Identity in Cybersecurity Ep. 4 — Seeing the Big Picture

Ian L. Paterson talks to Tanya Janca of SheHacksPurple about the importance of privacy and transparency, creating equality and diversity in the workplace, how to create and keep security talent, and more.

As a cybersecurity professional, how do you balance privacy and transparency? How about equality and diversity? Security and usability? How far do you go in preventing that proverbial “rm -rf” from being executed?

In this episode, Plurilock CEO Ian L.Paterson talks with Tanya Janca about the big picture—about finding these and other kinds of balance in cybersecurity.

Host:      Ian L. Paterson
Guest:      Tanya Janca
Length:      37 minutes, 35 seconds

Ready to listen in? Click play below.

 

Transcript

Ian: Welcome to the Identity in Cybersecurity Podcast, I’m your host, Ian L. Paterson, and in this episode, I’m talking to Tanya Janca, startup founder, application security consultant, and community leader with previous roles at Microsoft and the Canadian Government. In this episode, we discuss the importance of privacy and transparency, the LifeLabs breach, creating equality and diversity in the workplace, and how to create and keep security talent. Let’s get to it!

Ian: How did you get into cybersecurity?

Tanya: It was sort of an accident. [laughs] I was a software developer for years and years and years. And then I was also a professional musician, so I would be in bands and play in bars all around town and other cities and stuff. And in one of my offices, there was a penetration tester who would come in sometimes, and he was in a band and we became friends. And then he started saying to me. “You should be a hacker man, so good man—it’d be the best.” I was like, “No, software development is my favorite. I get to make something out of nothing every day. It’s totally awesome. You know, when I fix a bug and my client’s super happy, I’m like, yeah, I’m awesome.” But then he just kept convincing me and then he would like, show me how he broke some of my apps, (like when he was doing pen testing, like not breaking any laws or anything). And then he’s like, “How about this? How about that?” And then eventually he told me I should be his apprentice. And eventually, I said yes. It took about a year and a half of convincing, so it’s the opposite of every other person who joined security. He was great. He taught me a lot of stuff. But then I joined OWASP—and then, OWASP is where everything just exploded for me. And then I met another professional mentor and another one I started DevSlop project with my friend Nicole Becker. And it, it just sort of snowballed and snowballed. And then now I’m here!

Ian: And so what is here, what keeps you busy during the day? So last year I was working for Microsoft and I left them to start my own startup company, which was, creating a cybersecurity product, but like many startups, we sort of fell apart. It’s kinda—you can start a company with one of your best friends, but still have different directions and ideas of where you want to go and so rather than ending up hating each other, it’s like, maybe we should just split now and you do your thing and I’m going to go off and do mine. So, now I’m starting my own company again because startups are so addictive, Ian! And so my new company is going to be a training company, so I’m going to give application security, DevSecOps, Cloud Security Training in person and online. So, I’m going to make a lot of online content where people can follow through and do exercises at home, and then eventually—hopefully—become AppSec engineers. That’s what I want. I want lots and lots of us to go off and secure all the software!

Ian: How has the industry changed, you know, in the last five years? And then can you, can you draw any parallels to what you think will be coming up in the next few years?

I would give Lunch & Learns on the things that I felt were the biggest problem. And that helped me meet a lot of developers and find lots of allies within the software development teams and identify potential champions.”—Tanya

Tanya: Oh my gosh, Ian. So many things have changed! Okay. So first of all, security didn’t used to be a thing. So there’d be a security team that would do things like certificates and you know, like not allowing people to have admin rights. And generally, they got bulldozed a lot and it didn’t seem like it would be that fun to be on the security team. Then security became more of a priority. Awesome sauce! And then by the time I joined, we became glamorous. At some point, penetration testers and hackers were so cool. That is the first time a nerdy thing has become so cool. Then it became more high pay, cause there’s not enough of us and it turns out it’s really easy to make a lot of money being a criminal online, so you need more of us to help make that a less profitable venture. And so what I’m seeing now is companies taking it a lot more seriously, seriously, companies instead of just bulldozing the security team, actually like listening, making some of their plans a priority. Some of them are going so far as to actually making a complete, secure system development life cycle, which is amazing!

Tanya: There are other companies doing really, really cool things. So there’s like the big ones. Like Microsoft and Google do lots of really cool security things, but even companies where they’re not really a tech company. So like Netflix is not a tech company, but gosh, they do cool tech and their AppSec team keeps making tools and giving them away to the industry for free. And I’m like, that is so cool! Like making a security tool and then sharing it! So, I’m seeing a lot more automation of security tools. So right now there’s a lot of older applications, security tools that are tried and true and work really well for the waterfall method.

Tanya: And right now a lot of them are like, are trying to tell their customers, “Oh yeah, you could just put us in your DevSecOps pipeline”, but I can’t have my pipeline run three days. That will make my developers mutiny! So they’re going to have to adjust for this DevOps thing because it’s not going away. And in fact, I hope everyone goes there because it’s just such so much more delightful way to create software and maintain it.

Tanya: I also think that there’s going to be a lot more companies adding machine learning (for better or—worse) to everything they do. I think there’s going to be a lot of ethical issues…not in security so much, but in privacy. I already have a lot of concerns that really upset me as a consumer. And even though I’m not a privacy expert. I don’t know if you saw how Google bought Fitbit.

Ian: Mhmm.

Tanya: I was an avid Fitbit user and so I very publicly gave up my Fitbit. because I don’t want that aggregation of the two datasets. And I found a way to work with Fitbit to completely remove my presence from their dataset and well, people online are like, “why do you care? Like that’s not a big deal.” I’m like, Fitbit knows a lot about me. For instance, if I’m trying to get pregnant, if I am pregnant and what my cycle is like… if you can record how many partners you’ve had, all sorts of other things. Also, they don’t make physical whereabouts 24/7. They know when I want to wake up in the morning and if I actually wake up or not, they know how I sleep. They know like they know a lot of health things about me. And then Google knows all this other stuff. And together the aggregation of data is the thing that upsets me. And so as we go from site to site right now, there are trackers all over the place knowing everything about us. I was explaining at the conference where we met, at the Privacy and Security Conference by Reboot in Victoria, British Columbia, how your webcam tracks your eyes on websites. Like I was looking at some products, cause I wanna make some online training and one of them said you can watch your users view—like while they do your tests. So you can see. And I, you know, as someone wanting to buy this as a service, I’m like, that’s really amazing from a testing standpoint, but oh, that’s gross! Right? And I predict that there’s going to be some sort of revolt at some point by the public when they understand how technologists have been treating them.

Ian: So talking about AppSec or a sec DevOps, we Plurilock are coming from the angle of digital identity. And so we tend to view the world with that lens. And I’m curious as somebody in the AppSec ecosystem, how do the two intersect? How does digital identity affect how you develop applications in today’s environment?

Tanya: When you say digital identity, do you mean your identity within one system or your identity on the internet?

Ian: Well, both, I think for us, where we spend more of our time is working internal to regulated entities: so banks, power plants, hedge funds, that type of thing. And so when you’re developing that payroll system for the bank to use in the back office—how does today’s technology around digital identity affect how you develop that application and make it secure?

Sometimes we are so busy putting out fires all the time. It’s hard for us to see the big picture.” —Tanya

Tanya: Well, certainly there’s a lot more single sign-on happening and—so basically I don’t think we should reinvent the wheel. And when I was a software developer, I’ve worked out a lot of places where we would make app after app after app where you had a login screen and people had password after password after password, and now with a digital identity instead, we can have one authentication system. So we know you are the Ian we mean, the Ian we want, and then we authorize you based on all the different apps. So Ian is allowed here and Ian is not allowed there and then re-verifying often depending upon what you’re doing. Wait wait wait, so is this still Ian? Okay. You are allowed to take that money out of the bank. But perhaps if you are posting to a social media platform, we don’t need to check again. That makes sense.

Ian: So it’s more of a risk-based approach depending on the severity of whatever the transaction is at hand, whether it’s wiring money or whether it’s posting to Twitter.

Tanya: Yeah, I definitely feel that we need to re-authenticate for important decisions. So, definitely spending money, definitely deleting an account, things like that. When I left Microsoft, I had to shut down all my employee accounts and I had a whole bunch of demos in Azure, so I went to delete a bunch of them. And Azure has an emergency feature, which is really cool. So I deleted my database that I had, and then I deleted the backup and it said, “I’m sorry, but as a precaution, just in case there’s a 14-day countdown, and then we need you to reconfirm.” And so I had to get my boss and it was no problem. I had to reconfirm after the 14 days that it can be deleted. But I found that really cool because, the thing that happens sometimes when employees quit—not in a nice way, like where I did and I got hugs—sometimes they delete a bunch of things and make a big mess and do malicious activities. And I thought it was really cool that, that a precaution and built-in against that, but not every place does. So definitely having multiple layers of not just authentication, but re-authenticating when necessary. Definitely.

Ian: It’s interesting because I think one of the challenges with re-asking or re-authing the user is that you’re throwing up additional roadblocks and in some cases, like your example just now about deleting data, maybe you want those additional checks in place to, to really make sure before you “rm -rf”, you know, the entire dataset. But how do you actually, as an app developer developing for end-users—how do you make that decision about how much security to put in place versus how much convenience and friction you eliminate for those users? Cause it always seems to be that balance, right? And if you go too far in one direction, it’s going to be too secure and not usable in the other direction… completely insecure, but you know, a dream to use from a user’s perspective. So how do you find that balance?

Tanya: Sometimes you can react without needing to interact with the user. So an example would be—for instance—there used to be a big problem with something called cross-site request forgery. So let’s say I’m logged into Amazon and I’m shopping for shoes that will take hours, trust me. And so then I’m logged in all day, but then I get a phishing email, and that email has a link. And in it, it sends a command to Amazon to buy something and send it to them instead of me. And if I’m logged in, and if Amazon wasn’t protected against that—if they’re vulnerable to it, then that transaction would happen invisibly and I wouldn’t know. And so what most sites do now, is they pass something called an anti-seize serf token, and it’s a secret token that just gets passed back and forth and any sort of transaction that you would be doing. So like, buy, delete, update, it just re-verifies the token silently, behind the scenes.

Tanya: There’s also, depending upon the systems that you’re using, possibilities could be like facial recognition like this. So in Windows Hello, when you just look at the screen, it recognizes your face and lets you in, right? So what they could do is, if you’ve given it permission, you could have it re-authenticate like that. There’s a lot of different ways that you can re-authenticate—for instance, my phone, I use my fingerprint, but every once in awhile it says to me, “no, I want a pin.” And I get so annoyed. But then I remember, “Oh yeah, that’s okay. So I guess it’s about patience as well. But yeah, a lot of it is talking to your business and figuring out what’s okay and not doing captchas because everyone hates those.

Ian: So if we shift gears a little bit, I think one of the challenges that certainly our customer’s voice is trying to attract and retain talent, right? Cybersecurity talent: I think the statistic is a million cyber jobs left unfilled in 2020 I’ve seen numbers that actually go quite a bit higher. What have you found to be effective in getting people engaged? Getting them in the door at companies and then keeping them and making sure that they’re happy.

Tanya: I am a big fan of security champions programs. So if you have an application security team, or even just one person, if that person can engage with developers and Ops folks or the rest of IT, assuming this person’s a superhero and able to engage with that many people effectively—there’ll be people that self identify as interested. And then if I’m allowed to, I give them more and more security type information and training and tasks until I can hire them to my team. That’s what happened with me! I kept just showing interest to the security team and I was in charge of a Dev team and I made sure that I was the person that hired the pentester as the person that fixed all the results. And I just kept reporting security flaws and incidents to them. And then one day they let me on the team, but they said I had to do architecture—that’s fine. And then I got to go on an incident and then there was code, and I’m a software developer so I could read the code and I recognized it. And I’m like “that is an SQL injection. I know what’s happening!” And so I just kept proving myself useful. And then eventually they’re like, “Do you want to be on our team?” “Yeah!” But if instead, we tried to encourage people like that—if you can make your own AppSec people, that seems to be the easiest way to recruit them and give them lots of training and ask what they want. And then what? Listen!

So definitely not putting constant red tape around your security team so that they can’t breathe and then they quit in frustration. ”—Tanya

Tanya: Also hiring students and interns. So I remember hiring a bunch of students and the rest of the security team told me that they felt that was a waste of time. They’re only here four months. And I said, “they’re here 4 months. Then they go back to school for four months. And if we have treated them well, they come back and they know more stuff in four months from now. And if we’re lucky, they’ll come work part-time at that time.” And the students ended up just absolutely blowing us away. They’re amazing! I had them running a phishing campaign. I had them investigating small incidents. I had them just doing all sorts of things. I had them make a placemat that security stuff on it, like security puzzles and crosswords. And then we gave them away at an All-Staff with crayons, and everyone thought it was really silly—except for it was actually awesome because we taught them a bunch of our policies—so the joke is on them.

Ian: Awesome! I know one of the challenges that some people face is that even though there is such a lack of qualified individuals, that once you have a team, how do you make sure that it’s a diverse team? Because I think most studies and data show that the more diverse a team you have the more schools of thought that you can draw from and ultimately the more perspectives that you can attack a problem from. I think one of the challenges though, is that if you’re a typical white guy in that environment, how do you create that setting such that you can be inclusive and how do you get those different perspectives into the roles?

Tanya: So part of it is if you have someone that’s already there that is not a white dude, ask if they’re happy and see if stuff is wrong and if it is wrong, fix it because they are your biggest advertisers, whether that be attracting or repelling people because women will ask other women, “oh, so you work there, how is it?” So that’s really important. So fix whatever it is that they say and check in with them and make sure things are okay. So one thing I suggest in all cities is if you can offer to host meetups that are women’s specific or minority specific or neurally-diverse-specific or whatever would be more diverse than what you currently have…if you can offer to host those meetups, then your employees can mingle with those employees. And some of those meetup attendees might become your employees. Also, you can sponsor meetups like that, that helps to show that this is something that’s important. I would say that actions are the most important thing though, I’ve seen a lot of places where they say, “Well, we want more diversity, where are all the chicks?”

Tanya: And as you can imagine, most women are like, “Oh, I don’t need to apply there anymore. Especially if we’re treated just as tokens”, if that makes sense? Like “We have a woman, she’s right over there!” A lot of women I know, especially women of color tell me that, like whenever there are photos taken at their office, they’re demanded to be in every single photo. And I’m like, “Oh, that’s weird. Are you getting paid extra for also being a model? No?” Like at least acknowledge that that’s happening and ask their permission rather than pretending that that’s not what’s happening. Like one of my friends is black and a female developer, and she’s like “Every single photo, and I’m the only black developer in the entire company, including every single location and the only woman developer, and every single photo there I am right at the front! She’s just like “don’t parade me around!”

Ian: Got it.

Tanya: Also, making sure that they are promoted at the same rate and engaged at the same rate as everyone else. You’ll just see things where women get either pushed into management or pushed into non-technical roles. I’ve had that happen where the big boss told me that he didn’t see me as technical… “Like really, cause I’m in charge of all your custom apps and have been for years…”

Tanya: So, not pushing them into non-technical roles unless that’s where they want to go. And making sure that they’re actually getting promoted at the same rate. There’s a lot of issues where women will see men promoted past them over and over. And if that’s happening… “Why, right?” And it might be that the manager has an unconscious bias he doesn’t know about. But it also might be that the manager is looking for a specific skillset and does not see it in this person. And it’s like, well, then coach them and give them the skillset!

Tanya: Like as manager, it’s your job to prepare all your employees to basically surpass you, right? And become more and more amazing and grow their careers within the place where you work so they don’t leave you. So why are you not doing it for this one person if they clearly need some help, right? If that’s the real reason why they’re not being promoted. So those are ideas off the top of my head. I am not an expert in this. Just to be clear. And I’m a woman in tech, but doesn’t make me an expert at what works.

Ian: Makes sense. So you talked about promotion and getting new people into jobs, I’m curious, when you are first into a new role, so let’s say you’re, you’re assigned to take over an AppSec project at a new company, what are the first things that you’re doing in that 30, 60, 90 day period?

A really big reason why some security people leave jobs because they’re not enabled to get things done and they just quit out of frustration. ”—Tanya

Tanya: Metrics! I really love seeing, you know, all their previous scan results and pentest results or incidents that they’ve had, and looking over all of it and seeing if there are systemic issues here or problems that are happening over and over again? So I’m really good at public speaking now, but I was not always, I would give Lunch & Learns on the things that I felt were the biggest problem. And that helped me meet a lot of developers and find lots of allies within the software development teams and identify potential champions.

Tanya: And then also if everyone has cross-site scripting (all the time, they do). If you do a deep dive into it and teach everyone how to look for it, teach everyone how to fix it, then you can end up, making like a big positive dent and then being able to point out and say, “See, that’s why you hired me. Look what I did!”

Ian: So everybody seems to have a horror story, something that keeps them up at night. What is the highest stress cybersecurity incident that you either have been involved with or I’ll give you some air cover… may have heard from a friend.

Tanya: Well, obviously I’m not allowed to talk about any incidents that I was involved in because of NDAs. I’m trying to think of ones that I’ve heard of cause I’ve heard of so many that were so bad. But basically anything that involves any sort of data breach involving personal data or government secrets is pretty darn scary. Like recently LifeLabs was breached and you are a citizen of British Columbia, and I am too. However, the breach was from before that, but I was a citizen of Ontario then and they also say Ontario. So I am definitely somewhere in that breach. And the idea of my test results, what my health conditions are or are not, or what I was concerned about that being on the internet and in the hands of criminals is really disconcerting. And also the fact that LifeLabs paid the ransom!

Ian: Mhmm.

Tanya: …Which means they didn’t have a backup of any other medical data. So whoever’s on that team hug-ups for you, cause that must’ve been really bad past couple of months for them! Although maybe the security team is able to use that as leverage now in order to enforce higher standards for security. I’ve done that before where I’ve taken the results of previous incidents, sorted them out into types of incidents, showed them how much it costs and how much damage there was and how much time we lost because of it. And then said, “I can fix this or reduce this by this amount for this amount of money to, you know, do this AppSec program or to do this specific thing.” You can’t fix all the things, but I find you can greatly reduce things if you attack them from a high level. Sometimes we are so busy putting out fires all the time. It’s hard for us to see the big picture.

Tanya: One place that I worked, I was supposed to be doing AppSec, but I would do around three weeks per month responding to incidents. And I told them like when we had this discussion one day and I told them I was gonna look for a job. They asked why, and I said, “because you won’t let me do any AppSec.” All I do is fight incidents because you won’t let me do any AppSec. Like I want to talk to developers. I want to create a standard for this. I want to engage them. I want to have more freedom to run more security testing. Like give me a real environment as opposed to making me make an appointment weeks in advance to test one thing—I have crap to do and I need you to enable me to get crap done or I’m going to go somewhere else because I don’t want to respond to incidents… three out of every four weeks, all my hair is going to be gray. And they said no, so I left. Yup. So definitely not putting constant red tape around your security team so that they can’t breathe and then they quit in frustration. That is a thing for keeping people. Security testing is scary, but you can make a safe place to do security testing. Does that make sense?

Ian: It does.

Tanya: Like you really can, and especially during an incident, I need to be able to test out if there’s a zero day that’s out in the wild, being exploited and you are really concerned and you want me to—manage and investigate as to if we are vulnerable for this, let me do a test on a dev system to see like—there has to be a safe space for me to do testing, and if there isn’t, that’s our first problem. Don’t just yell at me at midnight why I don’t know the answer when I’m like, I know why I don’t know the answer because you won’t let me get any work done! That’s actually, now that I think of it, a really big reason why some security people leave jobs because they’re not enabled to get things done and they just quit out of frustration.

Ian: So let’s go from that negative to a positive. What are you proud of but never have an excuse to talk about?

Tanya: Oh, yeah. Wow. That’s such a good question.

Ian: It was a list of top 10 best questions on Google. [laughs]

Tanya: So I was the CISO for the general election in 2015 in Canada, and I helped make sure that was a success and I’m really proud of my team and of that—we’re not in the newspaper and nothing really bad happened. We spent a really long time preparing for that. And it’s pretty magical. To see democracy happen and help enable that to happen to make sure that people, in the Arctic, we’re able to vote over 32-kilobit modems safely and securely, to make sure every single Canadian had the ability to vote, even if they were somewhere else on the planet, and to make sure their vote was counted and to make sure that the public could trust the results because when we count, the media is invited into the room, every single party that had a candidate is allowed to send someone to be in the room, sometimes there are up to 40 people counting by hand all of the ballots. And you know, obviously, you have a consensus then. Right? And I’m making democracy happen. Made me really proud.

And I’m making democracy happen. Made me really proud. ”—Tanya

Ian: So I think that topic is still highly relevant. What advice would you have for the people who are on those teams and who have to do similar jobs again in the future, and not just necessarily in Canada, but also in the States and in other European countries? How can people learn from what] you did?

Tanya: So in Canada we do things a lot differently than a lot of other countries. A lot of people who’ve talked to me about their electoral systems, there’s a big push to have electronic votes. One of the problems that some people see with that is that theoretically, so let’s say I’m the boss of 20 people and I tell them, “You’re all going to vote electronically in front of me and you’re going to vote for the candidate I tell you” that is something that could happen. And also, a lot of people are concerned that if they vote electronically, their vote will no longer be confidential. And it’s your right to vote for who you choose and for that vote to be confidential and for someone else to not be able to force you to vote something else.

Tanya: I know that in the United States, they have quite a few concerns about the security of their voting machines. I find it very odd that they would have a federal election that is not run by one body and instead it is run by every single body. But I find it strange because I live in Canada and that’s not what we do, and therefore everything else is literally foreign, right? And so in Canada, elections, Canada runs every federal election period. That’s what they do. One group runs it for the whole country, but in America they have many different groups that do it. Our centralization seems to—be working quite well. Canada seems to like it. Even if the Wexit people were upset about the results. There was never a question of, well, we think this got hacked. So, centralization, standardization might be good. I’m not a big fan of reinventing the wheel—I’m a big fan of automation, so in, in general, one country having one voting machine might make more sense and then test the living crap out of it, rather than having, you know, 50, 60,100, 200 machines. That might make more sense so that the public can trust that machine.

Tanya: And also transparency. So the Canadian government is quite transparent with allowing people to be in the room while they count the votes. The Swiss government is quite transparent, so they shared the design plans, they offered a bug bounty program and all sorts of other things on their electronic system, and they still have a handful of people that are quite pissed off, but a lot of the Swiss public seemed fine about it. I think being as transparent as possible would be a good idea too. I know not every country is a fan of transparency. It’s uncomfortable. Trust me, I know! It is uncomfortable if you have to report to the Information Privacy Commissioner, that there’s something bad happening and it’s uncomfortable to face the music. but then as a citizen, I feel I have trust because we show our dirty laundry, if that makes sense.

Ian: It does. So how do you go from a small number of employees to a massive number of employees and still maintain assurance of that digital identity of the person?

Tanya: So, I feel that that would be revealing secrets.

Ian: Fair.

Tanya: I’m not supposed to tell you how they do their security. However, in Estonia each citizen has a digital identity and everything is digital. So Estonia has started their tech revolution quite late compared to the rest of us, and they are in this magical, magical position where they have almost no technical debt. It’s amazing—I’m so jealous! And they have like everything, everything is electronic you and it’s so fast and so efficient—if anything, we should consult them. They are quite often as an example of a country doing it right. I know that a lot of government officials from many, many countries go visit Estonia to find out what they’re doing.

Tanya: There’s so much super cool stuff that the government does, and I wish that they would brag more so that they could do a better job of recruiting. Like I have had a lot of very, very cool different jobs, I did antiterrorism stuff for a while, which I wouldn’t say it was enjoyable, but was highly interesting, difficult and challenging. I’ve built fun web apps that were just cool and neato. Like I remember a boss saying to me, I built, we called it “the phone book”, but basically, kind of, if you can imagine the first digital phonebook where you would be able to have a picture of an employee play in a map to their desk and who they worked for, and see a tree of where they are in the organization and see like everything about them before you have a meeting with them. Or if you’re having trouble finding someone, you’re like, “Oh, I know they sit on this floor and I need to whatever.” And it was just private for our employees, but he’s like, “Make it as Web 2.0 as you want, like just put all the bells and whistles, just everything you could think of, just go wild, Tanya! And I was like, really? I get to just build whatever I want? He’s like, “Yeah, yeah, I’m sure it’ll be awesome.”

Ian: And was it? Oh, it was super fun! It was so fun. I’ve had employees tell me like a few years ago even, they’re still using it and they just like would update it. I’m like, that’s so exciting. Like no requirements, just give ‘er! So there’s like lots of really cool things that can, that can happen, but they don’t share a lot of that publicly and I think that that’s too bad because it’s nice to serve your country. Does that make sense?

Ian: It does.

Tanya: And there can be a lot of pride in knowing, you know, I helped, again, like so many examples I can’t give, but like I helped make a difference in people’s lives in this way or that way and protected them in a way that they might not have even been aware.Like all of our food is generally not poisoned, all of our water, you can drink out of basically any tap. Like these are things that we take for granted that the government works really hard to make happen, right? I walked down the street and then I just walked down the street and that’s the whole story. No, like I’m just safe basically almost anywhere all the time. And yeah, our government works really hard on all of those things and they should brag more—I’m going to tell them next time I see them.

I helped make a difference in people’s lives in this way or that way and protected them in a way that they might not have even been aware..”—Tanya

Ian: Let’s do it.

Ian: Hey Tanya, are you involved with any community associations we should know about?

Tanya: Yes! So I am one of the leaders of the WoSec Women of Security Chapter in Victoria, and also my friends Chris and Roberto I are starting a OWASP Chapter which stands for the Open Web Applications Security Project and our first meeting is April 23rd so please come join us, it’s going to be awesome.

Ian: Excellent. Where can people find out more and engage with you online?

Tanya: So online, my Twitter handle  and YouTube channel  and everything is SheHacksPurple and I’m launching my training site in the next few weeks and it’s shehackspurple.dev  because it’s for developers. And yeah, if you just look up Tanya Janca or SheHacksPurple, you’ll stumble upon a lot of results and be like, “oh, is that all one person?” Yes, it is!

Ian: Awesome. Thank you so much.

Tanya: Thank you for having me on the show. This was really fun. And thanks for accepting when I can’t answer!

Ian: Not a problem! ■