Today’s Day Two Cloud gets into security. In particular, we discuss application security and working with developers to make sure code is sanitized and tested. Writing secure code at the outset can dramatically reduce risk and help simplify operations and security.
Our guest is Tanya Janca, founder of We Hack Purple. We Hack Purple has online training to help developers integrate security practices into their coding. We Hack Purple is joining Bright Security, which will enable We Hack Purple courses to be available for free.
In addition to application security, we also discuss major security issues including phishing, ransomware, and the recent Log4J vulnerability that forced businesses to scramble to protect themselves. We discuss what the DevSecOps movement means. Tanya also offers advice on how folks can get into security as a career, whether with an IT background or from an entirely different field.
Sponsor: StrongDM
StrongDM is secure infrastructure access for the modern stack. StrongDM proxies connections between your infrastructure and Sysadmins, giving your IT team auditable, policy-driven, IaC-configurable access to whatever they need, wherever they are. Find out more at StrongDM.com/packetpushers.
Sponsor: ITProTV
Start or grow your IT career with online training from ITProTV. From CompTIA to Cisco and Microsoft, ITProTV offers more than 5,800 hours of on-demand training. Courses are listed by category, certification, and job role. Day Two Cloud listeners can sign up and save 30% off all plans. Go to itpro.tv/daytwocloud and use promo code CLOUD to save 30%.
Show Links:
Alice and Bob Learn Application Security – Google Books
@wehackpurple – We Hack Purple on Twitter
@shehackspurple – Tanya Janca on Twitter
Jobs in Information Security (InfoSec) – She Hacks Purple blog
SheHacksPurple – Twitch
SheHacksPurple – YouTube
Cyber Security Career Guide (Book) – Alyssa Miller
#CyberMentoringMonday – Twitter
Day Two Cloud 055: Securing Cloud Infrastructure And Applications – DayTwoCloud.io
Transcript:
[00:00:00.850] – Ethan
StrongDM is secure infrastructure access for the modern stack. StrongDM proxies connections between your infrastructure and sysadmins, giving your IT team auditable, policy-driven, IaC-configurable access to whatever they need, wherever they are. Find out more at StrongDM.com/packetpushers. This episode of Day Two Cloud is brought to you in part by ITProTV. Start or grow your IT career with online IT training from ITProTV. And we have a special offer for all you amazing Day Two Cloud listeners. Sign up and save 30% off all plans. Go to itpro.tv/daytwocloud and use promo code CLOUD at checkout to save 30% off all plans. [00:00:52.350] – Ned
Welcome to Day Two Cloud, Ethan. We have a fantastic show today. Our guest is Tanya Janca. She is the founder of We Hack Purple. And we’re going to be talking about AppSec and InfoSec and how you can break into that industry if you want to. What jumped out to you about the conversation? [00:01:11.670] – Ethan
Tanya is passionate about AppSec, specifically working with developers to make sure that their code is sanitized and that it is tested well and so on. So we do spend some time there because I didn’t know anybody was teaching that. And Tanya thinks she’s one of the few that are in that space really covering this with devs. But I was excited to learn from her just how in demand that skill set is becoming for developers. Security seems to be taken very seriously these days in the development community, Ned. [00:01:39.890] – Ned
Yeah, absolutely. And she’s built up a whole catalog of training at We Hack Purple that helps people almost go from nothing into this realm of application security. And stay tuned. Towards the end of the episode, we have some very exciting news that she’s going to break about her company. So enjoy this conversation with Tanya Janca, founder of We Hack Purple. Well, Tanya, welcome to the show. It’s been a while. You were on episode 55 of Day Two Cloud way back in the days of July 2020. So almost two years. And I think you were just about to change your branding from She Hacks Purple to We Hack Purple. So what’s going on? How have you been in the last two years? [00:02:23.670] – Tanya
A lot of things have happened, Ned. Thank you both for having me back on. So We Hack Purple has gotten very big. I think we counted we have 6000 registered students in our Academy. Pretty awesome. And our Academy has grown. I think it’s just under… Our community has grown. It’s just under 2000 people now. And basically we’ve released more courses and we’ve started having more events and we started giving private trainings for enterprise customers. And yeah, a lot of stuff has happened. I also published a book since we talked last called Alice and Bob Learn Application Security. And that was a lot of work. But oh, my gosh, it’s so awesome to have a piece of work that you made like that. [00:03:08.320] – Ned
Yeah, you did the book writing thing. I’ve done that myself as well, and that is a commitment. But it’s awesome to say I wrote a book. [00:03:17.910] – Tanya
Yes. I actually want to start my next book. In the next few months, Alice and Bob are going to learn secure coding. [00:03:24.950] – Ned
Awesome. Go, Alison, learn your lesson from writing the first book. If you want to write a second book. [00:03:32.730] – Tanya
Exactly. [00:03:34.530] – Ethan
Well, good for you, Tanya. I’m sure it’ll be as good as the first. [00:03:37.830] – Ned
Thank you. Yeah. [00:03:38.710] – Tanya
Thank you. [00:03:39.320] – Ned
So for folks who don’t know, your primary focus is information security, right? [00:03:44.310] – Tanya
Yes. And specifically application security and like how to make sure you are making secure software no matter what way you’re doing it, if you’re doing DevOps or agile, but just how to make sure at the end your software is safe to put on the Internet. [00:03:58.110] – Ned
Got you. [00:03:58.600] – Ethan
You don’t have to write firewall rules anymore, right? [00:04:01.650] – Tanya
Ideally, no, not for the software, just for the network. [00:04:06.630] – Ned
That would be nice. So what you’re saying is application developers could write more secure software and make my life as an operations person easier? [00:04:15.030] – Tanya
Yes. [00:04:16.060] – Ned
I am literally saying that I’m on board. How do I make that happen? [00:04:22.830] – Ethan
Got to connect you with someone over at HashiCorp. If you do need to bang out and have an interesting conversation, that would be very interesting. [00:04:29.350] – Ned
That would be interesting. [00:04:30.160] – Ethan
It’s all about the not putting defense in depth layers if they aren’t needed, if they’re redundant, if they just complicate your life. So that would be I would love to hear you guys have a conversation. [00:04:41.850] – Ned
Yes. [00:04:42.430] – Tanya
We talk about layers of security quite often, and sometimes it’s worth it, and sometimes it’s not depends on what you’re trying to protect. [00:04:50.610] – Ned
Yeah. And adding too much complexity can often make your stuff more insecure because you lose track of how things are configured or done. [00:04:59.250] – Tanya
Yes. That is a thing that’s happening a fair bit with DevOps and cloud and especially like microservice architectures. Yes. There are definitely ways to make sure it’s less complicated and therefore more secure. [00:05:11.490] – Ned
So what’s going on in the world of InfoSec and AppSec today? What are the big headlines or the big news that you’re focused on? [00:05:19.170] – Tanya
So information security in general? Right now, it’s ransomware everywhere all the time, which is awful, obviously. And phishing, basically, those two things are the biggest things that are happening all over the world, and they can happen to a person or a company. Unfortunately, those are quite profitable for criminals. And so they’re doing a lot of it and it’s still working. And so our industry is trying to work against it. And unfortunately, we’re not there yet. But I specialize in the security of software. So application security, as it’s called, and application security is actually getting pretty exciting. So in December, we had the Log4j situation. So basically, Java is really popular. It’s all over the Internet, and there is a logging library called Log4j. And lots of companies are smart and they make their apps log, which is good. But a vulnerability was discovered that was pretty darn terrifying. And it turned out just basically if you have it, you were vulnerable. So sometimes you can have a library, but you’re only vulnerable if you use this function or whatever. But it was just like if you have it, you’re doomed. And the entire industry moved very fast. [00:06:43.940] – Tanya
I was really impressed with the way that a lot of incident responders did their job compared to in 2020 when SolarWinds came out, or 2016 when Struts 2 had vulnerability after vulnerability after vulnerability reported. So I feel that our industry has really, really matured in those five, six years. But also I’m just starting to see application security being taken seriously, which is amazing. So I used to work with clients and I was just trying to convince them that software was a thing. If you’re making software, you’re putting it on the Internet and it’s like a window into your network. They just go right past the firewall if it’s insecure, and then they’re on your web server, they’re on your database server and they’re inside and bad stuff can happen. Now the companies are contacting me and they’re saying, we want you to help us improve our AppSec program, we want you to train our developers in secure coding because we know we need it. And previously, when I started, most companies didn’t have any sort of AppSec activities or AppSec knowledge. And now it’s like this is a serious thing that has to be addressed. [00:07:53.140] – Tanya
How do we do it? And I don’t have to beg to do my job anymore. And it’s awesome. [00:07:58.890] – Ethan
When you talk about secure coding, does that mean an application developer is going to write some code and then to validate its security, it is put through a battery of tests, and when the bad code is revealed or missing code is revealed, it’s percolated up and changes are made? Or is it more like you need to have this security framework that you’re writing your code around from the ground up? Or you might as well scrap it and start over. [00:08:23.340] – Ethan
What’s the approach? [00:08:24.930] – Tanya
So for secure coding, specifically, we teach at We Hack Purple, we call it the 17 Commandments, and they’re in Alice and Bob Learn. And basically it’s the 17 things that you need to do or you are just not safe enough to go on the Internet. So we talk about, you know, these are what security headers are. These are the exact settings that we recommend. You can go deeper and do more security and put tighter security. But if you’re going to go on the Internet, this is the bare minimum. Or input validation. This is what input means. So a lot of people think input is just from a field, but it could be the URL parameters, a hidden field from your own API. There are so many places that are input to your app and then how do you validate that? What is escaping? [00:09:09.040] – Ethan
I have fun tailing logs on my web server and I can see SQL injection attacks just scroll by every once in a while, people try it. Yeah. [00:09:16.500] – Tanya
Yes, exactly. And so secure coding, we have a course on that. And basically it’s just about how software developers can start writing more secure code, how they can review a colleague’s code and look for those things and why you need to do those things. So why is this scary? What am I avoiding? How am I making my life better? But the first thing you talked about was more like a secure system development lifecycle. So the idea that okay, so we’re going to build an app. Awesome. We need some requirements. Let’s make sure there’s some security requirements in there. So let’s tell the devs what we want. And then when you get to the design phase, doing some threat modeling, looking at the design, like writing it on the board and just pointing out possible problems and fixing them. Secure coding, like you said, and then testing. And that’s what you talked about. Like a battery of different types of tests to verify all the things we did before that worked and then fixing anything that you missed. [00:10:10.730] – Ethan
Like an automated QA process. That’s the part that excites me because it’s the kind of thing that you can develop over time. It’s not subject to opinions or people following a process. You kind of bake it into the automation pipeline and you’re just less likely to miss things that way or to be lazy and just be like, it’s fine, just rubber stamp it and move it on. Because you’ve baked all of that testing in, it feels to me, especially when time is put into developing the battery of tests over a period of months or years, even, you’re just more likely to come up with a secure product at the end of the day. [00:10:51.880] – Tanya
Yes, I talk a lot about the favorite marketing word right now, DevSecOps. And it’s basically, in my opinion, what AppSec people do, or security folks do, if we work somewhere and they’re doing DevOps. So I still want the same stuff, but I want to automate and be cool like the DevOps folks. So putting things in the pipeline but making them short and fast, or putting automated checks that are outside the pipeline and it just sends the answer to the pipeline. So like, yes, they passed all their tests or no, two thumbs down. Do not let that go to prod. I have to say I’ve been having a ton of fun just automating lots of things for clients and then seeing the results. Right. Because then you can scale yourself and your work way better with automation because you set it up once, you spend all this time. When I was a pen tester I’d take all this time, setting up all my tools, scanning all these different things, getting access to all this stuff, and then I’m just supposed to pack up my stuff and leave. I’m like, well, why don’t we… how much would it cost to leave these tools and have them run every month and give them a report? [00:11:57.280] – Tanya
And they’re like, Tanya, you don’t understand consulting. [00:12:02.890] – Ned
If you leave them while they’re running, you can’t charge the person when you come back in six months, you got to keep the money flowing, right? [00:12:12.430] – Tanya
I had to learn a lot about consulting when I switched from being an employee. [00:12:16.750] – Ned
It’s a different world. And that’s a whole other episode that we could get into. I’m curious. So you mentioned DevSecOps as being sort of the new big buzzword. And for some people they think, oh, that’s just getting the security team or the InfoSec team involved in the development process, while other people think of, well, now I’m giving the developer yet another hat to wear. First they were developing code and then I told them, you also have to be able to deploy your code because now you’re an ops person, and now I’m telling you, you’re a security person. So, like, what is the balance of security for the developer versus security for the InfoSec team that helps out? [00:12:57.370] – Tanya
I feel like every organization does it differently. I’ve seen companies where, so for instance, Shopify, so I used to spend a lot of time at Shopify in Ottawa because they would host my OWASP meetup for years and it’s really great. And so their AppSec team would just hang out with us, which is awesome. And they have a huge AppSec team that they’re amazing. They’re just totally amazing. They’re like really steady, a lot know exactly what they’re doing. And they’re saying generally it’s our job to find bugs and support the developers in writing secure code, doing testing to make sure what they’re doing is okay, like supporting them, doing security activities as part of the SDLC. They’re like, but sometimes I’m in there and I’m like, I’m just going to fix it. I’m just going to fix the bug. I don’t care. I’m not going to take the time to make a JIRA request, do all this other stuff. I’m just going to fix it. Now, I know I’m not supposed to fix bugs, but no one’s going to be like, oh, how dare you fix that bug. Sometimes if you’re already in there, it’s just easier to just get your hands dirty and do it. [00:13:57.130] – Tanya
But I’ve seen other teams where never in a million years would they be allowed to touch code. And they’re very hands off and they’re like, devs, you do this, you do that, and they just tell devs what to do. I’ve seen security teams where they feel that all of AppSec is the software development team’s job. So when I get hired by companies to come in and give training, around maybe 30% of the time it’s the dev team that’s hired me to come train them because they’re not getting answers out of their security team. So if the security team hires me, they have, like, a big bucket of things to do for AppSec, and so they take that budget out of there. But if the dev teams hire me, they’re usually allowed, like, $1,000 or $2,000 each for a year to get their own training. And so they’re mashing it all together to hire me. And they’re very passionate about security at that point. They’re like, we really care. The security team, they just send us these surveys, and then they might tell us to change one thing, like four months later, and they don’t talk to us. [00:15:04.610] – Tanya
They didn’t give us any policies or they did. But it’s like how to use your computer from home. It’s not anything about secure coding and nothing about secure design. They’re like, we’ve asked for guidance, like 20 times. And they just say, well, you should know that. So we’re going to know it because you’re going to come in and show us. I’m like, awesome, yes. [00:15:24.930] – Ethan
What has changed in the industry that all of a sudden you’re talking to these teams and having these sorts of conversations where they care. Because from a business perspective, for a long time, it seemed like insurance will cover it. It’s a risk that will cover with some kind of cyber insurance. That’s the way we’ll deal with it. But now what you’re describing is definitely a mentality shift. What’s changed? [00:15:51.210] – Tanya
Okay, so cyber insurance really did not go well. I know there’s still some companies selling it, but what happened a lot of the time is companies would buy cyber insurance and then the cyber insurance company would come and say, well, you have no secure system development lifecycle. You have literally no standards. You did no testing. So, no, we’re not going to pay you out. [00:16:14.160] – Ethan
You’re driving drunk, you’re not wearing your seatbelt. You hit a pedestrian. What do you want to do? [00:16:19.460] – Tanya
And then you like, hit and ran, right? No, your insurance doesn’t cover idiocy. That’s been happening at some companies where they’re just saying like, no, we’re not going to pay out. I remember the first house I ever bought, there was a little attachment to the house, and it was in an awful state and ended up having a flood. An insurance company came and they’re like, there’s literally holes in your roof. Like the previous owners had put nails directly into the roof and done all sorts of things. They’re like, we’re not going to pay out for this. And I was like, okay. And then I got to repair it myself. And that was not awesome. So I think that a lot of companies that bought cyber insurance got burned and some of them didn’t. Some of them… And then they just got hit with ransomware. And so the insurance just pays the ransomware up to a certain point. They’re like, oh, we don’t care. And then they don’t learn. And then they kept doing the same things that made them vulnerable to ransomware. And so I was really hoping, I was very hopeful that the insurance would come out with like, you must do these things to be secure and the companies would actually start doing them. [00:17:31.350] – Tanya
But the companies didn’t. So basically either, some companies already had good hygiene and might have had better hygiene, but the ones with terrible security hygiene just kept on doing that. [00:17:43.470] – Ned
That’s really interesting. So to a certain degree, it’s a problem. Yeah, they learned the hard way that they have to do that. [00:17:52.890] – Ethan
We pause the podcast for a couple of minutes to introduce sponsor StrongDM’s secure infrastructure access platform. And if those words are meaningless, StrongDM goes like this. You know how managing servers, network gear, cloud VPCs, databases and so on is this horrifying mix of credentials that you saved in PuTTY and in super secure spreadsheets and SSH keys on thumb drives. And that one doc in SharePoint you can never remember where it is. It sucks, right? StrongDM makes all that nasty mess go away. Install the client on your workstation and authenticate, policy syncs, and you get a list of infrastructure that you can hit when you fire up a session. The client tunnels to the StrongDM gateway and the gateway is the middleman. It’s a proxy architecture. So the client hits the gateway and the gateway hits the stuff you’re trying to manage. But it’s not just a simple proxy, it is a secure gateway. The StrongDM admin configures the gateway to control what resources users can access. The gateway also observes the connections and logs who is doing what, database queries and kubectl commands, etc. And that should make all the security folks happy. [00:18:58.200] – Ethan
Life with StrongDM means you can reduce the volume of credentials you are tracking. If you’re the human managing everyone’s infrastructure access, you get better control over the infrastructure management plane. You can simplify firewall policy. You can centrally revoke someone’s access to everything they had access to with just a click. StrongDM invites you to 100% doubt this ad and go sign up for a no-BS demo. Do that at StrongDM.com/packetpushers. They suggested we say no BS, and if you review their website, that is kind of their whole attitude. They solve a problem you have and they want you to demo their solution and prove to yourself it will work. StrongDM.com/packetpushers and join other companies like Peloton, SoFi, Yext and Chime. StrongDM.com/packetpushers. And now back to the podcast. [00:19:53.790] – Ned
Do you think that the fact that a few companies got burned has sort of spread the message around whatever industry they’re in? Hey, you need to pay attention to this AppSec thing because we got burned by it? Or do you think companies don’t share that sort of thing because they’re a little embarrassed by it? [00:20:11.470] – Tanya
Some of the industries do share information. So I’m under NDA. But there’s a big industry that you know of and all of their CSOs meet and they talk about common threats that they’re facing and they try to share like, we got hit by this, so watch out for this. And they’ve been sharing security information and working really hard at it. But then other ones, such as healthcare, for instance, they’re not doing that. And it’s healthcare that’s getting really hit hard with ransomware. And healthcare is notorious for just never patching anything because, for instance, hospitals have to be open 24/7. There’s no time where there’s like, oh, yeah, the business hours are over. Let’s patch. That doesn’t exist in the hospital. Right. And so it’s very hard for them to have even decent patching at all. Not just security patching, like just being relatively up to date. Like there’s tons of hospitals with Windows XP all over their networks right now and even earlier than that. Same with any sort of energy systems. So like nuclear power plants, a lot of them are running XP or even Windows 98 because trying to patch a nuclear power plant is a complex, high risk activity. [00:21:27.550] – Tanya
So there are groups where it’s kind of impossible or it’s very difficult, while there are other groups, like even software companies or companies that make streaming videos online, like mine. So we pay another company to host the We Hack Purple Academy and the We Hack Purple community. So I don’t have to patch, they have to patch. But the companies that are doing the patching, it’s not always a good scene. It’s not always great. And I think that basically attack after attack after attack is happening. Data breach after data breach after data breach. And software has been the main, specifically web software. So web apps and APIs have been the number one cause of data breach since I think 2008, when Verizon started writing that Verizon breach report every year. We’ve just been two thumbs down every single year. And so maybe people started reading the report, maybe people started listening more. But I think it’s actually just the bottom line. I think that they see another company utterly destroyed and going out of business and they’re like, that can’t happen to us. We have to take this seriously now. Or worse, they did have a giant breach. [00:22:35.450] – Tanya
So I’ve worked with a lot of companies where they’re like, we had a giant breach last year and we want to be like Aces and perfect and ten out of ten from now on on our security, you tell us everything we can do and we’re going to do everything. But a lot of companies that haven’t had something like that happen, they just keep on chugging along and hoping for the best. And that’s a scary place to be, in my opinion. [00:22:58.630] – Ned
Yeah. Because eventually it’ll catch up to them, especially if they get bigger or some of the other targets go away because they’ve improved their security. Now you bubble up to the top as a potential target and you’re going to get hit. [00:23:12.250] – Tanya
Yes, I’m not sure if I answered your questions about where’s the balance for devs. I really do feel like the software developers are under a lot of pressure right now and expecting them to be dev and ops and all the security is too much. I agree. The model I teach is where security people support the devs and they try to give them all the things they need so that they can create secure software and they trust, but then they verify with a whole bunch of tests to make sure that it worked out and then get them to fix those things. I feel like if the devs are supported well enough, it can work really well. It just depends on if the company is going to take it seriously or not and has the budget and the people to work on it. [00:23:54.370] – Ethan
Security has always been a shared responsibility model of some kind or another. AWS, I think, uses those terms to talk about what they do versus what’s expected of their consumers. But even within companies, it’s been that. So it’s not all on the devs, but it’s a reasonable expectation that a dev is going to do things like sanitize input; that should be a given, that kind of stuff. But right. We wouldn’t want it to be all on devs because there’s lots of code to be written, and depending on their operating model, maybe it’s 15 microservices that they have to touch to update a particular service, which is counterintuitive. But the more I read about microservice environments, it does seem to be the reality of it, unfortunately. And so right. There’s a lot of pressure there. But I would imagine that there’s a balance of devs writing secure code and having best practices combined with operations as another layer that is keeping up with this. And then a security team that overall has design and the checks and balances on what’s finally making it to prod, with everybody working together. We’re all one big team here, resulting in a product that’s pretty secure once it hits the wire. [00:25:04.330] – Tanya
Yes, that’s what I want so bad. [00:25:09.790] – Ned
Well, we need people to do it. We need more people getting on board with InfoSec and getting into it. So when I spend any time on Twitter and the InfoSec community, it’s not always the most welcoming community, or at least portions of it are not. So I’m curious if someone is interested in getting into the world of InfoSec or AppSec, what would you recommend they do if they’re coming from some other tech background? What should they do or where should they start to kind of break into that industry? [00:25:42.310] – Tanya
I have so many ideas on this page. [00:25:44.680] – Ned
Okay. All right. [00:25:46.630] – Tanya
So first of all, I wrote an article and I’ll send you a link to it after. And it’s called Jobs in InfoSec. And it’s just all the different types of jobs I’ve ever heard of and what it’s like and what it means. And I did that because when I started in security, I thought the choices were pen tester, the person who updates the firewalls, or the risk analyst person that asks me a bunch of questions, does a bunch of paperwork, and then never speaks to me again. And I don’t know if I passed or not. And I was like, well, pen tester sounds the best of those three. That sounds good. Sign me up. And then very quickly I realized that I was meant to work in AppSec, not as a pen tester. And I loved talking to devs all day. Pen testing can be like, so I’m super extroverted and I really like people. And pen testing, for me, it started to get kind of lonely, like me and an app for 8 hours, and I’m attacking it and I’m like, I found all this stuff. I feel good. But then it’d be like, where are all the people? [00:26:46.450] – Tanya
It wasn’t a good choice. [00:26:47.990] – Ethan
Today I learned that I’d be a great pen tester. [00:26:51.610] – Ned
Put me in a corner by myself. I’m happy. [00:26:55.330] – Tanya
But AppSec is really social, like, you end up being kind of a social butterfly. And it really works well for my personality. And so I wrote up this article so that other people could know that other jobs exist and also, total, just like blunt honesty, I want to make people come work in AppSec because I love it and the more people, the better. So then after that, I’m going to send you this link. So Jobs in InfoSec. And then the next thing is trying to find communities and/or a professional mentor and/or friends that work in that area so you can learn more about it and then decide for sure whether you want to go into that or you’re like, oh, I was wrong. Because I started with pen testing. I spent a long time learning how to do that. Realized very quickly that I guess I just kept doing AppSec with our clients. And my boss was so annoyed, hanging out with the devs all the time. Why are you helping them fix all those bugs? What are you doing? And it’s funny now, but he was not impressed. And then the clients would ask for me and he’s like, why are they asking for you? [00:28:04.500] – Tanya
You took like four extra days. I’m like, yeah, but I helped them fix all these bugs and we retested and we retested, and then we released it and it was really good. And he’s like, that’s not your job. And so I learned a lot. But the point is, if people could learn that without spending a few years invested in it before that, every Monday on Twitter, I do this thing called Cyber Mentoring Monday. So I have a hashtag, you squish those words together. So Cyber Mentoring Monday, and I just pair off people together. So I’m like, are you looking for someone? Are you willing to offer? And then people message each other and then a lot of things happen in direct messages so you can’t see what’s going on. But people put themselves out there and say, Hi, I’m looking for this. And then someone else just comes and says, hey, want to have a coffee on Zoom with me? And then they meet and the friendships form, mentoring relationships form. Sometimes people end up getting hired. And so that is one good way to say, like, I’m considering becoming law. Would anyone want to talk with me about it and tell me what it’s like to do that job? [00:29:12.550] – Tanya
I’m super passionate about trying to get people to join our industry. Another thing I did for the first season of the We Hack Purple podcast: every single episode is me interviewing people who have different jobs in information security and asking them, like, how did you get that job? What is that job like? How did you meet those people? What did you study so that you had enough experience to do this? What jobs did you have that led up to this? Does this job pay well? Are there lots of opportunities in this job? Is this a job where I have to have a PhD to get it, or can I do this with just high school? And so we did 49 episodes of that. So that’s a really helpful resource, which of course is free, the We Hack Purple Podcast season one. Season two is like cute, fun little security mini lessons where we’re learning a little thing each time. Okay, so the last thing that you could do if you’re interested in AppSec, which is what I do, like software security, DevOps, things like that, is join the We Hack Purple community, which is free. [00:30:14.520] – Tanya
So there’s no upsell, there’s no like, after this amount of time, we try to charge you. It’s just free. And basically there’s a whole bunch of us in there and we have live streaming events. So at first I was presenting, but now community members present to each other, which is really exciting. And we have little discussions and we have little panels and we write little articles, and basically people will say, I’m having this problem at work, how do I do this? Or, I’m really interested in that. And so people are making friends and networking, and we do some cloud security, we do some other things, but mostly it’s AppSec because I love AppSec. But yeah, so join a community about the thing that interests you and be social. [00:30:59.830] – Ethan
Are there entry level opportunities across the board there? Like, if I want to get into AppSec, is that a ground level opportunity, or do I need to be in the cybersecurity world for a few years before I can step into AppSec? [00:31:10.750] – Tanya
That is a ridiculously excellent question. And I’m going to give you the “it depends” answer. So a lot of organizations will post, I want ten years experience in AppSec for this job. And I’ll tell them, well, I wrote the book literally about AppSec. I wrote the only book in English that is about AppSec, and I don’t qualify for that job. Do you want to rewrite it? Are you telling me I’m not qualified to do that? So they’re like, no, of course you are. I’m like, you’ve just eliminated everyone like me. Eight years is a ton of experience in AppSec. And also, I was a software developer 17 years before I switched to AppSec. I’m like, why don’t you include any other IT experience as part of the level of experience? So let’s say someone did help desk for two years and then they switched over, or they were a software developer for five years and then they’re switching over. That person has a wealth of knowledge already, and they also understand, like, how to work in an office, how to do projects, how to get things done, how to have a Zoom meeting. [00:32:11.680] – Tanya
So there’s all this experience that they already have, and you’re just like, none of that counts. What are you doing? Do you want to hire someone or do you want to try to find God because you’re trying to find a perfect human being that I don’t know where you’re going to find that person. And when you do, you can’t afford them. [00:32:29.570] – Ned
True. [00:32:30.790] – Tanya
So what I’ve seen happen a lot. So I was upset that there’s not enough AppSec people to fill all the jobs. So that’s part of why I started We Hack Purple, and so we’ve had a lot of companies reach out and hire our grads. So they take three courses and then they graduate. And the idea is that they’re ready to be junior, and they might not know how to debug an app or they might not know how to do super advanced hacking. But the idea is they have this big foundation and they know the things that need to be done and they know where to find all the answers. And they’re like, raring to go. And so we’ve had a bunch of companies hire those people, and a lot of them, by a lot, I mean, 90 plus percent, have found jobs in their field within the first three months, which is awesome. We used to have a 100% rating, and then now it’s been a bit lower because we used to help people find jobs. But then the person that did that went back to school; she was like, so awesome at it. [00:33:24.560] – Tanya
But anyway, this is what happens when you only have, like, five or six people that work at your company. Someone leaves and you’re like, oh, my gosh, that’s such a huge dent. But anyway, so basically, if organizations are open to hiring a junior person and having a senior person teach them, that’s a great way to do hiring. If you are a junior person: so I’ve gotten almost all my jobs from networking. And so a lot of people post jobs inside our community and inside OWASP channels. So OWASP is another really fantastic, amazing community that you could join where everyone loves software security, and they have different chapters around the world. They’re really amazing. And so meeting people there, meeting people at We Hack Purple, or like, let’s say you want to do threat intelligence and threat hunting. So you would join communities where people are into that. You talk to people, you tell them, I know I’m junior. Can you mentor me? Can you teach me? And then eventually that person will likely introduce you to someone that will give you a job. So a lot of the jobs, it’s not someone applying on the Internet for the job. [00:34:27.820] – Tanya
It’s that they got introduced by someone else. And they’re like, for six months, this person has been doing every single thing I told them. They read the book, they did the proof of concept, they wrote the app, they did the pen test. For my first job as a pen tester, they said, you don’t know what you’re doing. We’re not hiring you. So I did an entire pen test for free. And then they still said that wasn’t enough. So I went and remediated myself. I patched the servers, I fixed the app, I did everything. And they’re like, well, you’re just not going to go away, are you? We’re going to give you a job. [00:35:00.070] – Tanya
And then I got hired. I also had my professional mentor go to consult there. And he’s like, well, I don’t want to come if Tanya’s not coming. What are you thinking? You can’t afford someone with more experience than her, and I can’t do all the apps. So what are you going to do? Like, get her. You’re being dumb. And so the client, they hired me. And then eventually I moved up and up and up. Once you have one year experience in infosec, like, the world is your oyster. It sounds weird, but one year, all of a sudden, tons of things open up to you, and you might do so. I know someone that did one year in AppSec. And he decided, no, I definitely want to do red teaming. That’s definitely what I want to do. I want to smash all the things, which is awesome. We need those people. And so he switched over, and he had multiple job offers, and he was so shocked, he’s like, I just have one year plus, like, your little certificate thing you gave me, plus, like, this little Microsoft course I took for three weeks, and people are offering me $100,000. [00:35:59.280] – Tanya
Tanya, like, take it, do it. And so once you have a bit of experience, the world is totally your oyster. There are tons of opportunities then. But getting that first job, I find networking, meeting people, and especially if you can volunteer to be part of something so you can show people your work. So joining an open source project, for instance, like finding an open source project and writing them and saying, hey, can I do a security assessment for you and help you make your thing more secure? I’ll do some testing, I’ll log some bugs, and I’ll help you fix them so that I can put this on my resume. I never believe it. They’re going to be like, free security testing? Yes, this sounds quite good. Thank you. [00:36:41.530] – Ethan
Yeah. Those open source projects, they don’t usually have much of a budget. So, yeah, if they can get security for free, that’s pretty nice. So I’m seeing a progression here. If you’re coming from the outside, you don’t already have that network built up. Then get on Cyber Mentoring Monday or something similar and get hooked up with someone. That’s your starting point. That’s kind of an anchor, or join a community. Like you were saying, you don’t need to know someone to join a community. You can just do it. And then from there, you build that network of people who, assuming you’re a good person who does work hard, good things will tend to come to you. So that’s absolutely fantastic advice. And I’ve been watching the whole Cyber Mentoring Monday thing growing. It looks really awesome. If I was going to try to get into the cyber world, I would probably go that route. And we talked about all the different jobs that are out there. I really wish that something similar had existed for, like, an operations infrastructure person when I started in the industry almost 20 years ago, because at the time, I had no idea what the roles were out there. [00:37:53.400] – Ned
I was like, I guess it’s help desk or patching or installing servers. I didn’t know about any of this other stuff. So maybe I need to write a post like yours. [00:38:05.170] – Tanya
Yes. Actually, there’s one more resource I just thought of. So this woman named Alyssa Miller. So she speaks at conferences a lot, and she has a lot of Twitter followers. She wrote a book, and I believe it just came out maybe two weeks ago. And it’s specifically how to get a job in cybersecurity and all the different types of jobs that exist. And she interviewed a ton of people over the course of two years for this. And so I haven’t bought a copy yet, but I absolutely intend to. And she’s worked in Infosec longer than I have. And she’s very passionate about trying to help people get into it. So I think that would be a good resource, too. I’ll get you a link to that book to add to the show notes. [00:38:45.700] – Ned
Oh, I already found it. We’re good. I follow Alyssa on Twitter, so it’s right there on her profile. [00:38:54.250] – Tanya
Awesome. [00:38:54.700] – Ned
Perfect. So we will include that in the show notes as well. [00:38:59.050] – Ethan
We pause the podcast for a couple of minutes to introduce sponsor StrongDM’s secure infrastructure access platform. And if those words are meaningless, StrongDM goes like this. You know how managing servers, network gear, cloud VPCs, databases, and so on is this horrifying mix of credentials that you saved in PuTTY and in super secure spreadsheets and SSH keys on thumb drives, and that one doc in SharePoint you can never remember where it is? It sucks, right? StrongDM makes all that nasty mess go away. Install the client on your workstation and authenticate, policy syncs, and you get a list of infrastructure that you can hit when you fire up a session. The client tunnels to the StrongDM gateway and the gateway is the middleman. It’s a proxy architecture. So the client hits the gateway and the gateway hits the stuff you’re trying to manage. But it’s not just a simple proxy. It is a secure gateway. The StrongDM admin configures the gateway to control what resources users can access. The gateway also observes the connections and logs who is doing what, database queries and kubectl commands, et cetera. And that should make all the security folks happy. [00:40:04.360] – Ethan
Life with StrongDM means you can reduce the volume of credentials you’re tracking. If you’re the human managing everyone’s infrastructure access, you get better control over the infrastructure management plane. You can simplify firewall policy. You can centrally revoke someone’s access to everything they had access to with just a click. StrongDM invites you to 100% doubt this ad and go sign up for a no BS demo. Do that at strongdm.com/packetpushers. They suggested we say no BS, and if you review their website, that is kind of their whole attitude. They solve a problem you have and they want you to demo their solution and prove to yourself it will work. strongdm.com/packetpushers, and join other companies like Peloton, SoFi, Yext and Chime. strongdm.com/packetpushers. And now back to the podcast. [00:40:59.170] – Ned
I love catching up with you, Tanya, and hearing all the cool things that are happening to you. And you have a bit of a big news that you told us about, and we kind of pushed out the recording a few times to make sure we could include it. So why don’t you tell the listeners out there what is your big, cool, awesome news? [00:41:17.710] – Tanya
So We Hack Purple is joining Bright Security. So our companies are becoming one. And basically what that means is that I no longer have to make money, which is awesome, because now Bright basically they take care of us and we’re opening the Academy. So what we’re going to do is we’re going to take all the courses from the Academy, we’re going to move them in the community, and we’re going to make every single We Hack Purple course free for the whole world. I’m so excited. So then that means people can just study secure coding for free. It means they can study application security for free. We’re going to stop giving away certifications because we can’t watch you like a little hawk and make sure that you did the things. However, this means that anyone would be able to study on their own time. And so some of the courses are quite long, like the three application security courses. It might take you a few months to do if you’re just doing one video per day or something like that. But that means that someone who is a nurse who works the night shift, who couldn’t attend a course at a regular school, would be able to slowly study it and then switch into this field. [00:42:24.140] – Tanya
It means that any software developer around the world could go and take the secure coding course and immediately start writing better code. And I’m just so excited because I’d always wanted to just be able to share knowledge with the whole world. I’ve been friends with the Bright guys since before I started We Hack Purple, and I wanted to join them, but really, I don’t know how to explain, but I need to share this knowledge with the world. And they’re like, okay. And so we’ve been working together, doing workshops and other things. And then I joined their advisory board. And so I helped them design their product and stuff. And then they’re like, we just did, like, a big Series A, and you know what we’d like to spend our money on? And I was like, what? [00:43:07.430] – Tanya
Yeah. So we’re joining forces, and I’m really excited. And yeah, so that basically is happening immediately. We signed a lot of fancy pieces of paper last week, and life is really good. So I’m just so excited. And I don’t know if you can imagine, but having a company that you’re sort of friends with, you just get to meld the two companies. And so now I have access to so many things. Like, for instance, I get to use their tool whenever I want. But also just like, they have a team of marketing experts that know more than just developer relations, which is what I’m going to do for them. They have editors, they have videographers. They just have tons and tons of people that our tiny company didn’t have. Now I have support in a way that I never did before, because running your own company and bootstrapping, it’s like you don’t have money for every single thing that you desire. And so now I kind of do, if that makes sense. [00:44:04.370] – Tanya
I just have all these helpers, and they hired me some new staff, and I’m just like, this is incredible. And so, yes, I’m really excited. And it’s sort of like my dream come true to be able to just give the courses to everyone so everyone can learn. There’s no more like, I don’t know what AppSec is. I’m like, yes, you do. Just sit your bum down, get some Internet. Let’s go. [00:44:25.790] – Ned
I want to back up to something that you said that really hit me is you talked about a nurse who’s working a night shift and can’t attend the courses like they might want to. And that’s someone who’s not in technology at all today. So the courses that are now going to be available completely for free, do they start at that basic level where someone who is not in tech today would be able to build all the way up to the point they’re hiring? [00:44:55.190] – Tanya
So the AppSec Foundations courses do. So a big part of AppSec is vulnerability management, and like, the project management of making sure that the devs actually fix things and getting them the content they need and getting them all the things. And so someone with absolutely no tech experience can do that job. So if you’re joining a company where they have four or five AppSec people already, you could be that person that chases around all of the devs, making sure they get the things done, making sure they follow the secure system development lifecycle. So that’s called governance. And then you can slowly build out more of your technical skills over time. And so that course, the Application Security Foundations courses, the three of them, they’re not technical. It’s about how to create a program for your organization that will get you the absolute best value and then how to execute that program and get all the things done. Because a lot of companies, they don’t even have a system development lifecycle that everyone follows. Like, some of them say, we’re doing DevOps, but really they’re just using a pipeline and it does, like, one test and then it just releases no matter what. [00:46:02.210] – Tanya
And so the idea that they would follow, like, everyone would follow the same system development lifecycle and that there would always be these steps. And so we give you policies and guidelines and secure coding this and all that so that you have the things you need to start running the program immediately. And so you can do that immediately, but you’re still going to need to learn. So for instance, we have another course about basically how to hack apps with a DAST tool. So you can follow that from the beginning. And we start with the idea that you’ve never even made a GitHub account before. And we explain every single result that you get and what it means, so that you could just watch that video again later before you go meet with the dev and be like, yes it is. And you’re like, look at your thing, you’re like blah, blah, blah. But we want to be able to build you up so that you can do the job, but you are going to have to do learning on your own. So for instance, we show one DAST tool, which is Bright, no surprise. But eventually you just learn how to use the tools over time. [00:47:06.850] – Tanya
And that’s the thing that takes time. When I went from one AppSec shop to another one, they used a different DAST, a different SAST, and a different SCA. So I just had to learn them. It’s like, oh, instead of doing this, I do that now. And some companies, they don’t have any of that. And so you might be the person that is bringing in a tool for the first time. And then that means everyone’s learning with you as you learn. And so, yes, we’ve had a bunch of people come from, especially for some reason, nursing and teaching, a lot of women. So we have a diversity scholarship. So I’ve already been giving away things for free forever. And so basically, people could apply and then big sponsors. So it started with Luta Security. I don’t know if you’ve heard of them, but they do, like, bug bounties and stuff, and basically their owner, Katie Moussouris, and I are friends. And she’s like, hey, how much would it cost for me to send ten ladies through that? And I’m like, $10,000. She’s like, okay, just do it. [00:48:08.530] – Ned
Wow. [00:48:09.280] – Tanya
And then what we do is we match every single sponsor two to one. So that sent 30 women through our program. And so basically, I think we sent something like 80 women of color through the entire program, and then men and all sorts of other people that for whatever reason are underrepresented in tech. And so we let them explain why they’re underrepresented. So, for instance, anyone from any African country is underrepresented in tech because there aren’t the same programs there. There aren’t the same opportunities there. So I’m automatically approved. And so we’ve sent over 100 people through the program, completely free, as a result of awesome sponsorships from companies like Slack, Solv, Cloud Bridge Crew. Like, a whole bunch of companies are just like, we want to put our money where our mouth is. And so, yeah, so a lot of those people, for whatever reason, are teachers and quite a number of nurses. But any type of job that you have before you can learn this new job, it just takes time. And there’ll be moments where you stumble. We Hack Purple hired someone that had been in the trades but who did lots of videos for us. [00:49:17.710] – Tanya
And we had some things where his trades are so different. So, for instance, we’re all in a meeting and he just got up and walked out part way through and didn’t say anything and left. And we’re like, what’s wrong? And he’s like, oh, I have to just go pick up my kids. And I guess that’s what you do at a construction site. You just get up and leave and you just only bill those hours. I’m like, no, you have to tell us when you’re leaving. And also you should have just told us this meeting is not a good time for you. He’s like, I can tell you that? You’ll put the meeting around me? We’re like, yes, you’re the important dude for this meeting. And just like, learning those little things. He’s like, you’ll work the meeting around my schedule? I’m like, yes, because we need you there. And he was just like, that’s so easy. Wow. Thanks. And they’re learning those things. And it seems so obvious to us because we work in offices. But you better believe it, if I went on a trade site, I’d be useless, right? They’d be like, she’s in the way. [00:50:08.050] – Tanya
She’s doing this. Where’s your hard hat? So it’s things that you learn by doing the job. [00:50:16.770] – Ned
That’s fantastic news for you. I can’t imagine it happening to a better person. And I’m super pumped for all the people who get to take these courses now, because they were paid courses before, which means, you know, their quality. You were expecting someone to pay money for this course. So it’s not like you slapped it together. Sometimes you get what you pay for. In the world of YouTube and training, there’s good stuff out there, but there’s a lot of stuff that is not great. I know this stuff is going to be great, is great. And now people can get it for free. So congratulations again. That’s awesome. [00:50:48.200] – Tanya
Thank you. [00:50:50.010] – Ned
If folks want to get more information about you, want to follow you, like, what are all the different places to find you and We Hack Purple? [00:50:59.190] – Tanya
Okay. So if you look up SheHacksPurple, that’s me. So there’s shehackspurple.ca, that’s my Twitter handle, it’s my YouTube channel, it’s my Instagram handle. So basically, if you look up either Tanya Janca or SheHacksPurple, you’re going to find me. And so whatever your medium is that you prefer, except Facebook, I really don’t go on there. But you can talk to my Internet if you want to. And then for We Hack Purple, so we have the same thing. So we have, like, the Twitter handle that is @wehackpurple, you go to wehackpurple.com, that’s us. If you want to go on Instagram, YouTube, LinkedIn, like, all the places we just named, We Hack Purple. And there’s going to be a bunch of friendly people there waiting for you. [00:51:44.570] – Ned
Awesome. That is epic. Tanya, thank you so much for being a guest today on Day Two Cloud. It’s been a pleasure to speak to you. And I hope you’ll come on again sometime and bring us up to date on what’s going on in the world of AppSec and information security. [00:51:58.650] – Tanya
Thank you so much for having me, Ned and Ethan. I really appreciate it. [00:52:06.870] – Ned
Hey, listener, thank you as well for tuning in and listening today. Virtual high fives to you. If you have suggestions for future shows or future guests, we want to hear them. Let us know. You can hit either of us up on Twitter. The handle is @DayTwoCloudShow, or if that’s not your thing, you avoid Twitter like I avoid Facebook, you can fill out the form on my fancy website, NedintheCloud.com. If you like engineering oriented shows like this one, visit packetpushers.net/subscribe. All of our podcasts, newsletters and websites are there. It’s all super nerdy content designed for your professional career development. Until next time. Just remember, cloud is what happens while IT is making other plans.