Security Unlocked 8.25.21
Ep 42 | 8.25.21

Turning to the Purple Side

Transcript

Nic Fillingham: Hello, and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. 

Natalia Godyla: And now let's unlock the pod. 

Natalia Godyla: Hello, everyone. Welcome to another episode of Security Unlocked. Summer is winding down. And plenty of folks are happily out of office. I, myself, will be on vacation in a week. But today, Nic is out of office, enjoying some much-needed time off. And I will be introing our episode for today. And it's an exciting one. 

Natalia Godyla: For the first time, we will actually be joined by an industry expert outside of Microsoft, Tanya Janca, who is CEO and founder of We Hack Purple Academy and an expert in application security, a topic we really haven't discussed on the podcast to date. So she is going to talk to us about how to build an application security program - everything from the methodologies and frameworks that you should keep in mind to how to integrate your two teams - the security and development teams - to ensure more secure applications. It's a really great episode. She comes prepared with a ton of practical advice. So for anyone who's looking to dip their toes in the AppSec waters, this is the episode for you. And I think with that, on the pod. 

Natalia Godyla: Welcome, everyone. Today, we have a very exciting guest appearance. So we have Tanya Janca with us, CEO and founder of We Hack Purple. Welcome to the show, Tanya. 

Tanya Janca: Thank you so much for having me. 

Natalia Godyla: Oh, we're thrilled to have you. It'll be a great conversation, I'm sure. But before we dive into all things AppSec, let's just intro you to our audience. So can you tell us about yourself, Tanya? What's your career been like? What are you up to now? 

Tanya Janca: (Laughter) I used to be a software developer for a very long time. And then I guess I caught the security bug. And I became really obsessed with the security of software. And I figured out, to be quite honest, that I could get in free for conferences if I spoke at them. So I started... 

Natalia Godyla: (Laughter). 

Tanya Janca: ...Just applying at (laughter) conferences - right? And it's really expensive to go to all the conferences and, like, get into all the trainings that you really want and, like, finding the secret pathway in. So then I started speaking at tons of conferences. And then Microsoft recruited me to be there as your security advocate for quite a while. 

Tanya Janca: And then I left Microsoft to form my own company. And we are called We Hack Purple. And we have this free online community where everyone can be nerds about security of software and DevOps and AppSec, etc. And then we have Academy courses. And we released a new one today. And it's just - it's very exciting to be able to positively affect lots of people in my industry. 

Nic Fillingham: I think I know the answer to this question, Tanya, but We Hack Purple. Tell us about the name of your company, how you chose that. And what is the meaning of We Hack Purple? 

Tanya Janca: So it sounds weird. But - so when I started in security, I got into penetration testing, which is sort of offensive security, where you attack things and you test the limits, etc. But then I discovered I really like hanging out with devs because I've been a dev literally since I was a teenager. And so I just - as a pen tester, I just kept going and visiting them and talking to them. And I'm like, let's threat model this. Let me help you fix that. 

Tanya Janca: And then it turned out that's a job, where you're sort of that person in between the devs and the security team. And you help them with a secure system development life cycle, etc. But I also kept pen testing things. And so I kept kind of doing blue team defense things and then red team offensive things. And one day someone said, well, you're purple team. You're that person that does both. And I was like, oh, I had no idea there was a name for that. 

Tanya Janca: (Laughter). 

Tanya Janca: So then when I - it sounds so silly, but I went to make a Twitter account because WannaCry had, like, broken out live at AppSec EU in 2016 or 2018. I was speaking there. And I kept asking everyone for updates. And someone said, Tanya, be a grown-up infosec adult and get your own Twitter account. 

Nic Fillingham: (Laughter). 

Tanya Janca: She was teasing me 'cause I was, like, literally watching over her shoulder. She's like, Tanya, just - they're free. Just get an account. It's free. And so my email address was shehackscomputers. So I'm like, I guess that'll be my Twitter handle. And they're like, that's too long. So I was like, I don't know, maybe shehackspurple. And then that fit. 

Natalia Godyla: (Laughter). 

Tanya Janca: And that became sort of my jam - my purple. So I put some purple in my hair, got some purple shirts and dresses. And I don't know. It just became this thing. And so when I first started my company, I just put shehackspurple and then .dev because developers. But then people thought it was just for women. And I was like, no, everyone is invited. 

Tanya Janca: So we changed it to We Hack Purple so that it would be more inclusive and everyone would know, you know, you're welcome here. You're wanted here. And then also, then it could be, like, separate from my personal identity. So I could just tweet all the silly things that I tweet, like when people drive slow in the left-hand lane... 

Natalia Godyla: (Laughter). 

Tanya Janca: ...And how that is obviously a crime against humanity - and other things like that doesn't come from the company account anymore (laughter). Yeah. My American people are like... 

Nic Fillingham: But should it? 

Tanya Janca: ...No. 

(LAUGHTER) 

Nic Fillingham: I have another question. Can I jump in here, Natalia? I know you've got a very well-thought-out agenda, but I'm going to completely derail it. I want to know who Alice and Bob are. 

Tanya Janca: Yeah. So I wrote a book called "Alice and Bob Learn Application Security." So in the book, Alice and Bob - so it's a textbook, but they have health conditions. And actually, Alice has diabetes, and she has a thing that monitors it and, like, helps her be safe and make sure, like, her levels are exactly where they should be. And I talk about, like, you know, if the availability of that system was not OK, what would happen? Well, Bob has a pacemaker. And the idea is, if you can see how this could attach to a real person in your life and how the security decision affects, you know, your loved ones or your coworkers or real-life humans that aren't you, it's easier to make security decisions that are better. 

Natalia Godyla: I love the contextualizing of the conversation and the empathy embedded in that. So We Hack Purple and the "Alice and Bob Learn Application Security" book, who are they for? And a broader question - who should really be involved in AppSec? 

Tanya Janca: So "Alice and Bob" was written for anyone that works in tech so that they could understand the idea of, like, why we need to secure software and good habits for protecting your digital privacy and, like, the basics of infosec. So there's, like, a bunch of beginner chapters where literally your grandma could read it and it could help her, and then there's chapters that are specifically for software developers and people who work in application security. But the idea is that you could read this and then go work in application security or design a secure system development lifecycle. 

Tanya Janca: Or as a developer, you're like, I am a security champion now and know how to build secure apps - well, the academy, the We Hack Purple Academy, the idea is that - we have a bunch of different courses now. So we have a secure coding course, where it's kind of fun, and it teaches you how to make apps that are safe enough to put on the internet. That's what I like to call it. And it also has a great, big checkmark for PCI compliance because it turns out that then you're trying to get selected a lot more often, so there's extra kind of bells and whistles to check that big box. But it's an agnostic course. Then we also have this full program that you graduate from and get a certification, and that's how to become an application security engineer. 

Nic Fillingham: Is there a particular methodology or framework that you rally everything behind? Do you try and teach sort of a broad spectrum of approaches, or is there sort of one that you're behind as a champion for? 

Tanya Janca: I don't have a specific framework that I teach. So I - like, I follow the things in my book, I guess. So for application security, there are some frameworks that are out there. So basically, there's BSIMM, which is more like a business-related approach. And then there's OWASP SAMM. So it's the maturity model, where basically - where, like, you can rank your AppSec program and see how mature it is and options for becoming more mature. But I'm like, what if you're starting at nothing? Like, you would not believe how many, like, consulting calls I'll do where they have nothing. These are modern giant companies that do millions and millions of dollars that make custom apps, and they're just hoping their devs handle it. And so I try to assume that they are starting at zero and work up from there and try to help them make good choices. 

Tanya Janca: I also, as weird as this may sound, cover soft skills and empathy quite a bit in the security courses because if you are a security person that runs around and tells everyone how wrong they are, you're not going to get very far. So we talk a lot about how to talk to developers - spoiler alert, with respect. Like, in the AppSec foundation's program, I have, like, an entire section on how to give a lunch-and-learn and not, like, do death by PowerPoint, how to have them feel like you're there to help them, not accost them or insult them. The security team is here to help you do your job as safely and securely as you can. We're not here to get in the way of your deadlines. We're not here to give you headaches. I don't know if either of you have had this happen, but, like, the first time I had someone run a vulnerability scanner on an app that I wrote, they sent me this giant, long report that hadn't validated it, and they're like, your app is crap; we found three things wrong with it. And I'm like, well, three is actually not very bad for UAT testing, so I don't know, like... 

Nic Fillingham: (Laughter) You only found three? 

Tanya Janca: ...Fair? Yeah, I'm like, OK. And they're like, you have to fix all of them. I was like, oh. I was like, can we talk about what they are? And they're like, you should know. And it just felt like a lot of shame and a lot of, like, you're the problem. And it's 'cause they didn't know, and they felt insecure, so they put their insecurities onto me. I've had people say, you know, admitting vulnerability at work, like, that is - it's actually amazing to just say, I'm sorry; I don't know the answer, but I'll look it up, and I'll find it for you. So let's talk to them like they're smart, amazing human beings who have jobs to do. 

Natalia Godyla: I feel like it's all, also, founding a conversation on developing an ongoing relationship with devs as a security practitioner. So I have a couple of questions. I'm going to just start with - how would you establish an ongoing relationship? In the example you share, like, the vulnerability scan - that's a point-in-time event. But I know that you want to find champions. You want to continue the conversation with devs. You want the devs to continuously think about security, even before you bring it up. So how can you bridge the gap between the two teams? What kind of cadence should it be? 

Tanya Janca: I would start working somewhere. And that's a great excuse to, like, walk around and meet everyone. Lots of security teams I've started on, they've never talked to any devs. They don't know any of their names. They send emails to the managers sometimes, and they will send, like, an email saying, there is a new policy; read it. How do you know they're going to follow it? So for instance, if I'm going to do a policy, I'll send an email to all the devs and say, hey, I'm working on this policy. I have a rough draft. I really need feedback from you, right? Like, when you create a security policy, you don't know if you're going to do something where it means they can't get their job done anymore - or that's impossible with this technology we're using. Or we have a bunch of legacy apps, and are we going to be fired as soon as that policy comes into place because our legacy apps aren't compliant immediately? Like, what's the plan here? 

Tanya Janca: And so just having meetings and coffee and talking with people - right? - and I would just tell them about the things I want. So it sounds weird, but I'll have these little silly security newsletters where I'm like, hey, we have this policy coming, and we need opinions, and also, I'm going to do a lunch-and-learn on this topic. And also, I listened to this podcast about this framework; I know some of you use it, and I thought it was neato, and maybe you want to listen to it. The end. And it's just really short and just telling them what's coming. 

Natalia Godyla: How about ongoing threat modeling? So I love the development of the relationship, like you said - the moments in which you're going to have a concentrated conversation about a particular vulnerability. But there's also just the proactive thinking between devs and security on what kinds of threats they should be aware of for their particular apps or for the business. 

Tanya Janca: I am a big fan of threat modeling. However, threat modeling doesn't always scale well. So I've worked places where there's 400 devs and me. And if I try to threat model every app, I'm going to fall apart, right? And there's not going to be time for anything else. So quite often, what I try to do is let them all know, if you need me, I'm here. So a bunch of places I've worked, I've been allowed to start security champion programs. And so that's where you usually have, like, one member of each dev team, and they're a champion for the security team. And so I'll show those ones how to do very basic threat modeling and then hope that they do that and call me in if there's something where they don't know what to do. So if you can do that, that's awesome. Starting a program is a lot of work. You have to meet with them, you know, maybe once a month and talk with them. You have to train them how to do the things you want. It really depends on how many people there are. So most of the threat modeling I have done has been one-off specific projects that I've been assigned to as the security person, like the rep for that project or on consulting. So it's like I'm doing a pen test, and I'm like, well, guess what? I'm going to do a threat model with you now, and I'm going to whiteboard out this app with you. 

Tanya Janca: Adam Shostack wrote a book about - so he used to work at Microsoft, and he wrote it when he was at Microsoft. And it's the Microsoft threat modeling book. And he has a simpler, smaller model that he does. And I believe he asks, so what are we doing? What could go wrong? Did we do a good job? And it's funny he had to add the question, did we do a good job, because it turns out sometimes people are like, well, this is what we're doing - it's like, and is that a good job? And if the dev themselves says, well, no, then it's like, OK, so that means we have some threats we need to mitigate, right? And so just what are we doing is a pretty good way to start a conversation, and especially if you can have a whiteboard so you can kind of draw it out as a picture - do you know what I mean? - and, like, just walking them through and asking simple questions as a security-minded person. Threat modeling is a lot about a conversation. And I know you can be very formal. You can have attack trees. You can have, you know, the PASTA - entire methodology. And I'm not saying those aren't good. Those are amazing. I just usually can't afford to do them. 

Natalia Godyla: So I know we have just a few minutes left here, so I wanted to wrap on some quick takeaways for security practitioners listening to this episode. So for best practices for security practitioners approaching application security, what are the top three things they should be thinking about? 

Tanya Janca: OK. So the first thing you want to do is evaluate the way that you are communicating to the software developers and the rest of IT and make sure you're communicating in a positive way and that you are communicating. Lots of security teams, they just say nothing all the time, and then they don't understand why people aren't following their policies. No, we don't even know that you had that policy. So making sure that you are communicating and you're communicating in a positive way - and that doesn't mean you have to send, like, rainbows with ponies and, like, they have wings and unicorns and stuff. But we have this policy, and we're going to have, like, an open office for these two hours, and, like, we'll just walk you through it if you want or talk about it or if you have concerns. 

Tanya Janca: So communicating the things that you want in a positive, respectful way. And then, two, educating people on what you want - so communicating, telling them, there is this policy, holding a workshop and teaching it to them, to make sure that they know the things you want. You can't assume when you hire a software developer that they just understand how to code securely or that they know how to do security architecture or any of those things because they do not teach it in university. There are some universities that teach a couple things, but there are no universities that I am aware of that are turning out application security professionals or software developers that write perfect code. And so you can't assume they know it. And so offer to share your knowledge. 

Tanya Janca: And then the third best practice or thing that security professionals should be aware of is continuous learning for yourself. So you have to keep learning. You cannot stop. And it doesn't mean that it has to cost you a ton of money. Like, that could mean signing up for some really awesome newsletters and just reading them when you have time, right? It could mean downloading a bunch of podcasts, and then let's say you go to the gym - just, like, listening to podcasts while you're at the gym or while you're driving somewhere doing some sort of mindless task, and you could be listening to something, and you could be learning. There's buying books - all the things, right? Finding the thing that works really well for you and then investing in that for yourself - or getting your boss to pay 'cause I have had bosses pay for all sorts of interesting things for me or for my team. Like, I had a lot of software developers, and two of them, every year, all they wanted was Safari Books Online. They're like, there's cool videos, and I can read as many books as I want, and I do read them; I read tons of books. I'm like, awesome, way cheaper than actually buying all those books, right? And so it's about prioritizing for yourself to learn and then sharing that information as much as you can with the people that you work with. 

Natalia Godyla: So evaluating how you communicate with the dev team and then... 

Tanya Janca: Sharing knowledge as much as possible. Every opportunity is a teaching moment. 

Natalia Godyla: And then continuous learning - identifying ways that you yourself can continue to learn and therefore share that knowledge back out. Before we wrap up here, I wanted to see if there's anything else that you wanted to share with our audience. 

Tanya Janca: We just made that We Hack Purple community free. So our business is making more money, which is awesome, and so we used to charge for people to join. And I really wanted to open it. And so I held a vote 'cause that's how I am, and I asked all the community members to vote. And it was unanimous - yes, we want more people. And I was like, I still want to have a barrier to entry because I don't want jerks to come in to the community. So you have to answer a couple of questions. And as long as you're not, like, I'm a big jerk... 

Nic Fillingham: Is the first question, are you a jerk? 

Natalia Godyla: (Laughter). 

Tanya Janca: I know, right? Like, I felt like that was too forward. But like, why do you want to join this community? And what are you looking to get out of it, right? And then we have this nice onboarding where it's like, you get to say hi to everyone, and then we send you some resources to start. And you can sign up for, like, content to direct to you. So like, let's say you're super beginner. You know nothing. Or you're like, actually, I've been in the game a really long time, so just send me the really hard stuff. Or I want cloud. I want dev ops or whatever. And so then it's like this nice introduction. And, you know, we have events and stuff. And so it's free now. And if you want to meet like-minded people and, like, to see, you know, articles, conversations, we have, like, live, free online events. Go to community.wehackpurple.com and just answer the nice, little questions. And please don't say that you're a jerk. It's a place for you to meet your peers and learn and hopefully become friends. 

Nic Fillingham: Aw, friends - that sounds great. 

Tanya Janca: Yeah, actually, you know, like... 

Nic Fillingham: Everyone needs more friends. 

Tanya Janca: ...A lot of people have become friends. It's, like, kind of awesome. And, like, a bunch of us had a stream a couple of weeks ago where we just got together and told each other cool sci-fi books that we like. And then all of us, like, we're switching books that we liked and then reading them, and then, of course, we have to check in in a few months and be like, I read this one, and that one, I didn't like it, and here's why, but these ones are really awesome. And, like, are there more like this? Et cetera. And just all... 

Nic Fillingham: We have to close, then... 

Tanya Janca: Yeah? 

Nic Fillingham: ...With your sci-fi books. What are your sci-fi book recommendations? It's got to be the close here. 

Tanya Janca: Oh, my gosh. I have so many. So, I mean, this is going to sound stereotypical, but "The Expanse." 

Nic Fillingham: I know. I know. 

Tanya Janca: I have no idea - I just - I loved the books. And then I watched the show, and I was like, no, Naomi's way tougher than that. She would just punch everyone in the face. Why have you ruined her character, you know? 

Nic Fillingham: I love the books, too. I'm reading them. I'm waiting for the next one. I can't wait. 

Tanya Janca: Oh, yeah. I've heard of it... 

Nic Fillingham: What else? What else? 

Tanya Janca: Oh, my gosh. There's so many. So anything by Octavia E. Butler. So she - I believe she's passed away now, but she was the first famous Black woman sci-fi writer. I didn't know that when I started reading her. But I read one book, and it was so good. And then I read another one, another one, and then before I knew it, I'd read I think 24 of her books. She's absolutely out-of-this-world incredible. "Children Of Time" - it's very, very weird, very, very weird. And so, like, that author whose name I can't pronounce, he has, like, so many different, like, just wacky, wacky sci-fi books. And there's another one I just read, oh... 

Nic Fillingham: Adrian Tchaikovsky - is that the author? 

Tanya Janca: Yes, that guy. Yeah, that guy. 

Nic Fillingham: Yes. All right, so... 

Tanya Janca: I'm reading one of his books now, too, yeah. There are so many amazing sci-fi books. But yeah, check out... 

Nic Fillingham: Is there a thread, Tanya, that has them? Or do you have to be a member of the We Hack Purple community to see the list of recommended sci-fi books? 

Tanya Janca: (Laughter) Well, it was actually - it was all in - it was just, like, in a livestream we did. 

Nic Fillingham: Oh, it was all in the chat thing - oh, the livestream. Got it. 

Tanya Janca: But yeah, so I guess that we're going to have a sci-fi channel now. I guess that's all that we can do because we just make channels for whatever we want to talk about. And so, like, we have, like, an OWASP channel where we just chat OWASP-y things. And, like, I made the community so I could hang out there, as bad as that sounds. 

(LAUGHTER) 

Tanya Janca: Like, I made, like, the nicest, funnest, softest kind of - we all just get to discuss, like, you know, we're thinking of getting a new type of this tool at work, and we're looking at these. Like, can anyone tell me, like, secret sauce on them? And it's like, yeah, oh, my gosh, this, that, and it's - I think it's really important. And yeah, we post jobs all the time. And someone wrote me on Friday to say he applied to one of them, and he got it. So yeah, it's just, like, a nice place for people to hang out and kind of share security stuff. 

Nic Fillingham: Well, I'm sold. I'll be joining the community, assuming that you're happy with my answer to whether or not I'm a jerk. 

(LAUGHTER) 

Nic Fillingham: But, Tanya Janca, thanks so much for being on "Security Unlocked." And congrats on the launch of the new training course today. I think we'll put some links to all of this stuff in the show notes. And perhaps we'll see you again on the "Security Unlocked" podcast another day. 

Tanya Janca: Absolutely. Thank you, Nic. Thank you, Natalia. This has been great. 

Natalia Godyla: Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us at @msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.