Once, at a new job, I reported 27 security incidents. My boss was so pissed. She said "We never had any security incidents before YOU got there!" I tried to explain that they had always been having incidents, they just never had someone before that knew how to find them...
Tanya Janca
@shehackspurple
Best-selling author of Alice and Bob Learn Application Security. Education and community at #AppSec #sast #SCA #devsecops she/her
Tanya Janca’s posts
Announcement: I have resigned from Microsoft to follow my dreams and start my own company. Thank you for the absolutely amazing experience over the past ~2 years. Microsoft helped me reach a potential I never knew I had, and I will be forever grateful. 💜
I won the Cyber Security Woman Hacker of the Year Award. 😊 THANK YOU! it was all of you who made this happen. ❤️
OMG. My sweetheart just walked into our new garage and a cat came running out. WE DO NOT OWN A CAT. Is this how people end up with cats as pets? They just show up and now you have a cat?
Dear ,
You should be ashamed of yourselves for publishing a story that encourages people to abuse their spouses. techtimes.com/articles/24897
What is wrong with your editorial team that you would think this is okay? Take this story down and issue an apology. NOW.
Please pre-order my book 'Alice and Bob Learn Application Security'! It will teach you how to create secure software, from A to Z!
amazon.com/dp/1119687357/
Dear , I'd like to use multi-factor authentication on my accounts online, why is it not available yet? Security should be a priority for every bank, and MFA is #1 in protecting accounts.
Retweet please. Let's force change, together.
I lost over 100 followers overnight for posting my approval of the gay community taking back the #ProudBoys Hashtag.
Love over hate. Every time. 🌈
Byeeeeeeeee 👋
Please visit my new site, SheHacksPurple.dev, a learning platform dedicated to teaching Application Security, DevSecOps, and Cloud Security.
The big news: I have resigned from the public service to follow my dreams! I will be joining as a senior cloud advocate! I will pursue security research, teaching, speaking, and all things 'Application Security', full time! 2018 is going to be amazing!
Small announcement; I'm officially back to my pre-Microsoft weight. I put on 30-35 lbs while I worked there. Just by going back to my normal lifestyle and eating habits, it slowly melted off. I don't think I'm going to let my job get in the way of my health again....
Thread 🧵about yelling
In my early twenties I had a boss that yelled and screamed at people. I was new, but had heard it happen to others. One day I reported a design flaw to him, for a new app we were about to build.
He started to get upset, like he was going to yell.
Hey , I would like to politely ask if you could please verify my account? I've applied several times, but am always denied for not having enough followers. But I am a subject matter expert in my small field of application security. Please consider. Thanks!
Tanya
I heard someone say “open-source is like soylent green, it’s made of people.” And now I can’t stop thinking about it.
Them: what’s your mother’s maiden name?
Me: wkH7_vhpdypV2r!8qcY@N Nwz_ddbNcicDC@cTbY3VGvMwXbd6DQFjrCYx8Vc-
One of my banks instituted MFA using SMS (texts to a phone number) recently. THEY LET YOU CHOOSE THE PHONE NUMBER that the text goes to. There is therefore zero extra security protection, just extra time to log in. Facepalm.
I just published "Jobs in Information Security (InfoSec)" on #Medium. If you want to know about all the different types of jobs in InfoSec, give it a read. Also, let me know which jobs I missed!
Thread for Software Developers who want to know about this #Log4J thing.
Lots of people are talking about how this affects servers, but you want to know about your apps. Let's talk about what the problem is, how to figure out if you have it, then what to do about it.
Dear / .
In 2019 I made a HUGE deal about having you permanently delete my data before Google bought you, and your helpdesk said you erased me. Yet I just received an email from you at my private email address. How did this happen?
Tanya Janca
Hey ,
I love your product. You know what would be a cool feature? Autosaving my security question answers. All of mine are random 64-character strings, which I manually save into my password manager. If you could add a feature for this I'd love it!
Thanks,
Tanya
Hi. I'm Tanya Janca. If you just started following me; prepare for endless tweets about securing software, MFA, links to content I've created, me saying nice things to others for no particular reason and jokes that are likely self-deprecating but also work appropriate. Hiya! 👋
This situation taught me that NO ONE is ever allowed to abuse me or my staff.
And how to deliver bad news. When I became a pentester, it was extremely helpful to know how to de-escalate. How to word things more gently, and remember that no one wants to hear their baby is ugly.
Dear ,
I do not want my data that I consented to you collecting transferred to Google. With news of the acquisition of your company I intend to sell my Fitbit & delete my account.
How do I ensure that none of the data I allowed you to collect ends up in their hands?
If you use Google Chrome, update it right now. There's an emergency security patch. You want version 99.0.4844.84. Go to the 3 little dots and hit "About Google Chrome" to see which version you are on.
As you might have guessed; I'm writing another chapter of my book! #7 is well on its way, and I'm finally starting to feel like there is an end in sight.
I love writing, but it's SO MUCH WORK.
Anyway, that is a story for 'Alice and Bob Learn Application Security'.
People who are recruiting: Don't write me and ask me to help you find someone for a junior/entry level role and then send me a job description that says 5+ years. Please stop wasting my time, and job seekers' time. It's not cool, and it will get you blocked by me.
Every time a conference or vendor sends me a men's shirt (unisex) it feels like I don't matter. As a keynote speaker for conferences worldwide, I don't matter enough to have a t-shirt that fits my gender. I'm a woman. I'm here. Fuck you for making me feel like I don't belong.
Thread: Are you looking for a mentor in the InfoSec field? Are you willing to take someone under your wing and become a mentor? Many people ask me to help them find someone and others offer to help, this thread is for all of you.
Please reply if you are looking or offering.
Shoutout to my networking teacher who failed me in college in the 90's because I didn't memorize all the settings for creating users in Novell. I said Novell was dead and I would never need it. Mohahahaha! 26 years in tech and exactly ZERO Novell!
Super exciting announcement! #MSFT released their very own Web App, Linux app and Windows Desktop App Security Scanner (fuzzer+) TODAY. It's the tool that all of Microsoft uses to secure the software that WE make.
microsoft.com/en-us/security
Now with a working link!
OMG I love this site: Oh Shit Git! If you've made git mistakes and don't know what to do.
ohshitgit.com
So I put up my hand and said in a normal voice “Are we going to yell now? Are we doing that? Because I sing for a hardcore band, so I can yell with the best of them.”
He kind of deflated a bit and took a breath.
3/?
The CDC says that even fully vaccinated software developers must continue to validate all inputs to their code, encode all output, and use parameterized queries.
Question: if I open sourced one of my talks or workshops, with training so that you can reproduce it, common questions, slides, speaking notes, etc. but the rule for using it is that you can't charge money when you give it, would anyone be interested in that?
I personally feel that people yelling and screaming is completely unprofessional in an office setting. It is losing control and not regulating your emotions, making others suffer as a result.
That said, I was in a hardcore band at the time, and I CAN yell very loud.
2/?
You still need to get the message across, and often the message is not good news.
That said, don’t let people yell at you at work. We all deserve to work in safe places, and for most people being yelled at doesn’t make us feel safe.
Just a random memory and thought.
I want YOU to enable MFA. Passwords are not enough.
Tell your friends.
Have you heard the news? , , , , , , and more have banded together to create the OPEN SOURCE SECURITY FOUNDATION!
openssf.org
More secure (open source) software, now! 💪
A thread 🧵 on why we use source control.
Years ago I went to fix a bug on someone else's classic ASP app (he was away). When I ran the app locally it looked completely different than what I saw in prod. I quickly realized the copy in source control was 3 years out of date
Hi. My friend that was asked to do something illegal at work has now resigned, as per my thread last week. She is looking for work and is highly qualified. She's Toronto-based, but willing to relocate.
DM me for an intro to a very ethical security professional.
Thread.
I ordered an iPhone. I've never bought such an expensive phone/camera before. Although I'm a Mac user, I've never owned an iPhone before. Feeling a bit nervous. I'm frugal so this is hard for me, as weird as that may sound.
Tell me it's okay to own expensive things?
Both my parents deleted WhatsApp and installed Signal. My dad is 72.
#byebyewhatsapp
I don’t think someone can be great at application security without learning empathy and how to phrase bad news in gentle ways. And believe me, I had to learn it, I was not always so sensitive of others (not maliciously, I was just oblivious).
One of the best things about being in a senior position now is that I can wear a dress whenever I want to. When I was younger many bosses instructed me to "go buy some jeans" because my dresses were making others feel underdressed/uncomfortable.
I love dresses. Get over it.
Software Developers: If you could have any information in a book to teach you about security, what would it be?
Security practitioners: if you could teach software developers anything about security, what would it be?
All ideas welcome.
I just sent an offer of employment for someone who will be our SIXTH member of !!!!! Six of us now!!!!
I just got accepted to a conference and I'm not allowed to announce it yet but I'M REALLY EXCITEDDDDDDDDD!!!!!
Who are the most amazing women in InfoSec? Please tag them and tell me whyyyyyy they are awesome!
Then I said “I’m listening. You don’t need to yell. I want to hear everything you have to say. “
Then he calmed right down. I did too.
Then I explained the flaw, and said i wanted us to find a fix together, and we did.
From then on others asked me to speak to him, for them.
I'm not sure who needs to hear this but... X-XSS-Protection security header is dead. It's only for backwards compatibility, but recently (2019) vulnerabilities have been discovered and it's been used successfully to attack apps.
Use Content Security Policy (CSP) instead. 🌞
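As an added example (not code from the original post), here is a small response-header audit a practitioner could run over an application's responses: it flags any remaining X-XSS-Protection header, a missing Content-Security-Policy, and the common weak CSP shapes (`'unsafe-inline'` for scripts without a nonce or hash, or `*`/`data:` in the script allow-list), and builds a nonce-based starting policy. The sample header sets and the starting policy are constructed assumptions; tighten the policy for your own application.

```python
"""Added example (not from the original tweet): audit response headers for
legacy X-XSS-Protection reliance and missing or weak CSP, and build a
nonce-based replacement policy.  Sample headers are constructed."""
import secrets
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Legacy filter header: Chromium removed the XSS Auditor it controlled
    # in 2019, so it buys nothing in current browsers.  Drop it; use CSP.
    if "x-xss-protection" in h:
        findings.append(
            "X-XSS-Protection present: legacy filter header, "
            "remove it and rely on Content-Security-Policy"
        )

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
        return findings

    d = parse_csp(csp)
    # script-src falls back to default-src when absent.
    script_src = d.get("script-src", d.get("default-src", []))
    if not script_src:
        findings.append("CSP has neither script-src nor default-src")

    # A nonce or hash makes 'unsafe-inline' ignored by CSP3 browsers, so
    # only flag 'unsafe-inline' when no nonce/hash is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in script_src
    )
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append(
            "script-src allows 'unsafe-inline' without a nonce or hash: "
            "injected inline scripts still execute"
        )
    if "*" in script_src or "data:" in script_src:
        findings.append("script-src allows * or data:, which defeats the allow-list")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce (128 bits, URL-safe base64)."""
    return secrets.token_urlsafe(16)


def recommended_csp(nonce: str) -> str:
    """Assumed starting policy: self-hosted resources plus nonced scripts.
    Tighten or extend per application (e.g. img-src, connect-src)."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    legacy = {"X-XSS-Protection": "1; mode=block"}          # constructed
    weak = {"Content-Security-Policy":
            "default-src 'self'; script-src 'self' 'unsafe-inline'"}
    for name, hdrs in (("legacy", legacy), ("weak", weak)):
        print(name, audit_headers(hdrs))
    good = {"Content-Security-Policy": recommended_csp(new_nonce())}
    print("good", audit_headers(good))
```

Each server-rendered page must emit a fresh nonce in the header and copy the same value into the `nonce` attribute of every legitimate inline `<script>`; a nonce reused across responses is guessable and defeats the point.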
If you are a man and you want to support women in tech, you are not weird, you are wonderful. To all the kind and supportive men in my DMs who want to find ways to show support to women and are asking advice. Thank you.
That is all.
I'd like to ask you all a favour; if someone is saying something outrageous about me, please ask before you decide. One of my publishers told me two weeks ago that someone told them something awful and suggested they stop publishing me. The claims were untrue.
My book is out! 🎉🎉🎉🎉
OMG!! I've been nominated for Canada's Top Women in Cyber Security!!! Join us TODAY at 10:00 AM PDT/1:00 PM EST buff.ly/2XOCHhM
Lol, the director basically wanted to string me up by my toes at that point. It wasn't a good fit. They wanted to check the "we hired a pentester" box, and I actually wanted to secure software. D'oh!
What are your favourite security podcasts? Name as many as you want. :-D
All the people who were upset that I gave free courses to women of colour this weekend had less than 25 followers. Coincidence? I don't think so.
I'm more than happy to use the mute and block buttons more liberally, in order to help others.
You know how in movies there's an emergency and then someone says "Don't worry, I'm a doctor", then they save the day?
I want a movie where I bust in and say "Don't worry, I'm a nerd " Then I save the day.
IS THIS TOO MUCH TO ASK? TO HAVE A NERD ON TV WHO DOES GOOD?
</RANT>
What's the #1 best way to secure a software application? All answers welcome.
Dear everyone; I developed a cough after RSAC/BSides (SFO) and have been in quarantine since last week. I just got the results; I am negative.
All I have been able to think about was "What if someone I love caught it from me?"
I will be cancelling much of my upcoming travel.
I had new press photos taken. I really enjoy the superwoman pose!
I need to say something. When security professionals say "Shift Left" they mean for us to start security earlier in the SDLC. They DO NOT MEAN that we ONLY do security early in the SDLC. We mean the entire way through, even after they are deployed.
Just needed to clear that up.
Me at airport security.
TSA EMPLOYEE: Why do you have three laptops?
Me: I'm a nerd. (makes eye contact, straight face)
TSA EMPLOYEE: (nods as though that answer is acceptable and makes perfect sense. Does not make me take out third laptop. )
Me: (as if that worked!)
AWESOME!
Real question: how can we make web applications more secure? I mean in general, not a step by step instruction.
I personally believe that security should be a part of every coding course.
What do you think?
FYI Folks, I've installed something called Which means if you have no profile pic and/or less than 100 followers, I won't see your comments. This is to help me not see so many hurtful comments if I am harassed again. Hope I don't miss out on any of you.
My publisher told me that I've sold 74 books on amazon.com. He also told me that the 'record' for a security book from Wiley is 300 pre-sales on amazon.
We can do this, right? Please help me, I'm extremely competitive!
Someone asked me “if I open a port in the firewall for you, how can I be sure no one else uses it?”, and since I’m AppSec, not NetSec, I didn’t know how to explain. Could someone help me explain how it works?
Pic just for fun.
I wonder if all the people in Silicon Valley know that #TechIsland (Victoria BC, where I live) is Canada's tech hub, real estate is way cheaper, we have beautiful beaches and nature everywhere, and that Canada welcomes immigrants from everywhere. It's awesome here. Just sayin'.
My income last year from #Medium was $61 USD, for the last 3 months of the year when I clicked the "monetize" button. In case you're wondering if putting your content behind a paywall is worth it.... I personally have found it is not.
I had 34,000+ reads. $61
Look what my sweetheart made me, a farm stand to sell the veggies! Almost 100% is made from reclaimed wood.
I just had my one year anniversary at 💜
I'm grateful. For having the opportunity to work with brilliant and wonderful people, to travel the world, to be able to give back to my community, and be able to learn more than I ever dreamed.
#gratitude
Industry secret; a lot of us who are business competitors are actually friends or at least friendly acquaintances. We even help each other, send each other potential customers, and share info.
For students Grades 7-12, here is a Cybersecurity Fundamentals Course!
This program will help your students learn how to protect their digital identity and develop the digital literacy skills required for learning remotely! #EveryDAYisCYBERDAY programs.fairchancelearning.com/ictc-cyberserc
My book arrived! Alice and Bob Learn Application Security!
amazon.com/Alice-Bob-Lear
OMG!!!!! Coming soon: Microsoft Azure Security Technologies Certification! I will finally have a cert that I want!
Hi. There's no SLA on my Twitter account for answering DMs. I get back to people when I can. I feel a bit upset when people get impatient with me. I receive a lot of messages. And a bunch this week were rather impatient. I answer for free. Please be patient. Please be kind.
I don't know who needs to hear this but... If you work full time somewhere, and you share or ask questions about very specific security issues, you are not only breaking your NDA, you are endangering your organization. Threat actors follow employees of organizations they target.
My first subtweet: don't tell me another woman in tech is shitty and I shouldn't associate with her. The way I see it, it's more likely you are the problem.
Bullying young women is absolutely unacceptable, and coming from a 'community leader' is repugnant.
Blocked.
Remember when people talked about the 10X engineer? What's it called when someone makes everyone else around them way better? That person, makes everyone else, 10X? Is there a word for that?