Welcome to my personal blog! Topics include: securing software, DevOps, secure coding, AppSec, cloud security, MFA, InfoSec community stuff, and anything else nerdy I feel like sharing. Hope you like it!

Sharing Another Talk with the Community
Three years ago I decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). At the time, I only shared one, because… I ran out of time. Now it's time to share the second talk, "Security …
Jobs in Information Security (InfoSec)
Almost all of the people who respond to my #CyberMentoringMonday tweets each week say that they want to “get into InfoSec” or “become a Penetration Tester”; they rarely choose any other jobs or are more specific than that. I believe the reason for this is that they are not aware of …
The Difference Between Applications and Infrastructure
Recently someone asked me what the difference was between Applications and Infrastructure. He asked why a Linux operating system wasn't "software" and I said it was but it's a perfect copy… I tend to speak about 'custom software'. We ended up talking for a very long time about it, …
Discoveries as a Result of the Log4j Debacle
Happier times, before I knew anything about log4j. Over the past 2 weeks many people working in IT have been dealing with the fallout of the vulnerabilities and exploits being carried out against servers and applications using the popular Log4J Java library. Information security people have been responding 24/7 …
I want to talk about Log4j
Lots of people are talking about how Log4J affects servers, but if you subscribe to my newsletter or read my blog, you probably want to know about your apps. Let's talk about what the problem is, how to figure out if you have it, then what to do about …
My Career Story
I started coding at 17 years old, and it was love at first sight. I got great marks in all of my classes in high school, but loved computer science because in every class, I could “make something out of nothing.” Computer science runs deep in my family as …
#CyberMentoringMonday
Some people have been asking me online how to be a good mentor. Here are some thoughts for all of you. 😀 Some mentees don’t listen, and are not willing to put in the work. Some of them will astound you and excel beyond your wildest dreams. The key …
Security bugs are fundamentally different than quality bugs
This topic has come up a few times this year in question period: arguments that quality bugs and security bugs ‘have equal value’, that security testing and QA are ‘the same thing’, that security testing should ‘just be performed by QA’ and that ‘there’s no specific skillset’ required to …
Security Headers for ASP.Net and .Net CORE
For those who do not follow myself or Franziska Bühler, we have an open source project together called OWASP DevSlop in which we explore DevSecOps through writing vulnerable apps, creating pipelines, publishing proof of concepts, and documenting what we’ve learned on our YouTube Channel and our blogs. In this article we will explore adding security headers …
Hacking Robots and Eating Sushi
I recently had dinner with an old friend, Jesse Hones, the Engineering Manager of Systems / Senior Software Developer of Aprel. I remember when we first met he explained that he designed and programmed robots to measure radio frequencies at extremely precise levels. Fast forward a decade, and I am an ethical …
Why I Love Password Managers
** This article is for beginners in security or other IT folk, not experts. 😀 Passwords are awful. The software security industry expects us to remember 100+ passwords, that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, …
VAs, Scans and PenTests: not the same thing
I’d like to define a couple of subjects that seem to be confused often in the industry of application security: Vulnerability Assessment (VA), Vulnerability Scan (VA Scan) and Penetration Test (PenTest). They are often used interchangeably, and the differences do not seem to be well-understood; I have seen this …
Threat Modelling Serverless
I met with my colleague Bryan Hughes the other day to discuss the security of a serverless app he’s creating for JSConf EU (there will be no spoilers about his creation, don’t worry). We had discussed the idea of threat modelling while on a business trip together and he wanted to give it …
Presentation Tips for Technical Talks
In the past few years I’ve given and watched several technical talks, and they are not all created equal. Recently I met with Teuta H Hyseni to talk about an upcoming talk she was planning (securing AI and ML, very interesting!), and afterwards I made several notes about general tips for …
Sharing talks with the InfoSec & IT Community and Industry
I recently decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or …
Multi-Factor Authentication (MFA)
** This article is for beginners in security or other IT folk, not security experts. 😀 Recently you may have noticed me calling out several Canadian banks for not allowing users to add multi-factor authentication (MFA) to their online banking accounts. This blog post will detail what I mean …
Why ‘She Hacks PURPLE’?
The story of my handle: SheHacksPurple. Whenever I ask an audience “Who here is Blue Team? Raise your hand if you’re Blue Team.” I tend to have one to two cautious hands go up in the back. I raise my hand as well. I explain “If you are a defender, you …
Promoting Yourself on Social Media
Many people who are aspiring to become a public speaker ask me how to conduct themselves on social media or promote a talk once they have been accepted to speak somewhere. Having been a professional musician for a long time before I worked in InfoSec, I am used to trying to …
Practice Makes Perfect: Comments on Public Speaking
Many people ask me about how to become a better speaker. Below are some tips that I have for all of you. I hope they help! Spoiler alert: my advice is not very exciting. I do not have a secret recipe, it’s mostly just a lot of hard work …
More Tips for Social Media and Presenting
Last week I had a meeting with some of the wonderful ladies from WoSEC (Women of Security) to give them some tips on how to not feel strange when ‘bragging’, how to set goals for using social media, and how to avoid “taking shit” during question period after a talk. I …