Choosing API Security Tools

Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and Chinmay said “Absolutely!” and here we are with a new blog post. 


If you are in charge of securing the software at your organization it is likely you have quite a few APIs under your purview, and that you might feel overwhelmed with the huge list of products on the market right now. Since 2021, this market has exploded with several new API security tools. In this article I am going to stress that what matters most when selecting a tool is what you need from them. There are several different functionalities that might interest you, depending upon your AppSec program, how invested the developers are, your SDLC methodology (waterfall, agile, DevOps, something else), your development environment (and the level of freedom your developers have), and your percentage of new types of applications (API/micro service) versus older types (enterprise, monolith). 

Note: In this article I am going to speak about tools that work with the OpenAPI (formerly Swagger) specification. For those using SOAP, your toolset will be significantly more limited than this, and some of these tools will not work for you. I gently suggest that you use OpenAPI for all new APIs you develop going forward, as you will have significantly more options.

– Tanya

Common API Security Tooling Features:

  • Inventory – Finding all of your live APIs is VERY VALUABLE. There’s huge potential for there to be one or more APIs that you might have missed, living on your network, unprotected. Sometimes they call this feature enumeration.
  • Fuzzing or dynamic automated testing, made for APIs (not web apps). Interacting with your API, sending it requests, and looking for problematic responses.
  • Web Application Firewall (WAF) for APIs, blocks malicious requests and responses.
  • API Gateway (a must-have if you are putting your API on the internet!) Performs authentication and authorization, throttling, resource quotas, and more. If you want to fight bots, this is your #1 defense.
  • “Context” This is a new one that several vendors list as a feature, which means telling you more information about the API to help you prioritize what to fix, and what can be safely ignored. I’m not exactly sure how each of these work, but it’s a promise some of them make. You need to investigate exactly what this means before buying.
  • Static analysis (you can use a normal automated SAST tool for everything but the OpenAPI/Swagger file to find vulnerabilities in written code). No need to get a special tool.
  • API Linters help with code quality, but they can also be security-focused. Finding one that can open your OpenAPI file and help you validate your definition file (sometimes called a schema) can save you lots of bug-fixing time down the road.
  • Regular (non-API-specific) automated dynamic testing tools (DAST) are not very good at scanning APIs, even if the vendors tell you they are good. Unless it is a web proxy, and it’s in the hands of a Penetration Tester, assume they are not worth your time. Get an API-specific dynamic testing tool instead, which can understand your API, rather than older tools that were made for web apps.
  • Software composition analysis (SCA): APIs have dependencies too, but it’s the same as web apps, so use the same one you use for all your apps. No need to get a special tool.
Another image of bees. I do not know why bees always come up when I search APIs, but they certainly are beautiful.

I suggest an API gateway for every company, full stop. Ideally you are already doing SAST and SCA for your regular web apps with tools you already own/use; keep doing that for your APIs. For dynamic scanners, you need an API-specific one unless you want to spend many engineering hours making it work properly (time you could spend fixing bugs instead). There are also quite a few IDE plugins, but the key here is: which things are you concerned about? Go from there and you will find the right product. Most of these companies have 2-4 different functionalities. Figure out which one(s) you want, then do a proof of concept exercise (PoC) with the finalists. After that, pick the winner! 
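To make the “security-focused API linter” idea above concrete, here is a small example I have added for this post (it is not code from any vendor’s product, and the OpenAPI document it checks is a constructed sample, not a real service). It reads an OpenAPI 3 document and flags the definition-file problems that most often turn into real bugs: a plaintext `http://` server, an API key accepted in the query string, operations whose effective `security` is empty or allows anonymous access, references to security schemes that were never defined, and parameters or request bodies that have no schema (so nothing validates them). Operation-level `security` overrides the document-level one, which is why the check resolves the effective requirement per operation.

```python
import json

# Constructed OpenAPI 3 document for demonstration only; not a real API.
SAMPLE_SPEC_JSON = """
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0.0"},
  "servers": [{"url": "http://api.example.internal"}],
  "security": [{"bearerAuth": []}],
  "components": {
    "securitySchemes": {
      "bearerAuth": {"type": "http", "scheme": "bearer"},
      "legacyKey": {"type": "apiKey", "in": "query", "name": "api_key"}
    }
  },
  "paths": {
    "/users": {
      "get": {
        "parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}],
        "responses": {"200": {"description": "ok"}}
      }
    },
    "/users/{id}": {
      "parameters": [{"name": "id", "in": "path", "required": true}],
      "delete": {"security": [], "responses": {"204": {"description": "deleted"}}}
    },
    "/health": {
      "get": {"security": [{}], "responses": {"200": {"description": "ok"}}}
    },
    "/orders": {
      "post": {
        "security": [{"adminToken": []}],
        "requestBody": {"content": {"application/json": {}}},
        "responses": {"201": {"description": "created"}}
      }
    }
  }
}
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def _effective_security(spec, operation):
    """An operation-level `security` key replaces the document-level one."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def lint_openapi(spec):
    """Return a list of (severity, location, message) findings for the spec."""
    findings = []

    for server in spec.get("servers", []):
        url = server.get("url", "")
        if url.startswith("http://"):
            findings.append(("high", f"servers[{url}]", "plaintext transport (http://)"))

    schemes = spec.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") == "apiKey" and scheme.get("in") == "query":
            findings.append(("medium", f"securitySchemes.{name}",
                             "API key accepted in query string; it leaks into logs, proxies and referrers"))
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            findings.append(("medium", f"securitySchemes.{name}",
                             "HTTP Basic sends credentials on every request; prefer bearer tokens or mTLS"))

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            location = f"{method.upper()} {path}"

            security = _effective_security(spec, op)
            # `security: []` disables auth; a `{}` requirement object allows anonymous access.
            if not security or any(req == {} for req in security):
                findings.append(("high", location,
                                 "no authentication required (security is empty or allows anonymous)"))
            else:
                for requirement in security:
                    for scheme_name in requirement:
                        if scheme_name not in schemes:
                            findings.append(("high", location,
                                             f"references undefined security scheme '{scheme_name}'"))

            # Path-level parameters apply to every operation under that path.
            for param in item.get("parameters", []) + op.get("parameters", []):
                if "schema" not in param and "content" not in param:
                    findings.append(("medium", location,
                                     f"parameter '{param.get('name')}' has no schema, so nothing validates it"))

            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                if "schema" not in media:
                    findings.append(("medium", location, f"request body '{ctype}' has no schema"))

    return findings


def lint_openapi_text(text):
    """Parse a JSON OpenAPI document and lint it."""
    return lint_openapi(json.loads(text))


if __name__ == "__main__":
    for severity, location, message in lint_openapi_text(SAMPLE_SPEC_JSON):
        print(f"[{severity}] {location}: {message}")
```

Run against the sample, the linter reports seven findings and stays quiet on `GET /users`, which inherits the document-level bearer requirement and declares a schema for its one parameter. A check like this is cheap to wire into CI so an unauthenticated route or an unvalidated path parameter never reaches a pentest in the first place.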

Happy shopping!

The Difference Between SCA and Supply Chain Security


Right now, the concept of the software supply chain and securing it is quite trendy. After the SolarWinds breach, the attack on the crypto wallet, and the Log4j fiasco, the entire world appears to be focused on securing the software supply chain. I’m not complaining. If anything, as an application security nerd, I am quite pleased that I am finally getting buy-in that these things need to be protected, and that vulnerable dependencies need to be avoided. Folks, this is GREAT.


Software composition analysis, often called SCA, means figuring out which dependencies your software has, and of those, which contain vulnerabilities. When we create software, we include third party components, often called libraries, plugins, packages, etc. All third-party components are made up of code that you, and your team, did not write. That said, because you have included them inside of your software, you have added (at least some) of their risk into your product.

A ‘supply chain’ means all of the things that you need to create an end product. If you were creating soup, you would need all of the ingredients of the soup, you would need things like pots and pans in order to cook and prepare the ingredients of the soup, you would need a can or a jar to put it in, and likely a label on top to tell everyone what type of soup it is. All of those things would be considered your supply chain. 


Imagine inside of your soup one of the ingredients is flour. Chances are that it (wheat) was grown in a field, and then it was harvested, and then it was ground down into flour, and then it might have been processed even further, and only then it was sent to you, so that you could create your soup. All of the steps along the way could have been contaminated, or perhaps the wheat could have rotted, or been otherwise spoiled. You have to protect the wheat all along the way before it gets to you, and once you make the soup, in order to ensure the end product is safe to eat.

Protecting all of the parts along the supply chain, from ensuring that there aren’t terrible chemicals sprayed on the ingredients as they grow, to ensuring that the can or jar that you put the soup into has been properly sterilized, is you securing your supply chain.

When we build software, we need to secure our software supply chain. That means not only ensuring the third-party components that we’re putting into our software are safe to use, but the way we are using them is secure [more on this later]. We also have to ensure how we build the software is safe, and this can mean using version control to store our code, ensuring any CI/CD that we use is protected from people meddling and changing it, and every single other tool we use or process we follow are also safe. 

If you’ve followed my work a long time, I am sure you know that I think this includes a secure system development life cycle (S-SDLC). This means each step of the SDLC (requirements, design, coding, testing and release/deploy/maintain) contains at least one security activity (providing security requirements, threat modelling, design review, secure coding training, static or dynamic analysis, penetration testing, manual code review, logging & monitoring, etc.) A secure SDLC is the only way to be sure that you are releasing secure software, every time. 


With this in mind, the difference between the two is that SCA only covers third party dependencies, while supply chain security also covers the CI/CD, your IDE (and all your nifty plugins), version control, and everything else you need in order to make your software. It is my hope that our industry learns to secure every single part of the software supply chain, as opposed to only worrying about the dependencies. I want securing these systems to be a habit; I want it to be the norm. I want the default IAM (identity and access management) settings for every CI/CD to be locked down. I want checking your changes into source control to be as natural as breathing. I want all new code check-ins to be scanned for vulnerabilities, including their components. I want us to make software that is SAFE.

If you read my blog, you are likely aware that I recently started working at Semgrep **, a company that creates a static analysis tool, and recently released a software supply chain security tool. If you’ve seen their SAST tool, you know they’re pretty different than all the other similar tools on the market, and their new supply chain tool is also pretty unique: it tells you if your app is calling the vulnerable part of your dependencies. They call it ‘reachability’. If your app is calling a vulnerable library, but it’s not calling the function inside of that library where the vulnerability lives, you’re usually safe (meaning it’s not exploitable). If you ARE calling the function that is inside your library where the vulnerability is located, there’s a strong likelihood that the vulnerability could be exploitable from within your application (meaning you are probably not safe). We added this to the product to help teams prioritize which bugs to fix, because although we all want to fix every bug, we know there isn’t always time. In summary, if the vulnerability is reachable in your code, you should run, not walk, back to your desk to fix that bug.

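To show what “reachable” means in practice, here is a deliberately small example I have added for this post. It is not Semgrep’s implementation (or anyone else’s); the package names, versions, advisory records and application source in it are all constructed. It walks the application’s Python AST, resolves `import`/`from … import` aliases to fully qualified names, collects every function the first-party code calls, and then classifies each advisory as not installed, already fixed, installed-but-not-called, or reachable. Version comparison is simplified to dotted integers.

```python
import ast

# Constructed advisory feed: package, vulnerable function, first fixed version.
# The packages and versions are invented for this example.
ADVISORIES = [
    {"package": "imglib", "function": "imglib.parse_header", "fixed_in": "2.1.0"},
    {"package": "yamlkit", "function": "yamlkit.unsafe_load", "fixed_in": "1.3.0"},
    {"package": "netclient", "function": "netclient.get", "fixed_in": "2.30.0"},
    {"package": "leftpadx", "function": "leftpadx.pad", "fixed_in": "0.2.0"},
]

# Constructed lockfile contents: what is actually installed in the app.
INSTALLED = {"imglib": "2.0.3", "yamlkit": "1.2.0", "netclient": "2.31.0"}

# Constructed application source. Only this first-party code is scanned.
APP_SOURCE = '''
import imglib
import netclient as nc
from yamlkit import safe_load

def load_config(text):
    return safe_load(text)          # safe_load, not the vulnerable unsafe_load

def inspect(path):
    with open(path, "rb") as fh:
        header = imglib.parse_header(fh.read(64))   # the vulnerable function
    return nc.get("https://example.invalid/", timeout=3), header
'''

REACHABLE = "reachable"
NOT_CALLED = "vulnerable version installed, function not called"
FIXED = "fixed version installed"
NOT_INSTALLED = "not installed"


def _dotted_name(node):
    """Turn an a.b.c attribute chain into 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def called_qualified_names(source):
    """Fully qualified names of every function the source calls through an import."""
    tree = ast.parse(source)
    aliases = {}  # local binding -> qualified name it refers to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
                else:
                    top = alias.name.split(".")[0]  # `import a.b` binds the name `a`
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    calls = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            dotted = _dotted_name(node.func)
            if not dotted:
                continue
            head, _, rest = dotted.partition(".")
            if head in aliases:  # ignore builtins and locals such as open() or fh.read()
                calls.add(aliases[head] + (f".{rest}" if rest else ""))
    return calls


def _version(text):
    return tuple(int(part) for part in text.split("."))


def triage(source, installed, advisories):
    """Classify each advisory for this application; returns {function: status}."""
    calls = called_qualified_names(source)
    result = {}
    for adv in advisories:
        pkg, func = adv["package"], adv["function"]
        if pkg not in installed:
            result[func] = NOT_INSTALLED
        elif _version(installed[pkg]) >= _version(adv["fixed_in"]):
            result[func] = FIXED
        elif func in calls:
            result[func] = REACHABLE
        else:
            result[func] = NOT_CALLED
    return result


if __name__ == "__main__":
    for func, status in triage(APP_SOURCE, INSTALLED, ADVISORIES).items():
        print(f"{func}: {status}")
```

The one caveat a practitioner should keep in mind: this script only follows direct, statically named calls from your own code. A call that reaches the vulnerable function through another function in the same library, through a second dependency, through `getattr`, or through a framework callback is invisible to it, so “function not called” here is a weaker claim than a real reachability analysis makes. Use the result to decide what to fix first, not as proof that an unreached vulnerability can be ignored forever.
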
I have worked with more than one company who had programmers who did not check in their code regularly (or at all) to source control. Let me tell you, every single time it was expensive! Losing years of hard work will break your heart, not just your budget. Supply chain security matters.

Join me in this adventure by starting at your own office! Whether you have budget or not, there are paid and free tools that can help you check to see if your supply chain is safe! You can also check some of this stuff manually, easily (the IAM settings on your CI/CD are just a few clicks away). Reviewing the setup for your systems, and ensuring you have everything important backed up, will make your future less stressful, trust me. 

You can literally join me on this adventure, by signing up for the Semgrep newsletter! The Semgrep Community is about to launch live free events, including training on topics like this, and we can learn together. First email goes out next week, don’t miss out!


~ fin ~

** I work at Semgrep. This means I am positively biased towards our products and my teammates (I think they are awesome!) That said, with 27+ years’ experience in IT, being a best-selling author and world-renowned public speaker, there are a LOT of companies that would be happy to let me work for them. I chose Semgrep for a reason; my choice to work there was intentional. That said, I will try not to be annoying by only talking about work on my blog, promise! 

Trip Report – Hacker Summer Camp 2023

Ashish, Adam, me, Tiffany, Shilpi, Anna and new guy!
Photo credit: Scott Helme, AppSec Village, Def Con, 2023

For those of you who are aware, every August for the past 30 years or so, hackers have been meeting in the dead heat of summer in Las Vegas, Nevada to host multiple learning and community events. It started with Def Con, a conference dedicated to hackers & hacker culture, releasing exploits, and “doing stuff that makes you feel like a badass” (or at least that’s my opinion). Four years later, Black Hat was started, a corporate security event, known for high quality training and research-heavy presentations. After multiple years of being rejected from the Black Hat and Def Con conferences, Jack Daniel (who I met this year for the first time, he was so nice and friendly!) started a conference for those of us who have been rejected from the main conference, named aptly “B-Sides” (for those younger than I: records and tapes used to have an “A side” and a “B side”, with the B side having… less popular songs). As a person who has been rejected over and over by these conferences… I love the Las Vegas B-Sides and B-Sides in several other cities (they are all over the planet now, by the way)! As the years went by, more events were added, such as The Diana Initiative, and so many more. Eventually people started referring to this annual event as “hacker summer camp”, and if the shoe fits… Hack it!  

Okay Vegas, let’s do this!
This is Chadd, my new BFF from WHP Community!

This year started off for me by keynoting The Diana Initiative. Not only did We Hack Purple sponsor this annual event that I love so much, but I credit this group (community? movement?) with being the main reason that I have come back to Vegas (my least-fav American city) year after year. Being able to keynote what I consider to be my favorite part of hacker summer camp is pretty much the best outcome I could imagine. Diana is a place where I always feel comfortable and safe, and after my first trip to hacker summer camp (2015 – before I gave talks or had a twitter account) being extremely uncomfortable, I have found them to be a force of nature for re-building trust with those of us from underrepresented groups. My first trip to hacker summer camp involved a lot of unwanted touching from men, being followed around (even from one building to another, with me saying “Stop following me!”), lots of feeling unwelcome/not fitting in, and the TiaraCon folks making me feel so utterly embarrassed by demanding I wear a plastic tiara and feather boa, so many times, that I ended up yelling at them to “stay the F away from me”. Not one of my finer moments. Sigh. Hacker summer camp has come a LONG WAY since then.  

Me, in cat ears, at The Diana Initiative
I was also on a panel of kick-ass ladies to talk about our careers at Diana!

I also saw some great talks at Diana, including ones by Chloe Potsklan and Yianna Paris!

We Hack Purple Podcast alumni Maril Vernon doing the superwoman pose with me, and the Diana Initiative Volunteers! There would be no conference without volunteers, hats off to each and every one of you!

A real life super hero: Lynn Dohm of WiCyS

The next day I had a We Hack Purple meetup where I got to meet several community members, including my new friend Chadd (he’s looking for his first job in AppSec, if you’re hiring!). We chatted all things community, jobs, AppSec, and how I could plan a WHP meetup in DC in October when I come up for OWASP Global AppSec. Also, did I mention that I will be speaking at OWASP Global AppSec?!?! Yay!  

The CUTEST instructors in Vegas!!!! Wait, I mean Enno Liu and Colleen Dai of Semgrep.

Also on Tuesday, B-Sides LV started! I gave a workshop (Adding SAST to CI/CD without losing any friends) with my new colleagues, Enno Liu and Colleen Dai. It was SUPER FUN! I covered the easy parts, setup, cloning and running the CI, Juice Shop, the SCA and SAST results, etc. Then Enno and Colleen really took it away with rule writing in Semgrep. I’m new to Semgrep (week two), so I’m still learning to become a little rule ninja. I suspect I will learn a lot from these two.  

This was our team dinner. They know how to treat me!

Monday night I attended the B-Sides Speaker dinner and ate very little… Because then I went to a team dinner for work, and we ate KOREAN BBQ (which I love)! It was all you can eat, and folks, I did my best to get my new employer their money’s worth by stuffing my face. 😛  

Gabrielle Botbol and Vandana Verma. Two incredibly dangerous pentesting ladies!

Wednesday morning, I met my dear friends Vandana Verma and Gabrielle Botbol for breakfast. We caught up, ate tasty food, and took selfies, just like any other set of friends who have been apart for a few months. Don’t they look lovely? They are two wonderful human beings!

After breakfast I had several meetings that were sort of all over the place, broken up by “Oh hi! I haven’t seen you in forever!” type conversations as I recognized people at B-Sides. Obviously, Chadd was there!  

My IANS and Forte Group Colleague, Summer Fowler!

Later in the evening I met up with the crew from IANS Research! I also FINALLY got to meet Malware Jake Williams in person, instead of just tagging him in Slack all the time. He had a great Splunk T-shirt that said “You bet your sweet SaaS” and… I want one!   LOLOLOLOL!

Forte Ladies Unite!

Thursday morning started with a Forte Group breakfast. Well, there wasn’t really a breakfast per se, but who cares? I can get food anywhere. What I cannot get anywhere is 100 CISO, CEO, and Startup lady founder friends!!!! Only about 30 of them showed up, but it was awesome! Obviously, we discussed taking over the world. Wait, I mean: How can we train and find the next generation of cyber security professionals, and ensure more of them are women than ever before. Yes, that was it. ;-D  

After the Forte amazingness, I went for the first-ever Semgrep Community Meetup! We were *supposed* to meet in the Starbucks just off the lobby from Caesar’s Palace, but unbeknownst to me it was closed recently for construction, and for some reason an unfriendly employee was demanding no one stand around. I tried to stand around and wait for people, to direct them to the new location (Starbucks in the food court of Caesar’s) but she yelled “GET!” at me, and I ran away… She was not having any of it. The Cloud Defense team was there, and they also tried to go round up any community members I missed and were also shooed away. If we missed you, I am so sorry! That said, the people I DID find had lots of fun with me and Semgrep!  

The first Semgrep Community in-person meetup!
Don’t the Twilio/Segment Product Security Team look amazing???!?!??!

After that I headed off to the Bishop Fox Drybar event, and (completely randomly) ran into Ariel Shin (previous WHP podcast guest) and several other ladies from the Twilio/Segment product security team. DON’T WE LOOK GREAT? Thank you Bishop Fox!!!!  We will secure the world and look great doing it!!!!

Later that night I met up with several friends from the Slack Product Security team, ate dinner, and learned a lot of new stuff about what makes the ‘glue’ of a team. I didn’t take pictures, but I assure you that it was both delightful and delicious.  

I realize that I am a total jackass.
AppSec Village

Friday was the big day…. Presenting at the AppSec Village! Both Semgrep and We Hack Purple were sponsors of the AppSec Village, because we both LOVE AppSec and this community. I gave my talk DevSecOps Worst Practices and it went really well (everyone laughed when I hoped they would, and did not laugh when they were not supposed to).

I also got to see SO MANY FRIENDS! Ashish and Shilpi, Jet, Scott Helme, Adam Shostack, Aaron Lord, and more!!!!  

Then I flew home. Phew, What A Trip!  

Thanks for reading, see ya next time! Also, lots more photos below, just ‘cause!          

Ready for Diana

My first week at Semgrep

My nails and dress were matchy-matchy for my first day!

Since I’ve been keeping this giant secret for so long, I’m very excited to finally be able to share all of my good news. This blog post is going to be all about my first week at Semgrep. We chose July 31 as my first day because they were already having several other people start that day, and because they were hosting Semgrep Hub Week—team building events for every single team, in person. As you might imagine, I am going to be a mostly-remote worker, so a chance to meet the entire team in person was something I could not miss. They flew people from all over the planet to San Francisco, with a focus on connecting, having fun, and innovation. I’m told that normally there’s more work and fewer cruises, art lessons, mini putt and other fun activities, but that there’s always lots of bubble tea. 😀

My first day was just a lot of airplanes, and sharing on social media that I’m going “somewhere” and asking everyone to guess. I arrived way too late in the day to see anyone, unfortunately. For the record, my followers are brilliant, and several of them guessed not only which city I was in, but also the purpose of my trip, very quickly, with few hints! My followers are way too smart to have the secret last very long, so we knew we only had a few days at best to make our announcement.

Tanya and Clint pose in front of the Semgrep sign at HQ
Clint and I pose in front of the Semgrep sign at HQ. Getting to work with my long-time friend Clint Gibler is a HUGE PLUS!!!
A few members of my new team!
Even more of my team!
Meet (some of) Semgrep People Ops. THEY HIRED ME!

My second day I had a previous-commitment teaching engagement, so I couldn’t come into the office until around 1:00 pm, and when I entered the building I was immediately greeted with smiling faces! My new boss Pablo greeted me with a hug, same with Clint, and so many more of my new co-workers! I’m going to have several images throughout the blog post of some of the friendly faces I met all week. There were so many people! We’re almost at 150 at this point, and growing fast!

The first day (for me) team building exercise was a graffiti painting lesson. No, seriously! We were all given access to spray paint, a quick lesson, and then let loose upon a couple of brick walls in downtown San Francisco!

Chris is smart, he wore a hazmat suit and got NO PAINT on his clothes.
Another of my colleagues who managed not to get paint on himself!

After a few hours of painting, several of us walked back towards the office and decided Dim Sum was in order. One of my teammates had never tried tofu, eggplant or potstickers before in his life, and was a VERY good sport about trying literally everything we brought to the table. He says he doesn’t need to try tofu again, but the rest was a hit! I’ve converted one more person into a Dim Sum fan!

They walked me back to the office to get my laptops (I have 3 with me now, the WHP one, a burner one for Def Con, and my new Semgrep M1). I got to see a bunch of SF at night that I likely wouldn’t have wanted to wander through by myself at that time of day, so that was really nice.

On day two, I had to teach all morning again, so I arrived at the office quite late (1:00 pm). At 3:30 pm, which seemed to arrive in only a millisecond, we left to go on what I was told was a cruise, but it was actually a sailboat that took us all over the San Francisco Bay. Lots of us got splashed! There was also a lot of tasty cheese, fruit and other snacks. I ate a lot of cheese, lol.

We’re ON A BOAT!

After the cruise we went to a giant food truck park, and I got to have a rice burger (the buns were made of deep fried rice, and I want you to know that I learned that I APPROVE of deep frying rice, YUM), and bubble tea! This trip involved a lot of bubble tea, and I noticed that people were offered alcohol throughout the week and a lot of us opted for boba (fancy bubble tea) and other non-alcoholic alternatives. Startup culture is often “let’s get hammered”, or it has seemed that way to me, and as a person who doesn’t drink all that often, at times I have felt left out. I never felt ‘left out’ or pressured to drink at all this week, and that was SO NICE. It’s cool that other people want to enjoy a beer or two, but I will take a fancy latte or bubble tea over beer any day. Mmmmmm, sugar. LOL.

Day 3 was more meeting new people, starting to tell everyone what my new role will be, and suggesting 400 different new features for the product (this is what happens when you use something a lot with clients, you have a build-up of suggestions). I had several 1:1 meetings, and even more introductions. Once the work slowed down, I went to play mini putt with the security research team. There was more bubble tea!

Inside the heated food truck with HR and Support teams

Day 4, the Friday, we finally got to announce that We Hack Purple and I had joined Semgrep! I remember I pressed “send” on the announcement and then we both ran to the Hub Week presentations. When I got back to my desk I had a couple (hundred) notifications… LOL! The Hub Week presentations were all new features and innovations that various teams had made at Semgrep that week. Not only were a bunch of them AMAZING, the presentations were absolutely hilarious! They had one employee MC the whole thing, and we were all in fits of giggles for 2 hours while the teams showed off their cool new creations. Although I am not allowed to share them as several will probably become part of the product very soon, I CAN share that there was: ASCII art, music, dad jokes, and Hawaiian leis for everyone!

They gave me a new macbook!

The last thing I did this trip was visit my friend Anshu Basnal of Cloud Defense. I know I talk about them a lot! They are my friends. 😀 Anyway, I don’t usually get to spend a ton of time with Anshu (he’s a CEO, he has stuff to do), and it was nice he took his entire Sunday to show me around SF and make sure I got to the airport on time. Thank you my friend!

Anshu and me

I’m Joining Semgrep and Bringing We Hack Purple With Me

Image of Tanya Janca wearing a Semgrep T-shirt. She is obviously happy.

Hello my friends! It’s me, Tanya Janca from We Hack Purple, and I am beyond thrilled to announce that we are joining forces with Semgrep to take the world of application security by storm! As the new Head of Education and Community, bringing We Hack Purple community and content with me, we will be offering more free content, events, and training than ever before! 

I am joining Semgrep! I could not be more thrilled!

Let me tell you a little bit about why I decided to join Semgrep. For starters, we share a common goal of advancing application security practices and empowering developers to build secure code. As a company, Semgrep values openness, accessibility, and community, which aligns perfectly with my values and We Hack Purple’s mission. By merging our expertise and strengths, we can amplify our impact and bring about real change in the cybersecurity landscape.

So, what does it mean to be the Head of Education and Community at Semgrep? Well, my role is all about fostering inclusivity, building relationships, and offering valuable resources to both Semgrep customers and the public. In other words, it’s about empowering everyone to learn and grow in the realm of application security. Education and community-building are integral to advancing cybersecurity practices, and I’m thrilled to have the opportunity to lead those efforts at Semgrep.

Some of my new team members!!!!!

One way we’re doing this is through free training programs for Semgrep customers and the public! By offering free resources and training to anyone who wants to learn, we’re helping to close the gap on education and accessibility in application security. We will be working to combine the two communities (We Hack Purple + Semgrep) over the coming months to offer more services, events, content, and fun! We will work to foster a community that shares knowledge, asks questions, and grows together. This is only the beginning of what I hope to accomplish with our collaboration with Semgrep.

Will you please do me a small favour? Sign up for the Semgrep Newsletter. I’m going to be inviting everyone for free training, events, contents, sharing content and more via the newsletter, and I want to ensure you get it. 😀

Tanya

To wrap things up, I want to reiterate the value of community to bring together expertise and experience in the cybersecurity industry. With a united effort like this one between Semgrep and We Hack Purple, we can achieve great things in the realm of application security and empower developers and IT professionals to build secure code with confidence. Stay tuned for upcoming initiatives and training opportunities – we can’t wait to share them with you!

So, until next time, happy coding and stay secure!

Operations First!


Many years ago, when I was a software developer, a very smart boss said to me: “Tanya, it’s always operations first. Projects after.” At first, I was confused, how will I make any progress on my projects if I’m always doing operations? And, what the HECK is “operations” anyway? Reader, this was an incredibly important lesson that has helped me countless times, throughout my entire career.


At We Hack Purple (WHP), we have a rule: “operations first, then everything else”. Operations means all the stuff you already regularly do, that people are counting on you for. For instance, at WHP, every single week there’s a newsletter. If it’s late, our subscribers ask where it is. Subscribers expect it and enjoy receiving it. It is one of the services that we offer, and it’s part of our general operations.

Other examples of WHP operations: running payroll, answering support requests from students in our academy, emails from active clients, accepting/approving new community members, and moderating our online community if someone acts inappropriately. Imagine if my team and I were “too busy” to run payroll, or ensure students could log into their accounts, or to let new people into our community? It would become a huge bottleneck for the business, and WHP would be known for leaving people disappointed.

When I was a software developer, ensuring that all bugs were fixed, customer problems/complaints were addressed, all our apps were up and running, and that my entire team knew what they needed to do (and had the information/access/resources to do it), meant that then I could work on my projects. Ensuring people weren’t waiting on me not only meant I ran a smoothly running shop; it got me promoted. Multiple times!

Examples of Application Security ‘Operations’:

  • Attending project kick off meetings to make yourself known to the team
  • Provide security requirements for all new projects
  • Performing threat modelling sessions, and completing the paperwork afterwards
  • Following up on unfixed bugs
  • Checking in with your security champions, every month
  • Answering questions from… Everyone.
  • Running scans, reviewing scan results
  • Arranging pentests, reviewing results with dev team
  • Reporting up to management
  • Being ready, should a security incident occur

Recently I had a conversation with a client who was trying a new project management methodology, and we were talking about how to best implement it at their org. After about 10 minutes of discussing, I said “What about operations? Sounds like you’re not getting your everyday work done. If you can’t even finish up the close out of a security incident from 6 months ago, you don’t need a new project management system. You need to stop over-allocating the people on your team. Ideally, operations should take somewhere between 25-50% of your time, but it sounds like you have a lot of not-quite-finished work items. Get all that done, then start on new projects. And ensure you save time, every day, for operations.”

Note: it was 25-50% of the time *for her team* and the responsibilities they had, to run operations. For your team it might be higher or lower. When I was a software developer, I was told to never allocate a resource above 80%, because something always comes up. And they were right!

Be prepared: always add 20% to your time estimates for software projects. You’ll thank me.

If your team is supposed to review the architecture for every single software project, and you have allocated zero time for it, how do you think that’s going to go? It’s not going to be good, that’s for sure. It sounds obvious when I lay it out like that, and you might think “I would never do that”, but guess what? I see companies do this ALL THE TIME. And I know I have been guilty of this in the past, not realizing I had done it.

Any security activities that you want to do as part of the system development life cycle (SDLC) are part of your team’s operations. If there are documents to review, meetings to attend, scans to run, whatever, you need to ensure you have the capacity to perform these activities as needed. You can’t say “You must complete this 20-page architecture document, then receive our approval, before you start your coding phase” then proceed to make them wait several weeks for feedback from your team. Or… I guess technically you CAN do this, but it will cause a lot of problems, frustration, and delays for other teams. *Note: I would not recommend this strategy to friends.*

Then my client and I got into a discussion about the 3 ways of DevOps (as per The Phoenix Project and The DevOps Handbook), with the 1st way being “Emphasize the efficiency of the entire system”, the 2nd being “Fast Feedback”, and the 3rd way “Taking Time to Improve Your Everyday Work.” I LOVE DevOps, and in my opinion, The Three Ways are rules to live by if you work in IT.

I know I’ve talked about The Three Ways of DevOps a lot, but they add value in SO MANY situations! I just can’t help myself, they are just SO GOOD.

Unplanned Work: There will always be external forces that you cannot control. A security incident will happen. The big boss decides your team is going to run a tabletop exercise. Suddenly your team is in charge of something it never was before. If you have allocated your team’s resources already at 100%, there’s no space for this. And unplanned work is (unfortunately) a fact of life. One of the things you can do in such a situation is ask ‘the powers that be’ which thing will come off of your plate if you add this new one. If they say nothing comes off, explain that your team is already fully allocated, and that you expect them to start slipping on other projects or operational requirements. At least you warned them, right?

This might not make you popular, but it WILL ensure your projects succeed, on time.

The First Way of DevOps: Emphasize the efficiency of the entire system.

If security teams around the world took this to heart, people would like their IT Security co-workers a lot more. I have heard hundreds of times “We make them fill out all these forms, then we don’t have time to read them.” So…. Did you stop making them fill out the forms? “No.”

If instead the security team adopted the model of “operations first”, they would both 1) make those forms way less complicated and time consuming, and 2) allocate enough time for their team to properly review them, promptly. It is my wish that security teams would look at all the inputs (forms, meetings, documents, and so on) that they ask for from other teams, and then ensure they have capacity to use those inputs to their fullest, in efforts to protect their organizations. This might mean reducing risk, adding additional layers of security, preparing for potential disasters, etc. Security teams demanding that other teams perform work, and then not fully utilizing the work they asked for, makes me very upset. I used to be a software developer, and I have been put through the paces by a lot of management in my time, and I’m quite tired of filling out templates that no one ever reads… And I know I am not the only person who feels this way!

            Tip: whenever possible, make services from your organization self-service. If you can provide all the guidance on a wiki page, do it. If you can create a portal where all the developers can access your toolset for them, do it. If you can set it up so that you already have a pre-existing contract with a pentesting company, and they just need to call and book the dates, do it. This results in saved time, less friction between teams, and operations moving much more smoothly!

A great tip, from me to you!

The Second Way of DevOps: Fast Feedback

I tend to add onto this phrase and change it from ‘fast feedback’ to ‘feedback that is accurate, and gets to the right person/people, fast’. Who cares if the feedback is fast if it never gets to its intended destination? Or it’s completely inaccurate so it sends someone on a wild goose chase? That is not helpful.

This is another area where, if we do ‘operations first’, we will see some big benefits. Whenever a project team asks for feedback from the security team, if we turn that around very quickly it enables the project to finish that part ON TIME. Meaning the rest of the project could potentially also finish ON TIME. Being on time, on budget, and pleasing the customer with the end product, is the trifecta of “this project succeeded”. That’s what we all want, successful projects.

While many teams ask the security team for feedback constantly, there are others who hide stuff from the security team. When other teams hide things from us, it’s often because we take so damn long to provide feedback and/or the feedback we provide is not helpful. I suspect that security teams that gave fast feedback, regularly, would receive more requests. “Hey, we’re planning on doing XYZ, any chance we could run our design by you?” is a sentence I dream about hearing. When the other IT teams come to us, instead of us chasing them around, we have created a trusting relationship!

            Tip: Make a list of all the things your team does. Then split the list into two: projects and operations. Once you have a list of all the operational activities that your team is responsible for, it’s easier to allocate time and resources. You can also then show your boss just how many initiatives your team is supporting for your organization. This creates visibility of your work, which is important when it comes time to allocate budget.

Make your work visible to management.

The Third Way of DevOps: Taking time to improve your daily work.

When I think of The Third Way, I try to apply it not only to MY daily work but also to ‘other people’s daily work that I affect’. If I can take an afternoon to tighten up the configuration on a tool, to remove some false positives it was spitting out, this could potentially affect the daily work for several of my co-workers (usually developers). If I spend 4 hours doing this, but it saves about one hour of time for each of my 100 developers that year, that’s a fantastic return on investment (ROI).

Another way I have applied this principle in the past is by creating 1-page ‘best practice’ documents for various technologies. If one project team is building a serverless app, and I need to give them some guidelines, why not reuse those guidelines next time? Plus, for every new project using that same technology within our org? We could provide it even if they didn’t ask for it; we have the option to provide best-practice information by default. And in my case, as an independent consultant, author, community manager, and public speaker, why not share that research in a blog, conference talk, or book? Why not share this work with as many other humans as possible, so that, as an industry, we can ALL move forward? (You don’t have to think that big, but, as usual, I digress.)

When we are putting operations first, before we work on projects, you might think that The Third Way is not in line with this thinking, but it is! It’s about finding better efficiencies for when we are performing operations. Improving what we do, day in and day out, so we do a better job and/or we can do it faster, from then on. It’s an investment in improving our organization’s operations as a whole, going forward. We are improving our futures.

            Tip: Double your time estimates. A boss told me this long ago, and at the time I thought he was nuts. The idea with doubling your estimate is that 1) technical folks are famous for underestimating how long something takes to do and 2) if you finish early you look like a rock star! This only works if you are the only person to double it though. I once had a boss who doubled my estimate, and his boss also doubled it, and by the time it got to the big boss it looked like it was going to take 6 months for me to make two Windows Forms… That was not so good…

– ME

Back To Operations

Back to the topic at hand: putting operations first. If you are not able to get through your inbox, you probably shouldn’t take on another new project. If you have several other teams waiting on you, for a process that your team is forcing them to go through, you should likely not purchase yet another tool. If you don’t already have your current toolset fully operationalized (for example, having a SAST and SCA scan performed on every PR, as opposed to manually performing one-off scans from time to time), then you are not ready to add yet another security step to the SDLC. If you aren’t meeting your current operational requirements, you cannot (successfully) take on new projects.

            Last tip!  Help your teammates, especially those with less experience and seniority, prioritize and reprioritize their work, often. I’ve seen many people become a bit lost, or feel overwhelmed, because their list has gotten out of hand. Often there are things on the list that you, as their boss, are completely unaware of. Take that stuff off, and go talk to the other managers who are trying to offload their responsibilities onto your team…

– Me, again

If every single day you never finish your work, if your inbox has people writing you multiple times asking the same question because you still haven’t answered, if you feel like you are drowning at work; it’s time to look at your operational capacity, and make sure you haven’t over-allocated yourself or your team. It’s always better to do a fantastic job of your current responsibilities, than to have several unfinished projects and really frustrated stakeholders.

I hope this helps you prioritize your daily work.

You Do Not Need to do DAST in a Pipeline to do DevSecOps

Image of a monkey that is surprised to learn you do not need a DAST in your CI/CD to be doing DevSecOps. We were all surprised!

I want to get something straight: you do not need to put a dynamic scanning tool into your CI/CD pipeline in order to do DevSecOps properly. You don’t even necessarily need to use automated dynamic analysis at all, to be doing DevSecOps.

A Small boy is surprised.
Photo by Xavi Cabrera on Unsplash

I do regular consulting via IANS Research and quite often I find myself assuring clients that “Yes, what you are doing makes perfect sense. You are covering all of your bases. In fact, you’re doing a GREAT JOB.”

So why the mystery? Why the uncertainty? Let’s dive a little deeper.

What IS Dynamic Analysis?

Dynamic (when referring to a system, not a person) means constant change, activity, or progress. When we perform dynamic types of testing on a technology system, that means interacting with it as it is running. This could mean using live software, that is hosted on a web server, or a smart fridge that is turned on, with real food inside of it.

Surprised Monkey
Photo by Jamie Haughton on Unsplash

Dynamic testing can be performed from within an application, which is what IAST (Interactive Application Security Testing) products promise: testing your running app from the inside out. More commonly dynamic analysis is performed from outside the application, often with a web proxy, an automated DAST (Dynamic Application Security Testing) tool, or manually with a web browser or direct calls to the system (such as API calls).

Some of the advantages of dynamic analysis include: you get to see how it actually works, you can discover if some of the behaviours are not what you were planning from a business perspective, you could try to find business logic issues (which are often caused by design flaws), and you can validate whether a vulnerability found by an automated tool is exploitable (or not).

A DAST (Dynamic Application Security Testing) tool is generally considered a software product that scans web applications and APIs for vulnerabilities, (generally) performing both active and passive scans. It works in a completely automated way, such that you do not need weeks, months or years of training to be proficient with it. Sometimes DAST tools are also called a VA (vulnerability assessment) scanner or a ‘web app scanner’.

Me

The most obvious disadvantage of dynamic testing is that you can’t see the code. This is often called black box testing, where you don’t get to know the design, the functionality, or anything else about the application before you perform your test. Being able to see how the code works, or a network or architecture diagram, can help someone with a malicious mindset find more vulnerabilities faster.

A web proxy is a software product that can be used for manual, dynamic, security testing. Penetration testers often use web proxies while testing APIs and web applications. Sometimes products combine both the DAST and Web Proxy functionality into one product, and, unfortunately, those are often called a DAST or Web Proxy, as though the terms are interchangeable, which leads to more than a little confusion.

Also me

Other disadvantages of dynamic testing are that there are a whole bunch of different types, and sometimes it gets confusing. When using an automated DAST scanner, pretty much anyone could operate it (this is an advantage). This means that the bar to entry is very low, and you don’t have to hire an expert, which can be expensive, and it can also be quite difficult to attract that type of talent on a permanent basis. That said, automated dynamic scanners, when operated by someone without very much training, can result in bad data being injected into your database, not testing your entire attack surface, inability to talk directly to APIs, and more. Although it’s wonderful to have this automated functionality scanning legacy apps, and finding lots of old bugs in your ancient code, for more modern apps… Some automated DAST tools leave a lot of untested attack surface behind.

It should be noted that each DAST and each web proxy product works differently. Some have great scheduling automation options, some don’t. Some are only able to automate passive scanning, while others can do both active and passive scanning. Not all options discussed in this article are available for all products.

Me, based on comments from my friend Rick

This brings me to penetration testing. Penetration testing usually involves a whole bunch of tools, an entire toolbox, if you will. It also generally involves at least one extremely skilled security testing expert. They manually test the application by using a series of tools (some automated, some not), to find as many bugs as possible, then validate each one’s exploitability. They only report what they feel to be legitimate business risks, vulnerabilities, or other issues that they feel could hurt your system, your business, your employees, users, or customers. Just the important stuff!

But there are more types of dynamic testing than just automated DAST and PenTesting, and all of them count under the giant umbrella of the term dynamic. Performance testing, stress testing, DDoS testing. All of those are dynamic, they interact with your application to find out if there are problems you should be aware of.

Photo by Darius Bashar on Unsplash

In addition to the traditional DAST scanners, there are newer fuzzing and dynamic scanners that are created only for APIs (application programming interfaces), and they are looking more and more promising every month. In 2020 and 2021, several new API companies came on the market, with amazing new products. A lot of them offer dynamic forms of analysis that are different from anything I had seen before.

One of the examples I saw recently, in San Francisco as part of the RSA festivities, was an IDE plugin that would allow the developer to fuzz each one of the fields within their API, in an automated fashion. Fuzzing means adding in all sorts of bad input, to test the input validation of a system. The person demoing it for me, Isabelle Mauny, showed me how it could look at the API definition file, then automatically generate tests for you. Holy smokes, nothing like that existed when I was a dev!
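The “read the API definition, then generate the tests” idea described above, as an added example: this is not the plugin that was demoed, nor 42Crunch’s code. It assumes a constructed OpenAPI parameter list for a hypothetical GET /orders operation, a constructed valid base request, and a constructed stand-in handler (with one deliberate gap) in place of a real service.

```python
"""Generate negative test cases from an OpenAPI parameter list and check
that a handler rejects each of them.

Added example for this post; it is not the IDE plugin the author saw, nor
code from 42Crunch. The parameter list, the valid base request and the
handler below are all constructed for illustration.
"""

# Constructed OpenAPI parameters for a hypothetical GET /orders operation.
PARAMETERS = [
    {"name": "page", "in": "query", "required": True,
     "schema": {"type": "integer", "minimum": 1, "maximum": 1000}},
    {"name": "status", "in": "query",
     "schema": {"type": "string", "enum": ["open", "shipped", "closed"]}},
    {"name": "customer", "in": "query",
     "schema": {"type": "string", "maxLength": 32}},
]

# A request that satisfies every parameter; each negative case changes one thing.
VALID_REQUEST = {"page": 1, "status": "open", "customer": "acme"}


def negative_values(schema):
    """Yield (label, value) pairs, each violating exactly one constraint in `schema`."""
    kind = schema.get("type")
    if kind == "integer":
        yield "not-an-integer", "abc"
        if "minimum" in schema:
            yield "below-minimum", schema["minimum"] - 1
        if "maximum" in schema:
            yield "above-maximum", schema["maximum"] + 1
    elif kind == "string":
        if "maxLength" in schema:
            yield "too-long", "A" * (schema["maxLength"] + 1)
        if "enum" in schema:
            yield "not-in-enum", "not-a-documented-value"


def generate_cases(parameters, base=VALID_REQUEST):
    """Build one request per negative case, as (label, request dict) pairs."""
    cases = []
    for param in parameters:
        name = param["name"]
        if param.get("required"):
            without = {k: v for k, v in base.items() if k != name}
            cases.append((f"{name}:missing", without))
        for label, value in negative_values(param["schema"]):
            cases.append((f"{name}:{label}", {**base, name: value}))
    return cases


def handler_accepts(request):
    """Constructed stand-in for the service's own input validation.

    It checks everything except the documented `maximum` on `page`, which is
    the kind of gap the generated cases are meant to surface.
    """
    try:
        page = int(request["page"])
    except (KeyError, ValueError):
        return False
    if page < 1:
        return False
    if request.get("status", "open") not in ("open", "shipped", "closed"):
        return False
    if len(request.get("customer", "")) > 32:
        return False
    return True


def find_gaps(parameters, accepts=handler_accepts):
    """Labels of negative cases the handler wrongly accepted (ideally empty)."""
    return [label for label, req in generate_cases(parameters) if accepts(req)]


if __name__ == "__main__":
    print(find_gaps(PARAMETERS))  # ['page:above-maximum']
```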

Image of indigenous people, programming
Photo Credit #CIRA

I’ve also seen some really amazing functionality involving monitoring for data that is being exfiltrated (watching for potential data breaches). A regular web application firewall can be configured to watch for unusually large HTTP responses (think: a whole heck of a lot of data, way more data than makes sense). And that can be quite helpful. However, some of the web application firewalls made for APIs, or another monitoring product made for APIs, can watch for when you have made a grave error in your access control. They can check to see if perhaps the request that you created has brought back more records than it should have, or different fields that were not expected to be brought back. With the biggest threats to APIs (according to the OWASP API Security Top Ten) being broken authorization at all levels, that’s some pretty spectacular coverage. Although this is more of a shield, than a dynamic test so to speak, we have to choose what reduces business risk the most, and this might protect you from a myriad of issues that an automated tool would likely miss.


Other nifty dynamic functionality that is made only for APIs include inventory tools. Often, they perform active (sending their own test requests) or passive (checking requests and responses for security problems, but never sending their own requests) dynamic scans at the same time they perform inventory, telling you immediately if they spot something new that might be a problem in your API. They can find all your APIs, including some that you thought were decommissioned months or years ago! I personally find this to be an extraordinary step forward in making sure that you have complete tooling coverage of your application portfolio. When I started in AppSec, I would never have imagined that I could have tools that could stop an error within just a few minutes of it being released into prod!
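The two capabilities described above, an API monitor that flags oversized responses, unexpected fields and too many records (the access-control checks two paragraphs up), and a passive inventory that notices traffic to endpoints the spec does not list, as one added example. It is not code from the original post or from any vendor’s product; the OpenAPI fragment, the observed traffic records and the 64 KiB size threshold are all constructed.

```python
"""Passive API monitoring against an OpenAPI description.

Added example for this post; it is not code from the original article or
from any vendor's product. The OpenAPI fragment, the observed traffic and
the size threshold are all constructed for illustration.
"""
import json
import re

# Constructed OpenAPI 3 fragment: the only two operations this hypothetical
# service is documented to expose.
OPENAPI_SPEC = {
    "paths": {
        "/users": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array",
                       "items": {"$ref": "#/components/schemas/User"}}}}}}}},
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/User"}}}}}}},
    },
    "components": {"schemas": {"User": {
        "type": "object",
        "properties": {"id": {"type": "integer"}, "name": {"type": "string"}},
    }}},
}

# Constructed request/response records, as a passive monitor would see them.
TRAFFIC = [
    {"method": "GET", "path": "/users/7", "query": {}, "status": 200,
     "body": '{"id": 7, "name": "Ada"}'},
    # A serialisation or access-control mistake leaks a field the spec never lists.
    {"method": "GET", "path": "/users/8", "query": {}, "status": 200,
     "body": '{"id": 8, "name": "Bob", "password_hash": "<redacted>"}'},
    # The collection endpoint returns more records than the caller asked for.
    {"method": "GET", "path": "/users", "query": {"limit": "2"}, "status": 200,
     "body": '[{"id": 1, "name": "a"}, {"id": 2, "name": "b"}, {"id": 3, "name": "c"}]'},
    # A forgotten endpoint that is not in the inventory, returning a very large body.
    {"method": "GET", "path": "/admin/export", "query": {}, "status": 200,
     "body": "x" * 70_000},
]


def resolve(spec, schema):
    """Follow a local '#/components/schemas/...' reference, if the schema is one."""
    ref = schema.get("$ref")
    if not ref:
        return schema
    node = spec
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def compile_routes(spec):
    """Turn each documented path template and method into (regex, METHOD, schema)."""
    routes = []
    for template, operations in spec["paths"].items():
        # Templates here contain no regex metacharacters other than the {param} braces.
        pattern = re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")
        for method, op in operations.items():
            schema = op["responses"]["200"]["content"]["application/json"]["schema"]
            routes.append((pattern, method.upper(), resolve(spec, schema)))
    return routes


def allowed_fields(spec, schema):
    """Return (is_list, documented property names) for a 200 response schema."""
    if schema.get("type") == "array":
        return True, set(resolve(spec, schema["items"]).get("properties", {}))
    return False, set(schema.get("properties", {}))


def inspect(spec, routes, record, size_limit=64 * 1024):
    """Return the findings for one observed request/response pair."""
    findings = []
    if len(record["body"]) > size_limit:
        findings.append("oversized response")
    route = next((r for r in routes
                  if r[1] == record["method"] and r[0].match(record["path"])), None)
    if route is None:
        # Inventory finding: traffic to an operation the spec does not describe.
        findings.append("undocumented endpoint")
        return findings
    if record["status"] != 200:
        return findings
    is_list, allowed = allowed_fields(spec, route[2])
    data = json.loads(record["body"])
    items = data if is_list else [data]
    limit = record["query"].get("limit")
    if is_list and limit is not None and len(items) > int(limit):
        findings.append(f"{len(items)} records returned for limit={limit}")
    for item in items:
        extra = set(item) - allowed
        if extra:
            findings.append("undocumented fields: " + ", ".join(sorted(extra)))
            break
    return findings


def scan(spec, records, size_limit=64 * 1024):
    """Run every record through inspect(); results keyed by request path."""
    routes = compile_routes(spec)
    return {r["path"]: inspect(spec, routes, r, size_limit) for r in records}


if __name__ == "__main__":
    for path, findings in scan(OPENAPI_SPEC, TRAFFIC).items():
        print(path, "->", findings or "ok")
```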

On top of this is WHERE you can do testing with all of these cool new dynamic tools. You can test directly in the IDE (integrated development environment), AS YOU WRITE YOUR CODE! That’s amazing, and the furthest ‘left’ security could ever push from a tooling standpoint. Some of them can be run nightly, or even continuously, in your production environment. When I started in AppSec, I had to manually run every single scan for dynamic tests. Now I can ‘set it and forget it’, only receiving reports when it finds new bugs. It’s a security nerd’s dream come true!

Image of indigenous person, finding a bug in his code
Photo Credit #CIRA

This leads me back to the title of this blog post: you truly do not need to run an automated DAST product in your CI/CD to say you’re doing DevSecOps. It is NOT a requirement! You can run all sorts of different types of dynamic tools, in several different places (IDE, against prod and pre-prod, continuously in prod, or CI/CD), and still do a great job and have excellent coverage. The key with DevSecOps is ensuring whatever you do follows the processes of the DevOps folks where you work and that it works within the Three Ways of DevOps (providing fast feedback, optimizing efficiency for the entire system, and aiming for constant improvement and learning).

If the way you run your tools slows down the pipeline for everyone, that’s not a win. If the tools you choose don’t get you good coverage, that’s not a win. If the tools you have report a lot of false positives, that’s never a win. Instead of trying to follow what the vendors and marketing materials tell us, focus on finding what creates the best results for YOUR org. Every dev shop is unique, and thus your security program will be too!

Potential alternatives to running an automated DAST in your CI/CD:

  • Automating a DAST to run monthly, overnight, receiving an email in the morning: set it and forget it!
  • Focusing almost exclusively on static forms of analysis (SAST, SCA, code review, secret scanning), and then pentesting the important apps once a year (pentesting is a form of dynamic testing)
  • Move towards a micro service architecture, where the front-end GUI is dumb (no business logic) then, when you’re ready, switching your old toolset for modern API-specific tooling, plus continuing with static and other forms of testing.
  • Use DAST manually, but only for legacy monolithic apps (think of it as backwards compatibility), PenTest the 2-5 most important apps, then use API tools for dynamic testing of APIs, plus (continuous) monitoring and inventory for extra coverage.
  • Ditch all dynamic testing, and just do static forms of testing (only recommended if you have a limited budget and you only have time and money for one tool, and for some reason do not want to use free DASTs).
  • Install an IAST tool into all of your apps, and use it in pre-prod environments and/or prod environments. Then you could skip DAST, or just PenTest the important apps, on top of the IAST.
  • PenTest everything, once a year (most expensive option, and certainly not the best, but I’ve seen it)
  • PenTest just your 3-5 most important apps then cross your fingers for the rest of them (not recommended, but more popular than you might think!)

None of the above options include non-tooling activities and support you can provide, which I always recommend in addition to tooling!

  • Training (secure coding, how to use security tools, secure design, threat modelling, etc.)
  • Security best practice instructions for each type of technology
  • Architecture and design review
  • Threat modelling
  • Security requirements for every project
  • Security Champion programs

I could go on forever! There are many other ways than just buying tools to support a secure system development life cycle (S-SDLC or SSDLC).

All of this aside, try not to let yourself get too caught up in what you read on the internet (this blog post included) and instead focus on what you and your team feel gets you the best coverage, fits your budget, and works WITH the developers and the processes they use. If you’re really struggling, it might be time for a change.

Safety at #HackerSummerCamp

Image of Tanya saying "Ask me anything AppSec"

A few years ago, I wrote a blog post, Hacker Summer Camp 2019, about how to stay safe at #HackerSummerCamp (Def Con + Black Hat + Diana Initiative + B-Sides + everything else that week in Vegas). I made a video to add more details, clarity and ideas on how to have more fun and make more friends. You can watch it below!

Video about how to stay safe and have fun at Hacker Summercamp

Trip Report for B-Sides SF and RSAC 2023 San Francisco

Tanya at RSAC 2023

As you might have been aware if you read my blog, I spoke at B-Sides San Francisco and RSA Conference 2023, and it was GREAT! Below is a report about my trip, and all the wonderful people, places, and activities I saw and participated in from April 21-28, 2023.

B-Sides SF:

Breakfast with wonderful people! Ashish and Shilpi

April 22: I flew into San Francisco late on Friday the 21st, to wake up on Saturday to have breakfast with my two friends Ashish Rajan and Shilpi Bhattacharjee, the hosts of the Cloud Security Podcast (which obviously you need to subscribe to if you work in that field. Right now. Don’t worry, I’ll wait.)

Shilpi Bhattacharjee, Ashish Rajan, me, and COFFEE

During breakfast we filmed a ridiculous little video for our panel event with Snyk on Tuesday of this week, you can see it below.  I then went to B-Sides San Francisco and saw a LOT of amazing talks.

We also recorded an episode of their podcast together!!!!

Amazing talks that I saw at B-sides:

Ashish Rajan and Tanya Janca

I realize that if you’re a regular viewer of The Cloud Security podcast you might not recognize Shilpi, that’s because she’s generally behind the camera, as the producer of the show, but she is an equal partner in all the content the show creates. Plus, she’s wonderful! 

I also got to see a lot of great people at B-sides SF, including Jason Haddix and Lock Pick Extreme!

Jason Haddix
Lock Pick Extreme

Then I attended even more talks at B-Sides SF that were really good, and then finally came the time to give my talk. Being the very last talk, but not a keynote, at a 2-day-long event, is a hard time slot, but some people still came to it anyway. Here’s a link to a video of my talk, ‘Secret Hunting’, and a link to the corresponding blog post.

I also was interviewed by Buu Lam of F5 in the lobby of the AMC where B-Sides was held, video below. You all know how much I adore Buu!!!! It’s a fun interview.

RSAC 2023

Monday April 24

This morning I had a private meeting for work. Although I can’t tell you about it, being able to shake hands with someone, in person, with whom you are going to do some serious work, is a pretty amazing feeling in this ‘post-covid’ world.

Diversity Executive Women's Lunch, Microsoft

At lunch time on Monday, I went to the Microsoft Hub to be on a panel at an event called Women’s Executive Lunch. I usually say no when conferences invite me to be on this sort of panel, because if everyone else is on all the other stages talking about AppSec, and the whole conference is about AppSec, I don’t want to be the side show. I want to be on the main stage, talking about the main topic. I also don’t want to be known as “a woman in tech”, I want to be known as an expert in application security, which is what I am. Being female should be secondary (or not important at all), or at least that’s what I would prefer when it comes to my career and professional reputation. When everyone else is talking about a technical topic, I don’t want to be off topic. I also don’t want to talk about something that no one came there to learn about; most people don’t buy a ticket to a technical conference in hopes to learn about ‘women in tech’. I also think that most of the people at a conference who would come to such a talk are already on board with the whole “turns out women deserve the same rights as men” thing, and thus we are preaching to the choir. The people who need to hear it aren’t going to choose to go to that room. They are going to skip it.

Diversity Executive Women's Lunch, Microsoft

But when Microsoft asked me to address a group of women and allies, at an event aimed only to help, support, and promote women in tech, I jumped at the chance. To me, this is completely different to what I described above; we were there to try to provide answers, assistance, and encouragement, at an event dedicated only to this topic and cause. And that, my friends, is very much in line with my beliefs and what is important to me.

I got a hug from Ann Johnson! You are jealous!

Also: I suspected that if I attended that I might get another hug from Ann Johnson (#careeraccomplishment). AND I DID!!!!!  Note: last time I got a hug from Ann was when I won “Hacker of the Year” 2019, in Vegas as part of hacker summer camp. You need to be particularly amazing in order to earn this privilege. #worthit

Not only was Ann Johnson on the panel, but also Lynn Dohm (Founder of WiCYS), Vasu Jakkal, and Aarti Borkar (moderator)!

Diversity Executive Women's Lunch

After the panel was over, I had to run over to #DevOpsConnect stage, run by TechStrong, a track at RSA dedicated only to DevOps, DevSecOps and other AppSec nerding, topics that are right up my alley. I was on right after DJ Schleen, and other amazing humans who presented on that track the same day, including Caroline Wong and Shannon Lietz.

My talk was about what software developers should do when there is a security incident, when to call the Incident Response (IR) team and how to not ruin evidence, plus please-don’t-think-you-are-saving-the-day-when-really-you’re-creating-a-big-mess. It went pretty well, despite me being a sweaty mess from running across SF to get there on time! Although there’s no live recording of it, WHP has a course about it in the academy.

Incident Response for Developers
Incident Response for Developers, on the #DevOps Connect Stage

After that I had another work meeting, but then I got to have some fun: I had the chance to meet with my friend Isabelle Mauny from 42Crunch. She’s the founder of her company, but also, in my opinion, someone who really wants to help developers create more secure APIs. She’s very dedicated to this topic, and if you’re interested in securing your APIs, following her is a great idea. You can see a past presentation she did for WHP here. She’s also going to be on the We Hack Purple podcast soon, don’t miss it!

After that, I went to the RSA Speaker’s dinner in hopes of meeting up with my dear friend Vandana Verma. Although I ended up missing her (I showed up late, my bad) I DID have the chance to run into Jessica Robinson, Chris Romeo (of Security Journey and AppSec podcast fame) and Kim Wuyts, who you may remember I met for the first time in Dublin, Ireland earlier this year at OWASP Global AppSec 2023. She gave an amazing keynote about threat modelling privacy, and made me think of ‘building privacy in’, in a whole new way.

Kim, Chris and me in Ireland

Tuesday April 25

Tuesday started off with a ladies’ breakfast for the Forte Group. Forte is a non-profit made up of women CISOs, CEOs, and startup founders. Chenxi Wang and a few of us started it just after covid began, because we wanted to hang out with other amazing women. Chenxi changed it from “Friday afternoon happy hour” into a vibrant community of incredibly powerful women from our industry, who share knowledge and support each other. Forte Group has helped my business and my career immensely, and it’s also been quite a bit of fun. Hats off to Chenxi and the rest of the board members for working very hard to help lift other women up. ALSO, breakfast was a blast!

Forte Ladies Breakfast

After the first breakfast I went to my second breakfast event of the day, which was sponsored by Semgrep and Tromzo, where I got to see lots of familiar and wonderful faces such as Jim Manico and Robert Wood of The Soft Side of Cyber. The restaurant served us food that was very pretty and fancy, but it contained almost no calories… Glad the ladies’ breakfast actually fed me… Being a small company owner, I am always on the hunt for free food, lol.

After that I did a quick sound check for an event, then went to the Mend Booth to do a book signing… Except my books were nowhere to be found! I was so embarrassed, there was some sort of shipping error. Instead, I interviewed their CEO Rami Sass live, and then we recorded another one and released it on social media. Despite the mix up, we ended up having a really good time, plus they gave me a few blog post ideas, we made fun of SBOMs (why didn’t the USA executive order demand that people verify if their dependencies were vulnerable? Or document transitive dependencies too? It felt so underwhelming…), and I now have several MEND water bottles!

Caroline Wong, Ashish Rajan, and Tanya Janca, international nerds of mystery

From there I went on to my panel for #Snyk with Caroline Wong and Ashish Rajan! You can watch the video of us here: You can see how stylish we are and our amazing chemistry in the image above! Shilpi was behind the camera, ensuring we looked and sounded our best.

If you think this day didn’t have enough action… Then I went to the IANS Faculty Party! I’m a member of the IANS Research faculty, where I work with such amazing humans as Nicole Dove, Olivia Rose, Mick Douglas, Shannon Lietz, Wolfgang Goerlich, Jake Williams, and… Well, you get the picture. Lots, and lots, and lots of amazing humans are part of the faculty, plus the staff are wonderful. We got to have a few drinks and chat in person, which is a change from our usual Slack channel conversations that scroll off the screen. It’s always a pleasure when I have a chance to see them. No photos from this event.

After this I was supposed to attend another party where I was finally going to get to see my friend Vandana, but instead I ordered tasty Asian food from some app on my phone (I was in San Francisco, after all) and stayed in. I had a big day to get ready for. Plus, my legs hurt from climbing one of those famous San Francisco hills…

Wednesday April 26

This morning started with another women-in-tech breakfast, but smaller and only Forte ladies. I then went to film an interview with TechStrong that you can watch here.

Clint Gibler and I presenting at RSAC!

From there I went to yet another sound check, then did my “Adding SAST to CI/CD, Without Losing Any Friends” workshop for RSAC with my friend Clint Gibler. We joked around, talked about static analysis, and made Semgrep find a lot of bugs in OWASP Juice Shop. It was a total blast! And… we’ve been accepted to give it again this summer at B-Sides Las Vegas! If you missed us at RSA, don’t worry, you can still see it at #HackerSummerCamp.

Book signing of Alice and Bob Learn Application Security

From there I did a book signing at the RSA Bookstore, had more private meetings, then had the absolute pleasure of spending dinner and the rest of my evening with my friend Laura Bell of Safe Stack. Below is a picture of us being silly.

Thursday April 27

Me on the humongous stage!

Today was the big day, THE DAY I KEYNOTED #RSAC. I remember when they sent the invite for me to be the keynote. I thought “Is this a mistake? Did they mean someone else?” But no, it was me!!!!! I was supposed to do all sorts of things that morning (sorry if I missed you!), but instead I practiced my talk over and over again. Before I went on, the backstage crew asked me multiple times: “Are you nervous?” They asked so many times that I started to become nervous. Before I went on, I thought to myself “Just be yourself. Talk passionately about this because this is very important to you. Tell stories. Be real. It will be fine.” And it was fine! Moreover, it was better than fine. People laughed when they were supposed to laugh, and didn’t when they weren’t supposed to. The recording is below (plus give me a thumbs up if you watch it on YouTube). In addition, here’s an article someone wrote about it, with a summary of all the points I made.

DevSecOps Worst Practices, Tanya Janca, RSAC 2023 Keynote

From there, I floated on a cloud to the AppSec Village, of which We Hack Purple is a proud sponsor, to sign copies of my books and give away more stickers. Video below of Liora and me! AppSec Village was founded by Erez Yalon and Liora Herman, and if you’re going to be at DEF CON this summer you should definitely go check it out! I plan to be there.

The #appsec village at #rsac is amazing and you should definitely check it out!!! Meet Liora, one of the founders!

AppSec Village!

After the AppSec Village hangout, I did something called a “Birds of a Feather” event with RSA. Many of us met to discuss how to create a more positive DevSecOps culture, getting buy-in for fixing bugs, and “please don’t turn off my tools!!!!”. It might sound unusual, but I love situations where I get to learn from the audience. When people ask questions, or tell me “At our office, we do this, and here’s why”, I love it. If you have a chance to attend one of these, you should. I know that *I* learned a lot.

Then I went to see Taylor Armerding of Synopsys, and he interviewed me about my keynote. Taylor and I have been in touch for years, but I hadn’t seen him in person since before covid, so it was nice to catch up! You can see it below.

After that I got to have dinner with my friend Anshu Bansal of CloudDefense.ai, who was recently on the We Hack Purple Podcast; see his episode here. I’ve been an advisor at Cloud Defense since it was a drawing on the back of a napkin, and I cannot tell you how proud I am of Abhi Aroura and Anshu, the two founders, whom I am proud to call my friends!

To finish off my trip, I had a We Hack Purple in-person meetup! We drank bubble tea and traded stickers and stories! Below is a pic! I also FINALLY had a chance to spend some time with my wonderful friend Vandana Verma, who had flown in all the way from Bangalore, India!

We Hack Purple Meetup! When I finally got to see Vandana!

Throughout all the events I listed, I also had several private business meetings. Some were great, some okay, and some did not go very well at all. I didn’t bother documenting them all here, but there were 28 meetings and events in total, plus a few surprise things that got added last minute. All in all, I would call this a very successful trip!

Friday April 28

This was supposed to be the easiest day of my trip. I was just supposed to get up and fly home, but it ended up being quite stressful. I had a mishap with my ride-share (which took 30 minutes to show up), and then another mishap waiting for security (watch out for the sign in SFO airport that says both “Clear” and “TSA-Precheck” on it with an arrow indicating to wait for those two security options there. Except that it turns out that the line is only for Clear, and people from Canada/TSA-Precheck need to somehow read the minds of the airport staff and understand that is not where TSA-Precheck passengers are supposed to wait….????? And it’s actually over 100 meters away so you cannot possibly see the real line??!?!?!). While I was doing this, I was also attempting to negotiate a business deal on the phone, with someone who wouldn’t take no for an answer. I ended up running (literally) through the airport, having a lovely woman recognize me from my keynote and let me jump in front of her in line (thank you, wonderful mystery lady!), and then somehow I just barely managed to get onto my plane to Vancouver before it took off.

Poster for one of my talks

After that ‘excitement’ was a 4-hour layover in Vancouver, with more phone calls and emails and negotiations, before I gave up on trying to get work done and called my bestie for advice on “how to say no more forcefully” (she suggested I record a video of me laughing rudely and email it to the person, but I decided that was likely not the most mature response… Instead, I politely replied “no thank you”, again). Then I decided to relax and call my mom to say hi, before taking my plane ride back to Vancouver Island, then one more hour to drive home from the airport. I was POOPED!

Me, at B-Sides SF

I kept this last bit in about Friday because I don’t think people understand how un-glamourous the life of a CEO-of-a-small-company and/or person who does public speaking for a living can be. Answering emails into the evenings, taking several calls in-between flights, literally running from event to event, posting the #cybermentoringmonday thread to Mastodon (because it cannot be automated, but I still really want to engage with that community) while in line at a café in the airport, hoping I can get both a latte AND catch my flight… And I’m not telling you the half of it.

When people thank me after I give a talk. When people carry my book onto a plane with them, to bring it to a conference to ask me to sign it. When people tell me how my mentoring program, blog, talks, or any other work I have done has helped them. THAT is what makes every single minute of hard work worth it. When I find out I helped someone find a new job, when they really needed it. When I hear a woman had the courage to ask for a raise, and she got it. When I hear that a company has changed the way they secure their apps, for the better. All of this makes my cup overflow. Thank you for reading about my trip. <3

#WeHackHealth Getting Better Sleep

Tanya building garden beds

If you’ve been following the #WeHackHealth hashtag, quite a few people who work in the field of information security have been sharing health tips, encouraging each other to focus on their own health, and showing progress reports on their efforts. Several people I know have been following it closely, participating, and reaping the benefits of this wonderfully positive movement. Started by @HackingDave, this use of social media to encourage others to live healthier lives is something I have been wanting to contribute to for quite a while, but I wasn’t sure quite how I could add value. That is, until my most recent trip to San Francisco for #RSAC 2023!

A summary of this blog post is available in PDF format here.

Tanya, posing with her freshly planted seedlings.

I’ve been struggling with poor sleep since my teens (that’s 30 years, for those who enjoy math). During my 20’s I used to stay up until at least 1:00 am most weeknights, then get up at 6:30 to 7:00 am to go to work. The weekends were worse. I was part of the local music scene in Ottawa, playing at live music clubs several times a month, and would often be out until 2:00 am, 3:00 am, or even later on the weekends. Sometimes my fans would wait until the club closed (2:00 am), I would put my drums/guitars/whatever back at my place, then they would take me out to dinner, at 3:00 am. This whole time I worked full time as a software developer as well, doing the 9-5 routine. My thought was “If I’m not going to be asleep anyway, why bother lying in a bed being bored when I could be out having fun instead???” In my early 30’s I was slightly less ridiculous, until I met a doctor who asked me what my “sleep hygiene” was like. I had no idea what that was. He suggested that if I got better sleep it could help with other issues I was having, and I set upon a path to get better sleep.

To be quite clear: I walked around like a complete zombie until around 11:00 am every day. I was on auto-pilot, and since I found coding easy and fun… It didn’t bother me. I zoned out, into the code, and worked until lunch…. I can’t imagine how I must have seemed to my co-workers, half asleep, trying to get work done. I must have looked a mess.

Sleep-deprived-Tanya

Before I get any further down this path, I’d like to inform you that I am not a doctor. I’ve never been to med school, or studied medicine in any way. In fact, I’ve never even played a doctor on TV (I know, so lame!). You should not take any of this as official medical advice; this is just what I have learned through lots of (non-professional) research, trial-and-error, and personal experience. Please talk to your doctor before trying anything with an asterisk (*) beside it. Most of this stuff is harmless, but I will put the little * if I think you should ask your doctor first. Feel free to ask your doctor about anything anyway! In summary: I am definitely not a doctor, but just a regular person who hopes sharing her sleep journey might help you get better sleep.

WTF ‘Sleep Hygiene’?

Sleep hygiene means setting a time to wake up and go to sleep, every single day, and sticking to it. If you have children, or remember being a child, they usually have a “bedtime”. For some reason, as we become adults, we tend to throw this idea away. I told the doctor who suggested it that I never slept anyway (literally 2-3 hours a night, but sometimes as much as 5 hours. Yay?) but he insisted I try it for 3 straight months, and I thought “WTF not?”.

His instructions: go to bed and wake up at the exact same time every single day, weekend or weekday. Give yourself 9 hours or more. Do not deviate, even if there’s a “super cool party”. * I might have asked if it was okay to skip this for parties and he gave me a serious frowny-face…

For the next 3 months, I went and lay in my bed at 11:00 every night, and forced myself to get up at 8:00 every morning. I did not think it would work. But it was SUCH A GIANT IMPROVEMENT (after a few weeks of being diligent). I did more than just this, but I started sleeping more hours. And for the first time, I started to feel drowsy around 11:30. And my other health condition improved noticeably. #WIN

Caffeine, Addiction, and Timing

Caffeine is a drug that a large portion of North American adults are addicted to, but it doesn’t have to be this way. I’ve had lots of friends who drink several coffees a day (multiple pots, in fact); they can’t sleep, but they also tell me “It doesn’t really affect me”. If caffeine doesn’t affect you, why are you always consuming it? This does not add up.

If you feel really tired, sleepy, or have ‘brain fog’ later in the day, it might not be that you are genuinely tired; it *could* be that you are having caffeine withdrawal. Once I stopped having caffeine, I noticed I didn’t need it anymore. I had almost no caffeine (just decaf tea or herbal teas) for a few years, and felt way better. I do drink it now though, but I stop early afternoon, no matter what.

If you love coffee, tea, diet cola, or whatever, that’s okay. But you need to only consume it at certain times if you’re having sleep issues. If you work the regular 9-5, I suggest no more caffeinated drinks after lunch, or just have decaf from then on. I personally don’t usually even have decaf past 1:00 pm (there is caffeine in decaf drinks, it’s just less!), but you can find your own rhythm that works for you.

Lowering the Lights (Dimmers are the best!)

I read a book called “The Primal Blueprint” by Mark Sisson, and I loved it (and yes, I eat paleo and do all the stuff he says). Then I did what I always do, and read every other thing the author ever wrote. “The Primal Connection” is a book about reconnecting with our bodies and nature, and one of his suggestions was lowering the lights, and removing blue light, when the sun sets.

You can get dimmer switches and change out a bunch of the lights in your house or apartment for a couple hundred bucks (I know, not cheap!) but I have found it worth the expense. If you have LED or CFL lights, it’s important you buy the ones that are dimmable and “warm” temperature, otherwise they will flicker and be really annoying, or make a buzzing sound (also annoying). I walk around the house at a certain time and lower the lights. Everyone in the house starts chilling out. I usually do this around 9:00 pm, but do what’s best for you.

Also, I don’t mean walk around in the dark. I mean turn them down to 70% or 60%. So that you feel a bit relaxed. It will make sense over time which amount of dimming is best for you.

Amber/warm versus bright blue daylights

When you buy lightbulbs, lots will say “bright white”, “daylight”, or “blue white”. Those are great for an office, bathroom, or your kitchen, where you want to be fully awake and alert.

Some lights will say “warm” or “amber”. They are great for your bedroom, living room, dining room, or anywhere you want to relax and wind down.

I typically use these to try to get myself more awake, or more relaxed to wind down for bed. If I work late in the living room we have a special extra light that my partner set up, to help me concentrate on my writing. It works like a charm!

Blue lights/screens

TV and phone screens often come into our bedrooms with us. All of them are able to display most colours, including blue, which tells our brain “WAKE UP IT’S DAYTIME”. There’s a setting on your phone where you can have it slightly dim the screen, and remove most of the blue light, when the sun sets. Doing this will help you sleep, and you can automate it easily.

For televisions, this is harder. I’ve seen people who buy funky orange-lensed glasses and wear them in the evening to remove the blue light themselves, but I am not personally a fan. If you watch TV via a computer/stream, some of them have settings that allow you to change and remove the blue, but not all. I used to have a Raspberry Pi that did this for me, but I just got a Roku and I’m not sure if I can do that with it yet. Check your own devices to see if you have this option.

Complete Darkness

Sleeping in *complete* darkness helps me get very deep sleep. I have blackout blinds on all my bedroom windows, no visible LEDs, and we turn off the lights in other rooms so that they don’t shine through under the door. I take this very seriously, and travel with black electrical tape so I can cover all the lights in hotel rooms. I have received feedback from my significant other that this one change made a huge difference for their sleep. Removing all lights is worth the effort!

Sun Lamps

I am one of many people who are affected by Seasonal Affective Disorder (SAD), sometimes known as “seasonal depression”. If you don’t know what it is, basically I get really bad brain fog every winter. It’s hard to concentrate, and I feel “down”, for months at a time. I remember my grades used to plummet in the winter semester, and soar in the spring… It’s not real depression, it’s much less serious. That said, it still sucks, and I moved across Canada just so I can avoid this situation as much as possible. (You can read more on SAD here.)

SAD is caused by not enough sunlight. Our bodies NEED it. You can treat SAD by taking vitamin D, getting lots of sun in the winter (for instance, taking a vacation, or moving to a less-wintery-place if you’re me), and using a Sun Lamp.

A sun lamp generally has to give off 11,000 lumens of light or more, and sometimes they are bright white, or blue light. You need to sit in front of it for 15-30 minutes (depends on the model) every morning, ideally as soon as you wake up. I’ve been doing this every winter, since I was 23, and these lamps changed my entire life.

Note: these lamps are great for treating jet lag, SAD, or just helping you get better sleep. You are telling your body “HEY, this is MORNING”.

Word of caution: do not use these lamps at other times of day. It will just keep you up and mess up your sleep. I’ve seen people say “Oh, I forgot this morning, I will do it after work” NOOOOOOO. Do not do that. It will not make for a fun night of sleep. :-/

Magnesium *

Magnesium is a type of salt that is really good for us, and if you are a woman over 40, someone with chronic pain, someone with (list other symptoms), it’s advised that you take it.

That said, it’s ALSO good for sleep! I take a small amount with water before bed, and it even kinda tastes good to boot.

Note: if you take too much magnesium you will have “exciting” trips to the bathroom. Start small and work your way up to the full dose over several days or even weeks.

Sleep Rituals

You might not realize it, but many of us have rituals we perform every day. We have a “get ready for work” ritual, a list of specific things we do in order to feel “ready”. Often, we also have nighttime rituals to help us get ready for bed, whether you consciously realize it or not. Most of them include brushing our teeth, journaling, turning off all the lights in the house, locking the doors, saying “goodnight” to the people you live with, etc.

Years ago, I had a friend who had TERRIBLE nightmares. She feared going to sleep, and would often stay up as late as possible to avoid these vivid and awful dreams. We talked about it and I asked what her ritual was before bed, and she said she didn’t know. She didn’t have one.

It turned out she did have a bedtime ritual, but it was the opposite of helpful for her. She would watch TV to try to avoid going to bed, and worry about what she would dream about. She would eat treats, to try to calm herself. She would “keep herself really busy” until she would fall into bed. This was NOT working for her.

Together we came up with a new one for her:

  • Herbal tea instead of sugary snacks
  • Calling a friend when it’s not too late, so she can have a nice conversation and remember there are a ton of people in her life who love her
  • Journaling all of her worries, then locking it away into a drawer
  • Stretching (I gave her a bed time yoga video I used to do every night)
  • Reading something non-scary in bed, instead of TV or phone
  • Lowering the lights 2 hours before sleep

Although her nightmares did not stop completely, they went from “pretty much every night” to “once a month” and “I don’t always remember them”. She started sleeping WAY better. She was also happier. On top of that, she took the lighting item to a whole new level and redid all the lighting in her entire house, and has inspired me in decorating every place I have lived ever since!

Journals/Lists

Some of us don’t sleep because we are worrying. Worrying about work. Worrying we don’t have work. Worrying about money. Worrying about our loved ones. Worried no one loves us. Etc. This is NOT good for sleep. I personally worry about having too many things to do (and that I might forget one) and/or missing a flight. I’m SO WORRIED about flights. Sigh. We all have our hang-ups.

Anyway, one way to get around this is to write everything in your head into a journal. It doesn’t even need to make sense. Getting it out is what matters. Whenever I wake up in the night concerned about something, I try to write it down. Then I always fall back to sleep so easily. I have seen this work for several people in my life, including children! Just the act of writing it down can make us feel better when we are upset, even if we never read it again. Even if you are not upset, just making a list of what’s in your head can help…

  • Gotta sign the kids up for summer camp
  • Can’t forget the gas bill
  • Did my friend apply for that job or not? I’m going to ask. She might need a nudge.
  • Don’t forget to call your mom this weekend!

Bedrooms are only for 2 things, and one is way more fun than the other

“Bedrooms are for sleeping and sex. Nothing else.”

Mark Sisson, author of The Primal Connection and other amazing books

I remember reading this in The Primal Connection, and thinking “Gosh, I want to live at your place.” But I used to do everything in my room… I would play guitar in my room, read in my room, whatever. If I wanted to avoid roommates, my room was the place to be, rather than the common room. Once I changed it to “only two things happen here”, it sounds weird, but I go in and I know that’s what I’m doing. I’ve added “get dressed” and “put away laundry” to the list, but I try to not do general activities there, and instead use other spaces. It helps my family members know I’m not avoiding them, and it sets the mood for sleep.

Note: If you live in a bachelor apartment or have a bunch of roommates, just ignore this one. This is one of those “if you’re lucky enough to have space for” rules.

Jetlag

I have travelled all over the planet and I’m pretty “good” at jetlag now. Using a sun lamp, and following the eating windows in the section below, can really help. I also sometimes “cheat” and take a sleeping pill to make myself sleep at the correct time the first day, and I force myself to have breakfast first thing in the morning in my new time zone even though I hate eating breakfast. But I need to tell my body “I am breaking the fast” and “this is morning now!”.

Diets and Eating Windows *

Our bodies are not meant to eat every moment of every day. When we eat at weird times, it can (negatively) affect our sleep. I am as guilty as the next person of having a snack in the evening lately, but if you are having a lot of trouble sleeping and you snack at night, I suggest reading this book: Your Circadian Code. Although the author jumps over into “this is how you can lose weight” a bunch, if you can ignore that part, the rest is REALLY GOOD. And, if you’re trying to lose weight, this could be a double whammy for you. The guy who read for the audiobook has a really nasal voice, but if you can get over that it’s not very long, and all of it was very helpful for me.

Meditation

Meditation is staying still and attempting to clear your mind and just observe your thoughts, body and breathing. I used to think it meant ‘trying hard to think of a specific thing’, concentrating very hard. But that’s not true, not really.

Meditation has been linked to all sorts of excellent health benefits, both physical and mental, such as lowering stress and anxiety, reduced chronic pain, more patience and calmness, a happier outlook on life, etc. AND it can help with sleep!

If you meditate regularly, it can help you clear your mind so you can go to sleep. Start listening to your body, calming down your sympathetic nervous system, and you’re miles ahead in getting to sleep fast. Regular meditation can help with your sleep overall as well!

Hypnosis *

There are all sorts of hypnosis recordings, and psychologists who can do it live for you, that can help you sleep. They hypnotize you, then tell you that sleep is your friend (not literally, but basically, they make you believe that you can sleep, you should sleep, and you will sleep). I used hypnosis years ago to help me stop drinking cola. It worked. For 5 years. Until I started working at Microsoft and travelling all over the world and I needed caffeine to power through various travels. 5 years is pretty good!

Comfortable bed – note, it might be way harder than you think!

I used to have a really soft bed. When I went to the store to buy it, I laid down on the soft bed with my friend and we both agreed, it was super soft and comfy. But then it made my back hurt, and I was very confused about it.

When I started travelling for work all the time I got to stay in lots of different beds, in different hotels. I decided the Marriott’s beds were the best! I learned I could buy the same bed cheaper direct from a place that sells beds, rather than the hotel, for about half the price. And I learned they choose FIRM beds. I thought that would hurt… but it’s SO MUCH BETTER. So if you have back pain and a really soft bed, consider trying out a very firm bed. Having a comfortable bed is really, really helpful.

Snoring and Sleep Apnea *

I got tested and I have incredibly mild sleep apnea. The doctor told me to sleep on my side and I would never snore again, and to hug a pillow if it hurts my shoulders. I only snore if I’ve had a glass of wine, I swear! But I digress.

If you snore a lot, you likely have sleep apnea. I’m not saying you are doomed, or that you need to immediately get a CPAP machine. But when you’re snoring it’s because you can’t quite breathe exactly how your body needs to breathe. This interrupts your sleep in tiny intervals. The louder and more irregular your snoring, the more likely you are getting CRAPPY sleep. If you know you snore, and you feel really tired when you wake up, even though you should have had “enough” sleep, you likely have this going on. There are a bunch of options, and a doctor or sleep clinic can help you fix this!

Carbs & Sugar near bedtime

I love candy and sugar. I wish it wasn’t true, but it is. I definitely want to have a sugary treat before bed, every night, but it’s not helpful for my sleep. It’s likely not helpful for your sleep either. If you are an evening snacker (and I’m not saying you are!), consider not snacking after dinner for a week or so and see if you’re getting better sleep. Might be a habit worth breaking!

Massage and/or physical affection

Also in the Primal Connection book was the idea of human touch and affection. I come from a very affectionate family; we hug each other all the time. I’ve always been “touchy feely”, but not everyone is. The book pointed out that human touch is actually a need, not a want, like I had thought. In the book the author suggests that the reader “just have sex”, which is all well and great if you have that option available to you at the time, but we don’t all have a special someone just waiting to supply us with all the sweet loving we need, whenever we want. Way to make me feel inadequate Mark! (just kidding, I think the author is awesome)

As an alternative, you can get a massage or acupuncture, you can hug a friend, you can get a pet (not the same, but still helps make humans happier), you can play a high contact sport like ball hockey, do acrobatic yoga, and more. If no one has touched you in months, this is something you might want to look at. I’m not saying this to cast judgement or make anyone feel bad. I’m telling you this because it might improve your life, and every human deserves happiness.

General Health, Weight, Stress, and Happiness

Prepare for some really obvious advice, that I didn’t always understand. If you already know it all, cool! If not, also cool! We do not need to be perfectly healthy every moment of every day, but there are things we can choose to limit, to reap big benefits. When I dropped sugar, alcohol, processed foods and gluten from my life for 5 years, every part of my body was great. My hair was softer. My skin was perfect. My sleep improved. But you don’t need to be very, very strict in order to benefit; I’ve loosened up over the years on some things. Below is a list of places you could “be more healthy” and for each one you do, you will not only sleep better, there will be other great benefits too!

  • Alcohol is very bad for our bodies. I know it’s socially acceptable and “everybody’s doing it”, but you don’t have to, or you can just have some on special occasions. Having less (or none) will make you a healthier person, full stop. Also, all those news articles proclaiming that “having a glass of wine a day is good for you” are complete bullshit, and the studies they were based upon were incredibly biased. I will definitely have an internet argument about this if you want!
  • Sugar is bad. Not as bad as alcohol, but it’s also in way more foods and still total garbage for us. It’s SNEAKY, especially in the United States. Read the ingredients. Having less sugar will also help you be healthier.
  • Processed food is bad. It usually also has sugar, salt and chemicals. Having whole foods instead of processed foods will mean way more nutrients (to power your amazing brain and body) and less sugar and salt. Whole foods means eating vegetables with butter and spices, or salad with oil and herbs, or meat that you’ve grilled. It’s not something that has a list of ingredients.
  • Eat LOTS of veggies. LOTS. Eat tons of veggies and your body will thank you.
  • Spices and herbs, especially turmeric, are your friends. They contain tons of stuff that’s good for us (nutrients, vitamins, etc.) but they also make food taste better. Then you can have very tasty meals of unprocessed foods. Spices and herbs are the secret!
  • Lifting heavy things and sprinting is good. The paleo folks have lots of mixed feelings about cardio, but basically every health expert agrees that moving around often, lifting heavy stuff sometimes, and sprinting once in a while, is good for us. Think: playing sports once a week, walking to and from work, and lifting weights once a week. This recipe can be very easy to stick to, be really fun, and keep you lean and trim.
  • Regular cardio can be quite bad, which I found surprising. Instead focus on “movement”, often. Plus play and have fun! Seriously. This is paleo wisdom, and I gotta say, I agree with it. I used to do the “tons of cardio” thing, and it never really worked for me. It spikes your cortisol (I have enough already, thank you) and it’s nowhere near as fun for me as playing sports, doing a yoga or pilates class, ‘playing’ in my garden, or goofing around with my kids at a park. Make your “exercise” a fun part of your life, and you will be fit forever.
  • Me and my weird walking desk: I have a walking desk, I really like it. I use it whenever I have a meeting where I just need to listen (think: team meeting). I used to use it a lot more than right now, because I cannot create content and walk at the same time. But I can listen and walk easily. If you’ve thought about getting one, they are now cheaper than ever before. And you don’t need to walk all day! If you walk one meeting per day, you’re awesome!
  • Grounding is good. I thought this was “total crap” when someone first suggested that I “touch dirt”, but over the years I have grown to love gardening so much that I now own a small hobby farm and grow a lot of the food my family and I eat. It works for me, and might not work for you, but as a self-described ‘city-slicker’ and tech worker who lived downtown and was surrounded by concrete most of her life, clearly it had its effect on me.
  • Filling your own cup. Doing things for yourself that bring you joy and comfort. THIS is important. We cannot just work and do things for others. If we do not take care of ourselves, we will have nothing left for anyone else. This can mean making a piece of art, writing a story or blog post, joining a sports team, having a great big laugh with a good friend. Your happiness greatly affects your overall health. No joke!

For those of us who travel on airplanes often

  • WATER! Drink a lot of water. Note to self: Coffee is not water. Neither is diet soda.
  • Walking: walk around the airport a lot, rather than more sitting. It will help ensure you don’t get swollen ankles on the plane, but also help you feel better later.
  • Compression socks and more: if you are on a plane often, wear compression socks or even compression outfits.
  • More water. Seriously.
  • Do calf raises and any sort of neck/shoulder stretches or movement at least once per trip. It helps prevent blood clots and will make you feel way better.
  • Don’t sit on those crappy chairs at the gates if you can avoid it. They are uneven, so your hips tilt back, which means your head is no longer level, so you move your head forward. In summary: they are very bad for your back, neck and posture.
  • Carrying your own food that doesn’t suck: I often bring protein powder that is also high in fat and collagen, plus a shaker, when I travel. Then I always have a food option. As a person who is sensitive to gluten and all sorts of other stuff, it’s hard for me to find food in airports. Bonus points: put two plastic bags around it. I had mine explode once and I smelled like a chocolate milkshake for the rest of the trip. I was not impressed, although my colleagues found it pretty funny. “Why does this elevator smell like… a chocolate milkshake?”

Further reading:

Thank you for reading.