APPLICATION SECURITY APPSEC 101


Episode Description

What We Discuss with Tanya Janca:

  • What is Application Security or AppSec?
  • Tanya Janca’s Book – “Alice and Bob learn Application Security”
  • How can someone start in Application Security, especially if they are trying to move laterally?
  • What is DevSecOps?
  • What is an AppSec Program and how can one make it successful?
  • What does a Mature AppSec Program look like?
  • How do you merge AppSec risk into the infrastructure risk to get a holistic view?
  • And much more…

THANKS, Tanya Janca!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Ashish Rajan: [00:00:00] So hello to everyone who’s, who’s coming in. This is Tanya Janca and she doesn’t need much of an introduction. Clearly if you go by all the hellos coming in, I do want to start with the obvious one, but Welcome to Virtual Coffee with Ashish.

Tanya Janca: [00:00:15] Welcome to you. I mean, you know,

Ashish Rajan: [00:00:18] yeah. And I love the fact that you have, you got something really interesting.

I mean, last guest had an American street whiskey. What are you drinking today?

Tanya Janca: [00:00:26] Soda water with pomegranate juice, because if you just drink straight prom, pomegranate juice is pretty intense.

Ashish Rajan: [00:00:34] Oh yeah. I can imagine. Yeah. Give a bit of background about who’s Tanya, Tanya Janca.

Tanya Janca: [00:00:42] So I’m a giant nerd.

And, I used to be a software developer for a long time. Oh, I, and I met an ethical hacker and he started to teach me about security and I was running this lunch and learn program for my devs. Cause I. So I [00:01:00] was a developer a really long time. So I guess I’m older than I look. Cause I started programming like in the nineties and started working in tech in the nineties.

Ashish Rajan: [00:01:08] You mean you look younger than you look, I think you look younger.

Tanya Janca: [00:01:13] Okay. Yeah. Yeah. I’m in my forties and I’ve been working in tech for like 23 years. This month. Not bad.

Ashish Rajan: [00:01:21] Oh, wow.

Tanya Janca: [00:01:22] Yes. And so, so I switched to security because I thought it was really cool and I became a pen tester, but then I discovered kind of the magical meeting point between software development and security called application security.

And so, you know, you do security testing, you do threat modeling, you teach software developers about security. You help them with their designs. You wait for things and you just, you kind of like support them in making secure software. And then. I started speaking about it and I didn’t think anyone would, honestly, like I was running the OWASP chapter for maybe four years.

[00:02:00] as the chapter leader in Ottawa, where I still live. And I kept saying, I really want to have a woman speaker, and the other guy that ran it with me, Sharif, is like, yeah, you. No way.

Oh, the guys, we would hang out all the time, were like, yeah, we should all do this together. Like, like we’ll support you and you should speak. And so I spoke and I thought I might die, but I didn’t. And then I spoke for all the dev teams at work, and then I spoke at the Python meetup and the JavaScript meetup.

And then, and then my, my new professional mentor. So I had a new one and he announced on the internet, Tanya will be speaking at BSides, can I say.

And so that was terrifying. I spoke at that conference and then people were like, you should try other ones. And I was like, Oh, I don’t know. And so then I just started traveling the world all the time, teaching people about security, and then [00:03:00] I decided to start my own company. So I decided last year and then did it this year.

And my plan was to travel around and teach everyone about security, but we know that that did not work

Ashish Rajan: [00:03:10] out. So.

Tanya Janca: [00:03:12] I am now teaching people on the internet all about how to create secure software. And so I released our first course, we have three more courses coming in the next couple of weeks and I, yeah, I made an online kind of membership community, which we’re moving onto like a much bigger place.

Cause we have more and more people. We want to make it so everyone can talk to each other. Right. And I want to make it so like if you take a class, then you get some membership times that you can like talk with your classmates and make sure, you know, Cause sometimes they want to talk to each other and they don’t want to ask me if that makes sense.

It’s like, yeah. And sometimes you want to have support or friends. And also it’s a great way to recruit people.

Ashish Rajan: [00:03:53] The first question, where does it, how is professional life post transition from Microsoft to She Hacks Purple?

[00:04:00] Tanya Janca: [00:03:59] Okay. So, when I was working for Microsoft, it was really exciting. And I learned a lot of stuff really fast, but it was also stressful to learn so much and travel so much.

I visited six continents last year. I visited Asia, Australia twice, South America, Africa, and then just like zigzag North America. And although that was ridiculously exciting, it was also stressful. And so a lot of people don’t know that because like, they see my newer videos, but I put on like 40 pounds working for Microsoft.

And so then I went from being a stick figure to being regular skinny. And so then quitting, quitting, I just dropped 10 pounds instantaneously. I didn’t do anything. And then now I’ve turned my property into a farm. So I’ve been like living a much healthier lifestyle. So I have [00:05:00] like a lot of like muscle definition now that had disappeared. So like I would play sports and I played drums in a band and all of this before.

And so then I stopped doing that and was just like living on an airplane and then eating food that I wouldn’t normally eat because it’s true. And I don’t mean the super awesome food once I arrive in the amazing country I’m visiting. I mean, all the ridiculously crappy food that you eat while you’re actually in transit.

So the travel to Africa took two full days to get there and you know what they feed you on airplanes? Garbage that looks like food. It’s not good. It’s like, it’s really awful.

Ashish Rajan: [00:05:38] Yeah. Also, so it has been good for, I guess, mentally and physically for you then leaving

Tanya Janca: [00:05:44] way less stressed. Oh my gosh. Like I, and I’m so like I had so much fun and it was like really exciting at Microsoft, but, but also just like overwhelming and I’m really bad at saying no.

So I would say yes to everything, [00:06:00] but now I’ve hired a business manager and he says, no, he’s like, Now Tanya’s not doing that. I’m like, are you sure? He’s like, no, you’re not because I don’t want you working 95 hours this week. So the answer is no, I’m like, okay. Yeah. Two people to say no, for me, it’s amazing.

So I’m still like doing a lot, like this year, I’m writing my first book and it’s coming out in October. And we just recorded one more course for She Hacks Purple, and we have, we have a big announcement. Can I say the big announcement? We are changing the name of our company. Wow. Yeah.

So right now we’re She Hacks Purple. Then in the next few days we are becoming We Hack Purple and we’re releasing like a new style of course, where it’s kind of easier to consume, shorter, smaller bursts. We are in the fall going to be opening this brand new community space. And yeah, [00:07:00] we have like so much in store and we’re starting our own podcast.

Ashish Rajan: [00:07:04] So

Tanya Janca: [00:07:06] a live stream, plus a podcast release and video release. Cause now I have someone that does video full time.

Ashish Rajan: [00:07:12] Yeah. The $300 mic would be worth it.

Tanya Janca: [00:07:17] Oh, well that’s one of many mics that we’ve bought. So like we have now like converted a room into like a full time studio and like just, yeah, like all sorts of things have happened.

And so I’m hiring students and teaching them all the cool tricks and stuff. And like

Ashish Rajan: [00:07:34] Several weeks later, well, people who are students as well in the crowd. So, and some people may be getting introduced to you for the first time. So, yeah. I know I will be. I doubt people don’t know you, but you know, it’s like what, what 7 billion people in the world or whatever.

So I’m sure we can have new, new ones getting born every day. So, and you and I are a certain age that will definitely have [00:08:00] younger people. I was gonna ask in terms of, for, cause you know, it’s a cloud security podcast as well. So what is cloud security for you? Like what does that mean for you?

Tanya Janca: [00:08:11] So I believe that there’s kind of two ways to look at cloud, and one, you can do lift and shift, and so cloud is someone else’s data center, it is someone else managing all sorts of things for you.

So you don’t have to, so you get to take some of the load off. And so you can just take your old stuff from your current data center and then just mash it into the cloud if you want to. And you will end up with stuff that is gonna stay up longer because you have people supporting that and it will be slightly more secure because they have some things that they just secure for you.

However, I think that, I think that’s a waste of money. I feel that you should take advantage of all the super cool stuff that the cloud has to offer, even if it’s just adding like seven [00:09:00] extra protections. So for instance, if you have, well, goodbye, and it is on a virtual machine, you can just port your virtual machine directly.

And, or you could also install, like if you’re in Azure, for instance, cause I used to work for Microsoft, so that is the cloud I am the most familiar with. And what you could do is you could, how to explain it, like, you could install an agent for Security Center and then have it monitor it for you.

Right. Like, I think that, I think it’s really obvious you should do that, but not everyone does. You better believe it? They believe it. Most of the customers don’t check that dashboard, like, right. I show it off to people all the time. I’ve walked clients and they’re like, Oh yeah, we kind of poked around on this.

I’m like, this is amazing. And they operate like there’s a paid, but the free version is absolutely amazing. And like, why would you not turn that on? So I feel that cloud security, like cloud native security, is about taking [00:10:00] advantage of all the super cool things that you can do in the cloud that you just,

it’s not an option on prem. So you, I mean, you could buy a whole bunch of different tools so that you would be able to do it on prem, but like things just out of the box in the cloud that are just already there. Right. Like turn all of the stuff on. Cause you’re paying for it anyway. Hi. Is it any better?

Ashish Rajan: [00:10:21] Yes.

Tanya Janca: [00:10:22] Yes. Okay. Yeah. I’m so sorry about that.

Ashish Rajan: [00:10:27] I’m not even going to ask you as to what vendor was there, because technology has definitely been challenging this morning. I imagine, what’s the name of your book and is it already, can it be pre-ordered? He’s already ready to buy it. You have a buyer right there.

Tanya Janca: [00:10:39] So it’s called Alice and Bob Learn Application Security. And the idea is that Alice and Bob are gonna learn DevSecOps, incident response and all sorts of things. Cause it turns out I love to write. And so you can’t preorder it yet because we still haven’t picked a cover

Ashish Rajan: [00:10:58] because we’re having

[00:11:00] Tanya Janca: [00:10:59] some, because usually, okay, so this is a textbook, so it’s from Wiley books and I’ve written a whole book.

Yeah. And I’m just doing, I’m just like doing little edits now, and, and sources, which is like, it’s so painful. But anyway, so I have like a billion, well, I have a hundred sources. Anyway, that’s fine. Cause I want to like prove all of my points. Cause my technical side, technical editors are really, really, really smart.

But anyway, the idea of the book is that you will learn, it’s sort of application security from A to Z. It’s all of it. Like secure design concepts, secure coding, how to make a secure system development lifecycle, how to create a program, how to do security testing, like everything. And the point of the book is that it is a textbook written in casual language.

And then there’s the stories of these two characters, Alice and Bob, throughout the book, and they have health conditions and families and, and careers and lives. And so there’s [00:12:00] stories about them and how these things truly affect humans. And so when you think about, Oh, should I put this security header in or not?

I’m hoping that when people read, Oh, well, Bob had this happen to him, blah, blah, blah. And it really sucked, or Alice did this and she was so glad she had a password manager or whatever it is that happened. And so, you know, there’s like tips and a bit of code and those things.

Ashish Rajan: [00:12:24] And I love the fact that you use Alice and Bob as well, for anyone from computer science.

Everyone knows Alice and Bob, it’s just something that is drilled into everyone’s head, every story. And every example is Alice and Bob. So I’m glad that you have already, at least I had that when I was growing up. So, I don’t know if that’s where the idea came from, but I think it’s a

Tanya Janca: [00:12:41] great, yeah. That’s where, that’s where, cause, cause, but Alice wanted to get Bob a message, but she wanted to make sure no one else could read it.

Bob wanted to make sure the message was from Alice. How could they do this and SSL.

Ashish Rajan: [00:12:54] Yeah. And I think I love the, the diversity as well, just calling out all genders out there [00:13:00] as well. So that’s kind of perfect. I’ve got a question here from pile Bataille, which is what tips do you have Tanya for the lateral in software?

But beginners in security also, she’s trying to move laterally, I guess, in the security space. What sort of tech stack and tools and platform, but I think, and this is kind of related to the question that I was thinking, which is for people who are new to AppSec or transitioning, what are the basic building blocks to start learning AppSec?

So, and I think that kind of goes into what she is asking as well.

Tanya Janca: [00:13:30] So I have a blog post online that I keep updating with all free resources to learn about AppSec. And then I wrote a 23 blog post series as an introduction, that kind of crash course to AppSec. And then I build courses on that, but

basically you want to learn, so let’s assume you, that you learned the system development life cycle because you know software. So yeah. You want to learn about what you can add to it, to ensure the software at the end is more secure. So [00:14:00] for instance, let’s say that you were involved in getting requirements for the project.

You want to add security requirements. So you would look up types of requirements that you might want. Yes. I have a blog post with a big list, feel free to steal it. And then you would want to make sure that when you’re designing your app, that you’re following design, secure design concepts. And again, obviously I’ve shared a blog post about this, and those are free just to be clear.

And yeah, they talk about it, like least privilege.

Ashish Rajan: [00:14:28] Only thing I was going to add to this was I think, so your point about finding a language and being a bit of a programmer before, would you say some of the blogs that you’ve covered? It’s a great introduction into application security. It’s a great introduction into what the building blocks would be, but I guess that is a big part to be played by the students to go down and find out what language is being used in the organization.

Yeah. Are there like resources? I think there’s a question here. How should one improve skills on static code analysis, any specific resources and any specific tool for recommendation, [00:15:00] but I want to kind of be a little bit more, I guess, one more layer up a bit. Like what is static code analysis in reference to application security?

And then we can dive into the question where do you think?

Tanya Janca: [00:15:11] So all security testing tools from application security vendors tend to come down to SAST or DAST. So SAST is static analysis of code. So it means checking out the written code, it’s if, then, else, it’s looking at that. Well, dynamic, that means interacting with the application as it runs. So in the SAST category, you can do stuff like a manual code review, and you can read the code with your eyes and look for security problems.

What a SAST program does is it will, sorry, it’s like getting, like, say, to what a SAST program does. It parses [00:16:00] all of the code from the entire application or just the part you send it, depending. And then it looks for potential places where a security problem could exist. So let’s say you’re taking input from the screen.

It will look, are you using this input immediately or are you doing some sort of validation on it? And if you’re not, it’ll alert you, that looks bad. You should validate that you’re getting what you’re expecting or reject it if it’s bad and then it will look, Oh, you’re outputting something to the screen.

Oh, is there some output encoding there to make sure that, you know, if there was something malicious in what you’re outputting, it can’t do anything? Oh, going to report that. But then it goes layers and layers and layers deeper than that. It can do many layers of recursion. It could go from function to function, to function, to function, and basically see things that human beings usually miss. That said, SAST tools’ goals are pointing you to potential problems.

It is not answers. [00:17:00] It’s hints. So it’s around, there’s a very large percentage of false positives in the results that you will get. And it’s not that it’s false positives. It’s that, we think there’s something here, here, and here. Go look. And when you look at the results like that, you’ll do better. So how can you improve your skills?

Do it. Join an open source project and ask if you can do code review or ask if you can do tasks on their things. There’s a whole bunch of open source tools that you can use. So for instance, if you’re using Ruby on Rails, you can use something called Brakeman, and it’s free. It’s open source. If you’re doing Python, there’s a whole bunch, including PyCharm.

If you’re doing PHP, Oh, I did a thread like maybe two weeks ago about all the different open source PHP scanners. So there’s, there’s a bunch. For .NET there’s Roslyn. And then there are paid ones and they will go like this, I mean, Ruby, for Brakeman, for them, from what I’m told, like that’s just [00:18:00] what you use, but for, for instance .NET, you might want to buy a tool. They’re quite expensive.

So if I were you, I would use the free open source ones to learn. I would volunteer as part of an open source project or ask at work if you would be allowed to do a scan. They might be quite hesitant, so you could show them, I’ve worked on this already. Also, look and see if there’s talks or workshops, and I’m actually organizing a thing for the fall where there just might be a secure code review workshop that is happening.

That will be free, but

Ashish Rajan: [00:18:35] online.

Tanya Janca: [00:18:36] Yep.

Ashish Rajan: [00:18:37] Oh, you should, I guess people are asking, you should definitely connect with Tanya. Cause I think the one good thing about COVID, I don’t want to talk about COVID completely, but one good thing about COVID is like everyone’s turned international as long as you can make the time.

Everyone can attend any event anywhere in the world. Like that’s what I love about, I mean, apart from obviously not good about the dying [00:19:00] people, but from that perspective, this is amazing that we can all, we can all go and enjoy this everywhere as well. I feel like that’s amazing, but,

Tanya Janca: [00:19:07] I’m sharing a link to you in stream yard that you can share.

So if you follow my, Oh, my OWASP chapter, so OWASP Victoria, we will be sharing stuff about that and it will, it will be October 3rd. Sure.

Ashish Rajan: [00:19:21] So, and it’s been shared across the multiple, so people know this now I’m just moving onto the next question over here and because, and it’s a great point that you mentioned, application security.

You had touched upon DevSecOps earlier as well, and I kind of want to bring it back home for these people in terms of, cause, and it’s because it’s AppSec 101, what is the CI/CD pipeline and what does application security have to do with the CI/CD pipeline? And does that mean DevSecOps

Tanya Janca: [00:19:52] okay.

At the beginning. So DevSecOps is the security component of DevOps. [00:20:00] So it’s what I, as an application security person, do when I work in a DevOps environment. So if I am a, you know, a consultant and my clients are doing DevOps, then I do DevSecOps and it means I still do application security. I’m still trying to make sure their software is secure, but I work with different processes and potentially different tools.

And I do slightly different activities so that I can fit into their processes and not break anything. And so a CI/CD pipeline, in a very, very short, short, short definition, is it is software that you cram your code into. It does some automated tests, and then it releases your code for you. So let’s get into that more, but basically it is a thing that deploys your code for you.

So CI stands for continuous integration. So what we used to do a zillion years ago is we will, we would code separately. We would code all these separate things and then [00:21:00] we would have to do integration testing, and we would mash it all together. And that was always hard. So if you have a software developer that’s working over here and another one over here for six weeks and they haven’t tested their stuff together.

When they go to put it together, it’s going to suck because one of them’s like I was expecting a date field and the other one’s like, but I sent you a string and then boom. Right. So we started doing trunk based development. And so that means checking your stuff back into the main branch over and over and over again so that you check.

So you make sure it compiles, but what’s continuous integration is, is making sure it works together. So continually integrating your code. And that means using a tool while continuous delivery means using this tool to release your code from place to place to place. And so it’s the automation of using a tool to make sure this integration is working all the time and adding all sorts of tests, [00:22:00] including security tests, to make sure that it’s good quality because let’s say we both have a date field and we match the code together.

And it compiles that does not mean it works. Right. So the integration testing is automated in this pipeline and it says, okay, so they both have a date field in the same place where the stuff clicks together. Good. Now, Is it going back and forth and actually working. Does the app start? Does it do the basic things?

Great. Now, can it handle it when I punch it in the face? That’s when I get in there. And so you add security tests and checks, you add quality tests, and security is part of quality, and you do this and then continuous deployment. So there’s continuous delivery and continuous. So continuous integration and then CD stands for continuous deployment and continuous delivery.

And so continuous deployment means that you have so many tests and you are so sure of the quality that you allow it to go [00:23:00] out into the final environment, which is the production environment without any manual interruption. So usually you do a whole bunch of things, a whole bunch of things, a whole bunch of things.

By going through test, test, test, test, and then at some point a human presses the button to go out to production, but that’s where you are so confident that you allow it to completely be automated. And every single new change goes out if it passes every test. And so that’s a more advanced activity. And so DevSecOps is us weaving security

into those parts to make sure it’s appropriate, but it is also knowing when we should not put a security test in the pipeline because it’s too slow or because the results, for instance, like we talked about with SAST, if you scan an entire code base, there will be false positives. Right? So let’s not put that in the pipeline because we want to enable them to go fast, but we will put it outside the pipeline and maybe we’ll [00:24:00] just check the little tiny bit of code that they checked in.

And so it’s about not breaking their processes, not stopping their speed, but ensuring that they are creating secure software reliably.

Ashish Rajan: [00:24:12] That’s a great, that’s a great definition. I think I did want to call out the fact that it’s always good to kind of see from different perspective. Like I think when people talk about, say a static code analysis, I think that you mentioned that earlier too.

I love that the line you shared, it’s just hints. It’s not the solution, because people send like, you get a report and you just send it across the whole thing, go fix it. And you’re like, but most of them is just false positive. So I’m glad you mentioned that thing, but taking that, I guess, taking that a level up, we spoke about DevSecOps, the CI/CD pipeline, but obviously there’s like a program of work that needs to be done before you can do any of this as well.

Right. And, I think where I’m, what I’m hinting towards is I just saw a question, which I, I unfortunately missed earlier. How do [00:25:00] you move? On, when something do not work with either building a company partner company, building an asset program, how do you transition corporate world to entrepreneurship?

And there’s another one from the last partnership you had with the company to the present. One is sometimes we lose persistence concentration or learning from something. So I guess. Kind of like losing people who have the knowledge and do build an AppSec program. Thank you for that question. That engineer, as an engineer

Tanya Janca: [00:25:27] When I left Microsoft, a bunch of AppSec people and I were chatting about how hard it is to hire AppSec people.

And we were joking that a white van would come up and someone would throw me in. And that that’s how you recruit professionals.

Ashish Rajan: [00:25:43] So the current processes, are you okay to be tortured in a white van?

Tanya Janca: [00:25:48] No, they, they, they’re very nice to you once they get you, but you can never leave.

Ashish Rajan: [00:25:53] And it’s true though. It is, it is actually true, quite hard to find, find people who want to move into the AppSec space as well.

Well,

Tanya Janca: [00:25:59] that’s why [00:26:00] I’m trying to create new AppSec engineers with my company, but how do I continue to have persistence? I feel like my middle name should be resilience instead of Christine. Because that is, I just, I can’t stop. I don’t know how to explain it, but like, I, I, I always need to have goals. If I, if I don’t have goals and things I’m aiming for, I feel really rudderless and I get

really frustrated. I have a lot of energy, so, sometimes people will talk about how many spoons people have. I don’t know if you’ve heard of spoons, but the idea is, is you start the day with like 20 spoons worth of energy and then certain things cost a whole bunch of spoons. Like if you have an argument with your spouse, it might cost you like 10 out of your 20 spoons for the day.

Then, you know, you get on the bus and it’s really crowded and really sweaty and it’s awful. And so then you end up using like two spoons on the activity, right. And then part way through the day you like run out and you’re just totally exhausted and tired. So I have like [00:27:00] 500 spoons per day. Oh,

Ashish Rajan: [00:27:02] that’s why the muscle tone that you mentioned about earlier you’ve been working out.

Tanya Janca: [00:27:06] I, no, but not just physical energy, but I mean, like, I have the ability to work for like 12 hours straight. I have the ability to like work in my farm for two hours and then like, I’ll give three talks in the same day. I’ll like, I just, I have so much more energy than the average person and I have to burn that energy off or I can’t sleep and I can’t.

be a patient, happy person. So like, I’ll go running, or I’ll build things with power tools, or like, so I have this energy to burn off. So when I give talks, I am expending a whole bunch of energy and it’s awesome because I need to get rid of it. That’s why I used to play like hardcore music and like punk music.

Like I’d be drumming and screaming. They’re like, yeah, this is great. Cause I’m like exploding with energy and I know some people kind of go up and kind of go down, but I just tend to go up, up, up, up, up, [00:28:00] up, up, up, up, up. It’s great. It’s really great. It’s great to have a lot of energy. I had no idea. Like I had no idea that I could find the limit of that.

When I worked at Microsoft, I found my limit a bunch of times where I was like, Oh, okay. So

Ashish Rajan: [00:28:18] that’s it. That is interesting. So to your point, and I think it’s amazing that you have so much energy, because very few people have met you and spent time in Perth with you in person. They all know you, you’re like a ball of fire walking around as well, for lack of a better comparison.

I do want to kind of point out something which made me realize some people might not even know what an AppSec program is. And it kind of goes back into the maturity level conversation as well. We spoke about the building blocks and how to become an AppSec person. But if you’re trying to run, if you want to measure maturity of AppSec in your organization, like what’s the, what’s the step one?

And what’s like step 20, I

Tanya Janca: [00:28:53] guess, of maturity. An application security program is you formalizing [00:29:00] steps as part of your system development life cycle for security. So adding security steps as part, so that happens every single time. So there’s no project that gets out where no security happened, and it needs to be the same steps, and slowly you add more steps.

So my very first AppSec program that I started, it was like, Oh, I wish I could show you the sticker, but basically, it was like this giant dumpster fire, this giant dumpster that was on fire. It was so bad. And, so I, I asked, like I showed with money, with metrics, how much money I could save them.

And they said yes. And so I have a whole bunch of developers who have never really had to deal with security before, or if they did, it would be like an external pen tester that would come in, they would do, they would give them pen test results. And then that was it. And that was their entire effort towards securing their software.

So I made them a secure coding guideline and, quite frankly, now that I know a lot more, that [00:30:00] guideline sucks. I’m so much better at communicating. It was like 25 pages long, that’s way too long. A bunch of parts were vague and didn’t make as much sense, cause I didn’t understand it as well as I do now. So now when I make a guideline, it’s like, okay, here are the 14 commandments we’re going to start with.

And then here is a link on the Wiki of the code of how to do each one, right? So I gave them a secure coding guideline that. I know it’s not very good, but it was the best I knew how to do at the time. And then I gave them all OWASP ZAP and taught them and gave them a safe place to do security testing.

And I said, just run the automated attack scan. That’s it. And if your app is internal and has nonsensitive data fix this. If it’s external, you have to fix at least this. And if there’s sensitive data in it, you also have to fix this stuff. And then when it comes to me, I will attack it for real, because I don’t have time to do all of that.

And so if it gets to me [00:31:00] and then I run my tools and I find crap that I know ZAP would have found. I will make fun of you at your desk. And since I was their peer, cause I’d been a dev, they’re like, no, no teasing. So whenever something got to me and then it would be in good security shape, I would run over to their desk and high five them so that everyone could see, they knew it was the security team, approving their app.

Ashish Rajan: [00:31:23] Oh, wow. That’s a good, that’s a good way to show positive reinforcement as well.

Tanya Janca: [00:31:29] Yep. And so then I told them like, if you don’t know how to fix something, you tell me and I’ll come help you fix it, whatever it is, I don’t care. And so that was the beginning of our AppSec program was secure code guidelines and this type of security test.

And then Tanya will try to do a pen test on it if she has time. And I only had four months to develop that and train. So I trained every single software developer, how to use that. We got a sandbox going, no one, no one broke anything. So like no one used that for evil. Like they’d been [00:32:00] afraid they would.

And I was like, dude, software developers. If they wanted you to be in trouble, if they wanted to wreck things, they could, they’re all hackers. Just, no one told them yet. And so, that was my first AppSec program. And then since then now, like, Oh my gosh, I know so much more. So I usually start with, I want the very first thing I would do now that I know more is I would do inventory and every new app, I would just run a quick DAST scan on it.

So dynamic application security testing scan. So like, OWASP ZAP, Burp Suite, Acunetix, WhiteSource software. There’s like, there’s just like this long, long list. Right. Yeah. and then I would try to make a complete list. So an inventory of all the apps and I want it to have on there. So all the different environments where I can find that app, I want to know its tech stack.

So is it in Java, Java? What, Spring Boot or Struts or something else? I want to know. Who do I contact? Like which dev team. And then I, and I want links to it. [00:33:00] I want to know where its code is stored. Then I would set up SCA. So software composition analysis, just aim it at every code repository that I can get read access to. With that you can have a very decent picture of what your security posture looks like.

So, first of all, you’re going to find a bunch of apps you didn’t know you had, I have like in my community, I’m always like sharing how to do stuff. And so I have a thing about how to do inventory internal to your network. Because you probably have a bunch of crap you don’t know about. And then once you have this list and you know, you’ve seen, okay, so these apps are totally on fire.

These apps, it seems to be okay. You know, then I want to issue guidance and I want to start having certain processes. So secure coding guideline and you know, an application security program document. So let’s say we’re going to DAST scan each app before it goes to prod. We’re going to do this.

And so slowly start adding things and support [00:34:00] also, when you, when you do that scan of everything, then yeah. You make a list of your top three problems that you’re seeing the most. So people will report problems to you, but you want to put all of this into an Excel spreadsheet or even better if you happen to have.

Vulnerability management software, like DefectDojo, which is free. You figure out what your top three problems are. So I do this for clients all the time. I like love to mash data into Excel and just like, press some buttons and be like, people, look. These are your top three. And then I want to educate on those top three right away.

So it’s usually cross site scripting. No one is using security headers. And then the third one is always completely different for every org. It’s always something weird. And just start educating how to fix those things and start specifically testing for those things and trying to bring that way, way down.

Yup. And that is usually the beginning.

Ashish Rajan: [00:34:53] So what’s the, so what’s the, I guess the ultimate. So to your point, the ultimate mature state is when the developers [00:35:00] themselves are running OWASP ZAP and not coming to security team. Is that the ultimate?

Tanya Janca: [00:35:05] No, I would say it’s when you have an application security program that releases.

Reliably secure software that you can afford. So I’ve seen people spend zillions of dollars. That is not what you need to, that’s not the requirement. The requirement is that you reliably release pretty darn secure software. So I want software where the average attacker cannot get at it. If a very advanced tech attacker like a nation state wants in, they will get in.

so most of my clients like it’s. It’s not like a spy agency, right? It’s corporate corporations that want help or governmental organizations, but that don’t do top secret things that want help. And so if, you know, a very advanced nation state really, really, really, really wants to get in, they will get in, but I want to make it so that a malicious actor would [00:36:00] have to, it would be so expensive for them to get in that it’s not worth it.

That is what I want. That’s

Ashish Rajan: [00:36:07] so, I love the answer and I think it’s a great segue into the next question. That’s come in as well. There are quite a few questions coming in, so I’m going to try and go through as many as possible as well. Are there any specific tools used for threat modeling as part of CI/CD or is it conducted separately?

Tanya Janca: [00:36:24] Okay, so threat modeling is generally considered. A manual task and there’s Threat Dragon to help you do that. You can also play Elevation of Privilege or just get, just get the card game, just go through the cards. You don’t have to actually play the game.

Ashish Rajan: [00:36:42] there’s a question about the best way to describe STRIDE or DREAD or something else.

Like what are those for people who don’t know?

Tanya Janca: [00:36:49] So I’ve actually never used DREAD, but I’ve used STRIDE, so there’s different. So there’s different methodologies for threat modeling and STRIDE is a very well known one [00:37:00] and STRIDE is an acronym. So S T R I D E and each one of them stands for different things.

So S is for spoofing. So are they trying to pretend they’re someone else? So someone trying to pretend they’re me and log into my email. Or tampering. So is someone trying to delete all my emails, or sending emails without, I don’t know, mess up my emails somehow. Right. And so each one of the letters. It’s a different word.

There is a potential threat. And so you’ve tried to find out if those threats apply to your system and you identify those threats, you rank them based on how scary they are. And then you decide if you will. Put forth effort and money to mitigate those threats. So fix the problem, or if you will accept the risk, which means it’s still documented, but someone who has authority has said, I will accept that risk.

and then sometimes it means you fix it later, or you do something to reduce the risk, but not fully mitigate it. So, Quite often clients will [00:38:00] come to me and they’re like, listen, we have like 20 new apps, but we have these four apps that are 5,000 years old that we got. When we acquired a company they’re in bad shape.

What do we do? And I say, let’s put a RASP, runtime application security protection, or a WAF, web application firewall, which is a shield. Let’s put that in front of it for the first year. While we make it so that it’s compliant with all the other stuff we do. So it’s a bandaid, but it’s not a permanent bandaid.

Right. So let’s reduce the risk greatly by adding that, because right now they’re scary and I don’t feel they’re safe for the internet. Certainly don’t want to let that stuff on your network until we put a shield in front of it and then we’ll start fixing it. And then eventually it’ll be good enough to not have the shield anymore.

Ashish Rajan: [00:38:43] And I think it’s a good segue into the next question as well. What’s the most difficult piece of AppSec discipline to explain again and again for others to try and understand it better and more crystal clear manner. It’s a great question, by the way.

Tanya Janca: [00:38:57] honestly, the biggest question that I [00:39:00] get, which is usually towards the end of every Q and a session is.

How do I get buy in? Because I feel like half my job is fighting with management or fighting with dev teams. And so you have to learn negotiation and persuasion tactics to be good at AppSec. And sometimes that means you also have to be a jackass. so I, I always start with sugar and honey and sweetness and I’m like, Hey, I found this thing wrong.

Can I help you fix it? What’s up. I brought donuts. but then, if they’re not fixing it, you know, I’ll talk to their boss and I’ve had bosses say, don’t bother my developers. I don’t have time for your crap. And their apps are on fire. They’re awful. Right. And so then, then I move up from there. So, I start with explaining the risk to them and holding lunch and learns and trying to reach them with logic.

And if not, you know, I’ll talk to my manager and try to get some power, but the best [00:40:00] ways that I have seen, and these are like confrontational ways that will not make you friends. So one create a proof of concept where you just destroy their app and humiliate them, just send it to them. Don’t send it to everyone else.

Yeah. Hi, this is me framing your website and stealing all your user’s credentials. Yeah, that’s prod. I did that. So like, I’m sending it just to you, but this took me an hour, so we fixed it. Now another way is to, I, I invented this at one of my jobs, and it’s called the risk sign off sheet, the risk acceptance.

Documents. And so I write out all the risks of things that they’re not willing to fix. And then I send it to like the chief information officer and the chief departmental security officer. And I say, Hey, would you sign off on the risks? Like we had this pen test done two months ago. No, one’s willing to fix basically anything.

And the app is on fire and they want to put it live on the air. And I’ve like laid down in the street front of the car, but they’re still going. And so I don’t know. [00:41:00] I do. And so it’s like, If a security incident happens because of this, like I have made you so aware, there’s just, no, you know, I’ve made my feelings known and then every time the person’s like, I’m not signing this crap, Tanya, I’m not signing this.

No, but then they give me the power to go fix it. Right. So they’re like, you’ve

Ashish Rajan: [00:41:21] told them

Tanya Janca: [00:41:23] is not acceptable and it’s because they didn’t understand. And I wrote out and explained it. And then the last one that I’ve done is resigned. I’ve resigned in protest. I was working at this place and everyone was so nice and they would not do any AppSec.

And all I did was incident response, like all the time, they’re too afraid to let me run Burp Suite. They’re too afraid to let me do security testing, so terrified. And so all I did was respond to incidents all the time. And so it’s, incident response is equally exciting and stressful. And as a person who like just goes, I [00:42:00] just get very excited.

I would find myself feeling like so energized. I wouldn’t be able to sleep. Like it would take me like two or three days to come down. And I’m just like constantly doing incidents all the time. Like, did your church, your teacher, and I wasn’t doing the job they hired me for, which was security testing and, you know, writing secure design documents and stuff like that.

And like threat modeling. And so I was very upset. And so, after nine months I resigned, even though the people on my team were really nice. The upper management just wouldn’t let me work. And the really big boss took me aside and was like, I don’t understand. It hasn’t even been a year. Why are you quitting as someone harassing you?

I’m like, everyone’s so nice. They’re so nice to me. I like flat tire and like, they all had to fight as to who would drive it in the home. Like there’s so nice. It’s ridiculous. How nice it is to work here. I don’t want to, but you won’t let me do my job and I can’t have my name on this crap. It just can’t.

You won’t let me do what you hired me for and I won’t stand for it. And they’re just like, are [00:43:00] you kidding? I’m like, no, I quit. Like I found another job it’s too late. You just keep roadblocking me. Roadblocking me for nine months. You won’t let me have tools. I just I’m out and they’re like, so no one’s harassing you right now.

It’s a lovely, I literally get hugs. This is the best work environment ever. I

Ashish Rajan: [00:43:21] thought that was just a Canadian thing. Like helping be helping people saying yes. Thank you. Sorry. I told her a very Canadian thing, but sure. I guess workplace as well. Let’s go with that.

Tanya Janca: [00:43:30] Yeah, no, they were just they’re there.

They’re great. I really liked working there. There’s awesome bunch, but the upper upper management were just too fearful of change. There was another question that I wanted to do.

Ashish Rajan: [00:43:43] Sure.

Tanya Janca: [00:43:44] What one question that someone asked. So how do you do threat modeling in CI/CD?

Ashish Rajan: [00:43:50] Oh, sorry. Yes. How

Tanya Janca: [00:43:52] do you automate that? So you can’t really automate, automate it well, from what I know, but you can do this so you can do two things.

If you are going to [00:44:00] release a new feature, manually threat model just that feature. If you’re going to do a major new release of your app, threat model that, but when they’re releasing little fixes and this and that. You don’t need to threat model that in your pipeline. So one of my clients thought of this and he’s a brilliant, amazing genius guy.

He’s so awesome. And he’s like, we can’t automate threat modeling, so let’s automate our reaction to a threat model. So we had this five question thing and I can’t tell you all the questions because of their personal stuff, but basically is that app public facing or internal only? Does it contain classified information or not?

Is it considered one of the five mission critical apps or not? And then two questions that are their business that I can’t share. And then the CI/CD pipeline will fail or not fail based on that small JSON file that each app would make. So let’s say an app is internal and has [00:45:00] no sensitive information in it, and it’s totally not mission critical.

So I’m not going to let criticals go, but like lows and mediums, maybe even highs, I’ll still let it go to prod. But then the high goes in, automatically goes into the bug tracker. It’s like, I need you to fix them five business days, yo. But like, I’m not going to block your little change or whatever. It’s fine.

Like it’s, it’s. We’re willing to accept that risk, but if it’s public facing and it’s one of the mission critical apps, because they have one app that ever is the thing, it’s the very important thing. So if it’s that app, and so then it is public facing and it does contain sensitive data because it’s that app. Then I’m sorry, unless it’s a low, you do not pass.

Go do not collect $200. Like, I’m sorry, I’m breaking this build. Right. And so with this, we can automate the reaction of the pipeline. Does that make sense? And so like that’s as good as we could come up with to automate for hundreds of apps. Yeah. and there’s a couple other ones where we still [00:46:00] put them on the mission critical list, even though it’s not the one.

but they’re still very important. And like, this is, this is about like negotiating. So again, as an AppSec person, negotiating and persuading, this is you. And so we’re also on the lookout though for people filling out that JSON file and having it be a lie. So we are making it a policy that you must fill this.

Oh. And how to fill it out. And so if someone puts, Oh yeah, it’s a, it’s all public facing data and it’s, and then it’s not true. There’s going to be a discussion about that. Right. So like you put this file in and this is a lie, so your, the risk, so this is a security incident and no, right. So.

Ashish Rajan: [00:46:43] Yeah, I’d love the automation of a threat model.

Cause I think that’s a very common question as well, but to your point, so I guess with AppSec programs and making a policy sounds a lot like. Absolutely requires you to be a human psychology kind of person as well. So understand [00:47:00] and drive and motivate people. So I feel it’s a security thing in general.

I feel is that, am I getting that right?

Tanya Janca: [00:47:07] I feel like you have to have really good soft skills or you will be an awful application security professional. And I don’t mean you have to have pretty good social skills. You have. To have really, really good communication and persuasion and negotiation skills. You need to be able to have empathy.

And I don’t mean like, feel sad when you see a sad puppy. what I mean is that you need to be able to say, okay, so the software developers are in this situation where whatever the thing is, right? Like, yeah. Sometimes just even just like when I, as a pen tester, I would always just go tell the teams early about my results.

I’m like, listen, I found this and I want you to know now so that you can fix it before the end of the engagement, and then I can retest it for you. you know, like then if you want, like you’re paying me, I’ll drop it off the report. Right. So you look really smart. Oh, [00:48:00] Tanya. Silver is fantastic. So there’s no highs coming out from the fix them.

Yeah. First. Right. But this makes them look good to their bosses. It makes them happy. And if they’re the one paying me, they’re the one I’m serving. Right.

Ashish Rajan: [00:48:10] And to your point, because even if you maybe try and transition to AppSec, like you can already practice the skills already because to your point about being a security champion earlier, you can only start pointing this out and we’ll start working on your soft skills and persuasion that, Oh, not tactics, but skills, I guess, as you’re going through this convincing exercises in your team, which are people, you know, these are not external people as well.

These are the people, you know, you work with. So I think that’s a great advice. I know I’m just conscious of time. Yeah. I’ve got one more question that I wanted to address over here. It’s from Michael, a great guy, by the way. how do you manage, how do you merge infrastructure data into AppSec risk, as a low spec security app might be more important knowing it’s exposed in the infrastructure.

Tanya Janca: [00:48:55] so infrastructure, basically what I tell AppSec [00:49:00] people is that. If your app lives on insecure infrastructure and your app is Bulletproof, but your infrastructure is wide open. You still have a big problem. And you still have a look on your face if your app gets hacked because of it. And so I generally try to work with the network security team to come up with processes that work for both of us, so that we can make sure you know, that there are things are getting patched.

Well, our things are in line with their processes. So for instance, let’s say you work in a dev ops environment. So I would want to have infrastructure scans. I also would want to take all of that data. So I’m like, I really like data for a while. I had a job where I had to massage huge amounts of data, really weird data sets so that they could make sense.

and I really liked it. And I like to take the infrastructure data and the app data and put it together and talk about like what types of things you’re seeing over and over again. So [00:50:00] what types of patterns can we, can we fix these patterns? Right? Like if the app has a critical, but then the infrastructure has like 99 highs.

Which is the thing you fix first? Is it two separate teams fixing these, or if it’s dev ops, is it the same people? Right. and so I, I definitely feel that it’s a complete picture if you have both, if that makes sense, and you don’t have a complete picture, if you just have one, I know lots of organizations that they don’t have any AppSec people.

So they’re just scanning with Nessus and this, this is an awesome tool to scan your infrastructure. it doesn’t really do app scanning. Right. That’s not its job. It’s awesome at its job. And so then you only have a partial picture, so yeah. I feel that you need to look at both and then, then have a constructive conversation about what you’re going to fix.

First. I also think it’s really important to look at both, to see what types of patterns you’re seeing [00:51:00] and seek out the way to solve the patterns. So if you work somewhere and no one’s ever patching. Cause there’s a reason. They’re not like, like having the secure, the software insecure. There’s no infrastructure person.

That’s like screw security. I’m going to make things insecure on purpose or I’m so lazy. I’m just going to do no patching. That’s not what’s happening. What’s actually happening is they’re in a situation where they have 25 different approvals. They need to issue a patch. So it’s slow. Or they missed this part because, their tool doesn’t scan into that.

Sub-net because there’s a firewall or something, and I didn’t realize it, or like, there’s like real reasons behind this and it’s almost never malicious intent. Right? Yeah. So it’s usually, yeah. Some sort of process that’s broken. And so you want to figure out ways to improve the processes so that these patches are getting out.

And so that the software developers are able like that they have the knowledge. And the resources and the [00:52:00] time and the processes so that they can release fast fixes because I’ve worked at places where I’m like, Oh, these people are super smart. Oh my gosh, these processes are debilitating. No wonder this app is like, kind of garbagy right now because they have both hands tied behind their back.

Okay. So how can I, how can I help untie a hand?

Ashish Rajan: [00:52:20] So this is a great way to look at it. And I think, That’s the, I do want to put a hard stop with this. Like I need to bring you back again. Cause the questions still keep coming in. I’ve got a few questions that are on container security and stuff as well, but I I’m conscious of your time as well.

I do want to move into the last section, which is a fun section. So I love, three questions. First one being, what do you spend most time on when not working on AppSec, cloud or technology in general.

Tanya Janca: [00:52:47] I work on my urban farm. I’ve turned my property into a farm and I am growing enough food that now we’re starting to sell the food.

Ashish Rajan: [00:52:55] Wow. So you’re a Tanya AppSec person, founder [00:53:00] and a farmer.

Tanya Janca: [00:53:02] Yep. Yeah. We’re actually thinking maybe like next season, starting like a farming channel because we have basically like, it’s like a house. So the front lawn and the backyard. We were turning into a farm. So we have a greenhouse, we may we’re growing like some food vertically, upwards, and some vertically downwards.

And then a whole bunch just like giant open sun. And yeah. How did you like irrigation to save water? How to like Reese. So like. Composting all your food and all of that stuff so that you can create delicious food at home. So I am eating food that sometimes was picked five minutes ago for dinner. And that’s

Ashish Rajan: [00:53:46] so jealous a fee.

I only get the fertilized food from supermarket. yeah, I’m not going to go into that from very different topic. What is something that you’re proud of, but it’s not on your social media.

[00:54:00] Tanya Janca: [00:54:00] Mmm. I, I am very proud of how far WoSEC has come since I started it two years ago. So Women of Security, my friend Donna, and I started the first chapter and then we added Chloe Messdaghi, and then things just exploded.

And then now we just had our first board of directors election and yeah, and we are now doing legal steps to become a nonprofit and we have multiple sponsors and we have. So we decided actively to stop opening new chapters, maybe six or seven months ago because we’re growing so fast that we’re kind of tearing apart at the seams.

So we have 32 worldwide chapters, and now we are creating like support systems for each chapter to make sure they can grow more. And we are like investigating ways that we can reach more women that don’t live in major cities. And. Just like have people connect and create [00:55:00] like real longterm friendships.

We’re helping women find jobs. We’re helping places that do have really good culture or attract really amazing women. And, it has resulted in women starting businesses. Mmm Hmm. I have hired people from WoSEC, like for contracts, for my new business, because we don’t really have any full time employees yet.

It has resulted in mentoring, mentoring, like mentor, mentee relationships. I think that, yeah, cause it’s been enough time now. So one of the chapters, there was a sexual assault in her school and she told her chapter later and her chapter told me, and it was a member of the faculty who was, what is it called when they’re permanent, tenured?

Yeah,

Ashish Rajan: [00:55:41] I guess, but yeah.

Tanya Janca: [00:55:43] Yeah. I used my social media prowess and power to make them launch an investigation and they fired that person. Yeah.

Ashish Rajan: [00:55:52] Good riddance.

Tanya Janca: [00:55:53] Yep. And so us using our power together to like, to help each other flourish, [00:56:00] but also protect each other when it’s needed. And so having like more senior women be able to like, You know, teacher opened doors for more junior women and having more junior women have like, you know, a whole bunch of women that they can trust that will help them.

It’s been so unbelievably rewarding and just like, and like all the leaders around the world for these chat, like I admire them. They’re amazing. And I feel like, they’re like, Oh, you’re amazing. Cause I’m like, no, no, it’s you.

Ashish Rajan: [00:56:31] I think I’ve met a few, the ladies as well as I think it’s an amazing group.

And congratulations. I didn’t know that, but it’s amazing. I think it’s an awesome effort that you guys are putting together. Although wanna say ladies? Cause it’s like, I feel like guys are very annoying. It’s funny. I’m trying to unlearn what I’ve learned. Even things like no man’s land. I’m like who the hell made like a man plan.

Yeah. Anyway, you don’t, unless you start registering and you’re like, Oh. There’s a lot of [00:57:00] conversations we have in general English, which is very man centric, but at the same time. And that’s why I truly appreciate the work that you’re doing. cause I think we definitely need a lot more, I guess other genders as well, insecure, not just men.

I don’t, I don’t think it’s a fair, but because the language itself is very different. Funny. when the gender, when the Black Lives Matter conversation came up, one of the things that came up was around. The Git branches being named master, as in slave master, and feature branches like

Tanya Janca: [00:57:32] before GitHub, it was always the main branch and then the children branches or the leaves or whatever, it was never called that.

And then GitHub added it and I’m like, Oh,

Ashish Rajan: [00:57:43] Yeah. And now you look back into like, actually, there’s a lot of things that we do subconsciously. Yeah. It’s a whole different topic. I’m not going to get into that.

Tanya Janca: [00:57:51] I actually changed the language in my book because there’s a product called, you know, application whitelisting, but there’s negative [00:58:00] connotations between whitelist and blacklist.

And that’s not really what you do. It’s really approved or blocked, it has nothing to do with colors. And it

Ashish Rajan: [00:58:08] actually has.

Tanya Janca: [00:58:09] Yeah. So, Microsoft. Has named their product application security control tooling, and then Carbon Black changed the name of their software from. Whitelisting software to application control software.

So I was like, I’m going to change my book. So I had to go through every single part and re-publish.

Ashish Rajan: [00:58:31] Hopefully

Tanya Janca: [00:58:33] I know they were like, yes, they’re totally on board for that because we don’t realize how our language can imply things that we to, and it’s like, Not that much effort to just not be a Dick.

Ashish Rajan: [00:58:48] Yeah.

It’s like, it’s hardly that hard if you, if you really try to be, just do the bare minimum things as well. I do want to call out the, yes, I’m going to one more question. What is your favorite cuisine or [00:59:00] restaurant that you can share? Well, I’m assuming it’s from your farm, but I’ll just let you a few more dealers.

Tanya Janca: [00:59:07] So you asked this last time and I said Thai food, because I can’t create Thai food like Thai restaurants can, but I have a brand new dish that is now my favorite dish. So I have a zucchini-mageddon happening right now on my farm. So I planted too many zucchini plants. So like I literally harvested like six today.

And I had like five yesterday and there’s a whole bunch where I’m like, please stay on the vine, I’m not ready. So I have so many squash. And so, so like literally like five grocery bags full of stuff. And I only took some of the things. So it’s like out of hand. So I don’t digest gluten very well. so I don’t usually eat it.

And so I find gluten-free noodles are usually like, not very good. The texture is not that great. So I learned how to make. Zucchini noodle lasagna. So I’ve not [01:00:00] had lasagna in over a decade because gluten, like the gluten free, it’s just like, ah, and so, Oh my gosh. It’s so good. I actually made the whole thing again, like a few days later and it was, it’s just so amazing.

I had it, used two gigantic zucchinis, both. So I was like, yes. and all these amazing frozen dishes. So one is like a cream. So zucchini lasagna with like chicken in it. And then the other one has like ground beef and like a tomato sauce. And it’s just like, Oh my gosh. So good. So I’ve always not really liked pasta very much the past couple years, because gluten free pastas aren’t the same.

Yeah. But now I’m like, maybe I could be into pasta again.

Ashish Rajan: [01:00:44] Oh, I, I, yeah, I think I’m go rid of definitely male, male master chef out of a lot of, a lot of people. So I’m not doubting that. Like, I think I’ve been like my wife and I’ve been cooking quite a bit as well, so I totally get where you’re coming from.

I think we’ve made a lot of different dishes as well, but I do, I did want to call it [01:01:00] out that, It it, I think it’s been amazing. I just wanted to call it. Thank you so much for sharing all of that. And I do appreciate the fact that you’ve given out, I’m going to reach out to all these people who have asked these questions and get them the promo codes.

So, or what’s the scenario we ask them to reach out to you so they can get a bit more. A one on one, if they want you to have that conversation as well. Like, cause I think we didn’t, we couldn’t get to answer all the questions, so maybe they can reach out to you. Yeah. But I think it’s amazing. I do appreciate the time you’ve spent on this.

I think a lot of people learned a lot of things from this. Well, you meant from like application security, beginning basics, building blocks to building apps like programs when we’re designing from companies, because we don’t like that term. I love the spectrum we covered and I’m pretty sure other people did as well.

So I do appreciate the time as well. I can’t wait to bring you back again and find out what else you do with your farm.

Tanya Janca: [01:01:54] I know, I know it’s so

Ashish Rajan: [01:01:56] much. Yeah. Thank

Tanya Janca: [01:01:57] you so much for having me.

Ashish Rajan: [01:01:58] Thank you. And I’ll [01:02:00] see, I’ll see everyone next week with any episode. Thanks so much for coming.
