Security Masterminds

Ways to secure your applications and reduce the risk of a cyber attack on your applications with special guest, Tanya Janca

October 21, 2022 Tanya Janca Season 1 Episode 11

In this episode of Security Masterminds, Tanya Janca shares her insights on application security, OWASP, and her community, "We Hack Purple." 

"I would say software developers are more interested in security than they ever have been before they're being pushed that way, but I think a lot of them are just becoming interested in it."

Tanya Janca is the director of Developer Relations at Bright Security and founder of the We Hack Purple community. She is a software developer with over 20 years of experience and is the author of the book Alice and Bob Learn Application Security.

In this episode, you will learn: 

  • Tanya Janca's experience as a software developer, musician, and pentester 
  • The importance of networks and community in cybersecurity 
  • The shift towards increased security awareness among software developers


This show's sound is edited by ProPodcastSolutions - https://propodcastsolutions.com/

tanya_janca:

I would say software developers are more interested in security than they ever have been before. They're being pushed that way, but I think a lot of them are just becoming interested in it. Hi, I am Tanya Janca, and I am the director of Developer Relations at Bright Security, and I'm also the CEO and founder of We Hack Purple, which is owned by Bright Security.

Announcer:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cyber security, taking an in-depth look at the most pressing issues and trends across the industry.

Jelle Wieringa:

With over 20 years of experience, Tanya Janca has been a startup founder, pen tester, CISO, and is the author of the book Alice and Bob Learn Application Security.

Erich_Kron:

Application security is the practice of integrating software development and security principles, and Tanya shares with us her insights along with OWASP and her community, "We Hack Purple."

Announcer:

This is episode 11. Ways to secure your applications and reduce the risk of a cyber attack on your organization with our special guest, Tanya Janca.

Erich_Kron:

All right, so this is another exciting episode, and again, we have just a fantastic guest on this one, Jelle. Tanya was incredibly fun to chat with, incredibly smart, and she had a really cool story just in general of the things she's doing. But as we always do, one of the things that interests us is how do people get in this industry?

tanya_janca:

Yeah. So I think that I was an unusual little girl in that both my aunts and all my uncles were computer scientists and all of them were programmers. And my dad knew how to program and my mom's a mathematician. And so when I was like, I think I wanna take computer science in college, they're like, What else would you do? And so then I was a software developer for around 17 years. But at the same time, I actually started playing music in bars around town. I play guitar and sing songs that I wrote. People gave money, and you're gonna laugh, but this helped put me through college. Um, and I released little albums on Spotify, et cetera. And then I started in punk rock bands and played not very many festivals, but lots of like little gigs all around Ontario where I lived. And then I found security. So basically I was in a band and programming at this big place that will remain unnamed in Canada. And then we had a pen tester that would come in from time to time and he was in a band. And so obviously our bands had to play together. And we became friends cuz what else can you do? And after a year and a half of friendship, he said, You should become a pen tester. You would be so good, Tanya. You really should. And he just kept bugging and bugging me for like a year until I gave in. And he's like, I said I was never gonna mentor anyone again, but I wanna mentor you. And I was like, No, programming's the best. Why would I, why would I change? I'm pretty darn good at this. But then he kept showing me cool stuff and more stuff. And then I figured out that I liked the AppSec and he was a pen tester through and through, which is awesome. And we need pen testers, definitely. But I'm too social. Um, being alone all day, like I got lonely. Um, and also I was bad at pen testing cuz I was doing AppSec.
So I would take forever, like I'd show up way early and be like, Let me threat model with you, and then I would always stay late and help them fix bugs and like, Just call me if you need something. He's like, Stop doing that, Tanya. He got pretty frustrated with me. And so then my next professional mentor, who led, um, the OWASP chapter in Ottawa, his name is Sherif Koussa, he's like, Tanya, there's a job and it's called AppSec and I think you really wanna do it. And so I stopped doing that and I was like, Oh, this is where I was meant to be. So that went well.

Erich_Kron:

That is so cool. Like, again, we started out with something different, you know, music, and then interestingly enough into the pen testing gig, but then moving out of it. I don't hear a lot of stories of people that say, You know what, this isn't for me. It's such a rockstar glamour sort of thing in our industry. I found that really interesting that she was like, Nah, nah, not really. No, not my thing.

Jelle Wieringa:

Well, it's really cool that she came from the pen testing background because now she can go into application security and take all of that knowledge that she gained on how to get into companies, how to pen test networks, and take that to the application side as well. I used to have a bunch of programmers in the teams that I managed, and application security is a different mindset that you have to have than when you're a pen tester, for instance, because within application security, sure, you're testing the security of the application, but you need to keep the functionality in mind as well, and it's a delicate balance between those two. It's not an easy thing to do.

Erich_Kron:

Yeah, I thought it was very interesting, and the idea of taking that practical knowledge from actually doing the pen testing. All right. So another thing that kind of got me is wearing many hats in the career. We've all done that, and she wore so many hats in her career. So I wanted to know, of all the things that she's done, what has been the most rewarding and why?

tanya_janca:

I would have to say starting my own company. Definitely. So once I started doing a lot of AppSec, quite frankly, my employer didn't have money for training. And so I figured out, I guess lots of people know this, but I didn't know, if you speak at a conference, you get a free ticket. And so I started speaking at conferences all the time. And it turned out, since all my years of musical background, I was really good at public speaking, even though at first it was terrifying. So then when I started my own company, it sounds really weird, but I had joined a startup and it had failed really quickly cuz if you're gonna fail, fail fast. And so, in nine weeks, we failed very explosively. Cause I really gotta outdo myself if I'm gonna do it. Um, but then, uh, I started another company and I, it sounds really silly, but I just met with lots of people in the industry who I respect and said like, What do you think our industry's missing? What do you, what do you think we need? And person after person said, I have money. Will you come train our devs on security? And I was like, Oh, I actually really, I really like doing that cuz it's, it's public speaking, but it's also like it has a bigger impact. When you have more time with them, you can teach them more. And a lot of my talks are just lessons that are kind of camouflaged as a conference talk. So I'm always trying to like teach a certain thing. And so I just kept doing that. And then I recorded an on demand course just to see if someone would buy it. And we sold over a hundred the first week. So I was like, Oh, apparently there's a market for this. And I just kept doing more and more. But when you are a CEO and you own your own company, especially if you are bootstrapped like we were, that means you get to make decisions. So a while ago I was on Twitter, uh, and this woman that I follow who is Black and American, she said, How can I, as a Black woman, possibly ever be able to afford to take a SANS course?
And a bunch of people responded, Oh, well, they charge everyone the same price. They don't charge more for women or for Black people. She's like, But it's not the same for me. And so I chimed in and I was like, She's not at the same starting place. So on average, women get paid less. On average, Black people get paid less. On average, they're more likely to have family members they have to support. On average, like there's all these things. So they're not starting at the same starting place as you. And that's the problem. It's not that SANS is like discriminating at all. That's not what's happening. And so I was like, You know what? I'm gonna give away like 10 free rides to take like the entire, we have an application security program where you take multiple courses and then we, before we were acquired, we used to actually set you up with job interviews and stuff. So I gave away 10 to women of color on the spot. And then this really awesome woman named Katie Moussouris, she runs Luta Security, she's like, Hey, how many can I get for 30,000 bucks? I was like, Oh. And she's like, Give those away for me. Will you? Um, and then other people, then Slack, then all these companies started sponsoring us. And we already had like a private deal with private people who wanted to do that, where like we would give away three for every one that someone paid for. And so we were able to put maybe 120 women of color into our program. And not all of them graduated, because not everyone's meant to do AppSec and that's fine, but we got tons of them jobs. Tons of them have reported back these wonderful life changes. And when you own your own company, you can open doors for people in a way no one else can. Right? Like you have this power to share knowledge. And so that was ridiculously satisfying to be able to do. And all the regular students too, them finding jobs.
Like we had nurses, teachers. We had a guy that worked on an oil rig in the middle of the ocean who didn't know how to turn on a computer. And he had taken a bootcamp and then joined us and works full time in AppSec now.

Erich_Kron:

Okay, so that is really cool that she's running an organization that can help so many people. And I love that. I love the way she said they failed explosively. It kind of gives you an idea of how that went, right? But she wasn't discouraged by that, and by moving forward, she's made a real impact in the industry and therefore, honestly, the world at this point, because this is something we really need: more of those people, just people in general in this kind of work. We're so short staffed in cybersecurity, so I'm really, I'm just taken aback by what she's accomplished.

Jelle Wieringa:

Well, I have a soft spot for entrepreneurs, and then an even bigger one for those that are creative and brave like Tanya, especially when they can really apply what they do to better the community and the world around us. I really do admire that. I would say for everybody that wants to chase a dream like she did, go out into the world and experience what you really want, figure it out, and start doing it more and more. Because if you become as passionate as Tanya is in her role and in her company, there's no way of failing.

Erich_Kron:

Absolutely. So along with this, We Hack Purple is a really cool thing that she's been doing. We just heard it's a special part of her career life, but there was a big change with that recently. And so I wanted to hear about this big change. I wanted to hear kind of this announcement or what big thing happened to her. It's very exciting.

tanya_janca:

Absolutely. I was on the advisory board for Bright Security for quite a while and we're friends and such, and one of them approached me and he said, You know how we always offer you a job and you tell us to go away? Because you already have your own company and that's your dream. And you're like, Cuz I'm like, when you offer me a job, you're saying your dream doesn't matter. Come join our dream. Throw your dream in the garbage. But uh, they're like, what if your company and our company just were one bigger company, and then we know you wanted to give all your courses away for free. We know that like your main mission is to try to spread information and spread knowledge and bring new people into our industry. Like what if we bought your company and we make all of your courses free for everyone? And I was like, this sounds extraordinarily appealing. So our lawyers had to like fight a lot, but once the two lawyers worked it out in May 2022, um, they acquired We Hack Purple, and it's like a multi-stage process or whatever and lawyers are boring. But now all of our courses are free. So if you join the We Hack Purple community. So if you go to community.wehackpurple.com, you join. So you have to give us your email address and some sort of name and agree to our code of conduct, which is like don't be mean, which I feel is really reasonable. Uh, we haven't had to kick anyone out yet, so that's good. Um, but then you can join, like there's around 3000 of us in there right now, and you could take all the courses. So we have several app courses, we have secure coding, we have Azure security, and we just added a course from Bridge Crew called Securing Infrastructure as Code. And so it's like, what is infrastructure as code? How can I go do some, how can I secure some? What are the best practices? What could go wrong? Uh, and this guy named Steve is in the video and he's super hilarious.
I got to sing karaoke with him last week at Hacker Summer Camp, and he was so good. Like ridiculous. So that was really fun. And thank you to Bridge Crew for, like, they created the whole thing for us, for free. And let's give it away for free, which is, I feel, very generous. There's a bunch of other people in the community who have offered to make courses for us who are like so lean and doing stuff, and so it's really exciting to be able to provide a platform for other people to share knowledge. We have events every month. We have just a lot of problem solving going on. Like, this is happening to me at work, it's an AppSec problem. What do I do? And then everyone's like, This is what you do, or this is what I do, or this could help. Or, I'm having that problem too. Please tell me the answer when you find it.

Erich_Kron:

You know, Jelle, we've talked in the past about how important having a network is and how we can reach out to other people that know things that maybe we don't. I really like this. I think it's really cool that they were acquired and now they get to give away this valuable stuff. It's always so nice to have somebody that you go, you know, this isn't my specialty, but it would be awesome if I knew somebody that does, and communities help us all with that.

Jelle Wieringa:

A community is actually what, in my mind, is the key to making the world more secure in cybersecurity. You can't go at it alone, and the experience that you get from others is the best tool you can get to solve issues. It's why I truly believe in an initiative like We Hack Purple. First of all, it's red and blue together, combined. That makes purple. That already, a collaboration between those two, is a really good way to approach security. Focus that on application security, build a community around that, and you have a really powerful force of change within cybersecurity.

Erich_Kron:

And that's a big issue I see sometimes with the younger people in cyber: they're afraid to say, I don't know how to do this. And I put a lot of weight on people that go, You know what? I'm not sure about this. Can you help me? As opposed to just getting in way over their heads. Now, something I've started to see is a pretty significant shift in developers starting to think more about security and being more secure in their code development overall. Like that's becoming more of a core thing, not everywhere, but in a lot of places, and especially organizations with a good security culture. So I wanted to know if she perceived them becoming more secure in their development or not.

tanya_janca:

I would say software developers are more interested in security than they ever have been before. They have to be PCI compliant or something like that. They're being pushed that way, but I think a lot of them are just becoming interested in it.

Erich_Kron:

And that kind of reflects what I think I'm seeing out there now.

Jelle Wieringa:

I think for businesses in general, management within the organization and the developers that build those applications used to focus on functionality, right? Let's push features out as quickly as we can. Who cares about security? But especially from a management perspective, if you look at the risk that brings to the organization, because building crappy software that might have plenty of features but is vulnerable to a great number of attacks, thus risk: your reputation is at risk. OWASP is more accepted now than it was 10 years ago. It's gaining in popularity and rightfully so, and that changes the whole perspective that developers have on building software.

Erich_Kron:

Well, as security pros, we've been screaming about this for years.

Jelle Wieringa:

Yeah. Secured by design is no longer a trend. It is the de facto.

Erich_Kron:

Yeah, absolutely. She's really got a grip on this, and something I know she's excited about is writing a book about AppSec. It's called Alice and Bob Learn Application Security.

tanya_janca:

Definitely don't write a book if you're planning on getting rich. A textbook is not the way to do that, in case you're wondering. I wrote a book and I just started writing the sequel, so it is called Alice and Bob Learn Application Security. And you have it signed? Yes. So basically Alice and Bob are the characters that were first used to describe what encryption is to all the normal people who weren't cryptographers. Alice wants to tell Bob a secret. And so everyone's been using them for examples for a long time. And I use them a lot in my blog. And when I'm speaking I'm like, you know, it's not Alice's fault, it's a policy that was broken. It's not Bob's fault, it's that a safeguard was missing. And so when I went to figure out what I wanted to name my book, I was thinking of Alice and Bob Learn Application Security. Would that be weird? And my publisher's like, that is the best name ever. And I was like, I really want to have the characters have families and lives and medical conditions and jobs and stories about how, when you make a decision to implement a security header or not, this could hurt someone else's career. Right. And so, um, both of them, you know, Bob's a grandpa in the book and um, he has a pacemaker and he tells everyone and he doesn't. But Alice is a business woman, and so basically it's a really weird textbook. So I'm dyslexic and I find reading textbooks super painful. I really don't like it. I want to have all the knowledge in the textbook be in my head, but I don't wanna have to sit there and hold a very heavy book for many hours on many days. And so when I wrote the book, I tried really hard to cover as many learning styles as I could, so it would be really accessible and easy to read. And so I've got a lot of feedback that it was very easy to understand and I took a lot of complex concepts and kind of broke them down.
Sometimes I would draw pictures or tell a story, give some code, and just show it in a bunch of different ways. And by the end, the person's like, Oh yeah, I got it. And that was my goal, was to basically make a book for people who are like, I don't know anything about AppSec. How do I do AppSec? And you could just give it to them, or give it to a software developer or anyone else in IT, and they could just understand. And so I heard that I did well. Uh, and so then I started the next book. I finished chapter one now of Alice and Bob Learn Secure Coding. That's out next. Yeah, it's gonna be a while though. Folks, it takes a long time to publish a book and I make a lot of spelling mistakes, so I need some editing.

Erich_Kron:

You heard it here first, folks: Alice and Bob do AppSec. This is a really cool thing here, so it's kind of cool to see her take what she had and turn it into something that's now helping other people in printed form and may have legs, in other words, may be something that she can make a series off of. I think this is kind of a cool approach.

Jelle Wieringa:

I've been in IT for a long, long time and application security's not easy, even to me. So having a book and writing it in a way that, first of all, makes it relatable to the reader, but also takes into account the many different styles in which people learn. It's great to see that something as complicated as application security, we try to, well, make it as accessible as possible for everyone. Having something like Alice and Bob Learn Application Security is awesome.

Erich_Kron:

Yeah, absolutely. And I love what you said about meeting those different learning styles in there. That's a focus of that, because we do learn differently and we know that from what we do here at KnowBe4 all the time. So what I asked her next was, how can CISOs or upper management ensure that their developers are creating secure apps, and reduce the issue of getting to market preventing proper security measures being implemented?

tanya_janca:

Okay. So there's a multi-part process here. So I would say advocacy and creating a secure SDLC. So let me explain those things. So when I started at Microsoft as a developer advocate years ago, I was like, That's my hobby. You wanna pay me money to do my hobby? And they're like, Yes. And we want you to tell them that you're from Microsoft when you do it. So I was like, Okay. And so advocacy basically is changing, it's a lot of things, but if you do it within an organization, the idea is you are changing your culture to be a more security focused culture, right? And so this could mean the security team holding lunch and learns every month. This could mean holding a capture the flag contest to have all the developers learn about what it's like to find a bug, and also what some of those bugs might be in their apps. It could be you going around meeting all the different devs and saying like, I'm here if you need me. I have office hours every Friday from this time to this time. Or, Oh, I bought you all a bunch of books. But the idea is reinforcing a culture, because what you're doing is you're advocating for security in your organization. Even little things, if you have any sort of consistency, you can see big cultural changes over time. But if you just do a whole bunch of things in security month in October and then don't speak to them for 11 more months, it's not gonna be a huge change that you see. It's better to do a little bit all the time than do a whole bunch of things for one week and then quit. So the other thing is a secure system development life cycle. So if your devs are doing Waterfall or doing Agile, they're doing DevOps, they're wacky and they're doing one of the other ones, or a mishmash of one of those two or three, that's fine. But no matter what you do, you still have to have a list of requirements of what you're building. Like you still have to figure out what you're building.
And so during that phase, you could offer security requirements and show the developers and teach them what you mean. You know? So we expect you to use these security headers as part of this project. We expect you to follow the secure coding guideline. We plan to do, you know, this type of testing, et cetera, so they know what's coming for the whole project and they can schedule it. And then during design, there's a whole bunch of cool design security things you can do. Even if you're doing Agile and you're just doing three-week sprints, if you're gonna do an entirely new feature, you could spend 15 minutes threat modeling it and potentially find a flaw that you would've had and change it before it goes out into prod, right? So taking the time to add security steps to each phase of the system development lifecycle, and almost no one's got it perfect. Almost no one is releasing apps with zero vulnerabilities, but each security thing, each activity you add is support to help them make more secure software. So if you adopt this, I call it a mantra, but it's my job to help you do your job securely. And you're my customer. Like I serve the devs, I work for you guys. I know the security team pays me, but it's my job to help you. And if I'm not helping you, then I'm not doing my job. And so when we approach it like that and they know we're there to support them and help them, things get way better very quickly.

Erich_Kron:

One of the things that I noticed right off the top that I really love to hear is something I think we've been hearing more of, Jelle, and that is the discussions about culture, organizational culture and security culture, and there's something called the ABCs, which is awareness, behavior, and culture. As we're driving through the ABCs, we've got the awareness piece that's out there. People know about that. Behavior changing is a good focus that results in culture, right? I love to see discussions about culture happening out there, and she was very good about that piece of it there. I think she really gets it. And her examples are talking about different security culture within an organization.

Jelle Wieringa:

Both of them, in that organization, it's about doing security together. Otherwise you're not gonna make it. Application security is now at that point where security culture comes into play. You get the culture that you ignore. That's something that's definitely applicable here. A lot of organizations are simply not there yet. Not necessarily a bad thing, but the more organizations that realize that security culture, just like your company culture, is simply there, and that it's best to approach it proactively and start changing it and shaping it in a way that you want it to be, well, the better it is.

Erich_Kron:

Absolutely. Okay, so I was curious, for folks that are in AppSec already, what can we do to help improve the AppSec idea within the industry and within organizations?

tanya_janca:

So there's frameworks, but if we could come up with like a general secure coding list. This is stuff that applies to every framework. This is what we would like, if we could kind of come together on something like that. If we could come together on what makes up a secure system development life cycle. And it could be like, here's phase one, here's phase two, here's phase three. For instance, if you look at another awesome thing from OWASP, it's called ASVS, or the Application Security Verification Standard. They have three levels. Because if you look at level three from the beginning, you're gonna go, Oh my gosh, I could never actually make my house that secure. But if you look at level one, you're like, Maybe I could accomplish this. Maybe I could do this. And then the next year you could take a look at level two and it's like, I don't know, maybe I could do a bunch of this. And then after a few years, the idea is that hopefully you can reach level three. But I feel like sometimes we let perfect be the enemy of good. So for instance, we present a level of security assurance that is like for top secret, super duper amazing stuff, when a lot of us are like the We Hack Purple Academy and community and company: we didn't need to have super high security. I am a security expert, and I'm obsessed with security, so we probably had a lot better security than the average business that just had five employees. Right? But the average company that has, I don't know, a bunch of videos on the internet, they don't need to have really, really intense security. And so when they read something like that, they're like, I don't wanna spend a million dollars protecting something worth half a million dollars. And so I feel like if we could compromise or be a bit more realistic with like the levels of things and offer guidance of like low, medium, high. Someone on Twitter was joking, Let's change low, medium, high to like legendary, well known, rather unknown, et cetera.
And I was like, Oh, this person's got a good point. I like that. But I feel like sometimes we freak out on everyone when something has happened. But if we could start with like, start here, then work up to here, then work up to here. And I'm very biased cuz this is what I teach in the We Hack Purple courses. I believe like, let's start with doing some scans. Let's start with just giving a really basic secure coding guideline and start it as a guideline. Like, these are suggestions. We'd really like to see you do these things and I'm gonna teach them to you. And then in a year from now, it's gonna become a standard. So you have a year to work your way up. If you're worried you won't get there, come to me. I'm gonna help you work your way up. And maybe there'll be some grandfathering in because your app is so old or because this or that. Right? But compromising and just understanding they have a job to do and their entire job is not what Tanya asks them. They have other priorities too. Right. And so if we could kind of come up with like a multi-step process, like start here and then continue to here and just move up a little bit and like try just these two things to start. But most companies that you're seeing, you know, in the top 500 companies, wherever, a ton of them, their AppSec program's very basic and immature and way understaffed and often under tooled as well.

Erich_Kron:

So that was interesting. I love the talk about OWASP. I've been a big fan of OWASP for a while, and I like what they do. I like the guidance that they give folks that, uh, that are getting out there and doing it. And I do believe that while it's not the end-all be-all, it is a fantastic way to get started.

Jelle Wieringa:

Yeah, I like the different levels that they have to basically get you started at, and with something relatively easy, and you can grow into it. I think that's a really good educational idea that they have and a really good approach, because the things that we do in IT are usually, yeah, pretty complex and tough. So making it accessible to everyone, no matter your experience level, is a really great way to improve.

Erich_Kron:

Awesome. Now the next question we had was one that I always love to ask our guests because it's always fun to hear because we've all done these things and she even mentioned earlier failing explosively, which I love. So what we wanted to ask her this time around is what was your greatest failure, mistake or error, and what did you learn from it?

tanya_janca:

Oh my gosh, there's been a few mistakes that I've made. So this is one I made right at the beginning. So this guy reported a security problem and his team had violated a security policy really badly and I can't tell you what it is, cuz of NDAs, we'd violated a security thing. And so we like went in a room to talk about it and I like yelled at him. He's like, Why the hell did you do that? Blah, blah blah. And I got like really upset and like kind of exploded at him cause I was really afraid cuz then we had this open risk. I was just like, my gosh. And like I just got switched to security and because I was so senior, because I have so much experience managing teams, I got this gonna sound crazy, but within a few months they pushed me to the CISO role because I, I just manage everyone. I'm just the bossy type. And just very quickly they're like, you are way more organized and running more stuff than the bosses and so we're gonna just make you the boss. I was like, what is happening right now? And then we had another meeting like later that day and this guy was like, Can you just send me the entire risk register so I could just like look over and see what it looks like? And I was like, No, I'm not gonna send that to you with a secret document. And then both these people recoiled from me cuz I was a jerk and really I was scared and I was stressed and I had worked 18 hours that day and we had this open threat that I was really worried. But I was like, That's not me, Why am I acting like that? And I'm like, Cause I'm scared. And so I talked to one of my mentors and I was like, I feel like I'm feeling I should not have yelled at I should not have been so mean to that other dude. He's like, Okay, so I'm here for you. We've got you your team, we've got you. Like if you don't know what to say, you just look at me and I've got it. If you feel overwhelmed, I've got it. Like, we're your team. We're here to support you. 
And how about you back up and have another meeting with that guy and say you're sorry cuz you're clearly sorry. So I did and I was like, I was a real jerk yesterday. I'm sorry, I was scared and that's not okay, but I wanna apologize and try to start over with you, and eventually him and I became good friends and then we both ended up switching somewhere else and then working together and it was awesome. And the other guy, I shouldn't have just snapped at you and said no right away. I'm like, let me explain to you why I can't give you all the risks across the entire organization, but I can send you your team's and here's how we can work together on this. But I learned to always be respectful. When I was a dev, I was always respectful. I'm like, Why did I suddenly forget about this when I switched to security? It's cuz I was scared. Like I was just so frightened. I was like, a lot of things are depending on me and so it was like everything really felt like it depended on me and that felt really scary. And I was like, I don't know if I'm up to this task. Like it felt like so much pressure. And then when my colleague explained like, It's all of our team's responsibility, not just yours. And it also, even though they don't realize it, is every person in this organization's responsibility, it's their job to do their job securely. And it's our job to help them do that, but I couldn't tell you that cause you were yelling.

Erich_Kron:

One of the coolest things I got out of this was simply the phrase, always be respectful. And if we can remember that and sometimes even if we slip and we make that mistake going back and, and saying, I'm sorry, not an excuse, you know, long day, whatever. My bad, my apologies. That can go a long way and continues down the always be respectful part.

Jelle Wieringa:

People in IT tend to be very technically oriented, so much so that they like machines better than people. But one thing is really important for anyone in here, and that is treat others like you'd like to be treated yourself. Creating willingness in people to work with you, or even for you if you are in management, I think it's one of the most important skills to learn when you're in IT, cuz you've got the technical stuff down already. Now learn to work with people. Learn to work with them and for 'em and it will make your life so much easier.

Erich_Kron:

Absolutely. So this next question is one that we ask all of our guests and I always again, love the answers that we get out of this one. I think there's a lot to be learned from all of these very smart people. So this question is simply. What do you see as the greatest threat to organizations in the next 10 years?

tanya_janca:

Okay, so this might sound really lame, but the inability to patch and release new code updates quickly. But basically if we can't respond quickly, if it takes like weeks and weeks and weeks to make a change, then first of all, we're probably way behind in our patching. We're way behind in updating our dependencies and fixing bugs and stuff. And also if like a big thing like Log4J happens, if it ta like, I worked at this place where it took 18 months to make a code release, 18 months, and an absolute end of the world release like the sky is falling, would take four months. Four months. And that was like an emergency. The world is like, we were in the newspaper for a lot of things that went wrong and they just didn't wanna change. They didn't wanna update the way they're doing things. And I actually resigned in protest formally. I was like, I'm leaving this job. So the person just below the CIO, cause it's a big organization, she took me aside. She's like, I need to know the truth. Is someone harassing you? And I'm like, the truth is everyone's extraordinarily nice here and I wish I didn't have to leave. There's this dear named Steve that's basically become my personal trainer. There's this other awesome dude that we have coffee together, there's this awesome lady and we do this together. And I like actually love working here and I hate that I'm leaving. And she's like, Why are you leaving? And I'm like, Because you won't let me do security. You won't let me do security, you won't let me run scans, you won't let me do security testing. You won't let me look at things. You won't let me talk to devs. Like they literally banned me from talking to devs cuz they didn't want me to put ideas in their head. And I was like, If I can't do my job, we're gonna have some serious security breaches here. And I, I can't have this on my resume. I'm gonna look like a fool. And she's like, Oh, so it's not a big deal. Okay, fine. As long as no one's harassing you.
And I was just like, so shocked. I was like, Are you kidding? And she's like, Okay, well that's it. Everyone was so nice to me that I was leaving. Everyone was wonderful, quite frankly. Like, they're so nice. It was like, well, the happiest places I'd ever worked, I really didn't wanna go. And there have been multiple breaches per year since I left, every year for years. And so I, I think companies that aren't gonna modernize their IT, and I don't mean press a button and magically are in the cloud. You need to like buy stuff to make it better, need to change your processes so that you can release code. And so you can release updates in a reasonable amount of time. And that is the thing that I see most companies so tripped up over. So I feel like yes, I, I want everyone to do cool DevSecOps stuff and do like the super modern stuff and like that does excite the crap outta me. But like securing our legacy stuff and making it so that we're not with our hands tied behind our back constantly by our processes. And I know that's a super boring answer. People are like, I wanna hear about zero days. And I'm like, I'm not worried about zero days. I am worried about it taking four months to do an emergency security release. That's what I'm worried about.

Erich_Kron:

I'm not worried about zero days. Now honestly, I love that because so many of the major problems happen with something that is months old, vulnerabilities that are floating around out there that are exploited, they're unpatched. Zero days are a real threat in a lot of places. But ultimately, how often do we see these things that are getting hit six months, a year later?

Jelle Wieringa:

It is a real security issue. But it's such an important aspect of security nowadays that I kind of agree with her. Step over your own pride. Go fix that stuff. That's really what's important now.

Erich_Kron:

Yeah, it is. It is difficult. Patch management, I mean, it causes problems. You know, sometimes your patch breaks other things. We know this, but that's no excuse not to be doing it and to be doing it quickly. So, having said that, I asked Tanya how people would find her and her blog out on the inner webs.

tanya_janca:

Okay. So if you look up shehackspurple.ca, I have my blog there. I have my newsletter, I have links to like Twitter, LinkedIn, all those places. I technically have a Facebook, but you'll speak to my intern if you use it cause I hate Facebook. But the marketing team told me at We Hack Purple I had to have one else, but I actually use Twitter a lot and all of those things is just shehackspurple as my username. So if you just go to youtube.com/shehackspurple or whatever the thing is, that's me. If you wanna join We Hack Purple, you look up We Hack Purple as three words on Instagram and all the places. Or go to wehackpurple.com and just click on community and come join us and talk. If you wanna learn more about Bright, it's brightsec.com/blog. And I did a podcast too, cause We Hack Purple has a podcast, but yeah, I'm in all of those places. So She Hacks Purple, We Hack Purple and Bright.

Erich_Kron:

I really, really enjoy chatting with people like this. She has so much to offer, so I really hope people do reach out to her and talk to her online, follow the blog, get involved in We Hack Purple and their community. Last words on this, I did learn a bunch. I'm not an AppSec person, but it really made me think about it and, and really kind of understand where we're moving in AppSec a little bit more. It's making me feel a little bit better that there are people like her out there that are championing the maturity of a lot of these programs.

Jelle Wieringa:

I love her energy. She's creative, she's energetic, she's a true entrepreneur that wants to help people and wants to make the world a better place. I think what I got from this episode was I feel like I need to do more of that. I need to help others, and there's a way to do it. She provides ways for it, We Hack Purple, the community behind it. For me, AppSec was always important. I used to lead dev teams. I know that it is important. There's so many companies out there that aren't there yet that we need to teach. This is something you need to spend time on.

Erich_Kron:

All right, everyone. Thank you for your time. Thank you for listening to us here. If you enjoyed this episode, please subscribe and we will be releasing just about every month a new episode. So if you found this interesting or you wanna see some of our other ones, please look us up. If you have ideas that you want to hear about or guests that you want to hear from, please let us know. Reach out to us here, and we will see about getting them on the show or getting those topics covered with the show as well. Thank you for listening and have a great day. Say goodbye Jelle.

Jelle Wieringa:

Goodbye yellow.

Announcer:

Coming up on our next episode of Security Masterminds, We invite you to join us with our special guest, Quentyn Taylor, Director of Security for Canon Europe.

Quentyn Taylor:

When you look at a lot of the information security failures, it's very, very easy to go, Oh, that was an advanced attacker. But if you start to boil all this lot down, it all comes down to really, really basic IT things, so if you are working in an information security team, realize that really tiny things matter.

Announcer:

You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cyber security.

Introduction
How did you get into this industry?
What has been the most rewarding?
A Big Announcement
Are Devs getting more into security?
Alice and Bob Learn AppSec
Creating Secure Apps
How to improve AppSec?
Lessons Learned from Mistakes
What is the biggest threat in the next 10 years?
How to find Tanya
Outro and Hosts Takeaways
Sneak Peek at the next episode