Consulting on Canada’s Approach to Cyber Security

Good job Public Safety!

You may not be aware but Canada’s Public Safety department put out a call to Canadian Citizens (sorry brilliant people who are not Canadian), asking for ideas, suggestions and thoughts on what they should prioritize next for the Canadian Government for InfoSec. I WAS SO EXCITED WHEN I SAW THIS AND WROTE THEM IMMEDIATELY. Obviously I made suggestions about AppSec. You have until August 19, 2022 to send your suggestions. The suggestions that I sent are below.

Good job Public Safety! I’m so impressed!


I am responding to calls for suggestions from this link: I used to work for the Canadian Public service, and now work in private industry.

  1. I would like to see the Canadian Public Service and Government of Canada focus on ensuring we are creating secure software for the public to use. I want to see formal application security programs (sometimes called a secure system development life cycle or S-SDLC) at every department. I have extensive training materials on this topic that I would be happy to provide for free to help.
  2. I would also like to see a government-wide training for all software developers on secure coding, and AppSec training for every person tasked with ensuring the software of their department is secure. When I was in the government (13.5 years), I was never allowed to have security training, because it was too expensive ($7,000 USD for a SANS class was completely out of reach). I was told the government wouldn’t arrange giant classes (say 100 people, splitting the cost of one instructor), because that would be ‘unfair competition with private industry’. You need to fix that, having mostly untrained assets is not a winning strategy. There needs to be a government-wide training initiative to modernize your workforce. (Again, I have free online training that can be accessed here: – join the community (free), then take any courses you want (also free))
  3. Create security policies that apply to all departments, then socialize them (do workshops, create videos, make sure everyone knows – don’t just post them to the TBS website and hope someone notices on their own). A secure coding guideline. An AppSec program/secure SDLC. Incident response, etc. Each department shouldn’t have to start from scratch each time. Then we could have a standardization of what level of security assurance we expect from each department. I provide some of these policies in the AppSec foundations level 2 course, which is free in the link above.
  4. Throw away all the old policies and procedures that are just not working. 90-day password rotation? Gone. SA&A process that takes several weeks to complete but doesn’t actually offer much in the way of actionable advice? Gone. Re-evaluate current processes, get rid of the bad ones. We need agile processes that let people get their work done. I felt like many of the processes that I had to do in the government were in place because of a lack of trust in the staff’s competency. Instead of not trusting the staff, train them, then trust them. If they continue to screw up after training, discipline them and eventually get rid of the bad apples. Most of your staff is GOOD. Some of them are truly amazing. Treat them with trust and many of them will astound you. Remove onerous administration that is there because you don’t trust them, then let them get their jobs done.

If you have any questions I would love to talk. Thank you for putting out an open call, I’m super-impressed!


Meet up with me at RSA!


Hello! I will be all over the place in San Francisco from Saturday June 4th to Thursday June 9, and I’d love to meet any of you that are going to be there. My schedule is pretty hectic, but I’m sharing it in hopes some of you can join me at one or more of the events. Thank you to BRIGHT SECURITY for sponsoring & supporting every bit of this trip.

  • Saturday June 4th, the Bright team will be at B-Sides all day! They have a booth and if I arrive in time I will be there in the late afternoon (4:00-5:30). Sometimes flights are late, so this one is not certain.
  • Sunday June 5th I will be hanging out with the Bright team all day long! 8 am to 5 pm. Please come join me!
  • Sunday June 5, 6:00 – 8:00 pm, We Hack Purple is having a meetup at Share Bubble Tea, 135 4th St, San Francisco, CA 94103, United States. We will likely be milling around outside and inside. Bubble Tea is a tasty Asian dessert, and it’s about $6, so this meetup shouldn’t cost you much at all to join. You don’t even need to buy anything if you don’t want. Everyone is welcome to come hang out! RSVP within the WHP community to let us know you’ll be there.
  • Monday June 6, 8:30 am, my talk at RSA! Check the conference schedule for the room!
  • Monday June 6, 9:40 am, Birds of a Feather event at RSA: Transforming Security Champions – Check the schedule for room #
  • I will also be attending several meetups this day, but you need to get your invite to attend (I cannot get you an invite, sorry!): Microsoft Party, Forte Group, IANS Faculty Party, and RSA Speakers Event
  • Tuesday June 7, 12:40 pm, RSA Panel, Spreading Application Security Ownership Across the Entire Organization – Check RSA conference schedule for room number
  • Tuesday June 7, 1:30 pm to 2:00 Book Signing at RSA Library, bring a copy of Alice and Bob and I shall sign it for you! South Hall, Mezzanine Level Lobby.
  • Tuesday June 7, 3:00 – 4:00 pm, Join me in the Juniper Booth #6071 in the North Expo Hall for a book signing. I will be giving away copies of Alice and Bob Learn AppSec! MAP
  • Tuesday June 7, 7-10 pm! The Fabulous Five Party with Bright, Snyk, Salt, BluBracket and Wiz! Please get your FREE tickets here.
  • Wednesday June 8, 8:30 am to 11:00 am The Purple Cloud Summit, I will be on a panel and giving away copies of Alice and Bob Learn! SIGN UP HERE, it’s free! Location: Contemporary Jewish Museum
  • Wednesday June 8, 12:20 pm to 1:30 pm, Alice and Bob Learn Book Signing with F5, free copies of Alice and Bob! Join us at Booth N-5771 – Moscone Center – North Expo
  • Wednesday June 8, 1:30 pm – 2:30 pm, Alice and Bob Learn Book Signing with VMware, free copies of Alice and Bob! Join us at Booth N-5745 – Moscone Center – North Expo
  • Wednesday June 8, 6:00 – 10:00 pm, Apiiro “Level Up” Party and book signing! More free copies of Alice and Bob, plus food and drink! Be early to get a signed copy of my book. Free tickets here.
  • Thursday June 9th, 9-11 am, Ladies of RSA Breakfast with Shira Shamban and me, Sponsored by Bright and Solvo Cloud! Sign up here, for free!
  • Thursday June 10, 12:30 pm – Last book signing with free copies of Alice and Bob Learn with Cloud Defense! Please come see us in the Moscone center at their booth!

Lastly, if you want to talk to an expert from Bright, you can book them directly, here. Ask them all of your questions about dynamic security testing, security unit testing, and more! Seriously, they would love to meet you!

– Tanya

We Hack Purple, Acquired by Bright Security!


Yes, you read that right! My friends at Bright bought my company, We Hack Purple! Bright makes a DAST (dynamic application security testing tool), and I have been on their advisory board for some time, so we know each other well and have been working together for years. They also just released a brand new tool for the Lucky Framework (Crystal programming language), which creates security-focused unit tests, automagically! Trust me, it’s very cool, and there’s more on the way!

As part of this deal, starting immediately, all of the courses from the We Hack Purple Academy will be available in the We Hack Purple Community, for FREE. Yes, you heard that right. Secure coding for everyone!

I am VERY happy about this news!

So what comes next? I plan to work with Bright for the next couple years, creating more content, running the We Hack Purple Community, speaking at conferences and helping to improve the Bright products until they are absolutely spectacular. I will also start on writing my next book, Alice and Bob Learn Secure Coding.

Thanks for listening to my happy news!

Sharing Another Talk with the Community

Me, delivering this talk for the first time, on stage.

Three years ago I decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). At the time, I only shared one, because… I ran out of time. Now it’s time to share the second talk, “Security is Everybody’s Job!” By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or ask for my consent. You can even charge money to give the talk! Please, just teach people about security.

In an effort to ensure anyone who presents my material has a good experience, I made a GitHub repo with an instructional video of what to say, a readme file with written instructions, and links so you can watch me do the talk myself.

Me, delivering this talk for the first time, on stage, at DevOpsDays Zurich, in beautiful Switzerland.

I’ve had a few people ask me why I would do this, and there are a few reasons.
* To spread the word about how to secure software; it’s important to me to try to make the internet and other technologies safe to use.
* To help new speakers (especially from underrepresented groups). If they have something they can present, with instructions they can follow, hopefully it will help make them more confident and skilled at presenting.
* To share knowledge with my community in general: sharing is caring, yo.
* The more people who present my talk the more people who may decide to follow me. SO MUCH WIN!

You can give this talk at any IT meetup, especially DevOps, InfoSec or any software development meetup.

Please go forth and teach AppSec! And if you have feedback I want to hear it!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

Why I Joined the NeuraLegion Advisory Board

I joined the NeuraLegion Advisory Board because they’re really fun to work with. Gosh, that would make for a short blog post, wouldn’t it?

When I started my quickly failed startup in 2019, Security Sidekick, Bar Hofesh reached out to me to see if he and Gadi Bashvitz could help. I was pleasantly surprised to have several people in my industry reach out to me, and even other small companies reaching out to see how they could help me with my startup. InfoSec is full of kind and generous people, let me tell you.

When I left Microsoft, I had committed to several speaking engagements before I decided to leave, including the 2020 RSA conference, and rather than be in breach of contract with several conferences and potentially ruin my reputation, I completed all of the obligations that I had made while I worked there. But there was a catch: I had to pay for all my travel myself. Bar and Gadi knew this, so they offered me a free place to stay (in San Francisco!!!!!) which I really appreciated. It didn’t work out in the end, but we met up in person for the first time for some Starbucks, and it was awesome.

You know that feeling when you meet someone, and you like them immediately? Bar and I talked nerdy, and Gadi tolerated us. We continued to stay in touch.

Fast forward a few more months and the NeuraLegion tool NexDast was fully developed, and I had started We Hack Purple. We decided we wanted to find an excuse to work together, because we got along so well, and we all feel really passionately about security and changing our industry for the better.

That’s us!

We decided that we would plan a workshop together; I would teach a bunch of cool DevSecOps stuff, we would use Broken Crystals (more on this in another blog post), and demo their product. We made a GitHub action together, we made a workshop together, and of course we found lots of bugs together. It was super, duper fun and a smashing success!

Then Christmas and Hanukkah came, and Gadi called me up. He asked me if I wanted to join their Advisory Board, so we no longer had to make excuses to work together. What could I say? I said yes.

We have so many ideas of fun and awesome things we are going to work on together, to make their product even better, and to give back to the community. In addition to being great people, we also share a commitment to shifting security left and making sure application security is liberated and automated as part of the SDLC, and put in the hands of developers, not just AppSec people.

I’m honored to be on their Advisory Board, and I feel lucky to have the chance to work with such a talented and fun team.
