Season 4, Episode 31

Evangelizing Security With Tanya Janca

Guests:
Tanya Janca
In episode 31 of The Secure Developer, Guy is joined by Tanya Janca, Cloud Advocate at Microsoft. Tanya shares insights, from her early days leading software teams for the Canadian government, to evangelizing software security at Microsoft.

The post Ep. #31, Evangelizing Security with Tanya Janca of Microsoft appeared first on Heavybit.

"Tanya Janca: The number one thing is that we can't expect to do the old security model if developers, operations and all of the rest of IT are doing a completely different thing. Communication is hard. If you've done your job two or three years, you know enough to teach someone else. Because, otherwise, you'd be fired. There's so many people who are interested in AppSec. A lot of people who thought, 'Oh, I don't know enough to be a mentor,' I'm like, 'Do you know enough to do your job?' Because there's someone who wishes that they could have a job like yours."

[INTRODUCTION]

[00:00:34] Guy Podjarny: Hi. I'm Guy Podjarny, CEO and Co-Founder of Snyk. And you're listening to The Secure Developer, a podcast about security for developers, covering security tools and practices you can and should adopt into your development workflow. It is a part of the Secure Developer Community. Check out thesecuredeveloper.com for great talks and content about developer security, and to ask questions and share your knowledge.

The Secure Developer is brought to you by Heavybit, a program dedicated to helping startups take their developer products to market. For more information, visit heavybit.com.

[INTERVIEW]

[00:01:08] Guy Podjarny: Hello, everybody. Welcome back to the show. Thanks for tuning back in. Today, we have a guest that I've long wanted to have on the show here. It's Tanya Janca. Welcome to the show, Tanya.

[00:01:17] Tanya Janca: Thank you for having me, Guy. 

[00:01:19] Guy Podjarny: You talk a lot about security, and we're going to dig into a lot of advice, and sharing, and what we've observed. But before we dig into that, why don't you tell us a little bit about how you got to what you're doing today? Your journey into this world of security. 

[00:01:34] Tanya Janca: I think the exact opposite story of most people. I did start as a software developer. I know a lot of people start as sysadmins, network engineers, or software developers, but I didn't want to switch to security. I met an ethical hacker. And he kept telling me, "You'd make a great hacker, man." And I was not interested. I thought nothing was better than software development. And for a year and a half, he had worn me down. 

And he was in a band. And I was in the band. Of course, our bands had to play together. And we're friends. And he's a super awesome person. And then after a year and a half of him – I'm like, "Fine. Okay. Just show me some stuff." And then before I knew it, I was like, "Get out of my way." I think, for most people, instead, they're very interested and they're trying really hard to find their way in, while I got dragged in kicking and screaming.

[00:02:24] Guy Podjarny: It sounds like it. 

[00:02:24] Tanya Janca: Yeah.

[00:02:25] Guy Podjarny: Well, you owe somebody a beer there. You know? 

[00:02:27] Tanya Janca: Definitely. 

[00:02:29] Guy Podjarny: What were you doing? You were doing software development in general? And I guess when you got kicked in, what were sort of these first things to show you to get you hooked? 

[00:02:39] Tanya Janca: I worked for the Canadian government for a very, very long time. I led several different software teams, giant projects, to make custom software, to do all the interesting things that governments do. I was assigned a team of smart people who had not had much training for a very long time, and our training budgets had been slashed to less than the cost of one course per person, which meant I couldn't send anyone on any courses. 

But I'm really good at making friends. I just kept inviting all of my friends to come in and speak. And then those people introduced me to other people. I have this friend, named Wes McDonald. I just happen to be friends with almost all the MVPs, Microsoft Valuable Professionals, just because we're a dot-net shop. I'm just friends with all of them. 

Wes came in and spoke. And then he invited Joel. And then everyone just kind of kept inviting everyone until we'd had 40, 50 lessons. And then a hacker came in and then she introduced me to another hacker. And then before I knew it, unbeknownst to me, people that charge thousands of dollars to speak were speaking for me for free. And they told me later it's because I was just so excited to learn that it was so fun. And my team, 12 of us, are just on the tip of every word listening. Right?

They said the more excited you got and the more specific about the things she wanted to learn, the more it was like, "Well, she needs to meet this guy. And she needs to meet that person." And I ended up winning six different awards for this training program. They ended up starting to webcast it across other government departments. And we had nutrition and all sorts of – just anything I felt like, they just let me do it. Then they're like, "Why is every talk about security now, Tanya?" I don't know. Yeah. And then I started a formal apprenticeship program with someone. And then, yeah, it all flowed out from there.

[00:04:35] Guy Podjarny: And today you just kind of work at this, right? You're officially a security advocate or a Dev advocate?

[00:04:42] Tanya Janca: I have the weirdest job, I think, ever. I was speaking about security and teaching people about security. Kind of giving back to the community that has given me so much. Then, people started inviting me to speak at conferences. And I said, "Oh, I can’t really afford to come to Switzerland." And then they said, "How about we send you a plane ticket?" I said, "Oh, okay." 

And then I kept doing that more and more. And people started paying me to show up. And then I was doing it all the time and not going to work a lot anymore. Then, Microsoft said, “What if you just did that but you said you were from Microsoft?” And I'm like, "Is there a trick here? You're going to give me money?" “We'd like it if you would bash around our products a bit, please.” Oh, really? It just kind of all stemmed from that. 

And so, I get to go, I get to write my blog, and it's considered work time, which to me is – wow. Previously, I've just been sort of like – I don't want to say punished. But it felt like punishment for doing extracurricular activities. Why are you going to another conference? Because I don't know enough yet. Because they're letting me in free because I'm speaking. Don't you want me to come back and bring all the smartness with me? Yeah, it's nice to be in a place where they're as excited as I am about learning.

[00:06:06] Guy Podjarny: Yeah. That's awesome. I think, oftentimes, when you get into like this advocacy, or like Dev relations, or whatever the title may be, oftentimes, effectively, it's an educator's role. Right? You walk around and you sort of get to spread knowledge and learn in the process. For a lot of people, the perception is, "Oh, I got to turn my side job into my full-time job." That sounds like a pretty good deal as long as you enjoy doing it. Right? Enjoy getting up on stage and doing the workshops and doing the writing.

[00:06:35] Tanya Janca: Oh, I love writing. And I love speaking. But for opposite reasons. Speaking is exciting and exhilarating and I love seeing people's eyes light up. Either they've had the same experience and they're really excited because I've validated their feelings or their learning, or they are so excited to go off and try something new. But then with writing, I feel like it's so calming and I get to really think out very clearly what I want to teach people and get really deep into the weeds on one specific topic in a way I don't feel like I can do in a talk.

[00:07:12] Guy Podjarny: Do you have a favourite security blog that you've written?

[00:07:14] Tanya Janca: There's one that I'm right about to release where I did a threat model with a friend from work. He was telling me, "Oh, I'm creating this proof of concept for this conference." And when I started telling him about, "Well, what about this? What type of data are you collecting? You know, you'll be in Europe and you're subject to GDPR." And I'm like, "Well, what if your users get hacked because of this?" And he said, "Can we please have a meeting about this?" 

And so, the blog post is about, if you're doing a serverless app, all the different things that apply and us dissecting, layer by layer by layer, of each different thing. And so, he's going to write up his side, "I'm a developer. Holy crap, talking to a hacker is terrifying. But, also, I can't believe how much stuff I know now.”

[00:07:59] Guy Podjarny: Yeah. Education sifts in without you noticing.

[00:08:02] Tanya Janca: Yeah. And I don't know how to explain but it's kind of like crash training for my brain. I feel like it's so exciting to stretch my threat-modelling muscle. I feel like I learned from him even though he feels like he learned from me.

[00:08:15] Guy Podjarny: Yeah. Well, it's the beauty of collaboration.

[00:08:17] Guy Podjarny: Yeah. I guess let's dig into the topic. You got pulled into this world of security and now you talk a lot about it. And I know that a lot of the conversations or sort of the talks that you give revolve around this kind of modern security or security in this DevOps world. I guess what's your view on that? What are sort of the highlights of doing security right in this DevOps space?

[00:08:41] Tanya Janca: I'd have to say the number one thing is that we can't expect to do the old security model if developers, and operations, and all of the rest of IT are doing a completely different thing. We can't say, "Oh, well, we want you to stop for three weeks and have a code freeze while we do a code review." No one is ever going to do that ever again for you, or for me, or for anyone. Unless you work in a place where I guess they don't like money. 

We as security people, if everyone else is sprinting, we're sprinting. Right? And we need to learn how to do security sprints because it's different. The first code review I was involved in, I remember the security person said you need to do a three-week code freeze. And I was the dev lead. And I just looked at him and I was like, "It's so cute. What are we actually doing?" I thought he was completely nuts. We're not stopping for you or anyone. 

And I remember someone way above us telling us to stop coding for three weeks. And in the meeting, I was like, "Oh, yes. Of course." And then as soon as everyone left, all the developers looked at me and they're like, "Tanya, no. We're not going to stop. Are you kidding? No. Just ignore them. Of course, we're not going to stop." I'm like, "But here's what we're going to do. Let's dig into the backlog and let's like – we're going to branch off here and do this." No. Right? And so, I think that actually speaking to developers and having a conversation, which is hard. Right? Listening to someone else's point of view and what they actually need. Operations folk, they want stuff to not crash and fail, and developers want to create a thousand new features, and security people are like, "Could all of that be done securely, please?" Communication is hard.

[00:10:29] Guy Podjarny: Yeah. How do you do it? Accepting the premise that I am fine with as well. Right? That you want to sort of switch security work to be sprints. What does a security sprint look like? 

[00:10:40] Tanya Janca: Definitely, we need to break things into smaller pieces. Let's say you want to do static application security testing or code review. Previously, it was like let's run this giant, really expensive scanning tool for 16 hours and then spend three weeks investigating the hundreds of pages of results. And then there's going to be maybe 200 results. And then we give those to the developers. And the developers are annoyed. 

Instead, what if we run the scanner but we only look for one bug class? Let's say we just look for injection vulnerabilities and we manage to get through all of the code, and then we just give them that one type of bug. This one sprint. And we attach to it, "Here's how you fix it." Right? And then we try to just obliterate the one bug class. And then in the next sprint, we try with another one bug class. I realise that that's not as thorough. But we're sprinting. Right? 

And the idea is if, let's say, you managed to find all injection things in that one sprint and then you've taught developers how to fix that during that sprint because those people made that mistake somewhere, right? Then the hope is, is that they're not going to keep making that mistake later because they learned it in that sprint that might not be perfect. 

Another thing that I've been experimenting with is having another pipeline. You know, you have the one main pipeline and it goes Dev, QA. Let's say, UAT, prod. And it goes out into the wild. What if you had one that went from Dev to another different spot that's not connected that goes nowhere? And then I get to run every test I've ever dreamed of. But it's not publishing and it's not slowing anyone down. It's off on another instance in the cloud. It's not bothering you. It's not ruining your Dev server. It's going to nowhere. It doesn't publish. Or it does to like this one area that's like the security area and I run my 18-hour static code analysis on it but only I receive those results and developers don't see those. And I can fool around with them for three weeks if I want to. And then I come back with, "Okay. I found a bunch of memory leaks. And here's where they are." And maybe half of them don't anymore because the code has changed. But I've had enough time to deep-dive into that and not stopped everyone and made them wait for me.

[00:13:07] Guy Podjarny: This is kind of like asynchronous testing.

[00:13:09] Tanya Janca: Yes. Exactly. 

[00:13:10] Guy Podjarny: If the first one is more about the sort of take the sort of large unit and break it up, this is more about can you take a bunch of this testing out of band. 

[00:13:18] Tanya Janca: Yeah. Parallel security pipeline, asynchronous pipeline. Another idea could be – for instance, I worked at a bunch of places where we paid a small fortune for pen tests. And then we get the results. And we go through. And we're fixing them. And I'm like this is a shopping list. Those developers create all of our other apps. And I'd like you to take this shopping list and go shopping with all of our other apps, please. Oh, are we using RC4 on these servers from whoever provided them to us? Because we were using like a third-party infrastructure team that did not work for us directly. Hello. I would like you to go check all of our servers. And you mean for this app? I'm like, "No. 100% of them." Because it shocks me. We had RC2 on like three out of hundreds of servers. But I was like – this is – no!

And so, I used those pen test results to look for all sorts of other things. But someone recently was telling me that they took those pen test results and they turned them into unit tests. Once the thing was fixed, they're like, "Oh, okay. We have unit tests on some of this code. Great. I'm going to copy the hard work of this developer. I'm going to copy their unit test. And then I'm going to add in this payload that they created as part of the pen test. I'm going to add it to that. So when they run their unit tests, they're going to run these extra couple of tests to make sure that we don't regress back to that and make that same mistake by accident somehow." Right? 

And unit tests are really fast. If we add 10% more tests, it's still really fast. And as long as we keep up the maintenance on them or work with developers so they're not like, "Oh, you just added 10% more work to my backlog. I don't like you." If we could partner on that, which means security teams that understand how to write tests, which is not always the case.

[00:15:12] Guy Podjarny: Okay. Cool. Some good short stint with some concrete advice here. One, take up your sort of tasks. Take these security actions, try to sort of break them up into something you can actually complete in a couple of weeks, which basically is the same as you do in development to create maybe an asynchronous pipeline so that you can tap into the automation bit and not everything can be run in sort of the pace of the build. You can run them on the side but still tap a little bit into the automated workflow. And then maybe try to sort of embed or automate some of those results or the unit tests into those components, which I guess is, at this point, you're collaborating with the Dev team. Or maybe you built up some Dev skills within the security team. 

And I guess kind of in between, it's frankly just sort of a good idea even above and beyond DevOps is to, "Okay, if you've kind of bothered doing the effort or the cost of doing a pen test in one app, do share and kind of bring that across the different teams." Because it's likely that there's some practices here, maybe even some shared code components. These same vulnerabilities exist there.

[00:16:14] Tanya Janca: Definitely.

[00:16:15] Guy Podjarny: What do you think about who owns the results, right? For instance, you described a whole bunch of things around, "Hey, if I ran this analysis and some miraculous AppSec person kind of ran through those results and kind of went through and gave them to Dev to fix," I always kind of have some challenge a little bit with this. Like, on one hand, yeah, for sure, minimal disruption to the Dev team. Maybe less effort. But is that the right way to do it in your mind and you need to scale the AppSec team accordingly? Do you think it's more about rolling a lot of these into Dev? How do you see that? 

[00:16:45] Tanya Janca: I think it depends on the team, and their capacity, and their knowledge. I know some AppSec teams, where if it's one or two lines of code, they just go and fix it and create a pull request. They're like, "I'm right there. I'm verifying the bug. I see it with my eyes. It's like I'm just going to do it because it's faster." And then bigger things, they check into the backlog.

I think a lot of it depends on speaking with the developer team and the business people sometimes because I have definitely had business people tell me, "Well, we're going to do all of that after we launch the product in 1.1, not 1.0." Some things can wait, for sure. As a security person, I'm wicked biased. I want it to be perfect from a security standpoint. I'm lucky because I know I'm super biased, and so I try to remind myself, "Tanya, you are super biased. You want 100% of things fixed." But, often, the business thinks, "I don't need any of them fixed." And so, it's kind of a negotiation as to which things need to be fixed and which things don't. 

Also, I've checked a lot of things into backlog before and then caught my lead developer marking them as fixed behind my back. I walked to his desk, and it's so funny because I use – we're friends. My friend, Ahmed. I'm like, "Ahmed, I saw you." And then he turns bright red. I'm like, "Mm-mm-mm. Negotiation time." And so, he's like, "These two are going to take forever. And this one doesn't seem like a big deal." And then we would discuss and then I would put one back in and then two were for the following sprints, et cetera. Or maybe we could knock one off and accept the risk. But I'm like, "This is not a decision for you, Buster." And he's like, "Oh. Our last lead would never have noticed this." I'm like, "Whoa."

Definitely, you need to communicate. But security bugs are bugs. And, usually, developers fix bugs. But we have to be realistic. Just because I found a low-level bug does not mean that it's an emergency. 

[00:18:46] Guy Podjarny: Yeah. I like the product analogy a little bit. Product management manages the sort of the backlog of priorities of capabilities, per the needs. In a perfect world, security capabilities would just be a part of that backlog. There would be a full appreciation of security there. Maybe in the sort of runner-up perfect world, there is an allocated security investment that is being made and the security person manages that backlog. And then, in reality, none of that is defined. There's implied – you have somebody who's good at making friends like yourself who sort of convinces the Dev teams to do it.

Does that make sense to you? I mean, how does that align? Is it the product analogy? Or is it more the sort of Dev QA that you find a throughline? Because you wouldn't really find a product manager saying, "Oh, this is just a small feature. I'll build it." That doesn't happen.

[00:19:38] Tanya Janca: No. No. No.

[00:19:40] Guy Podjarny: Do you think it's more the product analogy? Is it more almost outsourced development a little bit with expertise? Are all of these analogies flawed? 

[00:19:48] Tanya Janca: I think every single Dev shop is different. And I also think that I've had friends and colleagues say this before, that there's a Tanya factor. Sometimes I give advice and people are like, "That only works for you, Tanya." I'll get a table at a restaurant really fast because I smile, and I'm really friendly and outgoing, and I will get better service. I'll say to my friends, "Oh, you just go and you just do this." "Oh, that's the Tanya factor. Your big smile. And you're charming and flirty all the time. You never turn it off. And so, you get these things other people don't get." Right? 

That Dev team listening to me while I was the boss of the Dev team. Or when I switched to security, I had previously been the boss of the Dev team. Again, they're my friends. I've made them cute little stickers that are all at their desks. I had a different relationship with them. And it's not as friendly at every office. Eventually, I started trying to attract developers into becoming security champions. And those people would champion those things for me on the team. As I went to larger and larger Dev centres because the place where I started doing security was so small compared to places I worked later where I was outnumbered exponentially. If you're working where there's 50 developers and you, it's not the same as 400 or 2,000.

When I went to the place that was 400, I looked at all the metrics. I'm like, "Okay, everyone here is allergic to security headers. And people are huge fans of writing cross-site scripting into every app. Okay. Great." I wanted to try to eliminate those bug classes as quickly as possible just to have a really big, fast win because I just arrived. Aren't you glad you hired me? Yes. I held lunch and learns with deep dives into these topics and dared them to go run the tests on their legacy apps. And dared them to go do things. And then people started becoming my champions for me. And then it's not Tanya convincing them. It's their own lead of their own team convincing them. And that is a person they trust. 

And so, I have to convince these four people. But these four people go out and convince the other 25 people and, slowly, it was growing like that. And that is a thing that isn't me specific. It's about will the right person identify themselves? I find security advocates self-identify if you're paying enough attention.

[00:22:18] Guy Podjarny: Yeah. Okay. I guess that is also like a scale element. You can scale through automation through sort of writing the unit tests element. You know you can scale through sort of hiring more AppSec people, and then those AppSec people maybe can take on some security responsibility and build tests or fix minor bugs into the team. Or you can scale through I guess kind of security champions. Whether it's a program or it's the Tanya factor. Sort of make people around be champions and figure out the sort of the gap that you need to close to get them to that point. Does that sound about right? 

[00:22:51] Tanya Janca: Yeah. And it's also a great way to recruit to the AppSec team. Because that's how they got me. This really cool guy named Eric said, "You know, there's this security incident. You want to come check it out?" And I did. And then I asked if I could sit in on another one. And before you knew it, I was managing incidents. I told him, like, "I don't know how to manage an incident." He's like, "You've seen me manage a bunch. I'll be right here. I'm going to assist you." And before I knew it, he wasn't even in the room anymore. Oh, my gosh. I'm managing incidents. He turned me into the security champion. It took me a while to realise he did that.

[00:23:34] Guy Podjarny: Is your guess that he did it intentionally? Fully intentionally? 

[00:23:37] Tanya Janca: Oh, yeah. He is a smart man. He is a smart, smart man. 

[00:23:40] Guy Podjarny: This is really an episode about social engineering.

[00:23:42] Tanya Janca: Right? 

[00:23:43] Guy Podjarny: Security people are good at social engineering. Why don't you social engineer more people into security and solve the security talent shortage, you know? 

But let's talk a little bit about that, about pulling people into security. You seem to be paying it forward or maybe looking to "do unto others" and pull some others, hopefully, a little bit less kicking and screaming into the world of security. You do a whole bunch about this. But I think maybe we start with Mentoring Monday. Do you want to tell us a little bit about it? 

[00:24:10] Tanya Janca: Yes. I joined security because I had a mentor. And, quickly, I found new even more amazing mentors. And I am really lucky that people seem to see possibilities and potential in me. And then I have noticed that if I pay my attention to someone else and show them the things that I know that they can blossom in ways I never even dreamed or they never even dream. 

People started asking me to be their mentor. And I said, "Oh, I already mentor for women." And, honestly, I feel like I don't even give them enough of my time. And I still haven't figured out how to make a cloning machine. And so, until then, I thought, "Well, I'll just find you a mentor." 

I started introducing people to each other one-on-one, which took a lot of time. Then one day I just tweeted this #MentoringMonday. Are you looking for a mentor? Are you willing to share what you know with someone new to you? And then people start matching themselves. And people started searching the hashtag each week. So people that are like maybe less public about their offerings, they'll see someone's call for a mentor and then they're messaging them directly and they're having private conversations and branching off. 

And several people have written me the most wonderful messages about I now have these two people in my corner who are giving me advice. One's giving me career advice. And one of them is giving me technical things, like read this book. Or like you know you should ask for a raise. Or have you tried applying here? And all of these people that are senior in our industry who didn't even realise, if you've done your job two or three years, you know enough to teach someone else. Because, otherwise, you'd be fired. Right? If you still have this job, it's probably because you're good at it. 

And so, a lot of people who thought, "Oh, I don't know enough to be a mentor." I'm like, "Do you know enough to do your job?" Because there's someone who wishes that they could have a job like yours. There's someone who wishes that they knew, when they looked at the SIEM, what all of that stuff means. There's so many people who are interested in pen testing and then a lot of them end up learning like I did that they actually want to work in AppSec. Or they actually want to build cool tools to help people do testing. 

And the more people you have in your corner that are willing to give you just even an hour of advice one-on-one, it's so valuable. And so, just so many senior people have told me that it is so rewarding to see the person they're mentoring just break through every goal that they had. I have to say, the people I'm mentoring, it shocks me how they're like, "Oh, I would never speak." And then they're speaking all over Europe. 

Or one of my mentees is coming with me and we're speaking at AppSec Europe together. And she said, "I will never ever speak, Tanya." And she hosts a streaming show. She started her own company. It's like, "Wow." Right? And she just keeps setting bigger goals and then destroying each one of them. Sometimes, it's just having someone that I introduce her to the right person.

[00:27:20] Guy Podjarny: Give us some examples that will sort of inspire the listeners a little bit. Maybe some examples of topics that people kind of reached out to mentor on or to be menteed on.

[00:27:32] Tanya Janca: A lot and a lot of people are interested in learning about forensics. How do you even break into that? Or people want their very first AppSec job. A lot of people who used to work in networking, they want to work on a SIEM. They want to be an information security analyst. And they just have no idea where to start. And they've got like a demo of a SIEM and they're like, "What does that mean?" 

Or a lot of people come to me and they're like, "I want to be a badass hacker." I'm like, "Oh, you probably shouldn't ask me. Because I'm a care bear hugging, AppSec person." But when they learn just how to run a scan for the first time, I'm like, "Okay. Now what do these results mean?" And they look at me with these wide doe eyes, I'm like, "Go. Go off and try to figure them out. I want you to try to fix a bug." 

Or a lot of people are interested, they're security people and they're like, "I want to learn about DevOps. There's like five million books. Which one do I read?" I'm like, "Okay. Read this book. Then watch this talk. Then read this book. Then follow this guy." And the things that have helped me the absolute most can give someone a more direct path. 

I met Troy Hunt in Australia and I told him, "I'm receiving 500 or more messages a week. And I don't understand how to answer them all." And he's a gazillion times more famous and well-known and probably receiving many, many, many more messages. He gave me a lot of really, really, really helpful advice about how to prioritise my time so I could help the most people. 

It's not helpful for me to write a one-hour message to each person. Instead, he's like write a blog post about that and then share it to everyone. Because if one person had the guts to write you and ask you, a lot of people want to know. And so, asking someone that has success in the areas you're interested in. And I was just so happy he spent 45 minutes talking to me. You know what I mean? And he's like, "If you have more questions, just write me. It's cool." "Oh, wow. Thanks.”

[00:29:26] Guy Podjarny: Well, I think you never finished the need to learn. There's always good advice to receive. There's always kind of experience that you have that is a good idea for you to share. If people want to engage in this, this is on Monday, I imagine? 

[00:29:41] Tanya Janca: Every Monday. Yeah. Just either you can respond to my tweet to #MentoringMonday. Or just tweet your own with the hash – you have to use the hashtag. A lot of people are responding to my tweet. They don't use the hashtag. And what that means is if a less attention-seeking or, more likely, just a shy person rather than them tweeting. Or they don't want to be overwhelmed. Some people told me they've had 25 people answer their tweets. Use the hashtag so that they can search and find you. 

And if you are a person who's more senior, respond to tweets or search the hashtag and look for someone that's looking for what you want. And if there isn't anyone, just offer. People will be over the moon to respond to you. And if too many people respond to you, have coffee with each one and choose the right one, or two, or three that you feel. And then set the others free. If you don't have time, it's okay to say no. And then send them back to me and I will keep sharing and matching people until they find someone. 

[00:30:39] Guy Podjarny: Cool. That's a great kind of mentoring matchmaking. I think the other activity you do around inclusiveness and security is around women in security. Let's dig into that one a bit. You started a group, The Women of Security.

[00:30:51] Tanya Janca: We're pronouncing it WoSEC. I know it's hard. 
 
[00:30:53] Guy Podjarny: Yeah. Pronunciation is hard. Try tweeting how do you pronounce Snyk. 

[00:30:57] Tanya Janca: I know. I tell people it's called Snyk. And they're like, "Really?" I have a couple really cool friends there in security that are women in Ottawa. And I'm selfish. I want to make more cool friends. I have 500 male friends and then three female friends that work in security. 

In Israel, there's this cyber ladies thing. And they all got to meet all sorts of cool women that they're friends with now that work in security. And then there's networking opportunities and all of that. My friend Don and I decided we would start our own thing in Ottawa. And we made a little meet-up. And then we were thinking, "Oh, hopefully, Nancy shows up and the three of us can have brunch." And then 25 women showed up. We were astounded. We're reaching one-year-old this month. I know. And we have 250 members in little, teeny-tiny Ottawa. And they're all women. And we have 10, 20, 30, 40 women that show up every month to brunch. We call it brunch and bitch. And then we started crashing boy meet-ups. 

A while ago, I wanted to go to a capture the flag. I had tweeted and put on LinkedIn, "Oh, I want to start a capture the flag team. But I don't want to be the only woman there." I ended up having so many women respond. We made two teams. And, actually, there were so many women there. And then we dressed up and looked cute. Because women like doing that sometimes. 

I wore this cute polka-dot dress. And like we ended up making the news twice because so many women had crashed this event. We started this thing where we'll crash an event together. We sign up. We'd follow the rules, and the code of conduct, and everything. But we go as this big group so it's not scary. We crashed RSA this year. And we had our own little thing where we all got to meet each other and then we could attend talks together. And you have new friends and you don't feel intimidated going into a room with 200 men. Because you have three women with you that are your friends. 

And at RSA, we had a woman breastfeeding in our meet-up. It's so amazing we made such a safe space that she felt comfortable to just do that openly. And then we also have women-only safe spaces for learning where we have workshops or talks where it's just women only. I've given a cloud security workshop. We had another woman do a web app hacking workshop. 

And women just started writing me. So, my friend, Duha, wrote me from Vancouver. We didn't know each other. And she said, "What you're doing is cool. I want to do it. How do I do it?" She started a meet-up. And then this woman, Judy, from Nairobi wrote me. And she's like, "What you and Duha are doing is cool. I want to do it. How do I do it?" And so, now we have 15 chapters and we're just opening up two more today. One in Victoria, Canada, and one in Milwaukee. We just opened up another one in Johannesburg. We have Paris, Zurich, Boise, Dallas, San Francisco. It's so wild to me. Like, Montreal, where they meet in French. In Switzerland, they meet in French. 

And so, I started this little Twitter account. Because I just like tweeting happy stuff about women. I figured out that people follow me, SheHacksPurple, because they want security content. If I just tweet cool stuff at women constantly, that's a different crowd. I started this other handle just for my meet-up where I just follow tons of women in Infosec. They aren't even involved. And I'm just like, "Congratulations on your new job." Or I'll just like – they only have 46 followers but I'll like retweet their cool accomplishment and congratulate them. And invite people to come brunch like badasses with us. 

And we're crashing Microsoft Build next week. And I convinced them into giving us like this huge boardroom that's like right after the keynote where we can all meet each other and then have friends to go do everything together. And my hope is that people will make friends that last for a long time. Because now I have so many female friends in Ottawa and it has resulted in so many things. Two women from my chapter started a business together. There was a woman in a very difficult situation, which I won't reveal here. But because I have enough connections in the community, I ended up talking to the person's boss's boss's boss's boss. And then he was dismissed for wildly inappropriate behaviour in four hours because it came from me. 

And then she was in such a trusting relationship with someone else in our group. And then that person trusted me that she would open up about what had happened. And the company was just like, "Oh, my God. Thank you. That's not acceptable. And we wouldn't have known." 

We've been having these like magical things happen because of trust relationships and people meeting in person. And we've been helping people find their first job in Infosec, or find a co-op, or find someone – like later today, another woman that's in WoSEC, she's like, "You're a great public speaker. Will you watch my talk? I'm doing my first talk ever tomorrow." I'm going to do one-on-one with her to try to make sure her talk's extra good.

[00:36:19] Guy Podjarny: I guess that ties it back into that mentoring just for that specific audience to sort of help it grow.

[00:36:25] Tanya Janca: Yeah. And so, I'm helping women. But then all those other women are helping other women. And it's like passed down, and down, and down, and down. And between someone just sharing their hotel room with another woman so she can afford to go to a conference for the first time. Each one of these things multiplies in positivity. I'm shocked at how many amazing human beings are like, "I want to participate." And they're making it like a thousand times better than I ever could on my own. And, oh, my gosh. WoSEC is the most happy thing I've ever done. It's brought me so much joy.

[00:36:59] Guy Podjarny: Yeah. It sounds amazing and kind of making a real impact. It's WoSEC. 

[00:37:03] Tanya Janca: Women of Security. And if you just look us up on Meetup or WoSECtweets, because we tweet, that's our account on Twitter. And if you want to get involved, just message us. Everything's free. That's part of our rules, is it's free. 

[00:37:17] Guy Podjarny: One of the questions I always have, I'm kind of a big fan of helping make security more inclusive. Frankly, the world of tech. But security is in a little bit worse shape than others. And one of the questions as a white dude is how can men in the industry sort of help support something like WoSEC? 

[00:37:37] Tanya Janca: You could offer to host our Meetup. You could offer to sponsor a Meetup by paying the meet-up fees, which are $130 a year. You could offer to teach something. In Nairobi, they have men teach and women teach because they want to learn. Judy, who leads that, is so amazing. She's having lessons every two weeks. Intense workshops every two weeks. And she has men, women, anyone teaching. Just offering to teach would be amazing. A man amplifying a thing that a woman says sometimes will let other men want to see it more, if that makes sense. 

If I amplify a thing that a woman says, lots of women will listen and a lot of men will listen. But if a man retweets a thing or comments positively on a thing that a woman does, sometimes that means more to other people. To men and to women. Just doing that little thing or partnering with a woman on things. This year, I've made like a huge personal goal to try to collaborate more with other people. I've been collaborating with other women and other men. I'm doing like a lot of joint talk submissions even though like I'm like obsessive, and I'm a control freak, and I know this. It's really hard for me. Because I'm like, "I'll just write the entire talk. Okay?" And they're like, "No. We're collaborating." 

I'm trying really hard to get outside my comfort zone and do that. And then that shares my spotlight with another person. If you give a talk with a woman and you could do it on your own. You totally could. But doing it together means you share the spotlight together. And, also, they'll have all these different amazing ideas to add to your talk if you are willing to listen, which is it's hard for me. And I know that. But that's okay. That's another way that you could do things, right? 

I've had a lot of men offer to collaborate with me. And I'm like, "No. No. Don't collaborate with me. Offer to collaborate with someone that no one's heard of but that you've seen cool things they're doing." I mean, don't just pick some random woman that's not doing anything. 

[00:39:43] Guy Podjarny: I try, not nearly enough. One of the challenges that sometimes happens is just finding. Because, especially, if those are people that are a little bit maybe more timid or sort of more shy to sort of – or that just haven't built renown yet, do you have any recommendations for like lists of Twitter accounts to follow or places to find these great women that do security work? 

[00:40:07] Tanya Janca: WoSECtweets follows two-and-a-half-thousand Infosec ladies who are doing lots of cool things. And what we did is we just asked, "Are you doing cool things in infosec and want us to start retweeting you? Because we will follow you. Just please self-identify." And then over 2,000 women did, which was cool. 

Also, Irena Damsky has a list just on her Twitter and I think it's called Cool Infosec Hacker Women. Something like that. If you just go to Irena Damsky, she has like a long list of maybe 400 or 500 really cool women that like she's met that she knows are good speakers. 

I have a private list that I give. If someone invites me to speak and I can't make it, I suggest here's 15 other women who I have seen speak, who I respect greatly. And I'd like you to consider choosing one of them instead of me. And so, I'm trying to encourage all the other women in WoSEC who speak to create a list of two or three other women that could speak if they can't make it. I get a lot of invites, as you might imagine. If I can't make it, I try to recommend those. 

Also, of course, you should interview all the women that are part of the OWASP DevSlop Project. I feel like recommendations really help. For instance, you've had me on your show, you could recommend me to someone else. Your recommendation – because you do lots of cool stuff, Guy. Your recommendation is worth a lot. Right? You could use your recommendation a bit more liberally. 

[00:41:36] Guy Podjarny: I think, in general, Tanya, this is an excellent list of very concrete things that you can do that frankly don't require that much effort as much as intent if you follow the right voices, you make that effort, and then all you do is pay attention and amplify.

Whether it's a retweet, or it's an email, or it's a recommendation, or a tip, or – probably even from a confidence perspective just a reply with a kind of strengthening statement goes a long way. I think all of those are very concrete, very immediate, and really, really great tips for everybody. But, specifically, including white bearded dudes like myself to sort of help participate without being overbearing. 

[00:42:18] Tanya Janca: Thank you. Thank you for asking. I really appreciate that you ask instead of telling. Thank you. You're awesome.

[00:42:26] Guy Podjarny: I appreciate that. A lot of great tips. We've kind of gone – I do feel like to an extent there's this theme of inclusiveness kind of throughout the element. We started with a little bit of things that might not fall under that title around the DevOps tips and splitting tasks into work. And I really love the sort of conversation around inclusion both from a mentoring perspective and from sort of women in tech. And it's probably worth saying that we talked about the Women in Security initiative here. But there's other sort of similar ones around under-represented minorities. 

[00:42:55] Tanya Janca: Oh, yeah.

[00:42:56] Guy Podjarny: We can probably do another episode. There's a whole ton of stuff to talk about. Before I let you sort of off the hook here, I'd like to ask every guest that comes on the show, if you had one tip or if you have like a pet peeve or something like that that you want to get off your chest to a team looking to level up their security game, what would that be? 

[00:43:15] Tanya Janca: Okay. Some security people are going to get really defensive and angry when I say this, but I don't feel that it is ever acceptable to respond to a developer who has asked for help with a specific question, they're asking specific advice about something, to never reply with "Read this book." 

I mean if someone's like, "What book should I read?" Of course, read that. But I was asking someone for help, specifically with advice for GDPR for a serverless app, and it was really specific advice, and he wrote back, "Read this book." And I said, "Clearly, you don't have time or don't want to help me. Could you please recommend someone who actually will? Because, clearly, I'm not going to read an entire book in the next week. Because that's how much time I have to make these changes. Do you have someone who wants to help me?" And he got really defensive. And, yes, that was a really rude response on my half, but I kind of wanted to send back something that was way less rude I won't repeat on air. 

Because to me, that's offensive. To me, that's saying, "I don't want to help you. Go away." To me, that says, "Go away. I don't have time for you." And if you don't have time, then recommend someone that does have time. Or if you don't have time, tell your boss, "This is an important thing that I don't have time to address because my workload is incorrect or whatever. And we need another person." 

But telling me to go read the legislation on GDPR, to me, you just gave me the middle finger. That's what you did. I was asking on behalf of a developer on my team. I'm like, "I am not GDPR literate." I know the basics. But I cannot give good advice on this. I'm asking you, and I told you're the expert, and if you don't want to help, don't send me a link to the legislation. I know how to use Google.

[00:44:57] Guy Podjarny: Yeah. It's a very, very good tip. The information that's out there is not equivalent – 

[00:45:02] Tanya Janca: Software developers already know how to use Google. Thanks. But I want the genius that's in your brain. That's why I asked for and you just said no. I've just seen so many people send a link to NIST or something else like that. And it's just the developer that gets that is like, "I guess I'll just guess. And, also, I'll never write you again. Because you don't want to help me." Please stop doing this. Please. 

[00:45:27] Guy Podjarny: Yeah. Excellent advice. I don't know if it falls under pet peeve or advice. But in both of those cases, it would work very well.

[00:45:33] Tanya Janca: I think it's both. 

[00:45:35] Guy Podjarny: This was really excellent. Tanya, if somebody wants to – you kind of mentioned it a little bit. But if someone wants to sort of find you on the Twittersphere or the likes and ask you further questions, how can they find you? 

[00:45:45] Tanya Janca: I am @SheHacksPurple on Twitter. And, also, I have a blog. That is She Hacks Purple on dev.to and on Medium. If you just look up She Hacks Purple, you're going to find a whole lot of Tanya. I have a YouTube channel now too. And you just YouTube/shehackspurple. I'm trying to like be that thing. I'm going to make a website someday. Anyway, it has to be the world's most secure website, right? I feel the pressure is really on.

[00:46:11] Guy Podjarny: Indeed. [inaudible 00:46:11]

[00:46:12] Tanya Janca: Yeah. Thank you so much for having me, Guy. I really appreciate you and all the work you're doing in our community. Thank you. 

[00:46:20] Guy Podjarny: Cool. No. Thanks a lot, Tanya, for the great advice, for the work as a whole. And thanks, everybody, for tuning in. And I hope you join us for the next one. 

[OUTRO]

[00:46:30] Guy Podjarny: That's all we have time for today. If you'd like to come on as a guest on this show or get involved in this community, find us at thesecuredeveloper.com or on Twitter @thesecuredev. Visit heavybit.com to find additional episodes, full transcriptions, and other great podcasts. See you next time.


© 2024 Snyk Limited
Registered in England and Wales
