My first week at Semgrep

Put all of your unhappiness aside.
My nails and dress were matchy-matchy for my first day!

Since I’ve been keeping this giant secret for so long, I’m very excited to finally be able to share all of my good news. This blog post is going to be all about my first week at Semgrep. We chose July 31 as my first day because they were already having several other people start that day, and because they were hosting Semgrep Hub Week—team building events for every single team, in person. As you might imagine, I am going to be a mostly-remote worker, so a chance to meet the entire team in person was something I could not miss. They flew people from all over the planet to San Francisco, with a focus on connecting, having fun, and innovating. I’m told that normally there’s more work and fewer cruises, art lessons, mini putt and other fun activities, but that there’s always lots of bubble tea. 😀

My first day was just a lot of airplanes, and sharing on social media that I’m going “somewhere” and asking everyone to guess. I arrived way too late in the day to see anyone, unfortunately. For the record, my followers are brilliant, and several of them guessed not only which city I was in, but also the purpose of my trip, very quickly, with few hints! My followers are way too smart to have the secret last very long, so we knew we only had a few days at best to make our announcement.

Tanya and Clint pose in front of the Semgrep sign at HQ
Clint and I pose in front of the Semgrep sign at HQ. Getting to work with my long-time friend Clint Gibler is a HUGE PLUS!!!
A few members of my new team!
Even more of my team!
Meet (some of) Semgrep People Ops. THEY HIRED ME!

My second day I had a previously committed teaching engagement, so I couldn’t come into the office until around 1:00 pm, and when I entered the building I was immediately greeted with smiling faces! My new boss Pablo greeted me with a hug, same with Clint, and so many more of my new co-workers! I’m going to have several images throughout the blog post of some of the friendly faces I met all week. There were so many people! We’re almost at 150 at this point, and growing fast!

My first team-building exercise was a graffiti painting lesson. No, seriously! We were all given access to spray paint, a quick lesson, and then let loose upon a couple of brick walls in downtown San Francisco!

Chris is smart, he wore a hazmat suit and got NO PAINT on his clothes.
Another of my colleagues who managed not to get paint on himself!

After a few hours of painting, several of us walked back towards the office and decided Dim Sum was in order. One of my teammates had never tried tofu, eggplant or potstickers before in his life, and was a VERY good sport about trying literally everything we brought to the table. He says he doesn’t need to try tofu again, but the rest was a hit! I’ve converted one more person into a Dim Sum fan!

They walked me back to the office to get my laptops (I have 3 with me now, the WHP one, a burner one for Def Con, and my new Semgrep M1). I got to see a bunch of SF at night that I likely wouldn’t have wanted to wander through by myself at that time of day, so that was really nice.

On day two, I had to teach all morning again, so I arrived at the office quite late (1:00 pm). At 3:30 pm, which seemed to arrive in only a millisecond, we left to go on what I was told was a cruise, but it was actually a sailboat that took us all over San Francisco Bay. Lots of us got splashed! There was also a lot of tasty cheese, fruit and other snacks. I ate a lot of cheese, lol.

I'm on a BOAT!
We’re ON A BOAT!

After the cruise we went to a giant food truck park, and I got to have a rice burger (the buns were made of deep fried rice, and I want you to know that I learned that I APPROVE of deep frying rice, YUM), and bubble tea! This trip involved a lot of bubble tea, and I noticed that people were offered alcohol throughout the week and a lot of us opted for boba (fancy bubble tea) and other non-alcoholic alternatives. Startup culture is often “let’s get hammered”, or it has seemed that way to me, and as a person who doesn’t drink all that often, at times I have felt left out. I never felt ‘left out’ or pressured to drink at all this week, and that was SO NICE. It’s cool that other people want to enjoy a beer or two, but I will take a fancy latte or bubble tea over beer any day. Mmmmmm, sugar. LOL.

Day 3 was more meeting new people, starting to tell everyone what my new role will be, and suggesting 400 different new features for the product (this is what happens when you use something a lot with clients: you have a build-up of suggestions). I had several 1:1 meetings, and even more introductions. Once the work slowed down, I went to play mini putt with the security research team. There was more bubble tea!

Inside the heated food truck with HR and Support teams

Day 4, the Friday, we finally got to announce that We Hack Purple and I had joined Semgrep! I remember I pressed “send” on the announcement and then we both ran to the Hub Week presentations. When I got back to my desk I had a couple (hundred) notifications… LOL! The Hub Week presentations were all new features and innovations that various teams had made at Semgrep that week. Not only were a bunch of them AMAZING, the presentations were absolutely hilarious! They had one employee MC the whole thing, and we were all in fits of giggles for 2 hours while the teams showed off their cool new creations. Although I am not allowed to share them, as several will probably become part of the product very soon, I CAN share that there was: ASCII art, music, dad jokes, and Hawaiian leis for everyone!

They gave me a new MacBook!

The last thing I did this trip was visit my friend Anshu Basnal of Cloud Defense. I know I talk about them a lot! They are my friends. 😀 Anyway, I don’t usually get to spend a ton of time with Anshu (he’s a CEO, he has stuff to do), and it was nice that he took his entire Sunday to show me around SF and make sure I got to the airport on time. Thank you my friend!

Anshu and me

I’m Joining Semgrep and Bringing We Hack Purple With Me

Image of Tanya Janca wearing a Semgrep T-shirt. She is obviously happy.

Hello my friends! It’s me, Tanya Janca from We Hack Purple, and I am beyond thrilled to announce that we are joining forces with Semgrep to take the world of application security by storm! As the new Head of Education and Community, bringing the We Hack Purple community and content with me, we will be offering more free content, events, and training than ever before!

I am joining Semgrep! I could not be more thrilled!

Let me tell you a little bit about why I decided to join Semgrep. For starters, we share a common goal of advancing application security practices and empowering developers to build secure code. As a company, Semgrep values openness, accessibility, and community, which aligns perfectly with my values and We Hack Purple’s mission. By merging our expertise and strengths, we can amplify our impact and bring about real change in the cybersecurity landscape.

So, what does it mean to be the Head of Education and Community at Semgrep? Well, my role is all about fostering inclusivity, building relationships, and offering valuable resources to both Semgrep customers and the public. In other words, it’s about empowering everyone to learn and grow in the realm of application security. Education and community-building are integral to advancing cybersecurity practices, and I’m thrilled to have the opportunity to lead those efforts at Semgrep.

Some of my new team members!!!!!

One way we’re doing this is through free training programs for Semgrep customers and the public! By offering free resources and training to anyone who wants to learn, we’re helping to close the gap on education and accessibility in application security. We will be working to combine the two communities (We Hack Purple + Semgrep) over the coming months to offer more services, events, content, and fun! We will work to foster a community that shares knowledge, asks questions, and grows together. This is only the beginning of what I hope to accomplish with our collaboration with Semgrep.

Will you please do me a small favour? Sign up for the Semgrep Newsletter. I’m going to be inviting everyone to free training and events, sharing content, and more via the newsletter, and I want to ensure you get it. 😀

Tanya

To wrap things up, I want to reiterate the value of community in bringing together expertise and experience in the cybersecurity industry. With a united effort like this one between Semgrep and We Hack Purple, we can achieve great things in the realm of application security and empower developers and IT professionals to build secure code with confidence. Stay tuned for upcoming initiatives and training opportunities – we can’t wait to share them with you! So, until next time, happy coding and stay secure!

#CyberMentoringMonday and Advocating for Others

Tanya Teaching

I have run an informal mentoring program, every single Monday, since 2018. It’s very simple: I use the hashtag #CyberMentoringMonday on Twitter and Mastodon to try to help people find each other. I don’t pair people myself (it turns out I am an awful matchmaker); people use the thread to announce they are looking for a mentor or offering mentoring, and then the rest is up to them. Since starting it there have been countless amazing human beings who have offered their time, expertise, and assistance to those who want to join our field, all for free. I don’t run it by myself anymore; it’s bigger than me now, and several other people run it with me! Although most of the ‘action’ happens in direct/private messages, there is more happening than it may appear.

This is me! Wearing glasses! And smiling!

Anyone can help with #CyberMentoringMonday, just use the hashtag to help people find each other!

This small mentoring program has helped thousands of people find each other over the years. It has resulted in jobs, friendships, starting companies together, and more. Since I have been running this program for a long time, people often ask me how to be a good mentor. I would love to tell you that I know the answer and that it applies to every situation, but we all know one size does not fit all. That said, I will tell you what has worked for me, and that is advocacy: advocating for the people I am mentoring, by sending them as many opportunities as I can.

Mentoring can take many forms, but the format that has always worked best for me (receiving and giving) is to create opportunities (which is part of advocacy!). I have had my professional mentors do all sorts of amazing things for me, such as: standing on stage with me when I gave my first conference talk so I wouldn’t have a nervous meltdown, telling a hiring manager they wouldn’t accept the job unless I was hired too, introducing me to people who wanted to hire me/buy my services and/or products, helping me navigate having people stalk me online, and more. To say I am incredibly grateful to my mentors would be an understatement.

Anyone can help participate in #CyberMentoringMonday, as a mentor and/or as a mentee. And it’s freeeeeeee!

In attempts to ‘even the scales’ and ‘pay it forward’, I do my best to advocate for others whenever possible, especially those from groups that are underrepresented in tech (such as women, disabled people, people of colour, etc.). Since I fit into more than one of these groups, I do my best to lift us all up, not just myself.

I am of the opinion that if I’m going to work my butt off to open the door for myself, it’s not that much more work to hold it open for one more person. Seriously, it’s really not that much extra work. If I manage to get myself invited to be a guest on a podcast, it takes very little effort to put myself out there a tiny bit more and say “Hey, are you looking for more guests? Because I have a list of a bunch of other women security experts, who are less well known than me, but who are equally knowledgeable and awesome. Want some intros?” The worst they can do is say no. And I have to tell you, most of them say “Hell yeah, send me that list!”

You have privilege and power. And you can use it to help others.

– Me

I’m going to tell you about some of the ways that I use my power to help others, in hopes that YOU think of ways that you can share your power and/or privilege with others.

Examples of Advocating for Others:

Example 1: I wrote an essay to explain to a conference why one of my mentees deserved a diversity grant. She has worked SO HARD to teach herself and change careers. She won the grant because of her hard work, but my essay helped. It took me 30 minutes, and she benefited.

Example 2: I brainstormed talk ideas with a mentee, then she built an amazing technical proof of concept. I asked a conference that I was keynoting to book her, even though she’d never spoken before. She was AMAZING! Out of this world! I knew she would be good, but she was 10 times better than I would have dared to hope for. I’m so proud of her!!!

Example 3: When I’m invited to speak somewhere but cannot make it, I ask if they would like me to recommend someone else. I have a list of people who are not as well-known as I am, but who are amazing. I always recommend one of them to take my place. I advocate for them.

Making just one introduction can change a person’s entire career.

– SheHacksPurple

Example 4: I asked a friend to let one of my mentees into his very expensive training for free, and he said yes. I let her stay in my hotel room with me so she could afford the trip. It cost me one favour and sharing my room, to give her a huge leg up for her career.

I use the power and privileges of my career and whatever job I’m currently doing to help others, and you can too. You may not even realize how much power you have until you start helping someone.

Sometimes it’s recommending or loaning someone the right book. Sometimes it’s about letting them have a place in your training, workshop, talk, or conference for free. It’s giving someone a lift to an event they wouldn’t be able to get to themselves. Sometimes it’s helping them when they are stuck at work on a technical problem and you give them the answer. Maybe you will introduce them to the person who will hire them some day. It’s about helping however you can. You don’t need to put yourself out very much to make a big difference in someone else’s life. And it’s definitely worth it!

I have a secret for you all: helping others FEELS GOOD. And the more often you do it, the more you will want to do it again.

I hope to see some of y’all at the next #CyberMentoringMonday!

Continuous Learning

Tanya Smiling

Working in the information technology (IT) field means you need to be comfortable with things at work constantly changing and the need to continue to learn as your career grows. Working in information security (InfoSec) means you not only need to keep up with all sorts of IT trends, but also the attacks, defenses, and mitigations for each. When I started learning about DevOps, and how they value continuous learning and ‘taking time to improve your daily work’, I was sold. But I wasn’t quite sure how to go about putting it into practice.

Tanya Janca, in British Columbia, Malahat

When I switched from being a software developer to a penetration tester, and then onto application security, I had a lot to learn. On top of that, I am dyslexic, so the more common ways that people learn don’t always work well for me. Even worse, my training budget for my job in the Canadian Public Service was $2,500 CAD a year (approximately $1900 USD) and I wasn’t allowed to travel for courses. Living in Ottawa, Canada at the time, there weren’t very many options that were within my reach.

I started out my security career switch with a professional mentor, but the first one didn’t work out very well. He got frustrated with me quickly, no matter how hard I tried. I found out later that his expectations were near-impossible to meet, and that what was asked of me was not very reasonable (nor, at times, ethical). Example: he asked me on a Friday to learn pentesting over the weekend, with no help or advice, and then told me to do my first pentest the following Monday, setting me loose on a client’s live production system with zero previous experience. It did not end well, for me or the client. The mentor and I went our separate ways.

By this point I had started joining security communities. And I LOVED it. My favourite community of all the local ones I could find was OWASP, the Open Web Application Security Project. The Ottawa chapter was led by someone named Sherif Koussa, who I am proud to still call my friend and mentor today. I made friends quickly, found more than one new mentor, and even became a chapter leader. I learned a lot by inviting speakers, talking to others in the community, and volunteering for projects.

Eventually I started doing public speaking, which provided me with free tickets to conferences, and sometimes even free training! I also started my own OWASP project (OWASP DevSlop) so that I could learn how to secure software in a DevOps environment.

It became clear to me, very quickly, that I learn best by reading/listening/watching something, then trying it for myself, then teaching it to someone else. I also enjoy learning more when I follow this process, rather than only reading or watching videos. I realize this is way more work than just reading a book, but everyone is different. And I’m lucky because other people seem to like my style of teaching and writing, which motivates me in a way I had never previously known. 😀

Eventually I wrote my own book (Alice and Bob Learn Application Security), started my own tiny Canadian startup (We Hack Purple), and opened my own online academy and community.

But that’s what worked for me. You need to find what works for you.

Below is a long list of ways that you can continue your learning. If you have more ideas, please send them to me and I will add them!

General Advice:

  • Find what you are interested in. Join communities (online and local, if possible) that focus on those topics. Make friends if you can!
  • Finding out what you are interested in might take a lot of time, and that’s okay! It took me 2 years to figure out I wanted to do AppSec, not PenTesting. You need to find the right place for you.
  • If you fear that you are too old to learn, please put that notion aside. You CAN learn. If this belief is holding you back, talk to someone who cares about you, and let them talk you out of it. Everyone has doubts sometimes; people who love you can help you look past them.
  • Find out if there are learning opportunities at work. Sometimes you can job shadow someone or help on certain projects. I kept volunteering to help the security team at my office and eventually they let me join the team!
  • Some organizations offer coaching services to employees. Usually it’s for leadership, but I used to work somewhere as an AppSec coach. I trained up the junior people into AppSec pros; it was great!
  • If your office pays to bring in a trainer, it’s often significantly less costly than sending everyone individually to courses. See if you can join forces with other teams, departments, or even other organizations to create a larger budget.
  • Ideally you will aim to learn about best practices that are agnostic in nature, and then also learn about the specific tech stack that you use at work. This could mean a general secure coding course, with a break-out session on your specific programming language, framework, cloud provider, etc.
  • If you are reading this and you are on the security team, and you are planning to train your developers on security for the first time, if anyone seems nervous, you might want to assure them all that no one is losing their job. It might sound strange, but sometimes when there’s change, people worry. If you can remove their worries, they will learn more, and hopefully maybe even enjoy it. Watch for this and reassure people if the need arises.
  • If you are planning learning for others, communicate your plan in advance. Let them know what’s coming. It helps people prepare themselves, and you are likely to get better results.
  • If possible, provide training in multiple formats (audio, visual/diagrams/images, hands on, written, etc.) so that every person’s learning style is accommodated. If you’re not sure how you learn, try a few different ways and see which one “feels right”. That’s likely the best one for you!
  • Give yourself short breaks. A microbreak (5-15 seconds to laugh at a meme or read a few short posts on Mastodon) can help you move the information from your short-term memory into long-term memory, meaning you are more likely to be able to apply what you learned, and remember it for significantly longer.
  • Take tests or give yourself tests. Not so that you can see how you measure up against others, but to make yourself remember the things you’ve learned. Practising ‘recall’ will help ensure you’ve learned (not memorized) the new information.
  • Set time aside for yourself each day and slowly watch recorded conference talks and other content that are of interest to you. Consuming information in smaller chunks can make it easier to absorb. If you aren’t sure which videos, books or articles you want to start with, ask for suggestions from people in your community.

Tanya Janca, Presenting at B-Sides Ottawa, November 2022. Ottawa, Canada

Application Security Learning Opportunities:

I hope this helps you on your continuous learning journey!

Jobs in Information Security (InfoSec)

Image by Henry Jiang of Oppenheimer & Co.

Almost all of the people who respond to my #CyberMentoringMonday tweets each week say that they want to “get into InfoSec” or “become a Penetration Tester”; they rarely choose any other jobs or are more specific than that. I believe the reason for this is that they are not aware of all the different areas within the field of Information Security (InfoSec for short, and “Cyber” for those outside of our industry). I can sympathize; I was in the same position when I joined. I knew three Penetration Testers and lots of Risk Analysts, and I had no clue that several other areas existed, let alone that they might interest me. I knew I didn’t want to be a Risk Analyst, so I thought the only other option was PenTester. Now I know that is not true at all. This blog post will detail several other areas within the field of Information Security in hopes that newcomers to our field can find their niche more easily. It will not be exhaustive, but I’ll do my best.


The above image shows 8 different potential areas within the field of Information Security according to the author, Henry Jiang: Governance, Risk, Career Development, User Education, Standards, Threat Intelligence, Security Architecture and Security Operations.

Since I come from the software development side of IT, and have done almost exclusively coding, my view is going to be extremely biased. With that in mind, the first area you may want to consider is Application Security (AppSec); any and all work towards ensuring that software is secure. This is the field that I work in, so it will have the most detail. There are all sorts of jobs within this field, but the most well-known is the web app pentester (sometimes called an ethical hacker); a person who does security testing on software. Such a person is often a consultant, but can also work in large companies. They test one system, intensively, perform a lot of manual testing, and then move on.

Jobs in Application Security:

  • Application Security Engineer — you do a mix of all the things listed under AppSec and you are generally a full-time employee. This includes making custom tools, launching a security champion program, writing guidelines, and anything else that will help ensure the security of your organization’s apps. I personally consider this the sweet spot, as I get to do varied and interesting work, and see the security posture improve over time. It is, however, usually a more senior role.
  • Threat Modeller: working with developers, business representatives and the security team (that’s you in this scenario) to find and document potential threats to your software, then create plans to test for and fix the issues.
  • Vulnerability Assessment: running lots of scans, all the time, of everything. You can scan the network too. Ideally, you will do more than this to assess the security of the systems in your care, but it depends on where you work. This position is often an employee position and you tend to have prolonged relationships with the systems and teams you assess.
  • Vulnerability Management: keeping track of the vulnerabilities that all the tools and people find, reporting to management about it, and planning from a higher level. For instance, attempting to wipe out an entire bug class, implementing new tools because you see a deficiency, resource planning, etc. This is usually an employee position, and often a manager role or team lead.
  • Secure Code Reviewer: reading lots of code, using SAST (static application security testing) tools and SCA (Software Composition Analysis — are our 3rd party components secure?), finding vulnerabilities in written code and helping developers fix it.
  • DevSecOps Engineer: an AppSec engineer working in a DevOps environment. Same goal, different tactics. Adding security checks to pipelines, figuring out how to secure containers and anything else your DevOps engineers are up to.
  • Developer Education: this is usually a consultant role, but sometimes for large companies, someone can do this full time. The person teaches the developers to write secure code, the architects to design secure apps, threat modelling, and any other topic they can think of that will help ensure their mandate (secure apps). This person is also likely to train the security champions.
  • Governance: writing policies, guidelines, standards, etc., to ensure your apps are secure. This is usually either someone who does all the governance work for your org and works with the AppSec team to get the details right, OR a consultant, because this is not an activity that needs to be re-done constantly.
  • Incident Response: this area includes jobs as an incident manager (you boss everyone around and make sure the incident goes as smoothly as possible), and investigations (Forensics/DFIR). Investigating incidents related to insecure software is a topic I personally find thrilling; detective work is exciting! But with the stress it causes, it’s not for everyone.
  • Security Testing: often called Penetration Testing, sometimes called Red Teaming, sometimes not officially recognized as a job because management isn’t “ready” to admit they need this yet. This person tests the software (and sometimes networks) to ensure they are secure. This includes manual testing, using lots of tools, and trying to break things without causing a huge mess.
  • Design Review: this is usually the job of a “Security Architect”, but AppSec folks are often asked to review designs for potential security flaws. If asked, say yes! It’s super fun and always educational. Bonus: it’s a good way to build trust between security and the developers.
  • In AppSec you will also be asked to do a range of other things because that’s how life is. Potential asks: install this giant AppSec tool and figure out how it works, create a proof of concept for an exploit to show everyone that it is/is not a problem, create a proof of value with a new AppSec tool we are considering acquiring, get all the developers to log their apps like ‘so’ so that the SIEM can read the results, research how to do something securely when you have no idea how to do that thing at all, etc. As I said, it’s super fun!

ISACA Victoria, Dec 2019

Security Architect (apps, cloud, network): Security architects ensure that designs are secure. This can mean reviewing a deployment, network or application design, adding recommendations, or even creating the design themselves from scratch. This tends to be a more senior role.

SOC Analyst/Threat Hunter: SOC analysts interpret output from the monitoring tools to try to tell if something bad is happening, while threat hunters go looking for trouble. This is mostly network-based, and I’m not good at networks; otherwise, I would have been all over this when I moved into security. The idea of threat hunting (using data and patterns to spot problems) is very appealing to my metric-adoring brain. Note: SOC Analyst is a junior or intermediate position and threat hunter is not a junior position, but if you want to get into InfoSec they are basically always hiring for SOC Analysts, at almost every company.

Risk Analyst: Evaluate systems to identify and measure risk to the business, then offer recommendations on how to mitigate or when to accept the risks. This tends to be coupled closely with Compliance, and Auditing, which I won’t describe here because I am shamefully under-educated in this area.

Security Policy Writer: Writing policies about security, such as how long network passwords need to be, that all public-facing web apps must be available via HTTPS, and that only TLS 1.2 and higher are acceptable on your network. Deciding, writing, socializing and enforcing these policies are all part of this role.

Malware Analyst/Reverse Engineer: Someone needs to look at malware and figure out how it works, and sometimes people need to write exploits (for legitimate reasons, such as to prove that something is indeed vulnerable, or… you need to ask them). If you enjoy puzzles and really low-level programming (such as ARM, assembler, etc.), this job might be for you. But be careful; playing with malware at home is dangerous.

Chief Information Security Officer (CISO or CSO): “The boss” of security. This person (hopefully) has a seat at the executive table, directs all security aspects for a company, and is the person held responsible, for better or for worse. If you enjoy running programs, managing things from a high level, and making a big difference, this might be a role for you.

Blue Team/Defender/Security Engineer (enterprise security/implements security tools): The people that keep us safe! These people install tools, run the tools, monitor, patch, and freak out when people download and install things to their desktops without asking. They perform security operations, making sure all the things happen, while those in the SOC (Security Operations Centre) monitor everything that’s happening and respond when there are problems.

There are many, many, many jobs within the field of Information Security, please feel free to list some of the ones that I missed in the comments below. I hope this information helps more of you join our industry because we need all the help we can get!