DevSecOps Blueprint: from Vulnerability Management and Security-by-Design to Pipeline Integrity

Getting started in AppSec with Tanya Janca SheHacksPurple

In this episode, we sit down with Tanya Janca and discuss her journey from being a developer for government agencies to becoming one of the most recognizable faces in application security and cyber security in general.

Video Transcript

and Adrian's like I'll be right there I'm like no you'll be down there in the audience all nice and safe I'm gonna be on the stage all afraid and so he actually stood next to me on stage while I did my demo while my demo failed you went there with a demo on the first talk that's okay that's a bold move I know and I was hacking this like intentionally vulnerable website and unbeknownst to me like it would reset every night at midnight and someone that morning had smashed it before me Hello friends and welcome back to another episode of the security repo podcast today we have a fantastic guest we are honored to have Tanya Janka with us here who is someone that needs very little introductions in application security and cyber security in general you may also know Tanya by her handle she hacks purple and is the best-selling author of the book Alison Bob learn application security which is available on Amazon for you to purchase links in the description below Tanya is also the founder of we hack purple which is an online learning community that revolves around teaching everyone how to build secure software Tanya has been coding and working in the it's base for over 25 years and has worked everywhere from public services to Giant tech companies writing software leading communities founding companies and securing all of the things she is an award-winning public speaker a very active blogger and podcaster and has delivered hundreds of talks on six continents and last but certainly not least Tanya is a champion for diversity inclusion and kindness which radiates through her every time you get the opportunity to listen to her throughout this episode we talk with Tanya about her journey into application security how she started off public speak and became such a public figure now we also talk about application Security in general and what we can all do to build out better secure software it's a fascinating topic that adds huge amounts of values regardless of whether you're 
just getting into application security or a veteran in the field but Tanya shares with us also a huge amount of completely free resources so if you are listening to this looking to break in to application security or learn how to get into public speaking this is going to be an incredible episode for you so without further Ado I'll give up on my introduction to kick ass off on our conversation with the fabulous Tanya junker how did you get into security what was your journey into security like because you're such a big name in appsec and everywhere else now where did it all start um I was a software developer so I started coding when I was a teenager both of my aunts and three of my uncles are all computer scientists and then I'm one of the younger cousins but eventually like all my older cousins were programmers and then lots of my younger cousins uh and so when I was like I think I watched a computer science in college they're like yeah we know um and so I was doing software development for around like maybe 15 years and at the same time though I was a professional musician so I was playing in bands um and like being a folk singer all over my city of Ottawa where I was living and then um I toured and stuff a little bit and I released a bunch of albums and so then one day at my office I was introduced to this guy who was a penetration tester and he's like yeah I'm in a band too I'm like really because our bands need to play together um and he he kept trying to convince me from then on to join security he's like you'd be so good at it come on let's do it forever that's what and I was like I don't know sour development's pretty awesome like I really liked it um but I was in the government and I had reached the top technical level that existed and I'd been at it for around 10 years um so I had I don't know if you can imagine holding the highest technical level possible and then just being like okay so I've been there and I've done that because it's been such a long 
period of time and it was like you know I technically have 18 years left till I get my attention or I could move on to try something new and so he convinced me to give it a go and I started I apprenticed under him and then I I became a penetration tester after about a year part-time and then full time a few months later and very quickly I was like wow this is really lonely compared to software development uh and I kept I didn't know I was doing this but I kept on my contracts I would do application security not pen testing so I would I would get a note oh you're gonna pen test these guys in a few months so I'll call them and I'd say hi can I come now let me look at your design now let's talk now I'll scan things now let's do everything and I was doing little threat models with them and all sorts of stuff my boss is like why is this taking you so long um and then I would test the thing I'd find stuff wrong with it and then I he's like am I catching you sitting with the dev again like Tanya you're supposed to go in pew pew pew tell them what's wrong and then leave stop fixing bugs like stop teaching them stuff and uh so then one of my so very quickly I outgrew the first professional Mentor because of Ethics um I have a lot of ethics and turns out not everyone does and I was like oh that's I gotta move on um so my next professional Mentor who is still one of my mentors Sharif Kusa who runs um software secured he was like Tanya do you want to know why your boss is always frustrated with you because what you're doing is called application security like it's nice you throw a pen test at the end but this is why it's taking you 14 days instead of 10 days this is why you have so many visits and this is also why they keep asking for you and so did you know that's a full-time job and you you could have that job like there's people dying to hire I was like oh and so um I moved over and started doing that full time and I wasn't in a data center freezing my buns off wearing a 
tube that's a Canadian for hat uh and then mitts and being by myself for like hours or days at a time just like hacking away at an app it's like oh I could just like automate all the boring stuff I get to like teach them to do I could see improvements as they're happening a secret thing that the public or that infosec in general a lot of people don't know is that pen testers at first it's awesome like I'm hacking all the things this is so cool but very quickly you end up going back to the same place and they have fixed nothing and it feels really bad and then imagine coming back the next year and the next year and I've had pen testers tell me yeah I do the test I get a copy of the old report and I just like update one or two things that it's because nothing has changed my work has made zero impact and sometimes they start getting depressed and they do other work and that's how sometimes we attract them over to the dark side which I call abstract um and where so I'm not saying pet testing isn't important it's really important it's a very valuable job um but I feel like I made a better difference and my personality fit better being like really extrovert and social doing application security and so I have like the weirdest uh I guess like coming into oh you're in a band I'm in a band let's let's start doing information security it doesn't make sense but it worked for me so yeah I grew up a musician myself um drummer as in a multiple punk bands in college era so uh Curious though um how did you get into public speaking like the the jump from App security to hey I'm talking about this in public I don't see how did you get there it was the community so I uh um so I played music forever and I helped organize music festivals and I was a concert promoter so I organized tons of events and then I had a community of practice with my software developers and one of the communities of practice I did was like so big we started webcasting across the entire government for all the 
software developers because it was going so well we won six of words and I say we it was me I did the whole program by myself anyway I'm bad for like always giving my team credit but I'm like actually I did that all by myself um and so when I switched into security part of it was this Mentor but I also met this really interesting guy named Nadeem Duba and he I had hired him to do some work security work where I was working and he said oh like this week on I can't remember what days like I'm doing this Workshop about buffer overflows and hacking and you should come and it's like okay and then he did this amazing buffer overflow Workshop I don't know if you've ever done it but it's basically like chapter three or and four of the shell coders handbook and it's super fun and he is a really good speaker he's very very fun and there's lots of like young students there and I hadn't like thought about the stack in a long time like I've been out of college like almost oh my gosh embarrassingly long I'm in my mid-40s and I did College in my teens right so I'm just like oh man uh but it was really fun and so him and the leader of the OAS chapter Sharif Kusa like after I was like this is amazing can we do a capture the flag contest they're like yeah sure if you organize it so that was like sharif's jam and this has been I've taken this forward with we hack purple and everything I do we can absolutely do it if you do the work if you want it to happen you need to volunteer and be a part of making it happen and so I like ran off like really quickly and form this giant thing and we all had a great time and I got sponsors and they're like how did you do that like oh I've been organizing a fence for like 15 years with way less money and no one wants to sponsor music and so then very quickly I became one of the chapter leaders and after three years of meetings every single month with a dude speaker he's like why are there no women why am I always the only girl this completely sucks 
why can't we have lady speakers and he's like Tanya I agree with ten thousand percent but guess what I have learned there's one thing that I I can't do that you can do and I'm like what and he's like if you go to a women's Meetup and you say hey come join this it'll be fun I'm part of this I'm one of the leaders he's like it's not the same as if I go and I'm like I wish there were more chicks and oh walls he's like there's no way I can make this come across and not sound creepy but I believe this is a problem too I really so what can I do to help you do this and so I spoke so basically him and all the guys forever were like you really need to speak and so I gave us a talk at my OS chapter and at work and they're really nice to me and then my other my next professional Mentor Adrian De Beau prey he announced because so he ran the Ottawa b-sides at the time and he's like Tanya Jake is speaking next year and I was like what I didn't even applies like it's on the internet so you know it's true [Laughter] and so him and uh Rick Mitchell from the owaspat project and all these other people all came together to like help me with my first talk and I was so nervous I literally I was like I'm definitely gonna die and Adrian's like I'll be right there I'm like no you'll be down there in the audience all nice and safe I'm gonna be on the stage all afraid and so he actually stood next to me on stage while I did my demo while my demo failed that's a bold move I know and I was hacking this like intentionally vulnerable website and envy notes to me like it would reset every night at midnight and someone that morning had smashed it before me and I'm like no and finally I after like six times of it not working I'm like whatever you get the picture let's continue and so then I spoke at every other Meetup in town like the JavaScript Meetup the python Meetup like every single different programming language all the women's meetups and I was like come hang out at OAS and we ended up get 
it going from like a hundred people to 1500 people and lots of women and people of all ages people like students like newcomers people have been doing it forever and we started having like a much bigger kind of volunteer community if that makes sense where like the communities people really liked seeing each other and we started this thing where whenever anyone shows up new we don't know them we'd run over and say hi welcome we're so happy you're here do you want to meet new people today and we would just introduce them to tons of people that we knew were friendly and it it started it changed from like people awkwardly standing around and waiting for the pizza to people running up and hugging each other and it's just like such this wonderful beautiful thing and so um so then they're like you should speak at a conference and I was like oh no no one wants to hear what I have to say um but they all just really encouraged me and so I spoke at the python Meetup in Toronto which was really exciting because basically they're like okay so you're not good enough to like be at the conference on the but what if you were a backup speaker and so someone canceled so I got to replace them which was exciting and then I applied at OAS global app Sac it was in Ireland and I got in and I thought I was gonna pee my pants I was like and then by that point I had spoken like 20 times and I speaking at every Meetup that would just tolerate me I was speaking at my friend's offices I was like yeah yeah and so then I spoke there and I remember getting off stage and this guy came over and he said hi I ran a conference in Switzerland do you want to come speak there and I was like oh I can't afford to pay for another trip to Europe because speakers usually pay their own way like their own hotel and and they have to and he's like oh it's all expenses paid and I was like what and then I started getting plane tickets for all around the world because people don't usually jump up and down when they 
talk about devops because I literally jump up and down sometimes and I was just like so excited all the time and they're like look that's really happy lady um and so then Microsoft reached it and they said hey we heard we need to meet you and I thought it was a prank call but it turned out was real and it turns out that this hobby is a job and so that's how I started public speaking which is not your usual story but because of all the years of jumping into mosh pits and um like literally throwing people off of stages I'm like I don't even have to be in key and play an instrument at the same time it's so much easier knowing drunk or throwing things it's great absolutely uh that is an incredible story um and then like recently you didn't speak just once at a conference uh you gave at least four different talks at RSA like three officially on the schedule one at the devops uh connect uh I got to see that one uh very fortunately um that is just so much content at one time and I guess the music does you know factor into that like preparing for a concert you're looking at multiple pieces at the same time um but how on Earth are you keeping all these straight in your head uh I I give two talks here in a week and I mix them up like but literally did that a couple weeks ago I had two talks in the same week and like the second one at one slide I'm like oh wait a minute this wasn't supposed to be another talk sorry everybody uh how how do you not do that I actually am like a thing I hadn't announced I guess uh so I actually applied for RSA so you apply many many many months in advance and I was working somewhere else and then I stopped working there and they're like that's our content you don't get to present it anymore so I actually had to rewrite every single talk that I did I write a brand new talk so I wrote four brand new talks for RSA that was hard it took like three straight weeks of hard work to do that um but it was really really fun and for my workshop with Clint 
Clint helped so that was about doing stack analysis so originally it was how to do Dynamic analysis in a CI CD without losing all your friends because quite frankly I see that mistake a lot like a lot and a lot where people put some sort of scanner interest the ICB and devtools take like 4.3 seconds and like 34 seconds and 12 seconds and then we're like we'll be back in six hours um and no one thinks that's cool um so Clint helped with that one which was awesome and then um for the other ones this might sound weird but so the the one I did about incident response I give secure coding training all the time that's what I do a lot at we had purple and one of the clients I had in 2022 said could you just our devs keep messing up our security incidents like they're they mean well they're they're wonderful we love them we don't want to be a lecturer like that they've done something wrong but sometimes they don't tell us and they're trying to fight the security incident by themselves without the right tools sometimes uh they don't realize it's a security incident and they clean up all the evidence uh and sometimes you know there's all these things that have you seen this oh yeah I've seen this a lot and I had given custom Training to my software developers and my sis admins before but it hadn't occurred to me that as part of secure coding training they would want that so I wrote it for one company and then every company wanted it from then on and I got a lot of feedback oh they're reporting tons of security incidents to us like they haven't ruined evidence all year like this is so amazing the Passover are really fantastic they take it really seriously now um and so this might sound so silly but someone was like why don't you give that as a talk at a conference I'm like oh that's training no one wants to see us and they were like why don't you submit the training and see what I had so apparently people liked it and so that that's awesome um and that the devs that cops when 
because I I know you want to talk about that one so I this might sound really odd but I've been doing consulting on the side since 2018 so when you speak on stage all the time if you're not doing the work that you talk about what do you talk about right like so I was coaching this one company for many years and doing devsecops around two to four hours a week and I would just like smash things into pipelines and code review and do all these things for them but just a few hours a week to like train their team and help them run their program and then I started working at ions research as well where I do this might sound weird but you know if there's like a game show and you can film your friend for help so basically this service is where you can phone a security person for help and so you subscribe and you can call me or like Mel or Jake or Dave Kennedy or Shannon Leets or um all these like infosec professionals they're like really amazing practitioners and then we just crush your security problem for you and so I handle a lot of the apps that calls and so I've got to work with almost 400 companies at this point over the course of this many years and so I've seen program after program after program where there's problems so I went across like all my notes and it's like what has repeated over and over and over from company to company and so I came up with 15 worst practices like things where I'm like their heart's in the right place and then it's again this is how a hundred percent the time it fails and here's how we can avoid that and so um I suggested that to replace the original keynote that RSA had accepted and they're like oh we're in this is this is even better yes let's do it I was really worried I being able to Keynote such a gigantic conference is such a huge honor and I'm like oh my gosh am I going to lose it over coffee right no so I was so happy they let me like resubmit and rewrite a whole talk yeah well I'm sure I'm sure everyone's pretty pretty glad that 
they did but I I'm really glad that you talked about that because I saw that talk and unfortunately uh I was I was stuck in there in the the vendor Hall death by vendor I call it uh but uh um I was I looked at that and I was just I just wanted to know what are the talk was called devsecop's worst practices and you said that you get 15 so maybe we don't have time to talk about 15 of them but are there a couple that that keep coming up after the many years and nearly 400 companies you talked about that that come up frequently what are the worst devsecops practices so the first one is breaking builds with false positives it like I'm sure you see why that's a problem but a lot of companies the the vendor tells them the sales person tells them oh yeah just like plug it in and and it just will magically make all your abstract dreams come true it'll be perfect and then they're they're breaking builds because they're like well Netflix does it I'm like is the name of your company Netflix no okay so your company's not Netflix so then you don't have to do what they do and they're amazing and like I've had lots of Amazing Friends that work there and they're cool we're not as cool as Netflix I don't know how to tell you that but we're just not so we need to be more realistic and it's okay not everyone can be Netflix of all the company companies I know only one is Netflix and so um like kind of like and basically like we break trust every time we do that another thing is they just throw the tools in and they don't test them first so even if they're not breaking any builds like they throw in this tool and it's been like six hours and it's still running and they've done no testing so they don't know why or they've written the stack analysis tool and they didn't test it on a couple apps they just tested it on the one tiny piece of code and then they're testing against all the apps and it's like oh you're reported 4 000 things or oh it's you know it's tomorrow it's still running and 
this might sound really obvious but I see it all the time or test results that are saved into the security tool and then you have to remote desktop into another server then you need a special password and username then you go in and you can see those and you can't copy and paste or export them no dev's gonna fix that bug they don't have time for that they have work to do put your bugs with all the other bugs and then it could be part of the the work that they do but if you keep it a secret they're not going to fix any like any or almost as many like very very little and again I see this over and over again when that people asked about it a lot after the talk was so I call it um unreasonable service level agreements but I started doing a thing and I didn't realize everyone wasn't doing it so I've had a lot of people comment on this one so this this might sound nuts when I explain it and it might sound really obvious but I see it everywhere where they decide our service level agreement is there will be no criticals or highs or mediums going into prod anymore and we're going to break the build if it goes if it's one of those and then people who support Legacy apps can't go to prod like at all because they have 300 criticals that are technical debt and so here they are let's say they fix 10 and the abstract person's like no you can't go to prop because you have all these criticals so these 10 fixes stay not in production because it could be a more secure app and so I I just configured the tools have two slas like one for this is the stuff from the first scan we ever did this is our Legacy and we will chip away at this slowly over time but the new stuff no new big vulnerabilities are going into prod and then all of a sudden we're passing built right I'm still gonna hassle you about your technical debt I'm still going to be a pain in your butt because that's part of being an abstract job you go and you bother them like hey so there's still 300 I thought we were gonna go 
for 290 this month instead what are we gonna do about this right but I see apps like person after abstract person just breaking the build so either the Legacy people are never going to prod or they don't and so one of my friends actually she resigned so I used to work somewhere and then she started working there after me to replace me after I did a contract there and she said basically after a year she did this search of all of her pull requests and almost like less than half were merged and she said I found tons of pull requests from you and they're all critical and high vulnerability fixes and she said there were over a hundred that no one had merged because of their one service level agreement and the other abstract person kept fighting her and she's like that's it I quit I just I can't do this I can't fix hundreds of bugs and have you not submit them because it needs to be perfect we're not perfect buddy newsflash and she's just like ah um and so we had tea and she told me about it and I gave her a hug because she needed one after that but but it seemed so obvious right when I explained it like that but there's tons of abstract people who I call the old GERD where they're like we're not letting any critical vulnerabilities into prod like they're already there you're not letting a new one in oh come on when you explain things it seems obvious but I think but like when but I think someone's coming from the outside would be like yeah of course we'd block all the critical vulnerabilities but that that different mindset that you have to come in with to say no actually we need to look at this a bit differently and move together because we're already starting off on a poor footing yes yes and if you can automate it all the better so uh I don't know if you're familiar with the concept of hug Ops um in the Drupal Community we we Embrace that a lot because there's a lot that goes wrong in Drupal and you need a hug sometimes it's true oh I should have told her I'm giving 
you hug-offs that would have been perfect um so I want to Pivot just a little bit um yeah here but I guess we're in the same realm um around Community uh you run a community uh yeah we hack purple I'm a member uh we get the newsletters uh very grateful to be a part of it uh and you're famous known as she hack purple um the purple branding just talk a little bit about that yeah um so when I started in security I did patent testing which is known as red teaming or it's it's part of red team so red teaming is a special exercise you do with usually a bunch of penetration testers and you you attack production to see what your real risks are and so when you write an exploit you're on your red team so every sort of offensive style security and I always explain that does not mean we swear at people it means we test the limits of our systems and if you think about it stress testing and performance testing sort of fold into this idea of testing the limits of everything where blue team are Defenders and so if you fix a bunch of bugs you implement a WAFF a web app firewall or a rasp a runtime security protection tool when you patch things you upgrade your Frameworks all those things are defense and because I kept not being able to choose which one I wanted to do and they're like you know there you are hanging out with the devs showing them how to fix bugs and you know you gave that Workshop to everyone on how to do this but then you smash their apps later and it's like you can't convince yourself which one you want to do so it's like your purple team because you keep doing both and so then I was at the first International Conference I ever spoke at almost Global appsec in 2016. 
and on stage this lady named Jaya Babu she was on a panel but she kept just playing with her phone and ignoring the audience which was really confusing I was like well that's not very respectful and they would ask her a question she's like no no no no no and she kept just playing with her phone and I was really surprised because you know here there are like a couple hundred of us wanting to hear what she says waiting patiently and finally part with her she's like okay I'm ready to talk I'm sorry my company created a a proof of concept exploit from the NSA hack of one of the vulnerabilities and we checked it into DB dot exploit so that people could use it to test their systems but someone has taken it and turned it into a vulnerability like a a malicious malware and they've attacked the NHS the British Health Service and I have to go right now oh my gosh what have I done and she ran off the stage and all the incident responders ran out of the room and everyone started sharing things on Twitter and I didn't have a Twitter account and this woman named Shannon Leets who also spoke and she's amazing and I was like looking over her shoulder at her phone and like what's happening and she's like it's called Wanna Cry and I was like oh this is so amazing and she's like Tanya get an account grow up and be a real infosec person and get your first Twitter account and I was like okay and I was rushing to make it and I needed a username and I'm like well my email is she hacks computers gmail.com and it's like she acts computers is too long and then I think maybe my friend Nancy garisha she's like why aren't you just purple just hack the purple so he's like she hacks purple oh it works let's just go so I can tell my company about Wanna Cry and I can be a good instant responder and then it just stuck and people started saying oh it's the purple lady and I wore a purple shirt one day and everyone loved it and then my friend Kevin Wall one day he's like you know you show up every 
day and your hair is still Brown I wonder when it's gonna be purple and you're gonna be all in and so I I purple streaks just to play like a little prank on Kevin and he laughs so hard and so people just loved it and so when I was like what am I gonna call my company one of my friends was like well I think it's obvious you're gonna call it we hack purple and I was like oh I guess I am and so yeah that's how it happened like it was to serve this weird organic thing and that's how I started having a Twitter account I just wanted to read what Shannon was doing and then eventually people start following me I was like oh hi definitely I'm one of them I haven't heard that story anywhere so I'm really glad to hear that um it was amazing Jaya blue is pretty incredible uh all all connected to Wanna Cry that's a yeah Wanda cray was not good but um it connected a lot of things for me and it hurt me so uh when I talked to you back at RSA one of the things you were very excited about um was the security Champions program that you're implementing our your initializing what's the word there um kicking off I guess you're kicking off yeah let's take that again so I want to talk to you back at RSA you were really excited about the new initiative that you're starting uh security Champions program um can you tell us what is that what's the high level overview of what's a security Champion what does that mean Okay so um when I start my first appsec program I wanted everyone to scan their apps with a an open source Das scanner and I was just like I just want you to be like pew pew and fix the highs and criticals you find that's it this is all I wanted for my first abstract program because I had zero experience and they had zero abstract there before and I was like if you can do that then when it comes to me I can do much more thorough testing and then together we can make better apps and very quickly there's just one person per team who was my guy and sometimes my guy was a lady like 
this is my human, this is it, and I would always just talk to Liam or talk to Stefan or talk to whoever the person was on that team, and then I started having meetings with them and showing them stuff. And then when I went to my next office they said oh, that's called a security Champions program, I was like oh. And so then I started again there, again very informally at first, and after nine months we would have like these lunches and we would teach each other things and they would run off and secure their apps, and I was like these are the best, and I would give them candy and bake them cakes and cookies sometimes, because I have this, it's weird, I don't really like cake but I really like making them because they're very pretty, anyway. And so I would bring little carb and sugar related gifts. And so then when I joined Microsoft and I started speaking at lots of places I met this guy named Ray LeBlanc, and he and this other guy named Aaron Lord, they run the Hella Secure blog, and Ray's like hey, check out this blog I wrote, and it was about his security Champions program, which was five years old, and he was super organized with his champions and he outlined like this framework that he used. And so then, through Ian's research, very quickly, so I had one call about security Champions and I helped them organize their program, and then before I knew it I had taken 40 calls, like 40 different companies, and like I helped them start it and then like a few months later you check in, etc. And so companies have been asking me like hey, will you run our Champions programs, and I can't work full time at a company and run their security, do you know what I mean, like I can't run We Hack Purple and do that. So instead I came up with a coaching program that we've just launched, and so basically now that We Hack Purple has a whole bunch of professors, we have tons and tons of speakers, and for years I've been going and speaking at people's security Champions programs, because that is the thing, so you want to get the Champions
excited and interested in security, but if you are not good at public speaking it's really hard, especially if you're a very introverted, shy appsec person, and a lot of appsec people, I'd say the majority, more than half, are more introverted rather than extroverted, and the idea of doing public speaking is sort of like I'd rather you punch me, like they just really, really, really don't like it at all. And so I started getting invited to do that quite a bit, and so basically we've launched this program where we'll provide a new speaker every month, and we will provide this framework for you to work within, and then a coach that like makes sure you're on track with your program. And I was talking to this amazing person named Brendan yesterday, what was his last name, just a second, Brendan, where are you Brendan in my emails, oh man, okay, well his name's Brendan and he is from Synopsys and he has been running security Champions programs forever, and he's going to be on my podcast soon, and him and I, it's like have you ever met someone where you're like such kindred spirits and you just like nerd out so much and you get so excited, and he's like, I look scary. And so this isn't a thing that a lot of people offer for some reason, so this is a need. And so the reason why you have champions is because there's not enough outside people, there just aren't, and Dwayne McKenzie, I'm pretty sure you know this, there's just not enough security professionals in general to do all the security work we need doing, even like there's all these open positions all over the internet. But then imagine you're the appsec person and you have 200 software development teams that you're supposed to be taking care of. You can't personally know everyone on every team, you can't personally coach every single person, but you can meet with Champions, right, you can train one person from each of those teams and then maybe mentor some of them and have someone else on your team mentor some of them. Like if
we want to scale our security programs we need the users on board, and when you're doing appsec it's software developers that we need on board, and so it's a way to get the software developers interested, to get their buy-in in like wanting to secure their apps and how to do it, how to use the tools, etc. But it's also a way to scale and, quite frankly, like save money. So if you have the developers writing more secure code, you have the developers running the scans and using the tools themselves, fixing the bugs before it gets out to that pen tester or that last test before prod, you've saved a ton of money, right? And if those things never get into prod in the first place you don't have a security incident, you don't have an emergency or a data breach or all these other problems, and again you've saved money and face, like you've saved the reputation of your company. And so there's like a huge return on investment in saving security dollars and saving also, I guess, a lot of time, because software developers, so as a dev, we do not like it when two weeks before we go to prod the security team shows up for the first time and tells us we've done everything wrong. It's like why weren't you here six months ago when we started this, like where were you, buddy? And so with security Champions the person's always there, because they're on your team. And so I've had a lot of success with this, and like if you're the only appsec person and there's 2,000 developers, like what do you do? You can't just work harder, you can't work more hours, that's like, it's just impossible, so you have to work smarter. And so scaling is a thing that I've paid a lot of attention to, and OWASP just started their first security champions, I guess, project, and it's just a link to like my blog and Ray's blog and another couple of blogs, but I'm hoping over time like we can develop a framework that everyone can use. I've released one on my blog and it has like six steps and there's like a recipe, and it's
like how you can do the things. It's not super formal, like something like NIST or BSIMM, but it's like follow these steps and it will at least be okay.

So I think, yeah, a benefit honestly. These standards, they just re-upped them at RSA with the 2.0, and it's just, it's a lot of reading, and at the end you're like what am I supposed to do again? So I think simpler, like here's a few steps, is a much better direction on things.

Yeah, and I tried to make it very, very actionable. Like one of the suggestions, so one of the steps is like recruiting, and I call it attracting, so I want to attract the right people to my program, because if you volunteer someone and force them to be a security Champion they are not an amazing Champion, they are going to be lukewarm at best, because they're like I was late to a meeting and then that's punishment, now I'm a security Champion, that's going to be a crappy champion. And so like one of my action items is like change just the signature in your email to say I'm looking for security Champions, ask me how. I have found Champions that way, they just write me and they're like what is that, I'm like oh, it's this, and then two of them were like hey, okay, I'll try that. And I, every single like all staff meeting, get up for five minutes and talk and say okay, so this is like stuff the security Champions or the security team has accomplished lately, and I want you to know we're looking for security Champions and this is what it is and this is what we'll expect from you and this is what you'll get, so send me an email if you're interested and I'll tell you all about it. And just like doing it sounds so obvious, like when I'm saying it as a list, but people will say I don't know how to start. I'm like, change your email signature, that's not hard, you can definitely do that, and then just every time you send an email you're getting the message out, and these little things work, and it all builds up to a program.

I'm very glad that you found a way to duplicate yourself,
because as you've been talking for most of this episode I'm just sitting here wondering how does she do so many things at the same time. So yeah, I'm glad that you're creating and putting down and creating some frameworks around how we can get more of you working in the security field. There's going to be links to the frameworks that you've created in the show notes for those listening, so please check out the show notes if you want to check out the security Champions frameworks that Tanya has been talking about. I just want to quickly, we'll start wrapping up because we've taken up a lot of your time and we appreciate that, but I wanted to finish up with something that I know there's going to be so many people listening to this that are going to want to know: what advice do you have for people, let's say developers, because that's where you started, that are looking at making their way into security, into becoming a security champion? Are there some steps, some resources, some recommendations that you would give the listeners that are wanting to step into this world, what could they do today, tomorrow, next week to start their journey?

Okay, so I have a bunch of things. So one thing, so right now while we're recording this it's Monday, but you might not have been aware it's also Cyber Mentoring Monday. So since 2018 I've run a mentor matching program on Twitter, and I'm now running it on Bluesky and also on Mastodon, on infosec.exchange, and so basically I use the hashtag, all one word, CyberMentoringMonday, and I announce it is the day. And so basically people respond and say I'm looking for a mentor in this, or I'm willing to offer a mentor in that, and most of the action is actually all in direct messages so that you can't see it. So someone says oh, I'm hoping to learn more about incident response, and you might see one or two posts that respond, but really their inbox is filling up. And so if you are listening to this
and you want to get into information security, the first thing I suggest is trying to figure out what topic is of interest to you, and then finding a mentor within that community or topic, and then joining every single community that has to do with that topic. So for appsec, very selfishly, I would suggest you join We Hack Purple, but also OWASP, the Open Worldwide Application Security Project, and We Hack Purple, and even DevSecCon maybe, which is run by a company but it's still lots of nice folks in there. I know their community manager and she's an amazing community manager, hi Sam. And I feel like joining a community that's the topic you like, finding a professional mentor, those are an awesome start. If you want to specifically learn application security, inside the We Hack Purple community there are free courses, so as part of a business deal that didn't work out last year I made all of the We Hack Purple courses free, and so you can take Application Security levels one, two, three, and level two goes into how to create a developer advocacy program and a developer education program and a security Champions program, which all kind of like go hand in hand, if that makes sense. And so if you want to learn about that there's an actual course and it's free. There's infrastructure as code, there's Azure security, there's a whole bunch of stuff in there, there's lots and lots of stuff, and all of that is free, and we have monthly events as well that are free. But another thing you could do, so I love OWASP, I'm like a giant fangirl, and I'm a lifetime member, and they have a YouTube channel. Their YouTube channel is amazing, they have like hundreds and hundreds and hundreds of hours from all the different conferences and meetups that they've had over the years. OWASP is 21 years old, it's 22, it's turned 22 this year. And so they have like, so I like to think I have like lots of awesome appsec content, but they have the most, and it's awesome. And so if you could find topics that
interest you, or find a speaker that you really like, you could just go and see all of their talks for free. And so I'm a big fan of like, I find someone and then I'm like oh, I'm gonna watch everything they've ever done. I'm that person, just like when I find an author I like, I read every single book they've ever written, I read all of their books, I just go back like years, I'm like I'm gonna read every single thing they've done, because that's what I'm like. And so OWASP's made that very easy to do on their YouTube page, which is really awesome.

That's fantastic, and there's going to be links to a lot of resources in the show notes, so if you're listening and you're trying to jot all this down, then don't worry, you can just go to the show notes there. Well, Tanya, we've come to the end, and just thank you so much for this. Usually we ask where people can follow you, but I think the great thing about the purple branding, We Hack Purple and She Hacks Purple, is that across all social media platforms people can follow and find you with the same handles.

It is, except for shehackspurple.dev, that is not me, that is an imposter. I am not trying to sell you online gambling, just to be clear, so ignore that site. But shehackspurple.ca, wehackpurple.com, shehackspurple on every single platform, and wehackpurple, those are all me, just ignore the dot dev. I should not have let that domain name go, and I have learned a lot of lessons today from all the people who sit on domain names and never use them, I just learned that lesson.

Yeah, well that's great. Well, thank you again. Duane, do you have any final notes before we press the big red button?

No, I just want to say thanks again for being here, thanks for promoting OWASP, and I love hearing OWASP come up in conversations. I love talking about that accomplishes, and the number of people who are doing security are like is OWASP still around, or what's OWASP, always just shocks
me. So yeah, thank you.

It has been my pleasure.