Welcome to my personal blog! Topics include: securing software, DevOps, secure coding, application security (AppSec), cloud security, MFA, InfoSec community stuff, and anything else nerdy I feel like sharing. Hope you like it!
Choosing API Security Tools
Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, …
The Difference Between SCA and Supply Chain Security
Right now, the concept of the software supply chain and securing it is quite trendy. After the SolarWinds breach, the attack on the crypto wallet, and the Log4j fiasco, the entire world appears to be focused on securing the software supply chain. I’m not complaining. If anything, as an application security …
Trip Report – Hacker Summer Camp 2023
For those of you who are aware, every August for the past 30 years or so, hackers have been meeting in the dead heat of summer in Las Vegas, Nevada to host multiple learning and community events. It started with Def Con, a conference dedicated to hackers & hacker …
My first week at Semgrep
My nails and dress were matchy-matchy for my first day! Since I've been keeping this giant secret for so long, I'm very excited to finally be able to share all of my good news. This blog post is going to be all about my first week at Semgrep. We …
I’m Joining Semgrep and Bringing We Hack Purple With Me
Hello my friends! It's me, Tanya Janca from We Hack Purple, and I am beyond thrilled to announce that we are joining forces with Semgrep to take the world of application security by storm! As the new Head of Education and Community, bringing We Hack Purple community and content …
Operations First!
Many years ago, when I was a software developer, a very smart boss said to me: “Tanya, it’s always operations first. Projects after.” At first, I was confused, how will I make any progress on my projects if I’m always doing operations? And, what the HECK is “operations” anyway? …
You Do Not Need to do DAST in a Pipeline to do DevSecOps
I want to get something straight: you do not need to put a dynamic scanning tool into your CI/CD pipeline in order to do DevSecOps properly. You don't even necessarily need to use automated dynamic analysis at all to be doing DevSecOps. I do regular consulting via IANS Research …
Safety at #HackerSummerCamp
A few years ago, I wrote a blog post, Hacker Summer Camp 2019, about how to stay safe at #HackerSummerCamp (Def Con + Black Hat + Diana Initiative + B-Sides + everything else that week in Vegas). I made a video to add more details, clarity and ideas on …
Trip Report for B-Sides SF and RSAC 2023 San Francisco
As you might have been aware if you read my blog, I spoke at B-Sides San Francisco and RSA Conference 2023, and it was GREAT! Below is a report about my trip, and all the wonderful people, places, and activities I saw and participated in from April 21-28, 2023. …
#WeHackHealth Getting Better Sleep
If you’ve been following the #WeHackHealth hashtag, quite a few people who work in the field of information security have been sharing health tips, encouraging each other to focus on their own health, and showing progress reports on their efforts. Several people I know have been following it closely, …
My RSAC and B-Sides SF 2023 Schedule
https://www.youtube.com/watch?v=ILQGZIdvy7s Hello folks! I will be speaking at both B-Sides San Francisco and #RSAC this year, the last week of April 2023, in San Francisco. I would love to have a chance to meet some of you in person. If you see me, and feel comfortable, please say hello! I'm …
Preventing Secrets in Code
When I started programming in the '90s, the security of software wasn't on everyone's mind like it is now. I took no security classes in my 3-year college computer science program, and it never even came up as a subject. I was taught to save the connection string for …
OWASP Global AppSec Dublin 2023
Recently I had the pleasure of being one of the keynote speakers at OWASP Global AppSec in Dublin, Ireland. In this post I’m going to give a brief overview of some of the talks I saw while I was there, and the TONS of fun I had. I didn’t …
#CyberMentoringMonday and Advocating for Others
I have run an informal mentoring program, every single Monday, since 2018. It's very simple: I use the hashtag #CyberMentoringMonday on Twitter and Mastodon to try to help people find each other.
Continuous Learning
Working in the information technology (IT) field means you need to be comfortable with things at work constantly changing and the need to continue to learn as your career grows. Working in information security (InfoSec) means you not only need to keep up with all sorts of IT trends, …
Consulting on Canada’s Approach to Cyber Security
You may not be aware, but Canada's Public Safety department put out a call to Canadian citizens (sorry, brilliant people who are not Canadian), asking for ideas, suggestions and thoughts on what they should prioritize next for the Canadian Government for InfoSec. I WAS SO EXCITED WHEN I SAW …
Why can’t I get over log4j?
I haven’t written in my personal blog in a while, and I have good reasons (I moved to a new city, the new place will be a farm, I restarted my international travel, something secret that I can’t announce yet, and also did I mention I was a bit …
Parody Songs
For those who are not aware, I used to be a professional musician. I went both under my name (Tanya Janca, folk singer) and was in several different musical groups including Couchwrecked, who wrote the song Hottawa. I just released another parody video and thought I would share it. …
Sharing Another Talk with the Community
Three years ago I decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). At the time, I only shared one, because… I ran out of time. Now it's time to share the second talk, "Security …
Jobs in Information Security (InfoSec)
Almost all of the people who respond to my #CyberMentoringMonday tweets each week say that they want to “get into InfoSec” or “become a Penetration Tester”; they rarely choose any other jobs or are more specific than that. I believe the reason for this is that they are not aware of …