Category: Announcements

Dummy text is text that is used in the publishing industry or by web designers to occupy the space which will later be filled with real content

My RSAC and B-Sides SF 2023 Schedule

April 11, 2023April 19, 2023by Tanya Janca (SheHacksPurple)1 Comment

Hello folks! I will be speaking both B-Sides San Francisco and #RSAC this year, the last week of April 2023, in San Francisco. I would love to have a chance to meet some of you in person. If you see me, and feel comfortable, please say hello! I’m really friendly, and I will have stickers to give away.

Saturday April 22: B-Sides San Francisco, then the after party in the evening.

Sunday April 23: B-Sides San Francisco all day, including my talk at 4:30 pm, then private event in the evening.

Monday April 24:

12:00-2:00 pm: Microsoft Women’s Executive Lunch at RSA, register here. PASS REQUIRED
2:00- 3:00 pm: DevOps Connect at RSAC: Incident Response for Developers, register here, and get your free expo pass for RSA using this code: 5U3TECHSTRNGXPO PASS REQUIRED

Tuesday April 25th:

11:30 am to 1:00 pm: DevSecOps Fire-free Fireside! Come and listen to Tanya and Rami Sass, CEO of mend.io! Booth #1543. PASS REQUIRED
2:00 – 4:00 pm: Snyk Panel: AppSec is Eating Cloud Security for Lunch – No Pass Required
6:30- 9:30 ‘Cocktails in the Cloud’ with Snyk, register here

Wednesday April 26th:

1:00 to 3:00 pm, my SAST workshop at #RSAC with Clint Gibler of SemGrep, PASS REQUIRED
4:30 RSAC Library Book Signing PASS REQUIRED

Thursday April 27th:

9:45 am – my Keynote at RSAC, ‘DevSecOps Worst Practices‘ – PASS REQUIRED
1:00-2:00 pm RSAC Birds of a Feather discussion on Creating a Great DevSecOps Culture – PASS REQUIRED
7:00 pm We Hack Purple Meetup and Sticker Trade!!!!!! Share Tea bubble tea in the IMAX AMC theatre building, at 135 4th St, San Francisco, CA 94103, United States. Note: You can just show up if you want, but to RSVP formally you need ot join the community, which is free. Event and stickers are free, but if you want tea you need to pay for your own. – No Pass Required

Friday April 28th: fly home and sleep for a week!

Consulting on Canada’s Approach to Cyber Security

July 18, 2022by Tanya Janca (SheHacksPurple)Leave a comment

You may not be aware but Canada’s Public Safety department put out a call to Canadian Citizens (sorry brilliant people who are not Canadian), asking for ideas, suggestions and thoughts on what they should prioritize next for the Canadian Government for InfoSec. I WAS SO EXCITED WHEN I SAW THIS AND WROTE THEM IMMEDIATELY. Obviously I made suggestions about AppSec. You have until August 19, 2022 to send your suggestions. The suggestions that I sent are below.

Good job Public Safety! I’m so impressed!

Hi!

I am responding to calls for suggestions from this link: https://www.publicsafety.gc.ca/cnt/cnslttns/cnsltng-cnd-pprch-cbr-scrt/index-en.aspx I used to work for the Canadian Public service, and now work in private industry.

I would like to see the Canadian Public Service and Government of Canada focus on ensuring we are creating secure software for the public to use. I want to see formal application security programs (sometimes called a secure system development life cycle or S-SDLC) at every department. I have extensive training materials on this topic that I would be happy to provide for free to help.
I would also like to see a government-wide training for all software developers on secure coding, and AppSec training for every person tasked with ensuring the software of their department is secure. When I was in the government (13.5 years), I was never allowed to have security training, because it was too expensive ($7,000 USD for a SANS class was completely out of reach). I was told the government wouldn’t arrange giant classes (say 100 people, splitting the cost of one instructor), because that would be ‘unfair competition with private industry’. You need to fix that, having mostly untrained assets is not a winning strategy. There needs to be a government-wide training initiative to modernize your workforce. (Again, I have free online training that can be accessed here: https://community.wehackpurple.com – join the community (free), then take any courses you want (also free))
Create security policies that apply to all departments, then socialize them (do workshops, create videos, make sure everyone knows – don’t just post them to the TBS website and hope someone notices on their own). A secure coding guideline. An AppSec program/secure SDLC. Incident response, etc. Each department shouldn’t have to start from scratch each time. Then we could have a standardization of what level of security assurance that we expect from each department. I provide some of these policies in the AppSec foundations level 2 course, which is free in the link above.
Throw away all the old policies and procedures that are just not working. 90-day password rotation? Gone. SA&A process that takes several weeks to complete but doesn’t actually offer much in the way of actionable advice? Gone. Re-evaluate current process, get rid of the bad ones. We need agile processes, that let people get their work done. I felt like many of the processes that I had to do in the government were in place because of a lack of trust in the staff’s competency. Instead of not trusting the staff, train them, then trust them. If they continue to screw up after training, discipline them and eventually get rid of the bad apples. Most of your staff is GOOD. Some of them are truly amazing. Treat them with trust and many of them will astound you. Remove onerous administration that is there because you don’t trust them, then let them get their jobs done.

If you have any questions I would love to talk. Thank you for putting out an open call, I’m super-impressed!

Tanya

Sharing Another Talk with the Community

January 5, 2022January 1, 2022by Tanya Janca (SheHacksPurple)Leave a comment

Three years ago I decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). At the time, I only shared one, because…. I ran out of time. Now it’s time to share the second talk, “Security is Everybody’s Job!” By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or ask for my consent. You can even charge money to give the talk! Please, just teach people about security.

In efforts to ensure anyone who presents my material has a good experience I made a GitHub repo with an instructional video of what to say, a readme file with written instructions and links so you can watch me do the talk myself.

Me, delivering this talk for the first time, on stage. — Me, delivering this talk for the first time, on stage, at DevOpsDays Zurich, in in beautiful Switzerland.

I’ve had a few people ask me why I would do this, and there are a few reasons.
* To spread the word about how to secure software; it’s important to me to try to make the internet and other technologies safe to use.
* To help new speakers (especially from underrepresented groups). If they have something they can present, with instructions they can follow, hopefully it will help make them more confident and skilled at presenting.
* To share knowledge with my community in general: sharing is caring, yo.
* The more people who present my talk the more people who may decide to follow me. SO MUCH WIN!

You can give this talk at any IT meetup, especially DevOps, InfoSec or any software development meetup.

Please go forth and teach AppSec! And if you have feedback I want to hear it!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!