The Modern .NET Show

Episode 105 - More App Security with Tanya Janca


Episode Transcription

Hello everyone and welcome to THE .NET Core Podcast. An award-winning podcast where we reach into the core of the .NET technology stack and, with the help of the .NET community, present you with the information that you need in order to grok the many moving parts of one of the biggest cross-platform, multi-application frameworks on the planet.

I am your host, Jamie “GaProgMan” Taylor. In this episode, I talked with Tanya Janca about application security (sometimes called appsec); We Hack Purple, which is a community of people who want to help make all applications more secure; the free courses that We Hack Purple are providing; and we swap stories of working to make applications more secure.

Along the way, we discuss Tanya’s new book, OWASP, recommended security headers for HTTP (and most importantly Content-Security Policy), and how important they can be when the spam really hits the fan.

Tanya has actually been on the podcast in the past, back on episode 77 when we talked about her book Alice and Bob Learn Application Security. Interestingly, Tanya has a whole new book planned, which she’ll be working on when this episode drops.

So let’s sit back, open up a terminal, type in dotnet new podcast and let the show begin.

The following is a machine transcription, so there may be subtle errors. If you would like to help fix this transcription, please see this GitHub repository.

Jamie

So, Tanya, I just want to thank you for being on the show. Again. This is the second time you’re here. Thank you very much for taking some time to speak to us today.

Tanya

Thank you so much for having me back, Jamie.

Jamie

Oh, you’re very welcome. Very welcome. You’re always welcome on the show. It’s a very niche topic that we talked about. And obviously, you know, you’re an amazing guest. So thank you very much.

Tanya

Awesome.

Jamie

So, perhaps for the people who haven’t heard your previous appearance - which will be linked in the show notes, so don’t worry about not being able to find that - would you mind giving the folks listening just a quick introduction? Is that okay?

Tanya

Yeah, absolutely. So I’m Tanya Janca, and I am a giant nerd who is obsessed with the security of software. I was a software developer for a really long time. And then around eight, or I guess, like, maybe nine years ago, I met this ethical hacker, and he convinced me to switch into cybersecurity. And very quickly, I figured out, “oh, there’s a job where I could do security, but hang out with software developers all day. So it’s like, I get the best of both worlds.” And that is called appsec, or application security. And then I started speaking at conferences, because then you get in free. And then I eventually started a blog. And then eventually, I wrote a book. And then I started my own giant, like, learning academy called We Hack Purple. And then some new things happened recently that I think we’re going to talk about at some point. So I’ve done a lot of stuff.

Jamie

Awesome. That really is a lot of stuff. I have to say I echo the sentiment of speaking at conferences, because you get in free. I’ve done that so many times. It’s brilliant.

Tanya

Yes

Jamie

And then you get the bonus of people thinking that you know what you’re talking about, which is my case, not yours.

Tanya

It is really awesome, because then everyone wants to come say hi to you. And as a big extrovert, this is, like, pretty awesome in my books. If I was an introvert, I probably wouldn’t consider that a plus.

Jamie

Yep, yep, totally get that. I’ve been on the other end of that, where there’s, like, a queue of people, and I’m in the queue to talk to the person afterwards. Luckily, that’s never happened to me. Maybe because my talks have always been rubbish. But who can say?

Tanya

Or maybe you answered all the questions so well, people are like, “I don’t even know what to ask. He said everything.”

Jamie

I like the positive spin. I like that. Excellent.

So yeah, so firstly, let’s talk about WeHackPurple, because, I mean, this is gonna go out a couple of months after we’ve recorded, but you’ve got some pretty big news that’s happened recently.

Tanya

Yes. So WeHackPurple got acquired by Bright Security around two weeks ago. And as a result - so Bright Security makes a dynamic application security testing tool, and they make automated security unit tests. And that is very cool. And I’ve been friends with the Bright guys. So they used to be called NeuraLegion. I’ve been friends with them since before I started WeHackPurple. And then I started WeHackPurple and Bright was getting bigger. And I joined the advisory board maybe a year and a half ago. And I was kind of helping give feedback and trying to basically help them build the best app ever. And then they did a whole bunch of fundraising late last year. And they’re like, “so we just did all this fundraising. And we’re thinking maybe we could spend some money on you.” And I was like, “oh, do you want to, like, build more content together?” They’re like, “we’re kind of wondering if our two companies could just be, like, one company.” And I was like, “oh, that sounds great.”

And the thing that I always wanted, that they knew, I was like, “listen, I want to be able to pay my bills. But I wish I could just give away all my content for free.” Because a big goal of mine is to try to make all software more secure, not just the stuff I’m working on, or just the clients that pay for consulting services. Like, I wanted to reach a broader audience, which is why I wrote a book - you do not write a textbook to make money, trust me, Jamie. And so they agreed that as part of the acquisition, we would take all the WeHackPurple courses, put them into the community and just make them free for anyone. So if you want to take secure coding, if you want to take application security courses, there’s an Azure Security course in there, there’s, like, a how to scan things in a CI/CD pipeline. Like, we have a bunch of courses in there now. And I’m really excited to be able to share that content with everyone with no paywall anymore.

Jamie

Oh, amazing. So how do I go about signing up for a course? What do I do? You just...

Tanya

You go to community.wehackpurple.com and you have to join. So you have to, like, make an email - or give your email address - make a password, and then you have to tell us why you want to join. And so you could just say, “I want to take some courses,” or “I want to learn appsec,” or “I’m interested in hacking,” or whatever your reason. And then you have to agree to the code of conduct. So we all have to be nice and professional to each other, which is super reasonable. And then basically, yeah, someone reviews it. And as long as your answer isn’t, like, “because I would like to harass others and cause havoc,” we pretty much always approve you.

Jamie

Oh, yeah. Fault me All right.

Tanya

Well, we did have one company - it was like someone from a company joined. They’re like, “Oh, I’m gonna sell everyone my product.” And we’re like, “Oh, advertising? Fallout and your story. You can come and you can learn, but you’re not allowed advertising.” They’re like, “Okay, cool. I’ll just come,” and, like, he still joined. But he just didn’t advertise. But you’re allowed, like, for instance, with, like, this area with jobs, people are allowed to come in and post jobs or say they’re looking or whatever, and try to pair off together for potential. You know what I mean? Like, it’s hard to hire in security right now. So, yeah, so basically, as long as you’re not going to do bad stuff, you get approved. And people that admit they’re gonna do bad stuff - that is, like, it’s not often that people are like, “you know what my intentions are? They’re pretty bad.” Let’s...

Jamie

That’s awesome that you sort of said that at the start, right? Especially with the code of conduct. I love that. If I’m ever attending a conference, or dealing with a client or whatever, and they have a code of conduct? That’s a big thumbs up in my book, because it’s like - how do I put it? I’ve tried to pick my words carefully. It sucks that we have to have them. But it’s great that we can have them. You know, it’s really dreadful that we have to have these sets of rules that we say, like, you can’t do this, you can’t do that, you must treat people with respect. But it’s great that we can have them and then enforce them too. That’s brilliant, because then you find the bad apple in the group, and you just know: you’re out. Because you’ve agreed to this, and now you’re violating it or whatever.

Tanya

Yes, and we have a big team of volunteers that moderate and plan events and streams together. And they’re really good about enforcing the code of conduct. So for instance, we had a live stream and someone came on and they were breaking the code of conduct, to say the least. And the presenter stopped and was like, “Hey, you’re being rude.” And then everyone in the audience was like, “That’s not acceptable. We want you to leave now.” And then the person left, and I was like, wow, I didn’t even have to - you did it. Wow. It was just, like, so great. And then it was funny, the person had been, like, drawing inappropriate things on the screen. And the presenter is like, “you can’t even draw, buddy, get out of here.” Like, she turned it into this funny joke, and then continued on, right. And it was just, yeah, it’s really good to have a lot of individuals who feel comfortable. And, like, so We Hack Purple, like, as the company, we have these core values, and three of them are inclusion, diversity and accessibility. And it’s really important to us that, like, every person who wants to participate can, and that they feel welcomed and included. And so sometimes that means, like, adding lots of descriptions to things, so people that can’t see as well as everyone else can still consume all the content, or adding closed captioning, or just, you know, making sure that we invite people from various communities alike. Now, the courses are free. And that’s awesome. But previously, we had a diversity scholarship. And we put over 100 people through our entire application security foundations, like, series of courses and certification. Because if we want to change the way our industry is - because right now, it is not as diverse as it could be. And that means we’re missing out. Like, even though I feel it is right to make sure every person is included, I feel like on the other side of that, not having everyone included is harming the industry.
Like, we don’t have enough people to fill all the jobs, we don’t have enough different viewpoints, so that we miss threats, we miss different angles of testing, we miss different outcomes, because we don’t have every type of person involved and welcome. And so yeah, I feel really good about a lot of the awesome stuff we did in there. And a code of conduct is the first step.

Jamie

It is, and all of that is absolutely amazing. I’m all about trying to get as many different people into the conversation, whatever the conversation is, right? I’m all about that myself. So this is one of the reasons why there’s a transcript for the podcast. A lot of people say you should do it for SEO. I don’t care about SEO. I care about the one person who comes along and says, “you’re talking to this person and they are amazing, but I can’t consume the content.” Well, let me try and help you to consume that content. And I’m all about bringing as many people into the conversation as possible. And so there’s something that I do at conferences - it’s not something I invented - you know, when people sat around in a circle and they’re having a chat, try and make, like, a Pac-Man shape. So, like, can you imagine, like, a Pac-Man with its mouth open? You make that kind of shape, so you’re leaving an empty space, so then if someone wants to be part of the conversation, they could just walk straight in. They don’t have to wait around and look for a gap and say, “Hey, can I join?” They just go straight in, right? And it’s not a huge thing. But I feel like, to the one person who wants to join, that could be a big step, right? Like, say, you said earlier on about being an extrovert: being at conferences is great. What about people who are introverted? What about people who have, you know, alternative needs, maybe our neurodivergent friends who need to not have to make a big deal of joining a group? Or maybe someone who’s scared of joining groups, right? You leave that space open. Perhaps - I don’t know, because I’m no expert - but perhaps that gives them a chance to just walk up and say, “Hey, can I be part of this conversation?” “Absolutely, my friend. Come on in. We’re happy to have you.” Yeah. Whether that’s the case or not, I don’t know. But that’s what I do. Yeah, I think it’s great.
You’re absolutely right, though, we need more voices in our community that are not just one type of person. Right? But that is not something for me to figure out, because I’m not smart enough to figure that out. But I will do what I can to help, right. And if I can make a gap for people to walk into, then let’s do that. If I can produce some audio content by talking to wonderful people like yourself, to help educate people and give them that leg up into “right now I know a little bit more, and I can Google around the subject.” Fantastic.

Tanya

Yes, yes. It’s so good, Jamie.

Jamie

And I feel like that sort of leads us on to something that you do every week called CyberMentoringMonday.

Tanya

Yes.

Jamie

Could you tell us a little bit about that?

Tanya

Absolutely. So when I joined cybersecurity, like, my friend became my professional mentor, and started teaching me about stuff. And then very quickly, I found more advanced mentors, like, because I just wanted to learn as much as humanly possible. So I found another one and another one. And I found myself really lucky to find people who were willing to mentor me and spend so much time and energy investing in me as a person and as a professional. And so then I started a mentoring programme in my OWASP chapter, and we paired tonnes of people together, and it was really awesome. And then I figured out, doing that, that I am not an awesome matchmaker, as much as I wish I was. I would be like, “you and you, I think you’ll like each other,” and I was not right a lot of the time, which is fine. And so, um, then people were asking me, “Can you be my professional mentor?” and I started mentoring four women and one man. And then other people asked, and I was like, oh, like, I can’t, because then I’ll be a bad mentor, because I won’t have time for the people who I mentor now. Right? Like, I won’t give time to them. I’ll be crappy if I say yes to everyone. So then I was like, well, I want to find you someone. So I kept making all these introductions. I’m spending so much time. And so then one day, I did this post on LinkedIn, and I said, “hey, this person I know is looking for professional mentors, anyone want to mentor them?” And all these people came out and said, “Yeah, I would love to give back.” And then all these other people came and said, “Actually, I’m looking for a professional mentor, too.” And people started pairing off, and I had 900 comments on this LinkedIn post. And yeah, and so then I figured out that - so I posted it on Twitter, and there’s tonnes of people. And so I started a hashtag called just MentoringMonday. And after one or two years, it got so big that all these other areas were using it and you couldn’t find the cybersecurity or InfoSec one.
So I took a vote of all my followers, and all the other people helping to run CyberMentoringMonday, because it’s not just me anymore. And basically, we decided it would be hashtag CyberMentoringMonday, every single Monday on Twitter. And even so, like, today’s Monday that we’re recording this, and some Mondays there’ll be 20, 30 retweets, and tonnes and tonnes of comments. And sometimes it’s just one person reaching out. But most of what actually happens is like an iceberg, where we see the top in the public comments and a hashtag. But no, beneath the surface, there’s tonnes and tonnes of direct messages. You know, one person reaches out. And sometimes people will tweet, “Hey, did you know your direct messages are closed?” And they’re like, oh, and all of a sudden, like, all these messages pile in. And it’s like, “Yes, I’m interested in helping you,” or, “Hey, can we have a virtual coffee,” etc. And so, over the years, thousands of people have found mentors now and made friends and found new employees. And, yeah, I went to a conference right before COVID. And this man walked up to me, and he’s like, “I need to buy you a coffee. Because a year ago, I answered your CyberMentoringMonday, and I met this nice young lady. And then six months ago, like, after six months of mentoring her and just seeing her progress and progress, my boss was like, ‘Listen, I’m gonna let you hire for a junior appsec role.’” And he’s like, “and we hired her, and the whole team loves her and she’s just so amazing. And, like, she’s learning so fast, and I would never have met her if it wasn’t for this, and so I want to have a coffee with you and say thanks.” And I was like, these are the best stories ever. Yeah, and there’s a zillion stories like that of, you know, “this person introduced me to this other person, then I found this job,” or, yeah, it’s nice to connect people.
And see also just how much kindness and generosity there is in the information security industry, just how many people are willing to give and give and, like, take someone under their wing, teach them, make those key introductions that help people find their very first job, because that’s the hardest job to find. Right. And yeah, it’s been really beautiful to watch.

Jamie

That’s amazing. Being able to give that many people the chance to reach out and connect with another person directly and say, “I want to learn this,” or “I want to teach this.” That’s wonderful.

Tanya

Thank you. Yeah. So if people want to join it, just go on Twitter and look up the hashtag. So it’s all one word, CyberMentoringMonday. And then look at latest, because it’s been years, right, and then just see what the latest posts are. And then you can read what other people are looking for. And then that might help you carve out your message. Because when you are looking for a mentor, you want to get across that you are interested, you’re passionate, you’re willing to do the work, and especially what topic or topics interest you. That’s very important. Like, “hey, I want a mentor” is really vague, if people don’t know what you’re looking for. And so, “hey, I’ve been studying OpSec. And I’m really interested. And one day, I want to become an appsec engineer. And I’d really love to have a mentor to, you know, teach me the things I need so that then I can make this career transition.” Like, that’s really easy to answer, because you know what they want.

Jamie

That’s brilliant. I’ll make sure to include in the show notes a link to Twitter that does the search for the hashtag, and, if I can figure out how, jumps straight to latest as well. So if you’re interested, you know, click through and there’ll be a link there. Now, that’s pretty amazing. That is, as I say. So, we were chatting just before we started recording, and you - because obviously you’ve written the book, Alice and Bob Learn Application Security. And I showed, I was like, “Hey, I still have mine.” And then you said, “Oh, by the way, I’m working on another book.” So I was wondering, can you give us a sneak preview as to what that’s about?

Tanya

Yes. So Alice and Bob are not done learning. They want to learn secure coding next. And so I just moved. And I announced on Twitter, I bought a really small farm, three acres. I’m gonna grow vegetables and berries and fruit and stuff. And so I’m, like, kind of setting things up. And I’m planning, basically starting in June, to start writing the next book. And so I’ve already arranged some technical editors. And so yeah, I’m going to be putting out some calls on Twitter of, if you are going to read a secure coding book, what is important to you? And what do you wish would be covered? Like, what is a mystery for you? Or, like, do you want - and I’m really into checklists, Jamie. Ever since I, like, made the courses for We Hack Purple, I’m always like, I don’t want them to forget. So I’m like, what if I make, like, a little one-page summary with checkboxes? And so there’s going to be a lot you can - there’s going to be some checklists involved. But I want to make a book that’s really accessible and easy to read and easy to understand, but you could also use as a reference later. Because I have to say, it is so handy, Jamie, to be able to say, “Okay, so just turn to page 98, and the code’s there, you can just copy it.” It is really helpful to have, like, a reference guide that ages well. And so yeah, that’s what I’m going to try my best to do, with more silly stories and, like, funny outcomes of Alice and Bob, and how your secure coding relates to the everyday people.

Jamie

Excellent. Okay. Do you know what - you said it’s going to be secure coding. Is it going to be, like, language and framework agnostic? Are you picking one thing? Or are you sort of jumping around? Do you have a plan yet?

Tanya

So the plan is going to be, so, general secure coding, which will be agnostic, so things like input validation. But then I want to cover some of the main languages, and I’m going to be doing some Twitter polls and LinkedIn polls. So I would like to have, like, a section on major frameworks and kind of gotchas and cool security features they have that you should take advantage of. Right. So obviously, that’s gonna be in there. But I also want to know what people are dying to know, if that makes sense. So for instance, like, TypeScript is really - it’s a newer language, but the people that like it, love it. And so it’s like, should I have a couple pages on TypeScript? And, like, if you’re into TypeScript, like, here’s some things to watch out for. And, like, here are some things, because sometimes, like, you don’t know a feature exists, necessarily, right. And sometimes someone’s like, “oh, well, I don’t use this. I didn’t know that awesome thing existed. Why did no one tell me?” So I’m going to try to tell you. So I think the first half of the book would be agnostic things that apply to every language. And then the second half would be more specifics. But I want to make sure, if I get into specifics, that there’ll be stuff that helps the most amount of people. So get ready for some Twitter polls, people.

Jamie

We all know the first step is for everyone to go and follow you on Twitter. That’s the first thing right?

Tanya

Yes, SheHacksPurple is my handle. So definitely, I’ll see y’all there.

Jamie

Yeah, go get following Tanya on Twitter, not just because of these polls, but because the stuff that you put out there is amazing as well. So let’s do that. Right. Awesome. Excellent. Okay. So we did - so last time, we talked about a couple of different things to look at, to do with, like, input validation, and things like that. So sort of some of the techniques that you should do to make your applications more secure. And I think we did touch on the fact that .NET takes care of one of the big ones for you, which is, yeah, CSRF,

Tanya

Cross-site request forgery. So they automatically pass the token for you back and forth, rather than you having to programme it yourself. That’s awesome. Some of the other frameworks do it. But most of them don’t; most of them, you have to add, like, a third-party package or something like that. .NET has a bunch of cool stuff out of the box. And same with .NET Core, because it’s, you know, developed by the same giant company. But the thing that you and I were talking about, that is slightly different between .NET versus .NET Core, is security headers. And so some of you might not be aware, but Jamie made a NuGet package that does a bunch of the security headers for you for .NET Core. So .NET Core out of the box doesn’t have a web.config. If you decide you want to host in IIS, then I guess it’ll make a web.config for you. But traditionally, in .NET, that’s where you would put all your security header information. So when I switched from .NET over to .NET Core, I was like, “Where did my security headers go? I am extremely upset.” Because I feel security headers - so you might laugh at this, but I feel like security headers are just like seatbelts, but for web apps. So seatbelts are not sexy. They’re not exciting. They’re also not that much effort. And when the crap hits the fan, you’re very pleased when you do not go through the windshield. Because of your nice, nifty seatbelt, you’re like, “I never noticed how much I like the seatbelt before.” And so security headers are just like that. So they do nothing almost all the time. But then when something bad happens, they block it, or they reduce the risk, or reduce the damage. So for instance, the Content Security Policy header, which a lot of people - it’s the most difficult of the security headers, because you have to list out all the stuff you’re using that’s not from your own website. So let’s say, you know, there’s, like, a cool front-end look that you want. And so you’ve decided to use that.
And that’s cool. But it calls out to another web domain to get that stuff, okay. But you have to list it. And so the reason why we do this is because cross-site scripting is in lots and lots of websites all across the internet. When there’s cross-site scripting, the first thing they try to do is see, “hey, can I call out to another page?” Because usually, if you have a field, it’s like you’re allowed 50 characters - like we were talking about the pizza you’re ordering before we started recording - and basically, like, you can’t write that much badness in 50 characters. You can’t do that much damage. They’re like, “let’s see if we can call out to another domain,” like, lotsofevilstuff.com, let’s say. And so they try to call out there, and Content Security Policy is like, “No way, man, not cool, not allowed.” And so all of a sudden, their thing is much less powerful. So then the next thing they do is they’re like, “Well, you know what, let’s see if I can steal this cookie. Because I bet the session ID is in there. And then I can impersonate this user.” And so if you’ve turned on the cookie settings, like, Secure, so that it’s only over encrypted channels, and then HttpOnly, which says JavaScript cannot touch my cookie, then all of a sudden, like, “oh, I can’t even get the session cookie.” That’s what’s awesome. And so it really helps protect you against other issues you might have. And so I am really excited that Jamie wrote this security header kind of NuGet package, so that you don’t have to do it. But there’s - it’s - I was telling him, I’m like, “There’s new security headers, did you know?” And so I’m hoping that maybe I can, or even listeners, we can, like, try to be bad influences on Jamie so that he adds more security headers.

Jamie

Totally. I’m happy to add more stuff. I need some stuff to live stream. Let’s do this. That’s awesome.


ZOOM Platform, no not the video conferencing app, ZOOM-Platform.com! The premier DRM-Free games portal.

Unlike directionless larger stores, ZOOM operates more like a boutique offering all-time classics such as Duke Nukem, exclusive hidden gems like Hardwar and innovative indies like REKKR: Sunken Land. ZOOM will even take requests and hunt games down for you.

When ZOOM signs titles, they make sure to get every release, version, language, you name it. That’s how ZOOM carves its niche. ZOOM hand-scans box art, manuals and other bonus content and even records soundtracks. On top of all this, ZOOM always makes a point of securing rights to obscure expansion packs and mods. When you buy the ZOOM Platform edition of a game, you know you are getting the most complete and definitive edition.

ZOOM’s staff and technology are best in class. In fact, when competitors can’t get a game running on modern hardware, they go directly to ZOOM. They’re some of ZOOM’s best customers!

ZOOM provides unparalleled 24/7 customer service and closeness with its user base. ZOOM’s management interacts directly with customers via Discord. They take their small business approach seriously. ZOOM-Platform.com, your friendly neighborhood DRM-Free games store!


Jamie

I often compare the Content Security Policy to, sort of, like - you know how, if you’ve ever been to a nightclub, there’s someone outside? And, you know, in the movies, they say, “if you’re not on the list, you’re not getting in.” That’s quite literally how I explain it to other people, right?

Tanya

Yes. Yes, exactly. Like, you’re not malicious. It’s an approved list. It’s like, these outside things are allowed to come in, like these images, or this script, or this, whatever. And everything else is “no way, Jose.” And the first time, I remember I put it on a website, and these devs - I was like, “Listen, you know, you’re not using any security headers. These are the ones I would like.” I’m like, “but do you have a list of your outside stuff?” And they’re like, “Oh, we’re not using anything that’s not from within our own domain. We don’t do that.” We turned it on, and the entire website was just this ugly mess. And I was like, so maybe we use it? Like, okay, it turns out there’s two sites we do use. Like, that’s cool. Like, you can use them. That’s cool. Like, anything that some dev has picked out is probably fine. It’s all those other sites that you would not choose on your own that are likely to be malicious. Like, the first time I called out to an outside website was a zillion years ago. And it was Google Maps. And I was like, I’m just going to call the Google Maps API and I’m going to feed it stuff. And then I’m going to present maps. And it was an employee directory, because we had 10 or 12 different buildings across Ottawa, right, and someone would book a meeting with you. And they’d be like, “meet me at meeting room three on the third floor.” I’d be like, “where in my city? Like, what? What building? Hello, how do I get there?” And most of them are downtown, so you could actually just walk. So I would make it so that you could see, like, the best path for you to get to that meeting and how much time you needed. Because, yeah, the first couple of weeks, people kept inviting me to meetings, and it turned out they were in other buildings. And I was so confused. And I was like, let’s make this easier. And so you could just go to the intranet, look up the person, and it would show you this is how you get to them.
And it would even have a floor map of, like, this is where they are - well, this is where HR thinks they sit in the building, which was not always right. But it was mostly right.

Jamie

Totally. I really liked that example. The example that I use - and before we do it, I’ll say, it’s not exactly a software bill of materials, but I like that the Content Security Policy, CSP, can give you almost a software bill of materials for the places you call out to, right.

Tanya

Yes, all the external things that you use, as opposed to the internal things. So like your NuGet package would be an internal thing, because you’re putting it up inside your app, and then building your app. Yeah, I think having a list is important. Because when the crap hits the fan, and there’s a security incident, people are trying to investigate. Often it’s not, it’s certainly, it’s rarely an insider threat, or an intentional insider threat. It’s usually something from external. And, yeah, I have investigated a lot of incidents, Jamie.

Jamie

So the example that I always give is, there was a story. Four or five years ago, I want to say it’s around five years ago, in the UK, most of our sort of government, or public run stuff is all sort of hosted at one domain. So if you want to learn about something to do with the UK Government, you go to gov.uk. And so the great thing about that is it’s all entirely open source. So you can click a button, it takes you through to the source code, you can read through it and figure out how they’ve built their stuff. Brilliant. Or rather, most of it is open source, obviously there’s some secrets and stuff. But they also have, like, public APIs. So you can actually poke at an API and say, give me all of the public holidays. And it returns a JSON object with all of the public holidays. How cool is that? I know, right? It’s really good for, like, if you need to test whether your system can call out to, like, an unlisted, or rather, a site outside of your allow list. Because obviously, you set up an allow list of URLs you can call. If I can get to the UK Government, and I’m not doing any business with them, then maybe the allow list isn’t working, right. But the example that I always use is that our health service offers a screen reader option. So you push a button and it has the page read out to you. Really, the problem was, so this goes back to what you were saying about Content Security Policy and almost like a supply chain attack. They were calling out to a JavaScript file. But they were doing no validation as to whether, is this the JavaScript file we originally thought it was? And some bright spark thought, hey, if I can hack that JavaScript file, and insert a Bitcoin miner, then anyone who hits the website and wants to have the page read out, which is a legitimate thing, it helps with accessibility, every time you load that page, regardless of whether you hit play, then a Bitcoin miner will start mining on the person’s computer. 
And that was, they weren’t attacking the actual website. They were attacking something that was called in, which is something you could protect against using a CSP. Right?

Tanya

Yes. Oh my gosh, I, I feel like, so when I was a dev, I did so many of the things I tell people not to do now, because I went to college in the 90s. Right, like I graduated in 2000. And, like, I’d already been working in IT a few years at that point, because I started working in IT when I was in high school. And so I, like, do you know what I mean? I feel like there’s a lot of people who have been programming a very long time, and like, they’ve learned stuff as they continue. But no one takes them aside and says, Hey, I gotta teach you AppSec. And so I feel like it’s become more popular now for companies to actually pay for training for their employees, which I think is important, because when I was a software developer, I was allowed one course a year, and I could only take them from this place called Learning Tree. And all the classes, I thought, were just like, not really for me, like they weren’t what I wanted to learn. So I’d be like, someone else can have my budget, or I’ll just buy a book and read it. And now I think it’s changing. I feel like companies are investing in their employees more. And I don’t just mean like security training, I mean all sorts of training. And with the great resignation happening right now, where people are like, if I have to come back to the office, I’m not working for you anymore, I feel like training can be part of the attraction of a job. Like when I was in the Canadian government, I had to learn French as an adult. And I remember interviewing, and they’re like, well, we’re not allowed to pay you more than anyone else at your level. And I’m like, you’re gonna pay for a one-on-one French tutor for me once a week. And then I’ll come. And they’re like, done. They weren’t allowed to give me a raise, they weren’t allowed to give me a signing bonus. I’m like, to me, this is a signing bonus. And so I got to have a tutor for a year, which was awesome. 
And then eventually, yeah, I had to do night school for quite a while before I could pass all the tests, but having your employer help pay for that. And so I feel like more organisations are like, if we want our devs to do secure coding, we actually, like, some of them will know, and some of them won’t know, we can’t just assume anymore. And so like I see a lot of AppSec professionals where they’re learning how to teach, so they can teach their teams. Like they’re like, I found this bug. Let me show you all how to find this bug in your own code, and how to squash it, so that we don’t have it again. And I’m, yeah, I think it’s really great. Like, I hadn’t done any public speaking before, when I started doing AppSec. And I remember my team was like, Well, if you want everyone to start scanning stuff, someone’s got to show them, and I think it’s you. And I was like, I don’t know how to give a speech. And they’re like, you play music on stage all the time, Tanya, because I was in a band. And they’re like, you sing for hundreds of people, you can’t speak to 10 devs? I said, scary, those are my peers over there. I really care what they think. But eventually, I got over my nerves. And I’d be like, Look at this cool bug I found. And so I feel like I find it exciting to see, like, how many security people are just learning something and then sharing it with all the people where they work, or even beyond. I think that’s really cool.

Jamie

It really is, it really is. And I think that’s the best way for someone to spread that knowledge really quickly. One of the things that I used to do at a previous employer was, I used to offer lunch and learns. So it was like, Hey, come to lunch, bring your lunch box, whatever you bring, go get a sandwich or whatever, get a coffee, whatever it is you do for lunch, then come into this conference room, I’m gonna show you something. I’m gonna show you the problem. I’m gonna show you the issues that could cause, and I’m gonna show you how to fix it. Because then even if you only show four people, those four people then go back to their teams and go, you know, Tanya just showed me this thing. And it spreads on. Almost like a virus. I’m worried about saying “spreads”.

Tanya

When I was a dev, I was a dev for 17 years, including the time I was in college, because I worked at a startup for most of the time I was in college, then I worked for Adobe for a while. And then Nokia for a while. And so basically, like, as I became the senior dev, I would realise that not all my devs were created equal, or more so trained equally and experienced equally. And so I wanted them to know more modern stuff. And so I remember I had this friend named Wes, and Wes is an MVP like you. And so he came in, and it’s like all these secret tricks in PowerPoint, or in SharePoint. And then he came in, and he showed us a bunch of cool stuff in TFS, Team Foundation Server, which was cool at the time. This was a long time ago. And then I had this other guy named Ahmed come in, and this other guy named Kareem, and I had people coming in for years. And then I joined the OWASP community, the Open Web Application Security Project community, the local chapter. And then I was like, I really want to know about, like, how to do code review. I feel like I’m not very strong in that. So I would just ask around, so I found someone, I’m like, could you give us a presentation on that, please? And so it’s like, this is so cool. All I have to do is organise a meetup and this person will teach me for free. Oh, ha ha ha ha. I did, like, basically, between all the stuff I was doing at work as a dev and then switching to security, I was actually organising talks for around seven or eight years before I had the guts to actually do my own. I was like, Nope, still looks terrifying. And my co-leader from OWASP, his name is Sharif Kusa, he’s like, Tanya, you can do it, you will not die, I promise. I’m like, You don’t know that. But he was really great. And like the whole chapter, like a bunch of them, let me practice presenting to them. And it was really brutal, Jamie. So when you see me now you’re like, Oh, she’s so good at presenting. 
It was not good then, it was very bad. I was like, I’m gonna die. Like, you are surely not gonna die. And I don’t know if you’ve ever been, like, really nervous, and you feel like you can hear your heart beating out loud. Like, I was like, how can they hear me talking? My heart is so loud. But they’re right, I did not die. And now, like, I don’t even get nervous at all. Now I get really excited. I’m like, This is gonna be so much fun. But it was, uh, so to anyone who’s listening, and you’re thinking, like, oh, I can’t do that. You can. You can, and it’s less scary every time. And eventually, it’s not scary at all. And you just get to share this thing that you’re super excited about. And that is the thing that I like the most, if that makes sense. To me, like, you do this podcast, and you just get to talk to people and basically interview them and ask them these awesome questions. And you get to, I don’t know, in my opinion, it’s just this really fun, exciting thing that you get to do to share knowledge. Yeah.

Jamie

Yeah, cuz like I see it as, I get to talk to all these amazing people in the community. And I’m learning at the same time as the listener is learning. And I was actually asked this the other day, I was asked, what is success for you with this podcast? And I said, if one person walks away from listening to a conversation, and they know one new thing, even if it’s just enough to be able to go and google something to get the full context. So like asking for 45 to 90 minutes of someone’s time is a huge investment. But if they walk away going, Oh, they were talking about Content Security Policy. Let me go look that up. Boom, right. That’s it. Win.

Tanya

Yes, yes. And when you host, so I have my own podcast, the We Hack Purple podcast, you get to just send invites to people that you admire. And a lot of them say yes to be on the show. Like I’m like, joke’s on you. I get to meet you. This is so exciting. Like it goes both ways. Because when you’re a guest on a podcast, it’s like an honour to be invited on someone’s podcast, but then when you’re the host, like, I get to invite all these people that I’ve always wanted to meet or have the chance to talk to, and then they are gonna teach me something. I’m like, this is such a good deal.

Jamie

Yep, that’s why I do it. So let’s talk about that real quick. The podcast, let’s talk about that.

Tanya

Awesome. Okay, so the We Hack Purple podcast, the first year, we concentrated, so the first season, we concentrated on every single type of different job in information security, because there are so, when I joined InfoSec, I thought you were the firewall person. You had to do risk management, which looks like a lot of paperwork and is not really my jam. Or you had to be an ethical hacker, pentester. So I was like, Well, I guess I’m gonna be a pentester because I don’t understand firewalls very well. And then I discovered there is, you know, application security, which I consider sort of the bridge between the security team and the software developers, you kind of join them together, and you basically get to hang out with devs most of your day, which I think is awesome. But then there’s threat hunting, there’s security analysts, there’s security architect, there’s malware analysis and reverse engineering, and there’s so many different jobs. I was curious. So I was like, maybe audience members will be curious, and it turns out they were. But then we did, in my opinion, almost every single type of job, and it took 50 episodes. So I worked really hard on it, but I just got to meet cool people. But then season two is now “teach me something security”. So it’s little short lessons about whatever the thing is the person is really good at. So we had someone come on and explain, like, what the heck is pentesting? What is pentesting as a service, what is bug bounty, like how the differences of that are, and that is Caroline Wong. She’s pretty awesome. And then I had someone, we just recorded it, and I’m hoping we’re gonna get it out later this month, this woman named Nicole Dev, and she was telling me what a BISO is. So a CISO is, like, the Chief Information Officer. 
But a BISO is this brand new role that did not previously exist, where you’re a business information security officer. And like she was explaining, yeah, so it’s like a person that’s in charge of a giant business unit. And they’ll be responsible for all the security within that business unit. But for instance, if the security team screws up something royally, and then the business is hurt, it’s their responsibility to get that cleaned up. And so it’s very interesting, because if you’re a Chief Information Officer, like how, basically they didn’t used to serve different business units separately, it was like one tablespoon of security, swallow it, for everyone, same medicine. And that’s not actually the best thing for business necessarily. Like, when I did security training, like at a company full time, I was like, well, we can’t give the helpdesk the exact same training that we give, like, sales and marketing. That’s just ridiculous, right, and even the domain administrators versus the help desk, I want to give them slightly different training, because there’s slightly different things that affect them. And I really want them to be prepared. And I don’t want to make them sit around for two hours in training so that I can cover everything for everyone. I’d rather have, like, just 25 minutes with Help Desk if that’s how long it takes. And I’m only taking up as much time as I need. And so, like, this new role is exciting, and like learning what it is and like how you can get that job or whatever. So just, like, little short lessons to kind of help you understand, like, a specific thing, and then leave. And so I’m finding it interesting to get to just ask a lot of questions about things. Because, like, I’d heard of the CISO, and like, what does that actually mean? Is it hard?

Yeah, yeah, it turns out, though, one thing across every single episode of the We Hack Purple podcast has been, it turns out you’re just better at doing security if you have empathy. It turns out that that is a, so it took a while, it was actually my video guy that pointed it out, after maybe 20, 30 episodes, he’s like, you know, every single person has described their job, it’s like, even pentesters, like, that if you have empathy and can understand where the person that designed this or created this, or the customer that would be using this, if you could just put yourself in their shoes, that you can constantly deliver significantly better security. You can imagine threats better, you can imagine how to solve those threats in better ways for the people you’re serving. It’s very interesting. Like, so then I started asking eventually, and be like, would you say that one of the skills that you would need to do this job would be empathy? And then every time, “But yes, you cannot do a good job of this without it.” And I found that very interesting. Because as a software developer, I didn’t feel I needed a lot of empathy to do a good job. But when I switched to AppSec, and I was working with this, I joined this team of people that were all close to retirement age, and they’ve all worked, you know, more than 20 years doing risk analysis. And they’re pretty ticked off at the world, because they’ve seen so many bad security things happen. And they’re just like, I don’t care if the devs have a deadline on Friday, they have to do these 12 things or they’re not going to prod, I just don’t care. And I was like, you know, we could go out of business if we don’t meet our deadlines, right? You know that, like, a dev could get fired if they don’t meet their deadlines, you know that. And I just, like, telling them all the different things, and like, you know, the devs have a bunch of people asking for stuff. And also, like, they’ve been doing this project for a year. 
Why is this the first time you’re telling them this? Well, I didn’t have time, I was busy. And I was like, We need to rethink our entire model of how we serve them. They’re like, we’re not serving them. I’m like, Yes, that’s the problem. And it was just like, silence in this meeting. And like, it’s our job to help them to do their jobs securely. That’s our job, our job is to help them, it’s not to make them jump through stupid hoops. It’s not so that we can check boxes on a list. It’s because we want the things that they’re building to be safer. We have to adjust ourselves until we’re doing the best job of that we can. And like yelling at them in meetings is really not getting us what we want. So let’s try to do it a new way. And some of the people were like, Yes, and I have to say most of them were below 14 years old. And one of them, she was older, she was like, so funny, she was so energetic, was great. But some of the people were just like, I’m not interested in this. And after a few months, the manager spoke to two of them, who just could not get along with anyone. So I remember I walked in on the two of them. And they were both looking at each other. And there’s no video in this podcast, so you’re gonna have to imagine, they’re making these faces at each other in the hallway, and then laughing, and the other one would make a face and laugh. And they’re going back and forth. And I’m like, what are you doing? And they’re like, Oh, we’re practising the faces we make when developers say stupid things. So they know to shut the eff up and stop asking their dumb questions. And I was so flabbergasted. I’m like, You’re grown adults. And you’re talking to other grown adults. And you’re practising how to mock them in meetings. That’s what you’re doing. And they’re like, we’re just joking around. I’m like, no, like, you’ve really clearly stated what you think. I’m like, I don’t know if you’re in the right job. 
And they’re just like, Who are you, like, little girl? And I’m like, at the time, I’m, like, 36, shut up. But, basically, the manager ended up talking to them and saying, like, You’re too bitter to be in this role. You can’t be bitter and do AppSec, you need to go do something else. Maybe you can come back someday, but, like, you’re in the wrong job now, because all you are is angry. And like, I know Tanya was talking about how the two of you were, like, practising faces, and you’re joking around and whatever. But she’s like, No, I’ve just seen it in meeting after meeting, you don’t respect the people we’re supposed to serve. And I had a lot of respect for her to say that. That’s a difficult conversation. She’s like, I’m not saying you’re fired. I’m saying we need to find a different spot for you in this organisation. You have lots of corporate memory, you’re both really intelligent, but you hate your job. And you can’t do a good job if you hate your job. So let’s figure out where you’re gonna go from here. And I was like, Whoa, she’s a very interesting boss, very smart lady. But I was like, How’d it go? She’s like, one of them said, Oh, my God, you’re so right. And the other one’s like, F you, bad, blah, blah, blah.

Like, well, you’ve got 31. That’s great. But yeah, we can’t. But that was, like, just this flowing thing over every episode, is just like, if you don’t care about the person that you’re trying to do the security for, the security thing you make will be unusable. Usually. I mean, you could stumble upon success, but it’s rare. Sorry, I didn’t mean to get on, like, this high horse thing. But it really struck me when I switched from software development to security, because developers want to solve every problem. Like, they love solving problems. And they’re awesome at it, which is why they’re software developers. And so, like, whenever you talk to a dev, and you’re like, oh, I need to do this, like, their brain immediately starts to solve this problem for you, offer solutions and ideas. But with security, with some people it was like, Nope, no, no, and just such rigidity. And I’m like, you know, we still have to do this. For our client, we still have to do it. So it doesn’t matter if you said no, like, we still have to accomplish this. So what if we think outside the box a bit?

Jamie

Yeah, no, that’s, don’t worry about that. I think that’s an important conversation that we have to have. And it’s interesting that you brought up empathy, because I’m actually working on a talk at the minute about empathy in development. Because one of the things that I’ve noticed, over the last, maybe time related, I’m not sure. But over the last few years, I try not to talk about the current situation, I don’t tend to say just the wobbliness, or, you know, the last 26, 27 months, primarily because the shows aren’t about that. But I’ve noticed that over the last few years, there’s a lot of developers out there who will pronounce the word user, but put a silent L at the beginning. And I’m like, that isn’t helping anyone? What are you doing? Why are you calling the user names? If it wasn’t for the user, you wouldn’t have a job. Yes, quite literally, you are quite literally out there. Not at their beck and call, but they require you to exist. So it’s down to them that you have a job. So let’s just try and see it from other people’s point of view. Let’s try and, you know, be respectful to each other. You know, and it goes back to what I was saying earlier about codes of conduct. I absolutely love that they exist, but I hate that they have to, because, you know, people are horrible to each other. So maybe we need a developer, or a developer security, AppSec code of conduct, you know, if you’re going to talk. Yes, we will get upset. Yes, we all get frustrated. But don’t walk around calling the users names. Don’t make fun by making faces at people, you know, it’s this common decency stuff. Yeah, I just thought that was quite interesting that you brought that up and I’ve been working on a talk about that.

Tanya

I can’t wait to see it. I hope that when it comes out you share it online so I can check it out.

Jamie

Oh, I certainly will. It’s going to be, it’s starting off as a lightning talk. So it’s only going to be 10 minutes. But yes, I believe it’s going to be live streamed by the meetup folks who are coordinating it. But I’m also going to see if I can record it for the podcast.

Tanya

Would you like to do it at the We Hack Purple community? So almost all of our events are actually community members that speak and present to each other. Oh, and we have 2000 people. So I would love to see it.

Jamie

I mean, you’re asking me all the podcasts.

Tanya

Okay, well, you’re not dying. It’d be something that would be really receptive to that, really speaks to our community. For sure.

Jamie

Sure, why not? Oh, yeah, I can give it a, well, let’s see, what’s the worst? There we go, sorted.

Tanya

It’s true. None of our speakers have ever died as a result of speaking or died at all, actually, which is really good odds.

Yeah, well, our community members are really, really nice. We have, like, a lot of first time speakers present for us, which is awesome. And so it’s a very, like, soft and friendly audience. So whenever I’m going to, like, write a new talk, I usually ask, is there anyone that has some free time, and, like, I can present to you and you could give me some feedback? And then everyone’s always like, yes, this would be great. And so a lot of people, like, read each other’s blog posts, or help them prepare a presentation. It’s really nice to have, like, this little group of people. And I know the group is getting bigger and bigger. So I shouldn’t call them little anymore, probably. But when you measure in the 1000s, you should probably not use the word little. But yeah, it’s a very nice, warm and inclusive community.

Jamie

Awesome. Well, I mean, there’s another vote for going and joining the community. Thanks. Okay. We’ve talked a lot about some security stuff today. And I’m very, very conscious you have other things to be getting on with, because you’re a busy person, you know, your company has just been purchased, you’ve got a whole life to live. So what I’m thinking is, we do a quick roundup of places where people can go to learn about you, and We Hack Purple, and the book that you have already written, and a little bit of a reminder about the book that you are writing, and then again, go join We Hack Purple’s community, and then, you know, then you can get on with your day, you don’t have to keep talking to me.

Tanya

Okay, so if you want to learn just about me, specifically, there’s shehackspurple.ca. And I’m Canadian, that’s the accent you hear. So if I said “aboot” at some point, I’m sorry. But I have a blog there. And it’s a personal blog. And then I have a newsletter and all sorts of stuff. But if you go to wehackpurple.com, then you can visit the community, you can see the podcast, there’s a bunch of other resources there just to help with things, there’s a newsletter as well. And like I say, that’s us. If you want to learn more about Bright, who bought us, you can go to brightsec.com, or look up Bright AppSec, all one word, on Twitter or GitHub, et cetera. And if you want to join the community specifically, just go to community.wehackpurple.com. And basically, like, that’s the main place. You know, I found that over the years, if you want to have a thing that is just right for you, sometimes you have to build the community yourself, so that you can have your favourite place to be. And so that is what I have done over the past two and a half years. And so you’re all invited to join me, and so many other people who just want to talk about how we can make the world a more secure place. There are no upsells or anything like that. It’s just free. And all you’ve got to do is be nice.

Jamie

Pretty good deal. I’ll make a point of putting all of those links into the show notes. So no one has to try and remember, what was the website, and then scrub back and forwards, and the full transcription as well. So, you know, don’t worry, folks, if you missed any of those links, they are in there in the show notes. So don’t worry about that. So whatever you’re listening to this on, there’ll be a list of, click here to go to this website or to go to that website. You know, so there’s nothing to worry about there. Because that was a lot of links that we were just given. But yes, what I’ll say, Tanya, is thank you ever so much for giving some more of your time to myself and to the listeners. I really appreciate it. And I feel like part of it was a bit of a sort of meeting of the minds, a bit of a nerd-out about security. And I learned a whole bunch of stuff too. So thank you ever so much.

Tanya

Thank you so much for having me back. Jamie, have a great day.

Jamie

Thank you, you have a great day too.

The above is a machine transcription, as such there may be subtle errors. If you would like to help to fix this transcription, please see this GitHub repository
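The Content Security Policy discussion earlier in the transcript, the allowlist that doubles as a bill of materials for outside calls, and the tampered third-party script that a screen-reader widget pulled in, can be shown in working code. The example below is added for these show notes; it is not code from the podcast, from Tanya, or from We Hack Purple, and it is written in Python rather than C# so it runs without a web host (the header value is the same whatever framework emits it). The origins, URLs and script bodies are constructed for illustration, and the integrity check mirrors what a browser does with the `integrity` attribute rather than calling any browser API.

```python
"""Added example: a CSP allowlist as a bill of materials for external resources,
plus the subresource integrity (SRI) check that rejects a tampered third-party
script. All origins, URLs and script bodies are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed allowlist: the two outside origins this hypothetical app really uses.
SCRIPT_ORIGINS = ("https://maps.example-api.com", "https://cdn.example-reader.net")
IMG_ORIGINS = ("https://maps.example-api.com",)


def build_csp(script_origins=(), style_origins=(), img_origins=()):
    """Build a Content-Security-Policy header value: deny by default, then
    allow 'self' plus only the origins a developer deliberately chose."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(("'self'",) + tuple(script_origins)),
        "style-src " + " ".join(("'self'",) + tuple(style_origins)),
        "img-src " + " ".join(("'self'", "data:") + tuple(img_origins)),
        "object-src 'none'",       # no plugin content at all
        "base-uri 'self'",         # stop an injected <base> from redirecting relative URLs
        "frame-ancestors 'none'",  # clickjacking protection, supersedes X-Frame-Options
    ]
    return "; ".join(directives)


def external_origins(csp):
    """List every external origin a CSP value allows: the closest thing a CSP
    gives you to a bill of materials for the places the page calls out to."""
    found = set()
    for directive in csp.split(";"):
        for src in directive.split()[1:]:
            if src.startswith("'") or src.endswith(":"):
                continue  # keywords ('self', 'none') and scheme sources (data:)
            parts = urlsplit(src)
            if parts.scheme and parts.netloc:
                found.add(f"{parts.scheme}://{parts.netloc}")
    return sorted(found)


SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones browsers accept


def sri_value(content, algorithm="sha384"):
    """Compute the integrity attribute value for a script body the dev reviewed."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(content, integrity):
    """Mimic the browser: hash what was actually fetched and compare it with the
    integrity value the page declared. Unknown algorithms fail closed."""
    algorithm, _, _ = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_value(content, algorithm), integrity)


def script_tag(url, content):
    """Emit the tag a page should use for an external script: pinned by hash and
    fetched with CORS so the browser is permitted to verify the response body."""
    return (f'<script src="{url}" integrity="{sri_value(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed script bodies: what the developer reviewed, and what was served later.
ORIGINAL_JS = b"window.readPageAloud = function () { /* accessibility widget */ };\n"
TAMPERED_JS = ORIGINAL_JS + b"(function () { /* injected coin miner */ startMining(); })();\n"

if __name__ == "__main__":
    csp = build_csp(SCRIPT_ORIGINS, img_origins=IMG_ORIGINS)
    print("Content-Security-Policy:", csp)
    print("external origins:", external_origins(csp))
    tag = script_tag("https://cdn.example-reader.net/reader.js", ORIGINAL_JS)
    integrity = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("original passes:", sri_check(ORIGINAL_JS, integrity))
    print("tampered passes:", sri_check(TAMPERED_JS, integrity))
```

The two controls cover different failures: `script-src` stops the page loading scripts from origins nobody chose, while `integrity` stops a chosen origin serving something other than the file that was reviewed. When the hash no longer matches, the browser refuses to run the script, so the accessibility feature breaks rather than the miner running; that is the intended fail-closed behaviour, and it means the hash has to be updated whenever the third party legitimately ships a new version.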

Wrapping Up

That was my interview with Tanya Janca. Be sure to check out the show notes for a bunch of links to some of the stuff that we covered, and full transcription of the interview. The show notes, as always, can be found at dotnetcore.show, and there will be a link directly to them in your podcatcher.

And don’t forget to spread the word, leave a rating or review on your podcatcher of choice - head over to dotnetcore.show/review for ways to do that - reach out via our contact page, and to come back next time for more .NET goodness.

I will see you again real soon. See you later folks.

Follow the show

You can find the show on any of these places