I’m a technology founder, security leader, author, and educator with nearly three decades of experience helping organizations build more secure software. Throughout my career I’ve worked in government, startups, and global technology companies, led security initiatives at scale, founded multiple communities and businesses, and helped thousands of developers strengthen their security skills.
I believe security should enable innovation, not slow it down. Through my writing, speaking, training, and companies, I work to make secure software development more practical, accessible, and effective for everyone.
This blog, SheHacksPurple, is where I share lessons learned about security, leadership, entrepreneurship, technology, and building things that matter.
This is a series. The first blog post is here, #2, #3, #4, #5, and this is the sixth. The behaviour: Avoiding Documentation. What this looks like in the real world: full-on not writing documentation that is mandated as part of project requirements, deciding intentionally not to do a …
This is a series. The first blog post is here, #2, #3, #4, and this is the fifth. The behaviour: Shiny New Tech. Using a brand-new technology, language, and/or framework, even when it’s not necessarily the best thing to use. Especially if it’s untested, and there’s little guidance or …
This is a series. The first blog post is here, #2, #3, and this is the fourth. The behaviour: Copying and Pasting from online forums. What this looks like in the real world: copying code from Stack Overflow, GitHub, blog posts, or comments without fully understanding it or verifying …
This is a series. The first blog post is here, the second is here, and this is the third. For the rest of this series, I am going to follow a similar format for each post/behavior. I will name the behavior, then various biases and heuristics that I believe …
In my previous blog post, I introduced the topic of applying behavioral economics to application security programs, using proven behavioral economic interventions to help us avoid known bad developer behaviors (including ones I know I am guilty of). In this post I am going to cover building systems that …
In this blog series I will explore several known bad developer behaviors that lead to insecure software, as well as how we can combat them by applying behavioral economic interventions. This series is an expansion upon my thoughts from my conference talk ‘Threat Modeling Developer Behavior: The Psychology of …
– By someone who really wants you to succeed! Finding your first job in cybersecurity (which we security nerds call 'InfoSec') can feel overwhelming. There are way too many job titles, technologies, and acronyms to keep track of. There's also no clear career or training pathway to get there …
Recently I hosted a webinar called “Metrics, Models, and Mindsets: The Future of Application Security” with: Spyros Gasteratos – long-time open source maintainer (OpenCRE, OWASP projects) and founder of Smithy Security; Aram Hovsepyan – CEO of Codific and a core contributor to OWASP SAMM (Software Assurance Maturity Model). Our goal …
When we talk about the software supply chain security, most people think only of dependencies (open-source libraries and frameworks). But the supply chain is so much more than just that. It’s everything we use to build, test, and release our software: our IDE (and all those wonderful extensions), our …
Recently, I had a great conversation with my friend Adam Shostack about a petition I started for the Canadian government to adopt a Secure Coding Policy that I wrote. Adam pointed out that my policy is very specific. Much more so than other government guidance like NIST or CISA’s …
I had the opportunity to join an incredible panel at SecTor (a Black Hat event) in Toronto alongside Chad Breslin, Brett Grady, and Ian Hassard. We dove into the world of Vibe Coding! What it is, the risks it introduces, and how to use AI to write safer, more …
https://www.youtube.com/shorts/wgrIy9Cz0qY I recently flew to Ottawa to record the narration for my second book, Alice and Bob Learn Secure Coding, and it was a LOT of work! From September 1st to 7th, 2025, I recorded 6 hours a day at The Cave recording studio. Focusing on reading highly …
Threat modeling is really just a fancy way of saying: “Let’s think about what could go wrong with our software in advance, so we can stop it before it happens.” When we build applications, most of us usually think about features, speed, and usability. Threat modeling adds another viewpoint: …
I'm headed to Las Vegas for the annual series of events known as 'hacker summer camp': Diana Initiative, Black Hat, Def Con, B-Sides LV, SquadCon, etc. Below is my schedule. Please feel free to come to any of these events to meet up with me, I would love to …
Thank you very much to everyone who came to my talk at OWASP Global AppSec in Barcelona! It was so lovely to have the chance to speak to so many of you, and to share our experiences around security champion programs — especially the ways they can go wrong, …
I am headed to the B-Sides San Francisco and RSAC conferences in San Francisco, California, USA, from Saturday April 26th, to Friday May 2nd. I'd love a chance to meet up with you, if you will be there.
It’s been a long time since I last wrote on my personal blog, but I’ve been busy creating tons of content! I figured it’s time to share everything I’ve been working on over the past nine months—events, projects, and all. Hope you find it helpful! 😃
June 15 & 16th, 2024, I was in beautiful Vancouver, Canada with my colleagues Amanda McCarvill and Brandan Wu for the annual local conference that moves around the Pacific Northwest, to give a talk, but it turned into so much more: OWASP AppSec PNW! The night before was …