Multi-Factor Authentication (MFA)

** This article is for beginners in security or other IT folk, not security experts. 😀

Recently you may have noticed me calling out several Canadian banks for not allowing users to add multi-factor authentication (MFA) to their online banking accounts. This blog post will detail what I mean by this, why it’s important, and why I’m pushing for it.

Update: you can follow community activities online on this topic with the hashtag #MFAally.

Me, hassling a Canadian Bank about their lack of MFA. They have since implemented MFA!

Two-factor or multi-factor authentication (2FA or MFA) means using more than one factor to prove that you are the real, authentic, you. A “factor” of authentication is a method of proving who you are, to a computer. Currently there are only 3 types: something you have, something you are and something you know.

  • Something you have: a phone, laptop, hardware token that generates codes, or your badge for work. Something that should only ever be in your possession.
  • Something you are: your fingerprint, an iris scan, your gait (the way you walk), or your DNA. Something that is physically unique to you.
  • Something you know: a password, a passphrase, a pattern, or a combination of several pieces of information (often referred to as “security questions”) such as your mother’s maiden name, your date of birth and your social insurance number. The idea is that it is something only YOU would know.

When we log into accounts online with only a username and password, we are using only one “factor” of authentication, and that is less secure than using two or more. When accounts are broken into or data is stolen, it is very often because only one factor was protecting them.

When passwords are breached, users that have a second factor of authentication are still protected: the attacker has the password but not the second factor. Likewise, when someone tries to brute force a system or account that has MFA enabled, even if they eventually guess the password, they still can’t get in without the second factor. Using a second factor makes your online accounts significantly more difficult to break into.

Microsoft Authenticator app

When Cloud Shell logged me out on stage (how embarrassing!) at MSIgniteTheTour in Hong Kong this past winter, I used my username and password (2 things that I know, meaning two of the SAME factor), plus the Microsoft Authenticator app (something I had), on my phone (something else that I had), which asked for my finger print (something that I am). That means I logged back in using all three factors of authentication. Even though I know it inadvertently made a great demo of the Microsoft products I was using, getting logged out mid-demo was embarrassing…

Demo-failure aside, let’s talk about what MFA is, what it is not, and why it is so important.

Examples of MFA

Multi-Factor: Entering your username and password, then having to use a second device or physical token to receive a code to authenticate. The username and password are one factor (something you know) and using a second device is the second factor (something you have).

Not multi-factor: a username AND a password. These are two examples of the SAME factor; they are both something that you know. Multi-factor authentication means using more than one of the different types of factors, not two or more of the same type.

Not multi-factor: using a username and password, and then answering security questions. These are two of the *same* factor, something you know.
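As an added example (not code from the original post), here is the mechanism behind the “code from a second device” factor described above: the RFC 6238 TOTP algorithm that Microsoft Authenticator, Google Authenticator and most code-generating tokens implement. Server and device share a secret at enrolment; both derive a short-lived code from it, so a stolen or guessed password alone never produces a valid code. The secret, timestamps and the “login” in the demo are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0, 30 s steps)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Tolerates +/- `window` steps of clock drift between the
    phone and the server, and compares in constant time."""
    if at is None:
        at = int(time.time())
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift, digits), submitted)
        for drift in range(-window, window + 1)
    )


def new_secret() -> str:
    """Enrolment: a fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Apps often display the secret in lowercase, with spaces, or without '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed demo: enrol a device, then "log in" with password + current code.
    shared = new_secret()                        # shown to the user as a QR code at enrolment
    key = decode_secret(shared)
    device_code = totp(key)                      # what the phone displays right now
    print("code:", device_code, "accepted:", verify_totp(key, device_code))
    print("password stolen, code guessed as 000000:", verify_totp(key, "000000"))
```

The caveat a defender would add: a code like this proves possession of the device, but a phishing page that relays the code in real time can still use it within the 30-second window, which is why phishing-resistant factors (FIDO2/WebAuthn keys) are preferred where available. Even so, as the post argues, it defeats the password-only attacks that account for most break-ins.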

My attempt to demonstrate “Something you know”

Many in our industry disagree as to whether using your phone to receive an SMS (text message) with a PIN is a “good” implementation of MFA, as there are known security flaws within the SMS protocol and some implementations of it. My (potentially unpopular) opinion is that I would rather have a pretty-darn-good second factor of authentication than only one factor, and that if this is the trade-off (convenience versus perfect security) needed to convince the average user to adopt 2FA, I’m in favour of using SMS as a second factor.

The number one piece of security advice that Azure Security Center gives anyone and everyone is to enable multi-factor authentication on all of your subscriptions; protecting the keys to your (cloud) kingdom is paramount. In fact, enabling multi-factor auth (MFA or 2FA for short) is industry best practice, and is constantly prescribed by security professionals to technical and non-technical people alike for all of their important accounts. Yet strangely, less than 10% of accounts on Google and other popular platforms have 2FA enabled. Why?

I suspect that the reason is twofold: 1) it’s not always convenient and 2) the public simply does not understand the risk. And while most of us are not in a position to change #1, every one of us can work on changing #2.

I’d like to appeal to you, dear reader, to try to explain MFA to someone in your life, at work or at home, and ask them to enable it on their important accounts. I’d also like to ask you to enable 2FA for yourself, both at home and at work, if you haven’t already. It might save you or someone you love from some serious heartache.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

Why ‘She Hacks PURPLE’?

The story of my handle: SheHacksPurple.

Whenever I ask an audience “Who here is Blue Team? Raise your hand if you’re Blue Team.” I tend to have one to two cautious hands go up in the back. I raise my hand as well. I explain “If you are defender, you are blue team.” More hands.

“If you fix bugs. If you patch servers. If you configure the firewall. If you do anything that helps protect your systems or data, you are a defender. YOU are blue team.”

Lots of hands. Now back to my original topic: red team.

“Red team are the attackers. When I do a penetration test, I’m an attacker. When I feed nasty data into your app and talk maliciously to your API; I’m red team. Who here is red team?” Hands go up.

I raise my other hand. Both of my hands are now up.

“As an AppSec person I am both an attacker AND a defender. I am both red and blue team. This makes me purple team.”

Self Portrait

When I created my handle for twitter my original choice of “SheHacksComputers” was 1 character too long. I thought “But that’s what I do, I hack computers.” It was just at this point in my career that I had decided that I wanted to do AppSec full time, as opposed to being a pure red teamer/penetration tester. I was aware that being a red teamer would be more glamorous, and I figured it would likely pay more as well, but AppSec felt like the place I belonged. Especially once I became part of the OWASP community. I knew that I wanted to be able to not only find the problems, I wanted to be able to root out the cause and make sure it never happened again. It just made sense.

And with that, I changed “computers” to “purple”, and the rest is history.


Promoting Yourself on Social Media

Many people who are aspiring to become a public speaker ask me how to conduct themselves on social media or promote a talk once they have been accepted to speak somewhere. Having been a professional musician for a long time before I worked in InfoSec, I am used to trying to promote my events and set myself and my art apart from others. With this in mind, I humbly offer the following suggestions to help you gain social media followers or attract people to your events or work.

My original ‘SheHacksPurple’ logo. That lady has come a long way since then!
  • Tweet about your events and your work! Share on LinkedIn! Talk about what you are doing and what you want to bring attention to. Send a tweet to your followers to tell them what’s new in your work, research you’ve released, or an article you have written. If you are doing things you are proud of in your professional life, you should tell people about them.
  • Send a tweet to other speakers at the same conference that you are speaking at, congratulating them or telling them you are looking forward to their talk (note, only do this if it’s true). I know I love it when people congratulate me, so why not do that for others?
  • General rule: never tweet or say or act in a way that is not genuine to who you really are. Don’t fake it; people can tell, and it’s a huge turn off. I know that I’m a giant nerd who is overly enthusiastic, obsessed with security and sometimes awkward. I own who I am, and people tend to think it’s adorable. If they don’t like it, they were never going to like me anyway; those aren’t the followers/connections/friends that I’m looking for. If you make your personal brand the real you, it’s much easier to ensure that you never step out from your brand and alienate the people who follow you.
  • Always do major announcements (conference appearance, project release, etc.) on ALL of your social media. Don’t just announce it on one platform, use at least two. Do it on ALL social media that you have available to you. (PS you should use at least two forms of social media.)
  • Don’t be as chatty on LinkedIn as on Twitter, it’s not the platform for that. 🙂
  • Don’t use Twitter and LinkedIn the same way you use Facebook. Facebook is for personal connections, and some professional things. LinkedIn is professional only. Twitter can be a mix. Don’t post 100 photos per day of your family, your lunch or your dog on your Twitter or LinkedIn account and then wonder why you have no professional followers. If you work in InfoSec, and you are trying to get people interested in the research or other work that you are doing, why are you tweeting photos of your French fries that you just ordered? Rare personal tweets are okay, but you have to remember that’s not what people are following you for….
  • Don’t comment on women’s appearance, attractiveness or bodies in a professional setting or social media. If I post a photo of myself giving a talk and someone comments how attractive I am it embarrasses me and makes me uncomfortable. It makes me wonder if how I look is more important than my research to some people, and I know many other women feel this way as well. If you want to compliment a woman, I highly suggest you compliment her on her work, achievements or something else professional. “Great talk!”, “Awesome article”, “You were so powerful on stage!”, “Highly informative”, “Great ideas!” etc. are all something anyone would be happy to see as a comment online.
  • If possible, involve other people in your events. For instance, do a workshop with a friend, or write an article with someone who works in the same field as you. Organize a meetup with multiple speakers. It will bring more attention to the whole thing. It’s also usually more fun, and if there are technical issues you have backup. Plus, you have someone else to help you create the content or run the event, it’s win-win. It is also a good way to give a platform to someone else who has fewer followers, but who you want to see succeed.
  • Ask to be on podcasts that relate to your area of interest. Tell them the topic that you want to talk about, make it easy for them by having a story ready. Announce it on social media. Always announce everything on social media.
  • Reach out to the newspapers or blogs and see if they want to write an article about you/the conference. Try to have a story or interesting angle ready for them, so that the story writes itself. They are more likely to say yes if you have a good idea for a story.
  • Plan other local events in conjunction with a large event (such as speaking at a conference) and give a different talk than the one you are doing at the conference (never do the same talk, in the same city, the same week). If you are doing a DevOps related talk, there’s almost always a DevOps meetup, same for OWASP (appSec), .Net users’ group, Cloud and so on. The bigger the city, the more options you will have. If you can get two different groups to co-host it (for instance the DevOps and OWASP meetups hosting a DevSecOps talk) that’s even better. Don’t forget to announce it on social media.
  • Add something personal to your talk, if you feel comfortable. “War stories” are always well received. For instance, if you are giving advice that people should always encrypt their hard drives, share a story about when an unencrypted hard drive was stolen that illustrates the reason why you are offering this advice. People like knowing the secrets of what goes on behind the scenes, and that you are a real person. But don’t get too personal though, no over-sharing, that can have the opposite effect.
  • When at an event where you are presenting, ask someone to take photos of you. Share one of the images online after and thank the conference for having you. Saying thank you is never a bad thing. Save good photos to help promote future events.
  • Live tweet other people’s talks (again, only if you actually like it). Give compliments (publicly and/or privately) when people deserve them. If a talk looks cool, comment that the talk looks cool. If you feel someone’s project or research is impressive, tweet at them to tell them that it’s impressive. It’s not only a nice thing to do, it adds visibility to what you do and boosts your image of being positive and nice to work with. Again, win-win!
  • Never tweet/share on social bad things about other professionals in your field. Talk to them directly if you have a problem. I try to treat others how I would want to be treated, and I would much rather handle things like that privately.
  • Don’t respond to trolls unless you have something incredibly good ready and you have thought about what the response will be. Always proceed with caution when interacting with someone who’s willing to act like that online. Staying away is usually best.
  • People love images, post related images if possible, with the conference/event/project/article/video tagged. Always tag the thing you are trying to promote. Feel free to tag people who will be involved as well.
  • If you see a news article that relates to your talk share it, with comments that you will cover this topic in more depth at your talk/presentation.
  • If people tweet at you or reach out to you on social media, unless it’s negative, “like” their comment and respond positively whenever you have time. People like to be acknowledged, I know I do.
  • Whenever possible, show kindness, patience and respect to others, both publicly and privately. This is a general tip, but it really makes life much better no matter what you do or who you are. 🙂

I hope this helps! Please reach out with questions or any suggestions of your own. I’d love to hear your feedback.


Practice Makes Perfect: Comments on Public Speaking

Many people ask me about how to become a better speaker. Below are some tips that I have for all of you. I hope they help!

Spoiler alert: my advice is not very exciting. I do not have a secret recipe, it’s mostly just a lot of hard work and practice.

My first suggestion is that you practice in front of your friends, colleagues, and anyone else that you trust. Practice many times. Ask for feedback each time. Take the feedback seriously, and change your talk accordingly.

When you feel ready, speak at a meetup. Then another one. Then another one. Speak at work if you are allowed. Speaking to smaller groups will give you more confidence, and people will begin to know who you are in your city. I also speak at work as much as they will tolerate. 🙂 The more practice you get, the better speaker you will be.

Once you feel that you have mastered speaking at a meetup, you can try to move on to bigger things, like conferences.

Tacos from local produce and meat, at the farmer’s market. Nothing to do with infosec, but absolutely delicious.

When you apply for a conference, have someone you trust review your abstract and your talk outline. I usually write the entire talk before I apply, but I know many others do not do this and still do very well at it. Get feedback from as many people who work in your field as possible, you want to make sure it is interesting and will make the conference organizers interested in what you have to say. Include as much research and reference material as possible in your outline. This is your chance to prove that you know what you are talking about.

When you are accepted to a conference, practice even more than before! You want to ensure that you impress the people who invited you to speak, so put as much work into practicing as you can. I practice many hours for every conference, and it really pays off. When I am up there I am much less nervous, because I have done it so many times before, in front of so many people.

That’s right. When I speak, I am usually nervous too.

Super secret trick that I do: I practice all of my new talks in front of the Ladies Code Meetup in Ottawa. They are a very small, incredibly supportive and warm audience. They are so very, very lovely, and forgiving when I make errors or something does not go well. If you have a very small audience that you trust to do a “test run” on, this is ideal. I’m extremely grateful that they let me “practice on them” regularly. 😀

Other thoughts:

  • If you get bad feedback about a joke, perhaps don’t use it. Especially when speaking in your second or third language. It’s much better to not be funny than to have it backfire; I have learned that I am not good at being funny in French…. The hard way. It’s best to not offend.
  • When you put a bunch of words on the screen the audience will read the words. We can’t help it! So try to have a picture, talk about your idea, then have words. This is a personal preference, but I find it helps.
  • Consider including a diverse set of people in your slides. Most Meme Generators (if you use those) only have white people, and mostly men for technology images. Why not have all ages, races, shapes and sizes? Because that’s what people actually look like.
  • Try to speak a bit slower than normal. Many people speak very quickly when they are nervous, so if you try to pronounce a little better and speak slightly slower, you will probably be very easy for everyone to understand. Drink water if that helps you remember to slow down. This is especially important if 1) you are giving a talk that is not in your first language or 2) you are speaking to an audience whose first language is not the one you are speaking in (for instance, if you are giving a talk in English, in Japan). Being understood is more important than anything else.
  • Don’t be afraid to apply or be rejected. My submissions are rejected ALL THE TIME. Don’t get let down. It’s okay. Just apply again. Because eventually, they will say YES! And each time you do this process you will improve.
  • Always listen to feedback and consider it, but you don’t have to “take” all of the feedback. If three times you hear “You talk too fast”, you should probably talk slower. But if you hear one time “Maybe you should do X” and “X” doesn’t make any sense to you, just say thank you and feel free to not follow that advice.
  • Be open to feedback. Constructive feedback is a gift that someone is giving to you to help you improve. Try not to act defensive. Try to be open.
  • If someone asks a question that you don’t know the answer to, don’t make something up. You are allowed to say “I don’t know, that’s not my area of expertise” or “I’m not sure, I’ve never thought of that before, does anyone else have any thoughts on this?”. You don’t have to know everything in the universe, although you should definitely know as much as possible about your topic.
  • If someone is arguing with you or giving you a hard time during question period, tell them you would like to continue the discussion after, and in the meantime you want to give other people a chance to ask questions. Then meet them after and let them argue. You still have to talk to them (unless they are extremely rude; it is not your duty to be abused). I find that quite often people like that are just having trouble forming the question properly to express what they want to say, and when there is no spotlight on them it goes better. Also: I often learn something.
  • Please don’t be afraid to try. Believe it or not the first time someone suggested that I do a talk I said “Oh no, not ME!”. And look at me now. You can do this, it will just take a lot of hard work.

I hope these suggestions help you!


More Tips for Social Media and Presenting

Last week I had a meeting with some of the wonderful ladies from WoSEC (Women of Security) to give them some tips on how to not feel strange when ‘bragging’, how to set goals for using social media, and how to avoid “taking shit” during question period after a talk. I made a video and it is linked below, however this article contains all the tips that I missed in the video.

I previously released the following relevant articles & videos:

Presentation and Social Media tips with SheHacksPurple

  1. On social media you will often receive the same questions over and over. Keep track, and then write a blog post or make a video about it, just like this one. Then share the link each time, instead of writing an individual letter each time. You will save yourself lots of time, but also give a much, much better answer to the person who is asking.
  2. Don’t assume your audience can read your mind, ask for what you want. I need to remind myself of this constantly. Example: my old startup, Security Sidekick, created our own Twitter account. I really wanted people to follow us, and I was tweeting and sharing things and then remembered “ask for what you want”, so I just politely asked my followers to follow us and we got 600 new followers over night. I felt so silly that it took me 6 weeks to think about *just asking*. You can ask for things too.
  3. If you do public speaking, thank your audience after. In person and on social media. This is not only polite, but the right thing to do.
  4. Create goals regarding your social media, and personal brand. Why are you doing all of this? What are you trying to achieve? Then remind yourself when you are making decisions what you are trying to achieve. For instance, I use social media to promote my content (I want people to attend my talks, read my blog, etc), I want to help bring people into our industry (see #CyberMentoringMonday), and I want to help other women excel in our industry (and other’s who are underrepresented in infosec). For helping other women I realized that it would be better if I created a second account, and @WoSECtweets was born. Figure out what you really want, and then use social media as a tool to get it.
  5. People want to see your content. You are not “bragging” by telling them about it, you are helping them find it. If you don’t tell them about it, they won’t know, and why did you bother writing it if you don’t want anyone to see it? The same goes for speaking, people want to know, that’s why they are following you. If you feel bad or like you are “bragging”, then ask a friend, talk about it, and hopefully they can reassure you. It’s okay to be proud. It’s okay to make announcements. It’s okay to share what you have created. I promise, it’s okay.
  6. Schedule important tweets and make sure you have 1 in AM and another one in PM, so it reaches more than 1 timezone. Showing up in someone’s feed means they might discover you, like your messages, and read your content. It’s win-win, and very little effort. Also: it’s okay to tweet things more than once, because of the way twitter works lots of people will miss it. Don’t tweet it 10 times, that’s annoying, but find a balance; tweeting the same thing more than once is 100% advised. Thanks to Chad Fowler for teaching me it’s a great idea to tweet something more than once.
  7. Invite people on LinkedIn to follow you on twitter. Invite people on Twitter to connect with you on LinkedIn. Link on your blog to your social media handles, etc. Cross promotion.
  8. If someone asks you questions aggressively after a talk, don’t shrink away. Stand tall, be polite but clear. YOU are on stage, you are the authority. Don’t let someone try to turn the tables on you. If someone is talking for more than 30 seconds, ask them politely “is there a question in there?”, this can help them get to the point. If they disagree with you, that’s okay, you can counter with “I’d love to hear more about your perspective, let’s take it offstage / let’s talk after the session”. If someone is being particularly difficult feel free to cut them off and then re-route the questions to a different section of the audience by physically turning to the other side of the room, so they know they are being dismissed, and saying “I feel I’m ignoring this side of the audience, do you have any questions?”. Quite often it is a misunderstanding when things like this happen and they actually agree with you, or they are just trying to paraphrase what you said. If so, take it in a good way and say “Yes, exactly! I’m glad we agree”. This is a great way to twist things back around in your favour, and end the conversation. Remember, the audience wants to see you succeed, they are on your side; it makes everyone uncomfortable if things go poorly during question period, so stand up for yourself if for no other reason than to save your audience from feeling uncomfortable for you. Please note: always assume good intent and you will avoid these types of situations 99% of the time.
  9. Share your slides after your talk and tweet them at the audience. I use SlideShare, but you can use whatever you like. Sharing is caring, yo.
  10. If you forget something during a presentation, no one knows. Don’t feel bad about it, act in a good way, and take it lightly.
  11. LinkedIn has a far lower engagement ratio, but you should still post important things there. Don’t be afraid to share, even though it may feel intimidating at first because most of the people you know aren’t posting there; it will set you apart.
  12. Balance personal and professional tweets. It’s not bad to share personal things, but don’t make it most of your tweets if your goal is to also use your social media for professional reasons.

HSTS Preloading of all .Dev domains: Troubleshooting

I’ve been quietly planning out SheHacksPurple.dev for the past little while, with the intent to announce it while at RSAC last week in San Francisco. My new site provides regular security content for a modest fee ($7/month), all created by yours truly, on the topics of DevSecOps, AppSec, Cloud Security, MFA, etc. Soon I will be releasing full length training courses on these topics, also at affordable prices.

** Our company website is now WeHackPurple.com

That said, when I pointed my domain at Podia.com (the place that is hosting my content), I followed the directions, and it did not work. The https://www.shehackspurple.dev link worked, but the apex domain, https://shehackspurple.dev, was throwing a security error. The instructions were to point the CNAME record for “www” to the Podia address for my content, no problem. Then forward the apex domain (no “www” at the front), to the www address for my site. I wasn’t sure why but the following error was thrown in all browsers.

HOW EMBARRASSING! I teach how to implement HSTS, then I can’t get it right? Ahh!

By this point I knew it was an HSTS problem, and that I was being pre-loaded, so I tried to remove my URL from being pre-loaded. Sounds easy right? Nope.

Being rejected by the HSTS Preload Page

At this point I felt I had to ask for help, people were clicking on the links from my presentations and getting this embarrassing error. Time to swallow my pride. I called GoDaddy, the ones who sold me the “.dev” domain name, and they had no idea. I called Podia, and they were also at a loss.

My sharing my feelings with the Chromium Dev Team.

They did not answer my accusatory tweet.

So then I did what I always do when I’m completely stuck; I asked my brilliant twitter followers.

Within 10 minutes someone pointed out that Google operates the entire “.dev” top-level domain (I didn’t know that was possible) and had put the whole TLD on the HSTS preload list, so browsers treat every .dev hostname as HTTPS-only before ever contacting it. THAT was why I could not get my domain to stop being pre-loaded: the preload entry is for .dev itself, not for my site. This news surprised me because 1) shouldn’t GoDaddy have known this was the issue since they sold me the .dev domain? 2) forcing a security feature on everyone often leads to poor results and 3) apparently some people think that “.dev” means a site that is under development, when it actually means “for developers”. No one is going to buy a completely separate domain so they can host their dev stuff on it, internal to their own networks. That makes zero sense folks.

In summary, I bought a .dev because I thought that’s where all the cool kids were, but it turns out that the .dev addresses come with baggage. My emails from my new domain are too-often caught in spam filters, and now this HSTS situation… But I digress.

I read a few articles on this topic, and I learned what was actually failing. Because the whole TLD is preloaded, browsers never make a plain-HTTP request to the apex (my domain without the “www” at the front); they go straight to HTTPS. GoDaddy’s forwarding feature only answers the HTTP request with a redirect to the www address; it does not complete a TLS handshake for the apex, so the browser fails the connection before any redirect can be sent. HSTS is strict: the apex itself has to complete the handshake.

Once I knew what the problem was, then I had to figure out a way to hack around it. I’m stubborn and did not want to have to start all over with a new domain. No way.

Luckily a whole bunch of my followers had great ideas. Michael Buckbee was particularly helpful, helping me figure out that the APEX (https://shehackspurple.dev) needed to terminate the TLS, so then I just needed to figure out how to do it. PS Thanks Michael!

This is where I turned to CloudFlare. No, this is not an advertisement for them, we aren’t affiliated (but if they want to buy a subscription to my site that would be cool!).

CloudFlare sits in front of your site as a reverse proxy: it protects sites from DDoS and other internet problems, and in the process it *terminates TLS* at its edge with a certificate that covers your apex, then forwards (or redirects) the request. GREAT, that was exactly the missing piece: the apex could now complete the handshake, and the redirect to www could be issued over HTTPS. PERFECT.

First I set up CloudFlare, which was super-simple. They have a free plan and I choose that one, so far so good.

Then I created a Page Rule to forward my Apex URL to my www URL, like so.

My CloudFlare Page Rule

And BOOM, SheHacksPurple.dev is no longer broken, and I can post content for all to find. 😀
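As an added example (not code from the original post, nor from CloudFlare, GoDaddy or Podia), here is a small Python diagnostic for the situation described above. It checks a Strict-Transport-Security header against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload) and, when given a hostname, requests the apex over HTTPS only, the way a browser does for a preloaded host, so a forwarding endpoint that never completes the TLS handshake shows up as a connection error rather than a redirect. The header values in the demo are constructed; the live check needs network access.

```python
import sys
from http.client import HTTPSConnection
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # smallest max-age hstspreload.org accepts


def parse_hsts(header: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directives.
    Names are case-insensitive; max-age is returned as an int (-1 if malformed),
    every other directive simply as True."""
    directives: Dict[str, object] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 permits a quoted max-age value
        if name == "max-age":
            directives[name] = int(value) if value.isdigit() else -1
        else:
            directives[name] = True
    return directives


def preload_eligible(header: str) -> Tuple[bool, List[str]]:
    """Header-level preload rules: max-age >= 1 year, includeSubDomains, preload."""
    d = parse_hsts(header)
    problems: List[str] = []
    max_age = d.get("max-age", -1)
    if not isinstance(max_age, int) or max_age < ONE_YEAR:
        problems.append("max-age must be at least 31536000 (one year)")
    if not d.get("includesubdomains"):
        problems.append("includeSubDomains directive missing")
    if not d.get("preload"):
        problems.append("preload directive missing")
    return (not problems, problems)


def check_apex(host: str, timeout: float = 5.0) -> Dict[str, object]:
    """Live check (needs network). Connects over HTTPS only, as a browser does for a
    preloaded host, so a forwarding service that never completes TLS fails here
    instead of ever getting to send its redirect."""
    result: Dict[str, object] = {"host": host}
    try:
        conn = HTTPSConnection(host, 443, timeout=timeout)  # default context verifies the cert
        conn.request("GET", "/")
        resp = conn.getresponse()
    except OSError as exc:  # ssl.SSLError, timeouts and refused connections all land here
        result.update(tls_ok=False, error=str(exc))
        return result
    hsts = resp.getheader("Strict-Transport-Security")
    result.update(
        tls_ok=True,
        status=resp.status,
        location=resp.getheader("Location"),  # expect https://www.<host>/ for an apex redirect
        hsts=hsts,
        preload_eligible=preload_eligible(hsts)[0] if hsts else False,
    )
    conn.close()
    return result


if __name__ == "__main__":
    # Constructed header values: a weak setting beside a preload-ready one.
    for value in ("max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(value, "->", preload_eligible(value))
    if len(sys.argv) > 1:  # e.g. python hsts_check.py example.dev
        print(check_apex(sys.argv[1]))
```

For a .dev name the TLD itself is on the preload list, so these header checks do not get a site on or off the list; they tell you whether the apex is serving HTTPS correctly, which is the only fix available when removal is not an option.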


Alice and Bob Learn: Chapter Discussions

At the end of each chapter of Alice and Bob Learn Application Security, there are questions for the reader to ponder. As the author, I will be holding streaming sessions every 4 weeks to discuss the questions, starting March 20, 2021. If you would like invites to the streams, please sign up here.

All of the streams are free, and I would love to have you join us live! If you can’t make it live, you can watch them after on my YouTube Channel, or download them via a podcast app by looking for the podcast “Alice and Bob Learn” (which will be launched right after the first stream).

Ideally, you will read the chapter before the corresponding live discussion, but if you don’t, that’s okay. You will still learn, and you are definitely welcome to attend. 😀

AMA: Where can we learn Threat Modelling?

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’.

The linked video is approximately 2 minutes.

  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Elevation of Privilege”, created by Adam Shostack
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. 😀
  • Every time there is a new project at work, meet with them for one hour and just *try* to threat model. It’s okay if it’s not perfect; if you identify just one risk you had not thought of, your session was productive.
  • Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area: Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris, the list goes on and on.
  • Whiteboard designs with people and then ‘put on your black hat’ and take a look.
  • Ask the tech team (developers, architects, ops peeps), “If you were going to hack your app, how would you do it?” The answers may terrify you, but you’ll be happy you asked.
  • Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…
For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

PS The Video Quality is low in this video and has been improved in future recordings.

AMA AppSec: What would you tell University Students about Application Security?

Content from the We Hack Purple Community!

In a recent ‘Ask Me Anything: Application Security’ live stream, Tanya Janca discusses ‘What would you tell University Students about Application Security?’ This video is approximately 9 minutes.

What would you tell University Students about Application Security?

Stream Summary:

  • There are over a million jobs in the security field for which there is no qualified security person available to fill; you will never be without work if you choose this field
  • I explained that learning how to use ZAP is easy, and breaking things is fun
  • Doing hands-on things right away is a good way to learn
  • I explained that I started THIS SITE. How meta of me to discuss it here. I also talked about my long term goals for the site: to create affordable training so that we can create AppSec and DevSecOps engineers, and find them their first job.
  • Discussion of two large problems in InfoSec: not enough highly skilled people to do all of the work, and no clear career path to get into our field.
  • Plans for SheHacksPurple.dev: to create theory and hands-on lessons with security tools. Especially the “not free” tools, that you are more likely to be expected to use at work. I am currently contacting vendors to see how we can create a deal so my students can try their products for free or almost-free.
  • I describe how I want to teach my courses, how I hope to help people learn.
  • Then I nerd out about Vulnerability Management and Metrics, because I really like those topics.
  • Then someone in the chat changes the topic and that will be my very next post!

If you want to be invited to my free live streams sign up for my newsletter!

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

AMA: DevSecOps versus Secure SDLC

In a recent ‘Ask Me Anything’ live stream, Tanya Janca of We Hack Purple discusses ‘DevSecOps versus Secure SDLC’. This video is approximately 2.5 minutes.

  • DevSecOps is you as an AppSec professional, doing your job, in a DevOps environment.
  • A secure SDLC is when you add security activities to your system development lifecycle. Preferably in every phase of the SDLC, and formalized (devs cannot avoid it).
  • Examples of secure SDLC activities:
      • Threat modelling during design
      • Adding security requirements & review during requirements gathering
      • Reviewing your design for security flaws and to ensure secure design concepts are applied
  • Then Tanya gets off topic and talks about We Hack Purple.
For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!