started a mentoring program and we had like 10 mentors get up and offer to mentor people. And then people lined up and we did sort of like speed dating mentoring. So like they had like five or 10 minutes with each person. And then they decided who they thought would be good. And it didn't work very well.

Like, I would love to tell you how it worked perfectly and everything was great and it was a happy ending, but it was more like some of them connected and some of them just didn't. And that's life. Like, one of my mentees fired me. She was super protective. She's just like, you don't give me lessons and you don't...

She wanted like this formal structure of university [00:28:00] style. And I was like, I can't provide that for you. And then eventually she readjusted her things and then it's funny. Cause now we're good friends, but she was like very frustrated because I guess she'd had another professional mentor who had been a professor.

Professor. And, like, would create weekly lessons and spend many, many hours per week. And I was like, I can't offer that. Then I put this post, and it was just Mentoring Monday. And I was like, are you looking for a professional mentor? Are you looking for a way to give back to the community? Are you willing to take someone under your wing? And just hundreds and hundreds of people answered the first week.

And so I was like, I'm just going to do this every Monday, for... I'm sure after a few months, like, we'll run out of people. But no, every Monday, so many, many people, [00:29:00] if you follow that hashtag, are going to post every single Monday. I just try to help people connect. So you need to put yourself out there, though. So first of all, don't... Some people are like, yeah, I want a mentor too. And I'm like, that doesn't sound...

Bella: I have had a few mentors at, like, really critical points in my, like, education and [00:35:00] career, um, shifting into, into this space. And, like, for me, having mentors that helped me get to where I am...

I mean, like, just essential for everything that I've done so far. But, like, I think, like, one of the, one of the marks of, like, a really great mentor is being able to see exactly what you need. Right? Having a professional who knows what they're talking about say to you, like, okay, it's time, like, you can do it. Like, that makes such [00:36:00] a huge difference. And I think, like, I don't know. I know for me, I won't speak for anyone else, but for me, that has, like, absolutely helped me progress in my career.

Tanya: Absolutely. And I feel too, like, professional mentors, because they have experience in the area you're trying to learn, they'll be able to say things like, this is the book that changed my career, or you need to meet this person, or even just, like, a recommendation for something that you might not have thought of. But I've had so many key introductions made.

Like, it was one of my professional mentors' idea. She's like, someone wants to buy your company. And I had started We Hack Purple, like, maybe two months earlier, and I, she's like, it's just an acqui-hire. They just want you, basically. I'm like, I haven't built anything yet? Like, I have one course in it and I filmed it in a weekend.

Like, it's not good. Um, I mean, like, the con, the topics were good, but it wasn't, it wasn't, like, professional. Right. And she's like, yeah, it's an acqui-hire. I guess, like, do you [00:37:00] want a job with a big paid bonus?

Bella: right. Being

Tanya: no,

Bella: find that out for you, like figure out what's. Yeah.

Jeremiah: Yeah.

Tanya: Yeah. And then, and then two years later, check in with me and say, you know, someone, someone has a more serious interest in, they actually mean it this time. Do you want to meet them? And I was like, whoa. I didn't end up selling my company to them. It ended up being, like, many companies down the line that we decided, where it was, like, a really good click. Because you, you're going to work with these people for several years after, and you want to make what they're doing a success, and you have to, like, make sure you're actually on board and you agree. And, like, for me especially, it's like, this product better be really awesome, or I'm not coming.

Right. And so like all of these things like, and having, and having the guts to say no to someone, offering you a big hunk of money and stability, when. I am in charge of the livelihood for all the people that work at this company and that's pressure. Right. And if someone's like, well, just like throw a whole bunch of money at you.

And it's like, well, that is exciting, but that's not what it actually is. Right [00:38:00] for me. And that's not what is right for my team. 

Jeremiah: Our listeners can't see this, but in the background behind you, there are a couple of books that I've been eyeing. And I believe that is the Alice and Bob, uh, Learn Application Security, right?

Tanya: Yes,

Jeremiah: You wrote that book. I was kind of curious about it, because we're hearing, like, application security all the time. And, and is there a big difference between application security and penetration testing, together? I know application security, personally, is kind of a big deal. And, um, I was just wondering if you could speak more about that and, uh, some additional, um, insights that [00:39:00] you had in creating it.

Tanya: Okay. So when I wanted to learn security, I was like, great, I'm just going to read a book. My library had Kevin Mitnick books, and although it was an interesting and exciting tale that he told, it didn't teach me any security, like, the book that they had. And then I read Gray Hat Hacking, I read The Shellcoder's Handbook, et cetera, but there was no book about how to do the job of application security.

And so I wanted to create the book that I wished I could have had, if that makes sense. And so application security is the security of software. It's the part of computer science. So computer science is a big nebulous field. And then below that, a subsection of our industry is cybersecurity and information security, and then a subsection below that...

Is the security of software and how do we ensure that every time we create software and every time we're releasing it, that it's safe for our customers or citizens or our employees to use. And so application security is [00:40:00] all the things that you do to make sure that people are safe using your stuff and the information that they put into it and whatever they're using it for. And so, um, I wrote that book because that book didn't exist, then I really wanted it. And I also wrote it partially because I'm so I'm dyslexic, I'm learning disabled. That's what it's called. But basically I learn in a different way. I still learn lots of stuff all the time. And so I wanted to create a textbook that wasn't so hard to read.

Like, when I read textbooks, I was like, oh, I'm going to fall asleep. This is, like, so long. And so I wanted to have a book that was full of stories. Uh, like, my stories, stories of Alice and Bob, things that happened to them. I wanted to have, like, diagrams and pictures, and I wanted to be able to explain things in multiple different ways.

Like one of my technical editors was saying to me, this is the third time that you're explaining what dev ops is. And you're just saying it in a different way. I don't know why you need to say it three ways. Like you drew a picture, Tanya, do we really need a picture? And I'm like, I'm doing it so that [00:41:00] every single different type of learner understands.

That's why I'm doing it three different ways, because apparently you need to hear a very abstract concept in three different ways in order to completely understand it. And I want people to know that by the end. And I want people to really know, you know, the difference between dynamic or static analysis, for instance.

And I'm like, and so I'm explaining it different ways and using pictures and all these other things to make sure by the end of the book, people get it. And I've had people tell me, like, I picked it up from... And I finished reading it Sunday afternoon, and it was, like, a pleasure. And that was, like, a huge goal in writing a book: that you could learn the stuff, but it didn't hurt.

Um, and I don't mean that as an insult to other people that write texts, because they're teaching and that is important, but I wanted to write a book that would be easier for someone like me to consume. And, like, I struggled with The Shellcoder's Handbook. I struggled with The Web Application Hacker's Handbook.

I just struggled through these things where [00:42:00] it's like the person that wrote it. Brilliant. Oh my gosh. It's like bigger than the Bible.

Bella: Yeah.

Tanya: It's like three Bibles or like

Bella: alone, even if you can comprehend all of the information, like first pass through it's it's a lot to digest and that's what, like, I feel like that's what every other resource is. Like. I think like when I first learned the phrase application security, it was explained to me as, oh, that's web penetration testing.

Like here's the book on it. I was like,

Tanya: Okay. Let me explain the difference. I forgot Jeremiah, the second half of your question. So penetration testing is a person doing manual intense analysis of one application to try to find every single vulnerability that they possibly can. And then try to exploit the vulnerabilities to make sure they're real.

And then they write a report telling you all about them and like why you should be afraid, why you should fix them. And then hopefully advice about how to fix them. And so a person that does that job. [00:43:00] So I did that job for maybe a year and a half. You have to be very patient. You have to be very determined.

You have to be very thorough and detail oriented. And, um, and in my case, 'cause I had a lot of these tests inside of a data center, you have to be a person that has a two commitments and a hat. It got really cold. And as a person who is a social butterfly, I'm very extroverted. I started to feel quite lonely doing that job as weird as that might sound because I would code all day, but I'd always be chatting with other devs.

And I never ever felt like lonely at work, doing development work. But for some reason, like being a pen tester, I'm like, I'm literally in this giant data center all by myself the whole weekend,

Bella: Yeah. And I'm sure none of the devs or, or folks on the other side want to talk to you because you're the person who's there trying to break everything.

You know, I haven't been in the security industry for like a terribly long time, but even in my, my several years, like, I feel like I've seen either not necessarily a shift in the entire industry, but like evidence of a shift because companies that I've worked with that have been around for a long time operate very differently than new companies.

And I think a major way that I see that. [00:47:00] How would they define AppSec? Right. And like my first definition of AppSec, which I think is fair to say is wrong. Um, was I learned that because that's what I saw several companies doing as their entire AppSec, you know, work is, here's our thing that we've had live.

Here's our application. That's been up on the internet for 10 years, I guess let's check it out. Like what's going on, let's do a pen test. And it seems like, again, I don't want to say this is a recent shift because I think it's a shift that's been happening for a while, but at different companies at different paces, um, this idea of like, you know, the buzzword "shift left," uh, moving security further left in the pipeline and like this idea of, of DevSecOps, which is another buzzword, but like very real.

Tanya: When I learned about the idea of shifting left, I was still working in the Canadian government. There's this guy named Damien and he would watch lots of conference talk recordings from his desk when no one was looking like he's like, it's lunchtime. She could go outside at lunch instead. He's like, I want to watch this and I want to learn. And he was very obsessive about learning and super encouraging of me learning. And he's like, well, we should just shift this left. I'm like, what are you talking about? And he's like in the SDLC and I'm like, do you mean earlier?

He's like, yeah. He's like, we keep doing pen tests at the end. Why are we doing that? I'm like, no, I agree. It sucks. When I was a pen tester, I kept calling companies and saying, could I just show up two or three months earlier? And could we go over your design and could we do this? And can we do that? And I remember my boss, the pen testing boss was really ticked off at me.

He's like, why are you bothering our clients [00:49:00] way before your pen tests? I'm like, I'm just going to run some quick scans and like they can fix those things. And then when I would get my final report, there would never be highs or criticals. 'Cause I would have already walked them through fixing all of them and retested them at the end.

And my boss was like, you can't find any criticals or highs. I'm like, well, I did. But they fixed them. So it doesn't go in the final report. And so the devs were like, we really like her. We look better when she's around. And I had no idea that that's what I had been doing. And so he's like, yeah, there's this thing called, like shifting left or like pushing left.

And so then I read about it and then I ended up making a presentation about it called "Pushing Left, Like a Boss," because I'm silly. Um, and people were like, how, how do you do that? How do you start earlier? I'm like you make the whole SDLC secure. So every single step, there's five steps, whether you're doing DevOps or Agile or whatever.

But you still have to gather requirements. You still have to design and basically you just do a baby small version of whatever the thing is. So you just threat model the new feature instead of the whole app, or you just scan that new part of the code that they [00:50:00] checked in, not the entire thing. And I'm like, so every time we do requirements, like we still want to figure out what we're building.

And so why can't I add security? Like I know you're doing serverless, well, these are things that concern me about serverless. So these are the rules or requirements for serverless. And I'm like, why don't we just tell them at the beginning what we want, instead of telling them how wrong they are at the end, you don't want to give an adult a lecture.

I want to like help them be awesome. Like I want to not find a lot of stuff in my pen tests. I want. I'll put myself out of a job. It sounds weird, but I'll always be able to be a dev, right? So why not?

Bella: So I just have like one, one kind of close out question, uh, for you, um, that we, that we, we have like one final question that we ask all of our guests.

I would love to ask you. Um, and it is what is something that we wouldn't know about you just from looking at your like online bio, social media, LinkedIn profile, things like that. And you can get as deep as you'd like on

Tanya: Going to say.

Bella: you're comfortable sharing.

Tanya: Well, I can't say music because now I already told you that. Um, but I'm also kind of a farmer now.

Bella: Cool.

Tanya: Um, so I started growing things. It sounds weird, but I went through burnout when I was a software developer and I read in books, like if you want to get over burnout, you should get lots of sun. You should try doing grounding exercises where you like, just touch earth, which I thought was ridiculous.

Honestly, I [00:55:00] was like, that's so dumb, but apparently it really works and you should get exercise. So I was like, well, I'm hyper effective. So I'm going to do all three at the same time. And I landscaped my little itty bitty, tiny property that I had. And I was like, all my stress. Just, it sounds weird, but my stress just melted away.

And so then I was like, well, I'm going to plant like a little vegetable garden and, like, so just to be clear, I sucked. My thumb was black. It like, everything would die. I, someone sent me this meme and it's this lady and she's holding these plants and she's like, so happy with them. And it's like, hi babies.

Do you want to come back home with me so you can die. But now I'm actually really good at it. And I like plant flowers and I gather seeds and I grew so much food last year that I actually, my neighbors insisted that I create a little farm stand so that they could buy it because I kept giving stuff for free.

And I made $550 for my little

Bella: So cool.

Tanya: This year with special thanks to Bright Security acquiring my company, I bought a very small hobby farm, and I'm [00:56:00] so ridiculously excited. I'm planting flowers and my significant other's planting things and we're just like, oh my gosh, there's so much space.

Bella: Oh, that

Tanya: Yeah.

So I, I love gardening. I had no idea that there was this magic thing where suddenly it's like, I have no stress. I don't know how to explain it, but like, I go into my greenhouse for a little bit. And I plant some seeds or I do weeding, which sounds like really crappy, hard work, but I just love it. It makes me so happy.

And so yeah, it turns out

Bella: That's awesome. Um, it was really, really, really wonderful. Uh, getting to speak with you today. Thank you so much for joining us. This was really, really lovely. Um, we're very appreciative. [00:57:00]