Application Security Engineer Skills


Episode Description

What We Discuss with Tanya Janca:

  • 00:00 Intro
  • 08:38 What is application security + why is it important for a company?
  • 11:37 Skillset required to become Application Security Engineer
  • 24:01 Future of Application Security Engineer Role
  • 27:38 Certifications in App Security
  • 31:43 Soft skills required to become an Application Security Engineer
  • 37:41 Standing out with Personal Branding
  • 42:06 Starting out in Security
  • 47:08 Role of Cloud in Application Security
  • 50:08 The Fun Section
  • And much more…

THANKS, Tanya Janca!

If you enjoyed this session with Tanya Janca, let her know by clicking on the link below and sending her a quick shout-out on Twitter:

Click here to thank Tanya Janca on Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Tanya Janca: Hey.

Ashish Rajan: Welcome. Thank you for having me. Not a problem. The funny thing is, because you and I have known each other for a while, we're not going to keep talking about everything under the planet, but for people who may not know who Tanya is, can you tell us a bit about who Tanya Janca is?

Tanya Janca: Okay. So I am an application security professional who founded her own training company.

So we're called We Hack Purple, and basically we teach everyone and every person how to secure all the things, specifically and mostly software. But we also recently started covering Azure cloud security. And I wrote a book, Alice and Bob Learn Application Security, and yeah,

basically I just do all the things to try to help people create more secure software. And I have a community, the We Hack Purple community, and it's free, and basically I hang out there. And I write blogs and I stream, and I am a nerd on the internet. That's the main thing.

Ashish Rajan: So the gist is: a nerd on the internet with a book called Alice and Bob Learn Application Security. By the way, people who haven't checked out the book should definitely check out the book.

It's pretty good. I think I've [00:01:00] recommended it to my team as well. So this is definitely something they should go into. But you mentioned you were an application security professional as well. We kind of started off this thing: you're a drummer, a singer.

How did cybersecurity happen for someone who's a singer? You just stumbled into being a nerd?

Tanya Janca: No. So both of my aunts and three of my five uncles are computer scientists. So a lot of my cousins are engineers and scientists and computer scientists, especially. And so when I said, hey, I think that I like programming,

so I was considering taking computer science in college, they're like, yeah, obviously. You took all the classes in high school, you're coding all the things, you love all of your friends in that class the best, yeah, that seems like where you would make sense. So I did computer science. I had worked at companies before I even got

into college. And basically then the bubble, the dot-com bubble, burst. And so I was playing music in bars, kind of as a hobby, but then it turned out I was making most of my money each month from that. And I could not find a computer science job for a while. I'd worked in a computer [00:02:00] car for a year.

It really sucked. Imagine getting out of college and you have more experience than everyone else. I'd worked at a startup, Nokia, Adobe, a bunch of places. I was very experienced for a 22-, 23-year-old, but then you're competing with someone with 25 years' experience for the same job, because they have a mortgage to pay and they will cut your throat.

So all of them were getting those jobs, but then eventually, yeah, one of my old company bosses, he's like, oh my God, there's a space, come in now. And so then I was back into full-time programming again, but I was still playing in bars all over the place, releasing albums and stuff. I released five solo albums and then released CDs with a couple of different things.

And yeah, that song you're playing, guys. The only music video I ever made is completely ridiculous. The mayor of Ottawa at the time is in the video; our member of parliament and our municipal member of government were all in the video with us, and then Canadian tourism, whatever, because we're talking about how everyone's so sexy from Ottawa.

They let us use all these official videos, taken with a helicopter from around Parliament [00:03:00] Hill and all this stuff. So the video's really fun, and all these local Ottawa celebrities are in the video.

Ashish Rajan: Ah, so I'll definitely leave that in the comments, or at least in the show notes, so people are able to come and check that out.

I was going to say, so I understand how you got into it, but why is application security kind of important? Because I imagine a lot of people listening to this may not even know. This whole month is dedicated to people who are starting off in cybersecurity and getting their feet wet in it.

Application security engineer, I guess, before we kind of jump into the skill set: what is application security and why is it important for a company?

Tanya Janca: Okay. So when you're all over the internet, those aren't websites, those are web applications. And whenever you're calling some data and trying to get stuff back, you're getting answers.

That's almost always APIs, application programming interfaces, which are kind of web apps but with no cute GUI front end, and all of those API things need to be secure, or people, yeah, rob your bank account, impersonate you, steal your identity, et cetera. And so a lot of attention tends to [00:04:00] go towards ransomware, as it should, because it's awful, and towards malware or viruses, because those also really suck, but those tend to affect more users.

Well, applications themselves are actually the number one cause of data breach. So I include APIs under applications, but this year's Verizon breach report, they're like, oh, let's separate them, and they're number one and number two. So we double suck. We get both places. But a data breach,

I think it was, I was doing some research because I had to make a pitch for some contest with the Canadian government, and anyway, $6 trillion last year in cybersecurity, $6 trillion. That's way more money than Canada has. It's 1% of the GDP of the entire planet in cybercrime. Yeah. And guess what?

The number one thing is, it's apps. They make a lot of money with ransomware, but the number one data breach cause is insecure software, and data breaches tend to be the most expensive types of security incidents, and they can also harm people the most. Right? So the only known [00:05:00] death or deaths that were caused by that were the Ashley Madison data breach, but there's been lots of data breaches where there's suspected

deaths as a result. And basically it's always applications. It's always software. Almost everything runs on software now, even infrastructure and cloud, all those things behind it. Guess what it is? It's software. And so a lot of people forget that. They're like, oh, that's just my router. Guess what? Your router runs on software.

And if someone attacks it, they're not going to attack the hardware. They're going to attack the software. And so application security is the security of every type of software, every type of application. And we need a lot of people to do those things. We really do.

Ashish Rajan: Yes. It’s funny. I’m hiring for one and I haven’t found one for some time.

So in fact, most people that I know are looking for an application security person, and they all talk about how there are not enough people in this field at the moment. So if you're someone who's looking at becoming an application security engineer or application security person, definitely get into the field, because there's a lot of gaps.

That makes me think: what kind of skill set does one need to have to become, I guess, successful in [00:06:00] such a role?

Tanya Janca: So application security, imagine it as a big umbrella, and there's a whole bunch of things underneath it.

And so there are very technical roles and then there are less technical roles. And so if you work at a big place, you could get one or two specific parts of that team, if that makes sense. But if you work at a company where you are the only one, then you have to have a lot more of them and be more of a superstar.

And so if you know how to code, awesome, that is a good first step. You don't have to, if you do one of the less technical roles. So let me start with some of the things. So one is, software developers, when they're making code and they're making applications, usually, hopefully, follow a system development life cycle, an SDLC.

Right? And so you could be in charge of making sure that they're following a secure system development life cycle, which means having at least one security step during every phase. So if you're doing waterfall, agile, DevOps, it doesn't matter; no matter what, you have to gather requirements. So the security person can say, cool, you're making an [00:07:00] app.

Awesome. Here are some security requirements I need to add to that project so that what you produce is not a flaming pile of garbage. And then in the design phase they can analyze. Another thing that they can do: they can learn and perfect each one of those skills, or some of those skills.

So that could be penetration testing, security testing, security automation. So for instance, if you have a team and they're doing DevOps and they have these awesome pipelines, you could learn how to add certain tools to them really well, and then figure out the results and help the teams use that information to make more secure software.

So it can be a very technical role. I kind of like doing that stuff, as you might've guessed from the book. But there's also the program management, right? Gathering all the metrics and seeing that people are on the right track. There's also education. So I look at the application security engineer job as supporting the software developers in creating secure software.

And so what I do a lot is teaching. I do a lot of, hey, guess what? We have a ton of [00:08:00] cross-site scripting and it sucks. So let me tell you how to find it and then smash it apart. And so I'll have these deep dives and I'm talking with people, and then another time I'm arguing with a vendor and I'm like, I would like to pay less than that amount that you have said. What can we do about this?

Because my budget's this big, but you want this much. And so let's see what we can do. And a lot of it is negotiating and persuading people to see your side of things. So explaining risk very, very clearly. So, I know you don't want to use security headers because they're super annoying, in your words, but in my viewpoint, they protect us against this, this, this, this, and this.

And so can we negotiate, please? How can I get you to add that one or two lines of code that are very important to me? But you are telling me it'll be really annoying to list out all of your sources for different code, you know what I mean? And so it's explaining the risks, and sometimes it means making a proof of concept and smashing their app and embarrassing them.

But usually it means trying to communicate really, really well. So there's a lot of space [00:09:00] for a lot of different types of people in this field. So you could just do threat modeling all the time, but there's not as many in just threat modeling as if you're like, well, I can run a program, I can do threat modeling,

I can manage our vulnerabilities, I can meet with teams and say, please fix those bugs. But I can't go find the bugs, I'm not technical, right? Or the reverse: I'm going to crush all your apps, I'm going to find all the bugs, I'm going to automate all the things, and then I'm just hoping that you're going to fix them, and I'll just hide out if you don't. Just kidding.

Ashish Rajan: So it is definitely quite a wide space in itself. And I think you've kind of touched on it, really interesting, as you were going into it.

Is there a junior version of this? Because it sounds like there's a lot of things that, I guess, a person who's an application security engineer has to go through. Like how people talk about, hey, I suppose, security analysts, SOC analysts, is there a junior kind of role that people can start in?

They feel they are programmers, but they're straight out of university or college right now: I love programming, but I don't know how to get into application security. So what's the place where they can start?

Tanya Janca: So thank you for teeing this up so clearly. So We [00:10:00] Hack Purple has an application security foundations program, and you take the three courses and then you graduate and we introduce you to recruiters.

Ashish Rajan: Oh, I didn't know that you guys are introducing them to recruiters as well.

Tanya Janca: Our grads have something like a 95% rate of finding jobs in their field within 90 days of graduating. Yeah. So a lot of companies think they need a senior application security professional. And if they've never had any training and no one else has ever mentored them, it does take a long time to figure it out.

But if you had someone lead you through and kind of help you, because we build application security programs with our students and then we let them loose. And even if it sounds weird, a lot of companies are like, well, we have to perfectly automate 57 tools in our pipeline and we must perfectly threat model every application every month.

Or it's like, no, you don't have to do that. It doesn't need to be perfect. But if you can get every app to have security attention as part of the system development life cycle, and you can get it to a level where it's at a risk you can accept, you're awesome. That's it. And your [00:11:00] risk level might be really high, let's say.

So my company, as an example: we're a training company and we don't build software, but our risk is actually generally really low. So the academy is We Hack Purple Academy. So if you go to academy.wehackpurple.com, that's us.

Ashish Rajan: So you help people get trained and become professionals, I guess, ready for the world?

Tanya Janca: The thing is, a lot of companies seem to think that they need someone with 10 plus years' experience in application security.

Although technically it has existed just over 20 years, it's only gotten hot in the past five plus years. And so you didn't use to see, whoa, for that, you didn't see the roles named that. So it would be, we need a dev that'll make sure apps are secure.

And so, I guess, there's a secure app dev person, and job descriptions with weird names that didn't make sense. And so now they're like, I want an application security engineer and you need to be senior. And sometimes people will write me and say, hey, can we hire you to do that? And I'm like, I wrote one of the [00:12:00] very few books in English

on this topic. And I wrote one, and I don't qualify for your job because I don't have 10 years' experience doing AppSec; it's only seven or eight at this point. And then they're like, oh, and I'm like, so if I don't qualify for your job, who do you think is going to qualify for your job? And how much do you think you need to pay that person?

And then they're like, oh, and I'm like, can we talk about more realistic requirements for your job? And that is a thing that a lot of people are coming up against, people trying to get into cybersecurity. I'm sure you've seen that: 15 years' AWS experience. It wasn't really doing a lot that long ago, to come work for you.

What are you doing? Yeah.

Ashish Rajan: I kind of find it hilarious when I see those job ads. Because I think you kind of feel that the recruiter kind of would have gone, oh, you need someone for application security, 10 years is a good mark for a senior, because that's kind of following the model from another,

I guess, other jobs that may have been there for that much longer, a sysadmin job or whatever, and people try and copy the same model. It doesn't really translate well. But I think you're raising an interesting point about, I guess, starting with: you don't really have to have a lot of experience, but if you have that basic foundational [00:13:00] knowledge. And I think you kind of have that set up in We Hack Purple. Are there other resources as well? I mean, certificates and stuff that people can go for as well?

Tanya Janca: So if you just want to learn stuff for free and you're like, I'm not sure what, there's a bunch of things. So first of all, you can join the We Hack Purple community, totally free, totally free, no obligation to ever buy anything.

You could just read tons of articles and watch tons of videos, attend events, just for free. There are also a bunch of things. It depends on which part of the umbrella you want to go under. So if you want to learn threat modeling, for instance, I would follow Adam Shostack, and there's a list of awesome threat modeling people.

There's threat modeling books; read the crap out of all of them, read their blogs, and it'll be awesome, right? If you want to become a pen tester, so that's the most popular one, a lot of people are like, I don't want to be a pen tester, and that's part of application security. But then they find out, like I did,

so some of them love it, and some of them don't. Me, as a pen tester, I'm like, well, I don't get to talk to any devs. I hang out in a data center, freezing my derrière off. And I find a bug and I'm like, ooh. And it's several more hours with a scanner, just [00:14:00] poking things and kind of playing around.

And I'm like, oh, I found another bug, awesome. Then just data centers. Really cool. There's no cool devs here. Part of why I chose computer science was because I thought of all the people in my different classes in high school, and I was like, oh, I want to hang out with those people. I liked them in the past.

I know that you're not supposed to say that, but I just miss devs, because I've just, I don't know how to explain, but when I switched into security, I felt like I didn't belong with all the pen testers. It's like, socially, I didn't really completely glide in. And then I found OWASP and application security, and I'm like, oh my God, you're my type of nerds. Because a pen tester

who's awesome will rejoice in finding a bug, and it's so satisfying: I kicked the crap out of that thing. And I find some joy, but I personally find a lot more joy talking to a dev and seeing that light bulb go on, and they never make that bug again. Or finding a design flaw during a discussion before they built the thing, and we fix it.

And then I'm just like, yes, I just saved us a zillion dollars. Right. And so I personally find a lot of satisfaction from that, and I'm very, very [00:15:00] social, and you have to speak to people if you do AppSec. And I'm like, yes, humans.

Ashish Rajan: Actually, that's a good point as well, because it's not just about telling people what they have done wrong. Which, by the way, my personal story: I did pen testing for one month and I gave up.

Not for that reason; my reason was more, I could not imagine going through manuals for hours as a job. This is not a cool way. But then I started reading manuals for AWS, Azure, Google Cloud. How I've really changed spots, I don't know. But I kind of am on the same page.

I've got a question here from Venkata: it's nice to see Tanya live. With the industry moving towards a low-code/no-code model, where would you think the application security engineer role would evolve to be? Great question.

Tanya Janca: So industry says it's going to work, low-code, no-code, but that's part of it: who are all the people writing the things that make it go low-code or no-code? I know the idea is, there'll be stuff in the background that makes it so that you can just click configuration buttons and check marks.

Application security folks will be the ones making that thing that makes it low or no code. Does that make sense? And then [00:16:00] AppSec people will be the ones testing it afterwards to make sure that your low/no code isn't still super insecure, because sometimes... I remember when I was a pen tester, I pen tested a SharePoint implementation, and SharePoint itself is good.

Those Microsoft security team people, they know what they're doing. Right? They're very good. But the way they implemented it was imperfect. This company was like, well, we don't trust her to be in our data center by herself.

And I was like, cool, come with. And of course, I was like, you could just watch over my shoulder, but he didn't know how to code. So I was like, oh.

So then he was just sitting in the corner of the data center, freezing his butt off, playing on his phone, supervising me. Right. And so I started, I found cross-site scripting, so I started sending him cross-site scripting alerts on his phone because I'd found it: your food's getting cold, blah, blah, blah.

And he was just like, where are these coming from? I'm like, I found the. And so it can be fun. I don't mean that it's not fun. Just because it's not right for me doesn't mean I'm not super happy there are people that do a good job of that job. The low-code, no-code things: someone [00:17:00] still needs to test that, someone still needs to do a threat model on it.

I remember, before I was even in security, explaining, we're doing this entire huge information management system, and all of my coding stuff, because we had docs as software developers, but all the apps that we connected, and we had how to do this, how to do that,

where's the database. And the regular public smell out, seeing that the rest of the plays are led, seeing that they could own our apps with that information. And they're like, oh, we want to do open data and blah, blah, blah. It's like, are you idiots? And my boss was like, no, it's fine. So I told them, I told the security team on ourselves, because I'm silly.

And the security team was like, no, of course you can't share insider information about every single app. What are you talking about? No. But if they don't understand the risk of what could happen, and they're like, well, what could you do with this doc? And this, this, this. And they're like, no, but that's only because you're really smart.

I'm like, I don't think there's other smart Tanyas? Okay. They're everywhere. There's lots of really smart people that aren't as nice as me that might want to do evil to us.

Ashish Rajan: I think it's an interesting point, because it kind of reminds me of the sysadmin field as well, how kind of, with [00:18:00] cloud coming in, a lot of people kind of said, oh, actually, I don't know.

I'm not really sure if sysadmin is the right thing, or would exist. It still does exist, but it's kind of existing on the AWS, Azure side. Now they're the ones managing the mainframes, the servers and data centers. It may go, to your point, down a very similar path.

So hopefully that answers your question, Venkata, thanks so much for this. One other question from d cho, who is also a fan of We Hack Purple: are there any certifications in app security?

Tanya Janca: Yes. There are a few. So We Hack Purple has one, and it is a certification that says you've completed the program.

It is not testing, so there's only so much value that that provides. There is the CSSLP from (ISC)², so they're the ones that make CISSP, and that one is specifically about kind of auditing your system development life cycle. And it's very, very auditor-focused. It's a very non-technical-focused sort of thing.

And I looked at it and I was like, yeah, I don't need that. I don't know, it just didn't click for me. It's never on any job [00:19:00] requirements lists. There's one from EC-Council, and I have no respect at all for them, and I don't know anyone who ever accepts EC-Council. And they have one called Certified Application Security Engineer, and it is, in my opinion...

I have nothing, I have nothing good to say about that one. If you want to be a pen tester or a web app pen tester, there's a bunch of really awesome ones. So there's one from Offensive Security. That's, you'll just, especially if you wanted to do security research or become a bug bounty hunter, which is the Uber drivers of information security: you don't have a regular paycheck, but you can kind of do it whenever you want to.

It's not... If you can't get a visa to work in a country that you desire to, you can bug hunt for projects within that country and probably get paid better than in your own country. But if you have the skills to be an amazing bug hunter, you should probably be a pen tester, if you work in a country where you can get full-time work doing that.

So people can be watching from all over, not just Australia, where you are, or Canada, where I am.

Oh, there's one more. [00:20:00] So SANS has one, and it is web app pen testing, and they have a certification on level one, and then they have level two, but there's no certification and it's just harder.

And so if you just want to know web app pen testing, the Offensive Security and the SANS one, they're not cheap, but they'll teach you to smash stuff.

Tanya Janca: I don't have any certifications except for mine.

Ashish Rajan: Thank you so much, man, for that question. I was going to say application security is interesting, right?

Because you mentioned the technical, non-technical, and as you were kind of going through that, it occurred to me that a pen tester is probably more suited to become an application security person, because they're coming up with that skill set for, hey, how do I break this?

But if you're someone who's social and enjoys pen testing, this is probably a perfect field for that person. Right? Because then you get to show proof of concept, because I had, nine out of ten times, when you ask, I guess, a developer, hey, can you fix this bug? The first question is why. Why is this? What difference does it make?

And if you don't have the skill set to kind of show why it's at risk at that point, or even do it, or [00:21:00] communicate that, I feel that would be the one difficult job you might have. But if you're, kind of what you were saying earlier, who just loves working with developers,

I feel there needs to be kind of a skill set from a soft skill perspective as well. Would you add anything else? That's kind of one of the more important things for an application security engineer, I would say.

Tanya Janca: You have to be able to participate in the art of persuasion.

You have to persuade a lot of people to let you do your job. Hey, can I put this thing in your pipeline? And they're like, oh, the last person that put something in my pipeline broke everything, Tanya. And then you have to overcome that. I feel that you have to be able to empathize. And I don't mean, oh, poor

you, you had a bad day. I mean, okay, so you have a deadline and it's Friday. I'm terrified about this bug. Can we meet somewhere in the middle? You still need to meet your deadline, I understand that. What can we do here? And I've even had it once or twice where I'm like, may I fix the bug myself?

And they're like, are you kidding? I'm like, no, man, I love sliding bugs, let's do it. But I have to ask permission to touch their code. Right? As a dev, [00:22:00] if someone tried to touch my code, I would've lost my mind. So asking permission, gaining trust and stuff. And then I would say the last soft skill, which I believe is really important, is

to be able to take a highly abstract, complex concept and explain it to another smart person in a way so that they understand what to do, they understand the risk, and they don't feel you're being condescending. I used to work somewhere as an AppSec engineer, surprise. And I was leaving, and my manager, she was really cool.

And she used to be a DBA and she had briefly done coding and stuff, but she's like, I've been a manager a couple of years now. I'm not as technical as you. What if I interview them and then I just don't understand, and I'm stupid? I'm like, one, you're super smart. Don't even start with me.

You're so smart. That's why you're my boss. Two, so what I said was, one of the questions would be, explain one of the Top Ten to me, any one you like, and explain it to me. I'm a dev and it's broken in my app. So I have this vulnerability; you're going to tell me I have it. Do not make me feel.

[00:23:00] Explain to me how to fix it and answer my questions. And she's like, what if I feel condescended to? And I'm like, then they don't get the job, because this is their best behavior. And if they're talking down to you in an interview, how do you think they're going to talk to your devs? And she's like, well, what if they just talk over my head?

I'm like, then they're going to talk over the heads of the devs. And that's not... Every AppSec person, we live and breathe and spend quality time. Our BFF is OWASP, right? Oh, the Open Web Application Security Project, owasp.org. They're this huge open community of AppSec professionals who all share lots of knowledge.

And the Top 10 is a very well-known list. And if you don't know any of the 10 and you work in AppSec, you have a problem. And so you should be able to explain: pick one of your own and then describe to a dev why it's bad and how to fix it, approximately. And you're a very bright woman, and if they can't explain it to you so that it makes sense, they don't get the job.

You and I have gone over it a ton of times. You understand? You're very smart. I know. And so [00:24:00] then she's like, oh. And so I wrote out a bunch of questions for her. But a lot of the interview stuff in tech is really stupid right now: interview them 37 times, and they want you to do stupid whiteboarding stuff and all that crap.

I'm really lucky. I've avoided that, mostly because they're like, can I have a resume? I'm like, I'm Tanya Janca, I authored a book, Google me and stuff. But normal humans can't do that. They can't be like, yeah, I spoke at a hundred conferences, right? A normal human has to try to prove themselves. And so if you can't clearly explain

an abstract concept to a dev so that they can fix it, you're not going to be great at this job, and you're going to be like, because I said so, and that is you on an uphill battle every day. But if you can talk their language, it's just like, I'll be in meetings with people and I would just be like, boss, boss, please stop.

And I'm like, hey, okay, so here's the thing I'm worried about, here's why, and if we just do this, this. And they're like, is it really that easy? I'm like, yeah guys, blah, blah, blah, blah. And then we just, and I remember my manager after, she's like, then you all [00:25:00] started speaking your little weird dev language and you both got excited.

And then the other dude got excited, and then eventually she looked at the other manager and she's like, I guess we can get.

It makes all the difference.

Ashish Rajan: I think Zinet agrees with you as well. Zinet mentioned, relationship building is important and shows the devs an "I am here as security in service for you" approach. This is so true, though. I was going to say, as you kind of explained your answer for the first question, I guess you can Google me.

Because I feel there's a personal branding element in there as well nowadays. Because as you're teaching more people to become better application security engineers, We Hack Purple, a lot of people are learning this in their job as well. I guess there's a lot of competition in that space as well.

And to stand out in a bunch of, to what you were saying earlier, someone has heaps of experience and you just want, but you really want the job as well. How does someone stand out in application security, I guess in that space? Because I imagine personal branding has something to do with that. How do people do that?

Tanya Janca: So when you start in tech, getting your [00:26:00] first job is the hardest one. Once you have a year or two of experience, the world is your oyster in tech, especially in security. If you’re a security person, application security with one year of experience, you tell them I did this project, I did this project, I did this project and I could do them all for you.

That would melt my heart as an interviewer personally. What I did to get my first job. So I was a dev forever. And then I switched to the security team where I worked, and because I’d had a zillion years, so it sounds so odd, but because I had a zillion years of experience in tech and because of language requirements, so I speak French fluently and I was working for the Canadian government and they have this rule where IT managers have to speak French.

And so we kept having temp managers. None of them had spoken French for years. So they’re , there’s a complaint. So they’re , Tanya, can you just be the CISO for three months so we can check the stupid box. And so I was , hells yeah. And so in the first two or three days, I took every single project.

Cause here I’m coming in as the junior security person, but the super senior tech person, right? [00:27:00] Here’s the projects, here’s this, here’s that. And so I reevaluated, reordered everything. We were working up towards the election. And so I was , these things can’t happen for the election.

You’re not allowed to work on them until after. Every single moment is going to be us moving towards the most important goal of our organization, which is running a safe, secure, trustworthy election for the public. And so I threw everything aside, made a list, put times. And I was , and the boss was , yeah.

So the third day I’d already decided that you were going to run all the security for the election. , you’re just, you’re the boss now, forget this crap. , it’s you. And he’s , I didn’t tell you for a few more weeks so that you felt confident in the role, but he’s , you walk into an incident.

You’re , I’m the incident manager, blah, blah, blah, this, that, you, four minutes, I want an update on that. He’s , you’re just so assertive and organized and fierce. I was , oh, thanks. Cause I’m worried. Right. And so then I was the CISO for the election, which was awesome. And so I got offered a million CISO roles and I was , no, I want a pentester role,

it’s less stressful. And so trying to get a pen tester role when you’re a CISO , it sounds weird, but it’s [00:28:00] really hard. And also , I, I don’t know how to explain it, but it’s just , I don’t want to be a manager and I have a lot of respect for people that are leaders. And I guess , cause I’m a CEO now and I have a bunch of employees, technically I am our leader, but it’s different when you’re a middle manager in a giant organization.

And , it was poop travels downhill. Right. And so what I did was, there was an organization that was looking for a pen tester, and I was , I’m your person. And they’re , you don’t have enough experience. And I was , watch me. So I did a complete pen test. And I wrote the report and everything, and then I remediated all of the issues and he’s just , are you for real?

I’m , yeah, let me loose. And so I got the job. And then eventually I decided AppSec was better, cause as a pen tester I just kept doing AppSec for our clients, I was , can we have it? , I know the pentest is in a few weeks, but can I come down now? Could we just do a quick threat model?

And I want to look at your architecture. It’s , why are you wasting so many hours? , no, the clients are 10 times happier. I found this giant flaw, blah, blah, blah. , and then , I would come down for the pen test and I’d already have done quick scans and [00:29:00] done all this stuff and they’d had weeks to fix this stuff.

So I go to a pen test. He’s , you only found five mediums. I’m , And he’s , no, that’s awful. I’m , but they fixed 20 before the pen test, because he’s just , you suck.

Ashish Rajan: That’s how it kind of makes me feel. A lot of people should get into the field as well, because it’s going to be so helpful for people to understand how wonderful they are at any given point in time. I’ve got a question from Belay as well. I hope I pronounced your name correctly, man. What is your advice for someone who’s just about to graduate in software engineering and is interested in security?

Tanya Janca: Okay. So try to figure out what area excites you the most. So I wrote an article called jobs in InfoSec. So if you look up SheHacksPurple, so that’s my online moniker name, SheHacksPurple, all one word. So look up SheHacksPurple jobs in InfoSec. And I list out a ton of different jobs, read them.

And if one calls out to you, then learn everything you can about that. So read books, join online communities, read articles, watch , webinars or streams or whatever, and learn [00:30:00] about it until you feel, yeah, I want to work in that, and then pursue training and get more serious. You can potentially take online training.

You could potentially find a professional mentor. I have comments on mentors, but basically figure out which area you want first as best you can. And then aim at that whole hog, because I didn’t know about all, I thought that you had to do risk management. You had to be the person that did all the firewall stuff, or you were a pen tester.

That’s all I knew about security. And I was , well, I know I’m not the other two. So I guess, right. , I didn’t know there was this whole world of application security and incident response, forensics. There’s so much super cool stuff. And so figure out what interests you most and then aim for it.

And then the other piece of advice is if you can. Well, for sure you can join communities online communities or local communities once COVID is not so scary. Meet tons of people, create connections and hopefully make friends that you can learn stuff with [00:31:00] or from, and then find a professional mentor.

So every Monday, and in the We Hack Purple community, I use this hashtag called cyber mentoring Monday, all one word, cyber mentoring Monday. And I try to connect people. So people say , cyber mentoring Monday, I am brand new. I’m just about to graduate. I’m really interested in security. I think I want to do forensics.

Would anyone have a virtual coffee with me? Or recommend some books or podcasts to listen to? If you talk to enough people, one of them will agree to become your mentor. They will teach you stuff and they will help you. They will advocate for you. And so I’m really lucky because. So actually that music video Phil, or sorry, my bandmate’s name was Phil, but as she should, we were writing all these songs and one of the songs was called mandatory dance party.

And so I know, right. And so there was a pen tester in my office and he was in a band. I’m , our band should play together and he’s , obviously they should. And I was , I’m going to write a mobile app for this song. And if two people get really. And they both have the app, it’s going to play the song and then they have to have a dance party, no matter where they are [00:32:00] and whoever moves the most is going to win.

Do you want to write it with me? And so then we became friends and then eventually after a year and a half or two years of being friends, he’s , I said I would never mentor anyone again. And I was , whoa, where’s this coming from? And he’s , you’re amazing. And I really want you to join security.

Please, let me mentor you and teach you. You’re going to be an amazing pentester. And I was , oh, well, think about it. You can look at your to convince me, because I was , I’m a dev. I am the King of IT, everything around me. Why would I sweat?

Ashish Rajan: I see that. That is true though. How many people don’t realize how important development is in any context?

Development is kind of what, if any problem that you want to solve in IT, technically you’re hoping for some kind of a development role or developer or engineer to come in. So yeah, I mean, yeah, you’re definitely at a great place. I think I would definitely follow what Tanya mentioned about finding the field you want to go into, but you’ve already found you’re in software engineering, which is a great field to be in.

I’ve got a comment here from Zinet as well. All of what Tanya said and the interactive career route to security [00:33:00] from an entry point, also www.cyberseek.org definitely check that out.

I know we’re kind of toward the, I guess we found, talking with our application security skills, soft skills, hard skills.

And we also spoke about, I guess, what some of the roles and responsibilities could be, right, in terms of what they need to talk to people about. I was wondering from a cloud perspective, and this being Cloud Security Podcast, is cloud kind of creeping into, how important. , , I’m talking about Belay as well over here, , and the question from earlier, is cloud certification kind of becoming important, or is cloud playing , any role in application security at all?

Tanya Janca: So I advise application security , people to learn the basics of cloud, because then, one, you’re more awesome and employable, but two, cause then you can understand how to do your job better. So I used to just do apps and then I did security and then I worked at Microsoft and I learned Azure security and I was , oh my God, there’s so many nifty security tools.

But then I realized I could do DevOps. And so I don’t know how to explain this, but when I discovered DevOps, I’m , I’m in love. [00:34:00] And , I add security to it, and I’m , I get to touch the ops stuff, but not too much. And I can code the ops stuff because that’s how I like to do things.

And so if you want to work in an environment where they do DevOps, if you want to work in an environment where they do cloud, I suggest learning the basics of those two things so that your. And the security that you do for them, first of all, doesn’t bash into what everyone else is doing, because that’s not going to get you very far, but also because then you can do a better job.

So for instance, learning a lot about cloud has helped me to learn, for instance, how secrets can kind of escape all over the place. Right. You’ve got a key here and you’ve got a thing there and you’ve got this. And I discovered a lot of those keys were trying to get into my apps. And I was , oh no, we have to have a discussion about this.

And so figuring out, okay, well we can manage all of them in a secret manager. We can all access it programmatically. We can have this automatically authenticate here and there. And then all of us are doing a better job. And then me automatically scanning for secrets all the time. So if someone tries to plug something in, I’m , I’ve caught you.

But before I learned all about cloud and stuff, I [00:35:00] wouldn’t have sought to prevent it in the first place or to give a place for the infrastructure people to also store their secrets and how we could all use the same thing and manage our stuff together. I took a bigger view. And so this is something that’s more senior, probably. If you’re a junior person, when I was a junior dev, I didn’t care about anything except my app.

Then I became an intermediate dev and I’m , I better care about all the apps. Then I, as a senior dev, I’m , I care about all the apps, but I’m also , I’m all about your Active Directory. And I need to know about this and how are we managing identity, but more architecture level. Right.

And so when you do security, if you want to know how to secure things, you need to understand them. And if those things click into your house, it’s best to know something about them, but you don’t have to necessarily get a bunch of certifications, but you should know the basics for sure.

Ashish Rajan: Yup. Yup. And I think that’s kind of where it goes into the whole serverless kind of things as well, where having that basic understanding of cloud will help you write functions, which are serverless and all that as well.

But that was a great. And I think I’ve made sure all the questions have been answered in the comments as well, but that’s kind of what [00:36:00] was the main crux of the technical side. I’ve got a fun side, so lots of people get to know the other side of Tanya as well. There’s three questions, not too many. First one being, what do you spend most time on when you’re not working on application security and teaching people application security?

Tanya Janca: So Ashish already knows the answer, but it’s my farm. I have a little property and I have turned the backyard, the front yard, the side yard and the decks all into growing space. And so I have 17 raised garden beds and three homemade greenhouses. Yeah. And I have all of those. Every railing has a little planter on it.

And so I have grown hundreds and hundreds of pounds of tomatoes, six types of tomatoes this year. Peppers, a zillion cucumbers, but this year all my brassicas died. So I’ve had no broccoli, no cauliflower. And I’ve been very upset. Yeah. Cauliflowers.

Ashish Rajan: Is that what the chains on the backyard, because I’m still upset and broccoli gone.

Tanya Janca: Yeah. And I grew flowers this year for the first time. I haven’t been a flower person before, but I grew dahlias. Beautiful, absolutely astoundingly beautiful flowers. And so you can’t eat them. So I don’t want to grow too. Yeah.

Ashish Rajan: Fair, fair point. [00:37:00] So farming is definitely a great way to be spending time outside technology.

So, and you can sit with creating, right? You’re still creating things, which is amazing. I’ve got a question

Tanya Janca: again, technology as well. Yeah. So we’re building out more stuff that’s automated. So stuff , putting a fan that empties the hot air from the greenhouse, or we have a pump with a water battery, , so we buried this giant

barrel underneath the ground. This was my significant other’s idea. And so we run the water through pipes at the top, hottest part of the greenhouse. The water gets really hot. We bring it down through the soil, heat up the soil, and the water cools off, the water goes back into the battery and then goes back up again.

And the idea is, is that basically? Yeah. So we’re trying to be able to grow in the winter because we live in Canada and when it gets cold and stuff. And so, yeah, I’m pretty excited. If you want to find me in music, just look up Tanya Janca on Spotify, or co tract, which is one word, or zero day reapers.

I think those are the bandmates where there’s actually stuff still.

Ashish Rajan: [00:38:00] I’ll definitely leave the link for that in the show notes as well. I’ve got two more questions. What is something that you’re proud of, for the dot or not only a social media?

Tanya Janca: I mean, I learned French when I was an adult and I don’t get to speak it very often.

But whenever I whip out the French, people are , oh my gosh, you must’ve been speaking French your whole life. And it’s , no, I actually started classes when I was 26. I got kicked out because I’m dyslexic. I got kicked out of several schools. They’re , we can’t teach you. So I found a dyslexic school for adults to teach them a second language.

There’s one in all of Canada. And I attended it for three years until I could speak fluent French. It was really hard. It was much more difficult than my computer science diploma. It’s the hardest thing I’ve ever. When you’re dyslexic. Yeah. All

Ashish Rajan: right. Yes, of course. Yes. That would definitely add another layer of challenge as well.

But I’m glad you, so I’m looking forward to talking to you in French someday as well. Cause it’s one of the languages that I would love to learn as well, how cool. I’ve got one more question. What’s your favorite cuisine or restaurant that you can share? Thai

Tanya Janca: food. So my favorite restaurant in Ottawa is Koa green [00:39:00] papaya, and they have five, five, sorry, not 10.

They have five. So these parents started the restaurant and then as their children got older, they opened a restaurant for each one of them. So it’s run by this giant Thai family and it’s just , absolutely so amazing. So that’s my favorite restaurant, but there’s also a restaurant in Paris, I really OPA to crucial, where it’s classic French food.

And it’s just so good. I remember the four nights that I was in Paris. I was , I’m , oh yeah, anywhere else ever again.

Ashish Rajan: Yeah. I think I was going to save my French crews. I need to expand my French cuisine because I haven’t gone beyond the usual, the crock, I can’t even pronounce the name anymore. I’m going to embarrass myself. I want to talk about it offline. Sorry. Our negative was there a time, but where can people find you if they want to know more about you and We Hack Purple, where can they find you to, I guess, follow up with you on this?

Tanya Janca: Okay. So if you look at wehackpurple.com, there’s the community, the academy, or a podcast. All the stuff is on wehackpurple.com. If you want to learn about me specifically, there’s shehacks[00:40:00]purple.ca cause I’m Canadian. And the site doesn’t have that much yet. I’m just about to launch a new one with actual facts and stuff, because apparently people want to know things, but if you just look up SheHacksPurple, all one word, that’s my YouTube channel.

That’s my Twitch. That’s my Twitter.

Ashish Rajan: Yeah, I’ll definitely put them in the show notes as well. Yes. Definitely check out the book, and I think that’s definitely worthwhile if it’s someone who’s starting off in application security. Definitely.

Alice and Bob does a really great job of talking about app security in a way that does make sense without the jargon. So I’ll definitely recommend it as well. Thanks so much for coming in, Tanya, and I really appreciate you hanging out with me and the audience over here for asking all the questions.

Tanya Janca: Thank you so much for having me again.

Ashish Rajan: No problem. All right. I’ll hopefully, I’ll definitely be in touch and see you soon, but hopefully I can bring you back again for another application security topic, but for everyone else, I will see you all in the next episode. This was the last episode for cybersecurity career month and I will see you next weekend for another episode, another trend starting on Cloud Security Podcast next month.

But until then stay safe. Peace.
