On Oct 29th, 2023, the very first edition of “ThreatModCon”, a conference dedicated entirely to threat modelling, took place. On the 30th and 31st was “OWASP Global AppSec”, a conference by the OWASP Foundation, dedicated entirely to application security. On November 1st and 2nd, I helped Adam Shostack deliver his 2-day intensive threat modelling training. This…
Author: Tanya Janca (SheHacksPurple)
Choosing API Security Tools
Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and Chinmay said “Absolutely!” and here we are with a new blog post.
The Difference Between SCA and Supply Chain Security
Right now, the concept of the software supply chain and securing it is quite trendy. After the SolarWinds breach, the attack on the crypto wallet, and the Log4j fiasco, the entire world appears to be focused on securing the software supply chain. I’m not complaining. If anything, as an application security nerd, I am quite pleased that…
Trip Report – Hacker Summer Camp 2023
For those of you who are aware, every August for the past 30 years or so, hackers have been meeting in the dead heat of summer in Las Vegas, Nevada, to host multiple learning and community events. It started with Def Con, a conference dedicated to hackers & hacker culture, releasing exploits, and “doing stuff…
My first week at Semgrep
My nails and dress were matchy-matchy for my first day! Since I've been keeping this giant secret for so long, I'm very excited to finally be able to share all of my good news. This blog post is going to be all about my first week at Semgrep. We chose July 31 as my first…
I’m Joining Semgrep and Bringing We Hack Purple With Me
Hello my friends! It's me, Tanya Janca from We Hack Purple, and I am beyond thrilled to announce that we are joining forces with Semgrep to take the world of application security by storm! As the new Head of Education and Community, bringing the We Hack Purple community and content with me, we will be offering…
Operations First!
Many years ago, when I was a software developer, a very smart boss said to me: “Tanya, it’s always operations first. Projects after.” At first I was confused: how would I make any progress on my projects if I was always doing operations? And what the HECK is “operations” anyway? Reader, this was an incredibly important…
You Do Not Need to do DAST in a Pipeline to do DevSecOps
I want to get something straight: you do not need to put a dynamic scanning tool into your CI/CD pipeline in order to do DevSecOps properly. You don't even necessarily need to use automated dynamic analysis at all to be doing DevSecOps. I do regular consulting via IANS Research, and quite often I find myself…
Safety at #HackerSummerCamp
A few years ago, I wrote a blog post, Hacker Summer Camp 2019, about how to stay safe at #HackerSummerCamp (Def Con + Black Hat + Diana Initiative + B-Sides + everything else that week in Vegas). I made a video to add more details, clarity and ideas on how to have more fun and…
Trip Report for B-Sides SF and RSAC 2023 San Francisco
As you might be aware if you read my blog, I spoke at B-Sides San Francisco and RSA Conference 2023, and it was GREAT! Below is a report about my trip, and all the wonderful people, places, and activities I saw and participated in from April 21-28, 2023. B-Sides SF: Breakfast with wonderful people!…