Breaking Badness Cybersecurity Podcast - Voices from Infosec: Tanya Janca
The Breaking Badness Cybersecurity Podcast is pleased to share our Voices from Infosec episode with Tanya Janca! Tanya (also known as SheHacksPurple) is the best-selling author of Alice and Bob Learn Application Security and she is the Head of Education and Community at Semgrep. In our conversation, Tanya shares a bit about her background, busts myths, discusses the paved road and secure guardrails, writing two books, and so much more! Here are some high level notes from the discussion, but for full details, be sure to check out the episode on your favorite podcasting platform.
Creating Secure Guardrails in Software Development
One of the concepts Tanya is particularly passionate about is the idea of creating secure guardrails. But what exactly does that mean? Implementing secure guardrails in software development ensures adherence to secure coding practices and prevents security incidents. This idea functions very much like guardrails on the road keeping cars from dangerous offroading situations – which is ideal!
Key Steps in Creating Secure Guardrails
- Establish Secure Defaults:
- Define the most secure way to perform tasks by default, such as enabling multi-factor authentication or conducting scans before code check-ins.
- Implement Secure Guardrails:
- Develop technical controls that nudge developers back to using secure defaults, like IDE plugins or pre-commit hooks that flag insecure practices.
- Education and Training:
- Provide training on secure coding practices and the importance of following guardrails to prevent security incidents.
- Continuous Improvement:
- Regularly review and update guardrails based on evolving security threats and best practices.
Cautionary Notes
- Guardrails should not block developers but serve as reminders and guidance to follow secure coding practices.
- Encourage open communication between security teams and developers to address any security concerns or incidents promptly.
Tips for Efficiency
- Use infrastructure as code tools like Terraform with policy enforcement tools like Open Policy Agent to automate security checks.
- Implement pull request reviews to catch and correct security issues before code is merged.
- Encourage a culture of security awareness and collaboration between development and security teams.
Semgrep Academy
Speaking of secure guardrails, you could take a free course on the subject with Semgrep Academy. Semgrep Academy opened in May 2024 and includes all the content Tanya created at WeHackPurple and they continue to expand on their offerings, all of which are free. The only payment requested is your email address to receive a monthly newsletter (which Tanya writes, so we feel like it’s worth it).
Regarding free content and marketing, Tanya believes in treating people the way she would like to be treated. She aims to build trust with the community by providing amazing, relevant content. And in doing so, she’s helping others on their infosec journey and keeping her organization top of mind regarding solutions they can provide.
Textbooks, But Better
Tanya began writing her blog on a double-dog-dare (I mean, you kind of have to – how can you go back on a double-dog-dare??) But the cosmic joke is on her, because she found she really enjoyed the writing process and sharing her knowledge. Publishers began to approach her and one asked if she thought about writing a textbook. Tanya shared that she is dyslexic and found textbooks painful. The publisher challenged her: “What would a textbook that’s not painful look like?”
When learning French, Tanya attended the one school in Canada specifically for dyslexic adults where she learned the 21 learning styles, which she incorporated into her book (and now her second book). The purpose is to explain concepts in multiple ways to ensure comprehension. Her publisher was unsure about that writing style at first, but she made the argument that she needs to know readers understand these potentially confusing concepts, otherwise they won’t have good implementations. There’s also an audiobook option available and as someone with training in acting and comedy, Tanya reads it herself!
#InfosecGardening
Tanya mentions music a lot in our conversation, and one might assume that is her #1 passion. If you asked her a few years ago, that likely would have been the answer, but for the past decade, she’s gotten into gardening. Gardening checked all the boxes of overcoming burnout she experienced: it provided grounding techniques, interaction with the earth, and exercise. As a self-described perfectionist, she completely landscaped her downtown property and planted a vegetable garden. Fast forward to now and she and her partner have a farm spanning multiple acres where they grow and sell flowers, vegetables, and fruits.
She feels at peace while working in the garden and shares her progress online. She mentioned the #InfosecGardening hashtag where other infosec/gardening enthusiasts can share pictures and tips with the community.
That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
