Afternoon Cyber Tea with Ann Johnson 12.12.23
Ep 87 | 12.12.23

Beyond Basics with Tanya Janca

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea" where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories to stay one step ahead. Today, I am joined by the head of Community and Education at Semgrep and the founder of We Hack Purple and a very famous cybersecurity professional, Tanya Janca. Tanya, also known as SheHacksPurple, has been coding and working in IT for over 20 years and has been everywhere from startups to public service to tech giants including Microsoft, Adobe and Nokia. Tanya has worn many hats: startup founder, pentester, CISO, AppSec engineer and software developer. She is an award-winning public speaker, active blogger and streamer, and is the author of "Alice and Bob Learn Application Security." Welcome to "Afternoon Cyber Tea," Tanya.

Tanya Janca: Thank you for having me, Ann.

Ann Johnson: It's just great to have you here. So, you have a diverse set of experiences from developer to educator to founder. Can you take the audience back to the beginning and briefly explain your career journey? Why did you get started in cybersecurity in the first place and what has kept you in the industry throughout your career?

Tanya Janca: I was a software developer for a really long time. And it sounds weird, but, after 17 years of doing the same thing, sometimes you get - not bored, but maybe you kind of want to expand or learn more. And, on top of that, I was a professional musician. And, so, I would perform in bars all over the city and travel to other cities and play festivals and stuff as sort of my hobby, because, apparently, I have a lot of free time. And, so, I was in a band and this pentester in my office, he was in a band. So, obviously, our bands had to play together and we became friends. And, for the next year and a half, constantly, he would say, "You should be a pentester. You would be so good. You should do that. Forget deving. Change - like you should change." And, so, he convinced me to become his apprentice and I learned about pentesting. And then I discovered AppSec. It sounds weird, but it's like a fish to water. Immediately, it made sense - more sense to me than pentesting. So, pentesting requires a lot of patience, a lot of attention to detail and a lot of alone time, where AppSec is very social, you do a whole bunch of different - like every single day is different. And like, as an extremely extroverted person, pentesting was hard for me. I'm like, "I never talk to anyone. Like I just spend so much time by myself." And it's weird, because coding, I spent a lot of time by myself, but I never found it lonely at all. But I found pentesting, like being in a data center freezing my buns off, not really - it didn't work for me. Yeah. And, so, I switched over into cybersecurity basically to try something new. And it turned out I really liked it.

Ann Johnson: That's fantastic. And I love that story, by the way. I love just how you first even heard about it. That's unique. The more people I talk to in the industry, the more I find that most folks did not have a traditional path.

Tanya Janca: It's true. I don't think there is a traditional path for cyber.

Ann Johnson: That is so great to hear, especially when we think about hiring. But we'll get to that. Anyway. So, among the many ways you engage with the community, you obviously were the founder and the CEO of We Hack Purple. I actually met you during - a little before that journey and then during that journey. That was acquired recently by Semgrep. But can you talk a little bit about the We Hack Purple mission, why'd you found it, if it's changed since the acquisition and how our listeners can engage with the organization?

Tanya Janca: Awesome. So, I started We Hack Purple because when I switched into cybersecurity there was no path and I wanted to learn about application security and I just - I didn't know how. I joined OWASP, I got a mentor, I got several mentors, like I met people, I started an open-source project and it felt like I had to do so much work to learn how to do this job. And there was no clear "this is what an AppSec engineer does." And, so, I started writing my first book, "Alice and Bob Learn AppSec," and I decided that I would make an online academy. And, so, I started first by just making one course and just seeing if it sold like a minimal, viable product. And, so, we sold 100 the first month. So, I was like, "Okay, so, apparently, there's a market for this if people do like it." So, then I redid it and made it way better. And then we created a community to support the academy. And it sounds weird, but it wasn't until year two where we started doing enterprise training. So, enterprise training pays very, very well compared to consumer training. So, individuals have less money than a giant enterprise company and making one small sale at a time is a lot harder than doing one big gigantic sale. And, so, we sort of started splitting our efforts where it was maybe like 20% was enterprise sales where I'd come in and do live training. And then that helped support this community that exploded. We have over 8,000 people just in the community and then over 6,000 students in the academy and then, you know, lots of followers online. And, so, basically, the mission was I wanted to create new AppSec engineers. I wanted people to be able to have an affordable education choice. And, so, now, thanks to Semgrep, all the classes are free, not in the academy, but in the community. And then - so, the mission is kind of expanding, if that makes sense, with Semgrep. So, I was just teaching AppSec and secure coding and like incident response and more generalized topics. 
And I had wanted to teach more products, but then you have to get licenses and then you have to negotiate. And I met with AppSec company after AppSec company and all of them - they wanted a ton of NDAs, they didn't want people to be able to really see their whole product. It sounds weird, but each company, it was so complex. And, so, I didn't want to teach products that were paid products, because every single company was so difficult. Like I couldn't get any of them to agree. And, so, then when Semgrep approached me, they were like, "Oh, yeah, you could totally - like we would love for you to teach people our product. We'd love for you to teach people how to make awesome application security programs." And like one of the steps is the things we do. Right? Like threat modeling, we don't do that, but people still need to learn it. So, my new job, I do customer training, which is like on the private side, but the public side of my job is I'm going to take their community of 3,000 people, my community of 8,000 people and try to smush them together into one big community and continue to have live free events all the time. And then, on top of that, open a new academy with the same courses, but more courses and make all of them free, because I don't have to pay bills now, that's their job. I just have to educate. And, so, we're going to open up, I hope, the Semgrep community in around January of next year, and then the academy, hopefully, by March or April, again, next year. Yeah, I'm already starting to build like new content, which is really exciting. Ann, this sounds so weird, but I just - I was so frustrated when I was trying to learn. There were so few resources. And I'm like, "I want to make it easy for someone to become an AppSec engineer." And like you don't have to use Semgrep to do it. You can use other products and that's okay. But I want there to be more people fighting the good fight alongside you and I.

Ann Johnson: It's awesome because, to your point, it's hard to learn. There aren't a lot of good resources. And I know, because I hear from people, you've made a tremendous impact on the industry, the community, through all of your roles. And it's an important topic. Right? You know, security and AppSec are very important, especially right now. We talk about it all the time. And you have a perspective that others don't have. Can you talk from that perspective? Talk about what developers should be doing differently or thinking about right now to ensure they're building more secure software.

Tanya Janca: Okay. So, if you're a software developer and you're listening to this, probably when you went to school to become a software developer, whether it be a boot camp or a university or a college, you probably didn't learn secure coding. So, the first thing I would suggest you do is try to find a course on secure coding. And, so, selfishly, I have a free course in We Hack Purple Community that you can just go take right now. And if you are listening to this and the Community is closed, so in about a year we're going to close it once we've moved everyone to Semgrep Academy, so just go to Semgrep Academy and take it there for free. There's other free courses. I don't know of one that's as intensive as ours, which - that's free, which is fine. If you work somewhere and your boss will pay, pay to take a secure coding course. That's even better. Do both. There's also this thing - so, sometimes they're called cyber ranges, sometimes they're called capture the flag, so sometime - there's all sorts of different names for them, but there are systems that you can buy a subscription to where they'll do secure coding exercises with you. I don't want to name a whole ton of companies because I don't want people to think I'm saying, "Do this one, not that one." But like look up "secure coding hands-on training," and do that. This is a great way for them to learn how to just make better code every time. Another thing you can do is let's say you're going to look up how to do something, so what I used to do as a dev is I would do that and I would end up on Stack Overflow quite a bit. Instead of just taking the first thing you find on Stack Overflow, look for the most secure way to do whatever you're doing. One way that I've been able to do that is like let's say I'm looking at authentication or authorization or whatever, I'll add "OWASP," O, W, A, S, P, to my search terms and I find that the results just improve drastically, as ridiculous as that sounds. 
So, they're an international nonprofit, they're a community, they run conferences, they run training, they run local meetups, they have open-source projects. I am a super, big, giant fan of OWASP. I'm a lifetime member. And they have so much content online. And, so, if you add the term "OWASP" to your search engine, I find the results' quality just goes way up. And the other thing you can do is learn how to do a secure system development life cycle. So, if you're doing DevOps or Agile or Waterfall or some other wacky SDLC, that's okay, but when you're doing requirements, maybe there should be a security requirement or two in there. When you're designing, maybe you could have the security person where you work review your design, or maybe you could invite them to threat model with you. So, each phase of the SDLC can have some sort of security activity. Ideally, your security team's going to initiate this with you, but, if they don't, you could ask, "What security stuff are we going to do as part of this project?" It sounds weird, but sometimes, Ann, if you just ask the question, you might find out you initiate quite a lot of activities later.

Ann Johnson: All really, really good prompts for people to understand where to go learn. I really appreciate you sharing them because I think, to your point, there isn't a lot of open knowledge. I also saw something in your blog that resonated with me, the concept of a security champion, someone who is a developer, by the way, who sits outside security, but helps promote secure development. Can you talk a little bit about the concept and why do you think these security champions are so important?

Tanya Janca: Absolutely. So, a security - the idea of a security champion program is that they're a person that is part of the regular business unit, so not part of the security team, that champions the cause of security and usually is responsible for the security work for their team. So, you could have a marketing person that's a security champion if you want to. Most security champions programs, though, we focus really heavily on software developers and/or software architects. And that's because they have so much security work to do, they have so much security work. Like their job is extremely important. And like, when they're building the software, testing the software, maintaining the software, there's so many different security activities and efforts that we need from them. And, so, my first AppSec program, I didn't even know what a security champions program was, but I accidentally built one. Just, basically, I taught everyone how to do dynamic scanning and I gave them a safe place to do it. And then, before I knew it, I had one person per team that was my person, they were my champion. And, so, I would always go and I would talk to that one person and say like, "Hey, did you scan this app? Like what did you find? How's it going? How can I help? What do you need?" And then, eventually, I got them to all meet each other and then I would just meet with them every month, instead of meeting with everyone. And then I, years later, read an article about security champions, I'm like, "Oh, that's how I run my AppSec programs." That's how I scale my efforts because I can't run 2,000 scans. I can't go through the results of 2,000 scans and then try to assign those bugs. I'm going to assign it to the wrong person. Right? So, if we have a person on each team that can tell me, "Hey, we need help with this," or "we're having this problem, can you assist," of course. Right? But I don't know unless there's that communication. I can't go and check on hundreds of people. 
And, so, a champions program just helps you scale out your security. It also, quite frankly - I don't know if I'm supposed to say this, but it's a great recruiting tool for the security team. So, if you have security champions and you have one that's just like so amazing and so curious and so passionate and interested, and then you end up having a junior role on your team, like this is the most perfect person you could ever hire, because they have corporate memory, they're fascinated and you've already trained them into like doing half the job you want them to do. Right? So, like it's the perfect combination of all the things. And, so, quite often, I end up recruiting from my champions, but, shh, don't tell anyone.

Ann Johnson: It's amazing. Right? And, to your point, scaling the program, but also having people who could speak a different language and don't always speak in cyberspeak, like having a marketing person be your security champion to go drive a culture of security in organizations is incredibly important.

Tanya Janca: Yes. And the marketing people have different security and privacy concerns than someone on the sales team or someone in the accounting team. Right? Like the accountants are really worried about fraud, where the marketing team probably really needs to worry about privacy and like respecting, you know, GDPR and things like that, like California privacy law, et cetera.

Ann Johnson: Exactly. And that's why you have to have so many people involved. So, can we talk about community? Look, you're a superhero in community. Right? And there are, you know, more women in cyber than there used to be, but we still have a long way to go to attract, to develop, to retain more women. From your perspective, what should industry leaders, founders, CEOs, everyone actually, be doing to ensure that we attract more women into the industry and we make it a more inclusive industry in which people want to stay long term?

Tanya Janca: I have a whole bunch of ideas. So, one of the first ones is mentoring. So, I mentor a bunch of different women. And I started a mentoring program, which we'll talk about later, because I couldn't mentor everyone. It turns out, I have limits, which is ridiculous, totally unfair. But, so, I find if you can - so, if you're a man or a woman, if you could mentor a woman or mentor someone else from like an underrepresented group in tech, so people that are disabled, people of color, all - like there's all sorts of people where there's not enough of them in tech, we need them to be fully represented. And, so, if you could reach out and lend yourself to mentoring those people and help basically give them a hand up so they can get to their first job or get promoted to their next job or that special introduction that leads to the job interview. So, mentoring is one part like which is more - mostly around learning, I often, quite frankly, confuse it with advocacy, so advocating for this person. So, stuff like making sure they meet the right person. Or, for instance, so I got accepted to a conference in California and I can't make it, and there is this woman I work with who's totally awesome, but she's way less well known than me. And I was like, "Will you please have her in my place? She's really great. Like I'll go over the presentation with her. I promise she'll be awesome." And they were like, "Okay." And, so, she's getting this shot on the main stage that she wouldn't have had. Right? And that was this morning. And, so, there's all these like opportunities that we have, especially later in our careers, where lots of doors are open to us and it's like maybe I could take someone's hand and bring them through the door with me. So, I would say that mentoring and advocacy is like a place I try to start. 
Another thing is if you know a woman and they don't have anyone else that they know, suggest some of the different communities that they could join where they're not the only woman in the room literally constantly. So, one of - one I really like is Women's Cyberjutsu. There's another one called The Diana Initiative and Day of Shecurity. Those are more like great, big conferences where it's mostly all women and allies. It's such a - I love Diana Initiative, it's just such a wonderful space. So, if you can find, you know, women-focused or LGBTQ-focused or people-of-color-focused, or whatever it is, a place where they're like, "I'm the majority. I'm comfortable. Everyone's had similar experiences to me so I can share with them and feel supported," if you can help them find those communities and connect. Another thing you can do is just make introductions. I have people introduce me a lot. Sometimes it's overwhelming. But introduce them to another woman that you know in cyber. And it does not have to be a famous woman. If anything, like if you see her on stage all the time, she's probably pretty busy, if you introduce her to someone else who is like maybe the manager of the AppSec team, right, that person will have more time for her, that person will be able to give her more attention. And, so, making some introductions so that they have someone that - where they recognize themselves, if that makes sense. I feel like representation really matters. And I know there are a lot of groups working really hard to help ensure we have more representation, whether it be on podcasts, at conferences. Like whenever anyone says to me like, "Oh, I can't find any women who are qualified to like speak at my conference, it's just totally impossible to find a podcast guest," I tell them I did 80 episodes of the "We Hack Purple Podcast" so far and 70 - or 68 of the guests were women in cyber. So, like just take a look and write one of them. There's not really any excuses anymore.

Ann Johnson: It's interesting. I want to pull the thread on a couple things you said. One, allyship is incredibly important. So, even if you are not a member of the community that the event is targeted to, that does not mean you should not be there. Those events are all inclusive and a lot of them are amazing. And, you know, Diana Initiative, Cyberjutsu, Executive Women's Forum, the work that they're doing in so many different communities, WiCyS, et cetera, I'm going to forget somebody, Girl Security, but there's a lot of different organizations that are doing just amazing work. So, don't feel like you have to be a member to show up and be an ally. I think that's incredibly important. The other thing you said that resonates for me is, obviously, we're doing a podcast, obviously, I host a podcast. There are more women in cyber than - I started in cyber almost 24 years ago. There are a lot more women than there were almost 24 years ago. I have a lot of female guests. Right? I have a lot of guests across a lot of different spectrums. But they're out there, you just have to ask. And I know, for me, Tanya, people just send me emails to say, "Can you speak at my x, can you do y," and I say, "Yeah, happy to." Right? So, it's - if I'm available. And if I'm not available, I suggest two or three other people. It's having the courage I think to send that initial email or to send that LinkedIn note. And I try to be responsive. It doesn't mean I can respond to everyone, but I really do try. And I know you do also.

Tanya Janca: Yeah, I actually have a list of women that I recommend if I can't do something. And, so, then it's like, "Well, at least they have a choice of like these 10 ladies." And then I cycle through the list. So, once one of them's been on a whole bunch of podcasts and done lots of things, I'm like, "You don't need to be on my list anymore. You have got this," and I put someone else on. And, so, even just, "No, I can't do it, but one of these ladies can do it for you," so the door isn't closed and there's no like, "Well, I asked this one super famous woman and she said no, and therefore all women are impossible." Yeah.

Ann Johnson: Exactly. Well, let's switch for a minute. You were a founder. Right? You had the courage, you left a big company, you founded your own thing. What challenges and concerns and advice would you like to give people in the industry who are trying to get something off the ground? What did you go through, what learnings, and what advice can you give folks that are saying, "You know what, I want to go found my own thing"?

Tanya Janca: So, I have a bunch of advice. Actually, someone at Diana Initiative asked about this and we ended up talking for quite a while. So, pick your cofounder very carefully. So, when I left Microsoft, I actually started a company that no one remembers because we failed very fast, just like DevOps, in only nine weeks. We had known each other quite a while, but it turned out what he thought versus what I thought didn't really gel, and like where he wanted to take the product versus where I wanted to take it. And, at the nine-week mark, I was like, "You know what? We could just fight about this for the next couple of years or we could just call it quits now and you go off and keep being awesome and I'm going to start something new." And, so, he went off and he did his own thing and is successful in his own right. And that's awesome. I was just like, "This is not feeling right." And if you're going to dedicate like 12 hours a day, because when you're a founder, you're dedicating a lot of time, and like it needs to feel right. So, pick your cofounder carefully. Another thing is that you should be very careful with the finances of your company. So, you personally, even if you're exhausted, should be reviewing your bookkeeping every month because things can get out of hand. There can be accidents, there can be mistakes. And I definitely have seen employees, I don't want to say be careless, but miss something that I wouldn't have missed, sign up for something or forget to cancel something that I'm - I would have noticed. And, so, I've always had to like watch things like a hawk. And I've had a lot of cofounder friends where they've had, you know, five, 10, 20, $30,000 mistakes from employees. Another thing is firing people does not feel good, but that is part of your job. And if someone needs to be fired, you've got to do it. So, you want to talk to them first. 
You want to try to resolve the issue, give them maybe one, two, three chances, and be very blunt with them about what the thing is. Like, "Hey, I give you assignments and you don't do them. What gives?" Or, you know, like, "You missed these three things. I asked you to double-check and you still missed them. So, what's going on here?" Whatever the thing is. And then, if you need to fire them, you should do it quickly, respectfully and immediately. I've seen it where people just keep someone on, they give them more chances. I had one of my leaders just fight with me to keep someone for a lot longer than I should have. And, when I fired that person, it turned out there were way more problems than I'd realized. Like when you let someone go who's causing problems in your team, the rest of the team suddenly soars. It was like we'd all lost 100 pounds and we all of a sudden could fly. Like when you take that person out that is causing friction all the time, or who is causing a lot of mistakes, you have no idea how hard the other employees have secretly been working to cover or fix the work of that person. And, so, it frees up your whole team. Firing people, it sucks, just to be clear. Like I've had employees like cry and be like, "Noooo." And it's like, "Listen, we've talked about this three times. I gave you three warnings. Like this is the fourth time. Like we're done now. You need to move on and like I don't suggest you work doing this job again because you're not good at it," or whatever the thing was. I didn't have to fire very many people, I think just three, the whole time. But, each one of them, it was like the whole team could soar all of a sudden. And then, lastly, read lots of books, talk to lots of people, get a professional mentor and learn as much as you can. 
So, I actually had already run several companies before, but they were property management companies, like concert hall promotion and stuff like that, like different types of small businesses, and this was the first time I did a company that scales, like a startup, where it got quite big. Like we had thousands of customers. Previously, I would have like 10 customers or five customers. Right? And learn as much as you can and don't assume you know everything. I still definitely do not know everything. So, maybe that is some pretty good advice to start with.

Ann Johnson: That's phenomenal advice. It's really great advice for somebody who's particularly never done it before. Right? You're super busy, you have lots of irons in the fire. Can you tell us a little bit about what you're working on today and what you're excited about?

Tanya Janca: Yes. Okay, so, right now, I'm trying to figure out how to combine the two giant communities, Semgrep and We Hack Purple, without losing anyone, if that makes sense. And, so, I'm really excited as we're like designing out the new community and all of the things that we're going to have and having a lot more support. So, before, I had to run a lot of things with a very small team at We Hack Purple, but Semgrep's a much bigger company, and there's so many people that work there that it's not their job, but they're very passionate about helping. And, so, they'll just go way out of their way, off the side of their desk to help me with various projects. And it's very nice. And then, so, I'm building up the plan to then try to migrate the two communities to this new platform. And then we've already started having lots of events. So, we had an event yesterday with Leigh Honeywell, who I believe you know, who's pretty amazing. And she gave this big talk about digital privacy and then answered questions for our community about how to, you know, like help protect your children, protect your elderly parents, et cetera, on the internet. So, that's one thing, like this giant community project. And then I'm going to be the full-time community manager of that. And then the other project is the Education Project. And, so, I'm designing lots of training. So, we're going to take the We Hack Purple training, but I'm designing more training, and not just product training. And the idea is that then, as soon as I've practiced it on enough customers, then I'm going to record it and turn it all into on-demand courses where anyone in the world could take it. And I'm excited that when you have things on-demand then it can scale. Right? Because I can't teach every single company or every single person, but if we have an online system, like a learning management system, or an LMS, it can. And, so, that was some of the magic with We Hack Purple. 
But I had much smaller budgets with We Hack Purple. Semgrep's like, "Let's do this," because I was like, "I want to be able to, you know, buy a system where we can easily have 20,000 students." They were like, "Okay, go find one. Let's do it." And, so, that's pretty exciting for me, the idea that - not that there's no limits, but the limits are much, much, much bigger than I could do before. I'm also working on my second book, which is "Alice and Bob Learn Secure Coding." I am almost on chapter five. And I want this book to be a book we could just give to developers or that could be part of a computer science program. Because when I wrote my first book, I wrote it because it didn't exist, there were no books that were "this is how to do AppSec." And now there's three, which is awesome. Thank you, Derek, and thank you the other person who wrote the other one. But now there's more content. Right? And I know that there are several secure coding books that exist already. But my books are weird. Let's face it, Ann, my books are weird. I am dyslexic. So, I teach - I'll teach in like a whole bunch of different ways. I'll have pictures and drawings, I'll have stories about Alice and Bob and how these things affect them. And, so, like it's not necessarily like a normal textbook. And, so, "Alice and Bob Learn" is going to cover like generic like rules that apply to any language. Then we're going to dig into very popular languages and frameworks. And then we're going to talk about a secure system development life cycle, because I cannot help myself and I always talk about that. But I'm hoping this is a book that they might actually teach in university, because I know that a lot of organizations that I've spoken to, they're like, "We don't have a person that can teach AppSec. So, we can't have your textbook." And, so, what I did with it was I taught it online for free and made lessons and put them on my YouTube for free. And they've had thousands of views. 
So, clearly, people wanted to attend the lectures. But I'm hoping with this book, because it's for computer science students, that the computer science professor will be able to teach to it. And I might have to make a lesson plan, we'll see, but I want to try to scale myself. And, Ann, you work at Microsoft, so you know. When I worked there, my boss was always like, "That's great, but how can it scale, Tanya?"

Ann Johnson: Exactly.

Tanya Janca: The cloning machine's still broken. So, until we have that and we can have 100 Tanyas, how can we scale this? Writing a book instead of writing one email, right, streaming something or recording it instead of getting on an airplane. And, so, if I can make it a way for university or college professors to teach this for themselves, everyone wins. So, I have a lot of big goals.

Ann Johnson: They're all fabulous. And, to your point, you said you write a different kind of book, but everybody has different learning styles. And I bet you there aren't a lot of books out there for developers who are also dyslexic. And I'm sure there are many that are. So, it's fabulous that you're writing with a different style and a different learning style, and also probably developing a lesson plan. I want to thank you. I know how busy you are. I want to thank you for chatting with us today. I want to congratulate you for all the success you've had in the industry. And I know you're a leader that many, many people follow and women look up to you and aspire to be you. As we close, also, I'm a cyber optimist. I always believe that we're one step ahead of the bad guys and there's millions of events that aren't reported and there's a couple you see in the news that get all - you know, they get all the attention. And the ones that aren't reported are because we've stayed ahead of the bad guys. With that in mind, as we wrap, what are you optimistic about, the future, your perspective and how we continue to come together and defend the digital world?

Tanya Janca: I am optimistic that we are getting a lot more help than we ever got before. So, the governments are starting to take this seriously and they're actually educating their citizens. I never thought I would see the day where the Canadian government made lessons for the Canadian public. They even released an anti-malware tool so that you can scan things to see if they're malware, and made it free. Right? And I know the American government, CISA and NIST and other parts of many different governments, are like actually working to secure their citizens rather than "that's an individual problem, you deal with it." Now it's like, "No, this is our problem. If it's hurting our citizens, we're going to take responsibility." It's not perfect yet, but they're starting. I'm seeing tools actually work. So, when I started in AppSec, I remember I used a static analysis tool and I'm like, "Is this thing on? It's been running 18 hours, what's going on?" And then it printed out hundreds of results and it was almost only false positives. And I'm like, "This is garbage, just throw it in the garbage." And now we have tools where it's like 98% true positives and it runs in three minutes instead of three days. And I'm just like, "Wow, things have really improved." I am also seeing - so, I'm - education, post-secondary academia is very slow, but what I'm seeing instead is individuals deciding they want to better themselves and attending a talk or attending a conference or attend - like watching videos and doing on-demand classes and stuff like that. So, I'm seeing individuals step up, even if I'm not seeing academia do it as often, but I'm hopeful still with academia. Please, we want to see you do this, too. Another thing is with AI and ML, I know everyone's talking about that, and it is a very popular topic. But I'm very hopeful it's going to help us do security better. Right?
I'm seeing so many vendors adding it to their products like to help check - you know, to remove false positives, to help triage, to give advice, to help show you how to fix things. Like Microsoft Security Copilot, yeah, I'm excited.

Ann Johnson: It's very cool. Thank you.

Tanya Janca: Right? No, but, first, we started with Copilot and I was like, "Oh, no, it's learning that crappy code." But then we changed, right, and we're like, "We're going to give you higher quality advice." Like OWASP created an LLM as well that's just trained only on all of the OWASP Wiki, which is created by hundreds and even thousands of AppSec experts. Right? And, so, I feel like, at first, maybe we stumbled a little bit with AI and ML, like we do with every new technology. But I think that this could be a tool that could make things way, way, way better. And then, lastly, community. I am seeing the cybersecurity community grow and grow and grow and become more positive and become more diverse. Over time, my OWASP chapter changed to be all ages, all genders, all races, all like just all sorts of people. And it started to look like my city instead of just looking like tech. And, so, I'm very optimistic about how community is bringing a lot of us together and helping us learn and grow. And that it's just helping our industry change for the better.

Ann Johnson: I agree that OWASP and other, you know, industry consortiums are doing a whole lot to make cybersecurity more accessible and also improving the industry. Tanya, thank you again for taking the time to join me today.

Tanya Janca: Thank you so much for having me on. And you're a woman that a lot of people look up to, too. So, I just want to say I see you and I love what you're doing as well.

Ann Johnson: Thank you. And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." I invited Tanya on the podcast because I just thought she - well, it's not my thought, I know, she's this exceptional woman in cyber that people look up to and she's done so much in her career from founding her own company, working at big companies, writing books. She is fully committed to secure application development, has a point of view on it. And she was an exceptional guest. You will get a lot out of this episode.