Trip Report – Hacker Summer Camp 2023

Ashish, Adam, me, Tiffany, Shilpi, Anna and new guy!
Photo credit: Scott Helme, AppSec Village, Def Con, 2023

For those of you who are aware, every August for the past 30 years or so, hackers have been meeting in the dead heat of summer in Las Vegas, Nevada to host multiple learning and community events. It started with Def Con, a conference dedicated to hackers & hacker culture, releasing exploits, and “doing stuff that makes you feel like a badass” (or at least that’s my opinion). Four years later, Black Hat was started, a corporate security event, known for high quality training and research-heavy presentations. After multiple years of being rejected from the Black Hat and Def Con conferences, Jack Daniels (who I met this year for the first time, he was so nice and friendly!) started a conference for those of us who have been rejected from the main conference, aptly named “B-Sides” (for those younger than I: records and tapes used to have an “A side” and a “B side”, with the B side having… less popular songs). As a person who has been rejected over and over by these conferences… I love the Las Vegas B-Sides and B-Sides in several other cities (they are all over the planet now, by the way)! As the years went by, more events were added, such as The Diana Initiative, and so many more. Eventually people started referring to this annual event as “hacker summer camp”, and if the shoe fits… Hack it!

Okay Vegas, let’s do this!
This is Chadd, my new BFF from WHP Community!

This year started off for me by keynoting The Diana Initiative. Not only did We Hack Purple sponsor this annual event that I love so much, but I credit this group (community? movement?) with being the main reason that I have come back to Vegas (my least-fav American city) year after year. Being able to keynote what I consider to be my favorite part of hacker summer camp is pretty much the best outcome I could imagine. Diana is a place where I always feel comfortable and safe, and after my first trip to hacker summer camp (2015 – before I gave talks or had a Twitter account) being extremely uncomfortable, I have found them to be a force of nature for rebuilding trust with those of us from underrepresented groups. My first trip to hacker summer camp involved a lot of unwanted touching from men, being followed around (even from one building to another, with me saying “Stop following me!”), lots of feeling unwelcome/not fitting in, and the TiaraCon folks making me feel so utterly embarrassed by demanding I wear a plastic tiara and feather boa, so many times, that I ended up yelling at them to “stay the F away from me”. Not one of my finer moments. Sigh. Hacker summer camp has come a LONG WAY since then.

Me, in cat ears, at The Diana Initiative
I was also on a panel of kick-ass ladies to talk about our careers at Diana!

I also saw some great talks at Diana, including ones by Chloe Potsklan and Yianna Paris!

We Hack Purple Podcast alumni Maril Vernon doing the superwoman pose with me, and the Diana Initiative Volunteers! There would be no conference without volunteers, hats off to each and every one of you!

A real life super hero: Lynn Dohm of WiCYS

The next day I had a We Hack Purple meetup where I got to meet several community members, including my new friend Chadd (he’s looking for his first job in AppSec, if you’re hiring!). We chatted all things community, jobs, AppSec, and how I could plan a WHP meetup in DC in October when I come up for OWASP Global AppSec. Also, did I mention that I will be speaking at OWASP Global AppSec?!?!?!? Yay!

The CUTEST instructors in Vegas!!!! Wait, I mean Enno Liu and Colleen Dai of Semgrep.

Also on Tuesday, B-Sides LV started! I gave a workshop (Adding SAST to CI/CD without losing any friends) with my new colleagues, Enno Liu and Colleen Dai. It was SUPER FUN! I covered the easy parts, setup, cloning and running the CI, Juice Shop, the SCA and SAST results, etc. Then Enno and Colleen really took it away with rule writing in Semgrep. I’m new to Semgrep (week two), so I’m still learning to become a little rule ninja. I suspect I will learn a lot from these two.  

This was our team dinner. They know how to treat me!

Monday night I attended the B-Sides Speaker dinner and ate very little… Because then I went to a team dinner for work, and we ate KOREAN BBQ (which I love)! It was all you can eat, and folks, I did my best to get my new employer their money’s worth by stuffing my face. 😛

Gabrielle Botbol and Vandana Verma. Two incredibly dangerous pentesting ladies!

Wednesday morning, I met my dear friends Vandana Verma and Gabrielle Botbol for breakfast. We caught up, ate tasty food, and took selfies, just like any other set of friends who have been apart for a few months. Don’t they look lovely? They are two wonderful human beings!

After breakfast I had several meetings that were sort of all over the place, broken up by “Oh hi! I haven’t seen you in forever!” type conversations as I recognized people at B-Sides. Obviously, Chadd was there!

My IANS and Forte Group Colleague, Summer Fowler!

Later in the evening I met up with the crew from IANS Research! I also FINALLY got to meet Malware Jake Williams in person, instead of just tagging him in Slack all the time. He had a great Splunk T-shirt that said “You bet your sweet SaaS” and… I want one! LOLOLOLOL!

Forte Ladies Unite!

Thursday morning started with a Forte Group breakfast. Well, there wasn’t really a breakfast per se, but who cares? I can get food anywhere. What I cannot get anywhere is 100 CISO, CEO, and startup lady founder friends!!!! Only about 30 of them showed up, but it was awesome! Obviously, we discussed taking over the world. Wait, I mean: How can we train and find the next generation of cyber security professionals, and ensure more of them are women than ever before. Yes, that was it. ;-D

After the Forte amazingness, I went for the first-ever Semgrep Community Meetup! We were *supposed* to meet in the Starbucks just off the lobby from Caesar’s Palace, but unbeknownst to me it was closed recently for construction, and for some reason an unfriendly employee was demanding no one stand around. I tried to stand around and wait for people, to direct them to the new location (Starbucks in the food court of Caesar’s) but she yelled “GET!” at me, and I ran away… She was not having any of it. The Cloud Defense team was there, and they also tried to go round up any community members I missed and were also shooed away. If we missed you, I am so sorry! That said, the people I DID find had lots of fun with me and Semgrep!  

The first Semgrep Community in-person meetup!
Don’t the Twilio/Segment Product Security Team look amazing???!?!??!

After that I headed off to the Bishop Fox Drybar event, and (completely randomly) ran into Ariel Shin (previous WHP podcast guest) and several other ladies from the Twilio/Segment product security team. DON’T WE LOOK GREAT? Thank you Bishop Fox!!!! We will secure the world and look great doing it!!!!

Later that night I met up with several friends from the Slack Product Security team, ate dinner, and learned a lot of new stuff about what makes the ‘glue’ of a team. I didn’t take pictures, but I assure you that it was both delightful and delicious.

I realize that I am a total jackass.
AppSec Village

Friday was the big day… Presenting at the AppSec Village! Both Semgrep and We Hack Purple were sponsors of the AppSec Village, because we both LOVE AppSec and this community. I gave my talk DevSecOps Worst Practices and it went really well (everyone laughed when I hoped they would, and did not laugh when they were not supposed to).

I also got to see SO MANY FRIENDS! Ashish and Shilpi, Jet, Scott Helme, Adam Shostack, Aaron Lord, and more!!!!  

Then I flew home. Phew, What A Trip!  

Thanks for reading, see ya next time! Also, lots more photos below, just ‘cause!

Ready for Diana

My first week at Semgrep

Put all of your unhappiness aside.
My nails and dress were matchy-matchy for my first day!

Since I’ve been keeping this giant secret for so long, I’m very excited to finally be able to share all of my good news. This blog post is going to be all about my first week at Semgrep. We chose July 31 as my first day because they were already having several other people start that day, and because they were hosting Semgrep Hub Week—team building events for every single team, in person. As you might imagine, I am going to be a mostly-remote worker, so a chance to meet the entire team in person was something I could not miss. They flew people from all over the planet to San Francisco, with a focus on connecting, having fun, and innovation. I’m told that normally there’s more work and fewer cruises, art lessons, mini putt and other fun activities, but that there’s always lots of bubble tea. 😀

My first day was just a lot of airplanes, and sharing on social media that I’m going “somewhere” and asking everyone to guess. I arrived way too late in the day to see anyone, unfortunately. For the record, my followers are brilliant, and several of them guessed not only which city I was in, but also the purpose of my trip, very quickly, with few hints! My followers are way too smart to have the secret last very long, so we knew we only had a few days at best to make our announcement.

Clint and I pose in front of the Semgrep sign at HQ. Getting to work with my long-time friend Clint Gibler is a HUGE PLUS!!!
A few members of my new team!
Even more of my team!
Meet (some of) Semgrep People Ops. THEY HIRED ME!

My second day I had a previous-commitment teaching engagement, so I couldn’t come into the office until around 1:00 pm, and when I entered the building I was immediately greeted with smiling faces! My new boss Pablo greeted me with a hug, same with Clint, and so many more of my new co-workers! I’m going to have several images throughout the blog post of some of the friendly faces I met all week. There were so many people! We’re almost at 150 at this point, and growing fast!

My first team building exercise was a graffiti painting lesson. No, seriously! We were all given access to spray paint, a quick lesson, and then let loose upon a couple of brick walls in downtown San Francisco!

Chris is smart, he wore a hazmat suit and got NO PAINT on his clothes.
Another of my colleagues who managed not to get paint on himself!

After a few hours of painting, several of us walked back towards the office and decided Dim Sum was in order. One of my teammates had never tried tofu, eggplant or potstickers before in his life, and was a VERY good sport about trying literally everything we brought to the table. He says he doesn’t need to try tofu again, but the rest was a hit! I’ve converted one more person into a Dim Sum fan!

They walked me back to the office to get my laptops (I have 3 with me now, the WHP one, a burner one for Def Con, and my new Semgrep M1). I got to see a bunch of SF at night that I likely wouldn’t have wanted to wander through by myself at that time of day, so that was really nice.

On day two, I had to teach all morning again, so I arrived at the office quite late (1:00 pm). At 3:30 pm, which seemed to arrive in only a millisecond, we left to go on what I was told was a cruise, but it was actually a sailboat that took us all over San Francisco Bay. Lots of us got splashed! There was also a lot of tasty cheese, fruit and other snacks. I ate a lot of cheese, lol.

We’re ON A BOAT!

After the cruise we went to a giant food truck park, and I got to have a rice burger (the buns were made of deep fried rice, and I want you to know that I learned that I APPROVE of deep frying rice, YUM), and bubble tea! This trip involved a lot of bubble tea, and I noticed that people were offered alcohol throughout the week and a lot of us opted for boba (fancy bubble tea) and other non-alcoholic alternatives. Startup culture is often “let’s get hammered”, or it has seemed that way to me, and as a person who doesn’t drink all that often, at times I have felt left out. I never felt ‘left out’ or pressured to drink at all this week, and that was SO NICE. It’s cool that other people want to enjoy a beer or two, but I will take a fancy latte or bubble tea over beer any day. Mmmmmm, sugar. LOL.

Day 3 was more meeting new people, starting to tell everyone what my new role will be, and suggesting 400 different new features for the product (this is what happens when you use something a lot with clients, you have a build-up of suggestions). I had several 1:1 meetings, and even more introductions. Once the work slowed down, I went to play mini putt with the security research team. There was more bubble tea!

Inside the heated food truck with HR and Support teams

Day 4, the Friday, we finally got to announce that We Hack Purple and I had joined Semgrep! I remember I pressed “send” on the announcement and then we both ran to the Hub Week presentations. When I got back to my desk I had a couple (hundred) notifications… LOL! The Hub Week presentations were all new features and innovations that various teams had made at Semgrep that week. Not only were a bunch of them AMAZING, the presentations were absolutely hilarious! They had one employee MC the whole thing, and we were all in fits of giggles for 2 hours while the teams showed off their cool new creations. Although I am not allowed to share them as several will probably become part of the product very soon, I CAN share that there was: ASCII art, music, dad jokes, and Hawaiian leis for everyone!

They gave me a new macbook!

The last thing I did this trip was visit my friend Anshu Basnal of Cloud Defense. I know I talk about them a lot! They are my friends. 😀 Anyway, I don’t usually get to spend a ton of time with Anshu (he’s a CEO, he has stuff to do), and it was nice he took his entire Sunday to show me around SF and make sure I got to the airport on time. Thank you my friend!

Anshu and me

Safety at #HackerSummerCamp

Image of Tanya saying "Ask me anything AppSec"

A few years ago, I wrote a blog post, Hacker Summer Camp 2019, about how to stay safe at #HackerSummerCamp (Def Con + Black Hat + Diana Initiative + B-Sides + everything else that week in Vegas). I made a video to add more details, clarity and ideas on how to have more fun and make more friends. You can watch it below!

Video about how to stay safe and have fun at Hacker Summercamp

#WeHackHealth Getting Better Sleep

Tanya building garden beds

If you’ve been following the #WeHackHealth hashtag, quite a few people who work in the field of information security have been sharing health tips, encouraging each other to focus on their own health, and showing progress reports on their efforts. Several people I know have been following it closely, participating, and reaping the benefits of this wonderfully positive movement. Started by @HackingDave, this use of social media to encourage others to live healthier lives is something I have been wanting to contribute to for quite a while, but I wasn’t sure quite how I could add value. That is, until my most recent trip to San Francisco for #RSAC 2023!

A summary of this blog post is available in PDF format here.

Tanya, posing with her freshly planted seedlings.

I’ve been struggling with poor sleep since my teens (that’s 30 years, for those who enjoy math). During my 20’s I used to stay up until at least 1:00 am most weeknights, then get up at 6:30 to 7:00 am to go to work. The weekends were worse. I was part of the local music scene in Ottawa, playing at live music clubs several times a month, and would often be out until 2:00 am, 3:00 am, or even later on the weekends. Sometimes my fans would wait until the club closed (2:00 am), wait while I put my drums/guitars/whatever back at my place, then take me out to dinner, at 3:00 am. This whole time I worked full time as a software developer as well, doing the 9-5 routine. My thought was “If I’m not going to be asleep anyway, why bother lying in a bed being bored when I could be out having fun instead???” In my early 30’s I was slightly less ridiculous, until I met a doctor who asked me what my “sleep hygiene” was like. I had no idea what that was. He suggested that if I got better sleep it could help with other issues I was having, and I set upon a path to get better sleep.

To be quite clear: I walked around like a complete zombie until around 11:00 am every day. I was on auto-pilot, and since I found coding easy and fun… It didn’t bother me. I zoned out, into the code, and worked until lunch… I can’t imagine how I must have seemed to my co-workers, 1/2 asleep, trying to get work done, I must have looked a mess.

Sleep-deprived-Tanya

Before I get any further down this path, I’d like to inform you that I am not a doctor. I’ve never been to med school, or studied medicine in any way. In fact, I’ve never even played a doctor on TV (I know, so lame!). You should not take any of this as official medical advice, this is just what I have learned through lots of (non-professional) research, trial-and-error, and personal experience. Please talk to your doctor before trying anything with an asterisk (*) beside it. Most of this stuff is harmless, but I will put the little * if I think you should ask your doctor first. Feel free to ask your doctor about anything anyway! In summary: I am definitely not a doctor, but just a regular person who hopes sharing her sleep journey might help you get better sleep.

WTF ‘Sleep Hygiene’?

Sleep hygiene means setting a time to wake up and go to sleep, every single day, and sticking to it. If you have children, or remember being a child, they usually have a “bedtime”. For some reason, as we become adults, we tend to throw this idea away. I told the doctor who suggested it that I never slept anyway (literally 2-3 hours a night, but sometimes as much as 5 hours. Yay?) but he insisted I try it for 3 straight months, and I thought “WTF not?”.

His instructions: go to bed and wake up at the exact same time every single day, weekend or weekday. Give yourself 9 hours or more. Do not deviate, even if there’s a “super cool party”. * I might have asked if it was okay to skip this for parties and he gave me a serious frowny-face…

For the next 3 months, I went and lay in my bed at 11:00 every night, and forced myself to get up at 8:00 every morning. I did not think it would work. But it was SUCH A GIANT IMPROVEMENT (after a few weeks of being diligent). I did more than just this, but I started sleeping more hours. And for the first time, I started to feel drowsy around 11:30. And my other health condition improved noticeably. #WIN

Caffeine, Addiction, and Timing

Caffeine is a drug that a large portion of North American adults are addicted to, but it doesn’t have to be this way. I’ve had lots of friends who drink several coffees a day (multiple pots, in fact), they can’t sleep, but they also tell me “It doesn’t really affect me”. If caffeine doesn’t affect you, why are you always consuming it? This does not add up.

If you feel really tired, sleepy, or have ‘brain fog’ later in the day, it might not be that you are genuinely tired, it *could* be that you are having caffeine withdrawal. Once I stopped having caffeine, I noticed I didn’t need it anymore. I had almost no caffeine (just decaf tea or herbal teas) for a few years, and felt way better. I do drink it now though, but I stop early afternoon, no matter what.

If you love coffee, tea, diet cola, or whatever, that’s okay. But you need to only consume it at certain times if you’re having sleep issues. If you work the regular 9-5, I suggest no more caffeinated drinks after lunch, or just have decaf from then on. I personally don’t usually even have decaf past 1:00 pm (there is caffeine in decaf drinks, it’s just less!), but you can find your own rhythm that works for you.

Lowering the Lights (Dimmers are the best!)

I read a book called “The Primal Blueprint” by Mark Sisson, and I loved it (and yes, I eat paleo and do all the stuff he says). Then I did what I always do, and read every other thing the author ever wrote. “The Primal Connection” is a book about reconnecting with our bodies and nature, and one of his suggestions was lowering the lights, and removing blue light, when the sun sets.

You can get dimmer switches and change out a bunch of your lights in your house or apartment for a couple hundred bucks (I know, not cheap!) but I have found it worth the expense. If you use LED or CFL lights, it’s important you buy the ones that are dimmable and “warm” temperature, otherwise they will flicker and be really annoying, or make a buzzing sound (also annoying). I walk around the house at a certain time and lower the lights. Everyone in the house starts chilling out. I usually do this around 9:00 pm, but do what’s best for you.

Also, I don’t mean walk around in the dark. I mean turn them down to 70% or 60%. So that you feel a bit relaxed. It will make sense over time which amount of dimming is best for you.

Amber/warm versus bright blue daylights

When you buy lightbulbs, lots will say “bright white”, “daylight”, or “blue white”. Those are great for an office, bathroom, or your kitchen, where you want to be fully awake and alert.

Some lights will say “Warm” or “Amber”. They are great for your bedroom, living room, dining room, anywhere you want to relax and wind down.

I typically use these to try to get myself more awake or more relaxed/wind down for bed. If I work late in the living room we have a special extra light that my partner set up, to help me concentrate on my writing. It works like a charm!

Blue lights/screens

TV and phone screens often come into our bedrooms with us. All of them are able to display most colours, including blue, which tells our brain “WAKE UP IT’S DAYTIME”. There’s a setting on your phone where you can have it slightly dim the screen, and remove most of the blue light, when the sun sets. Doing this will help you sleep, and you can automate it easily.

For televisions, this is harder. I’ve seen people who buy funky orange-lensed glasses and wear them in the evening to remove the blue light themselves, but I am not personally a fan. If you watch TV via a computer/stream, some of them have settings that allow you to change and remove the blue, but not all. I used to have a Raspberry Pi that did this for me, but I just got a Roku and I’m not sure if I can do that with it yet. Check your own devices to see if you have this option.

Complete Darkness

Sleeping in *complete* darkness helps me get very deep sleep. I have blackout blinds on all my bedroom windows, no visible LEDs, and we turn off the lights in other rooms so that they don’t shine through under the door. I take this very seriously, and travel with black electrical tape so I can cover all the lights in hotel rooms. I have received feedback from my significant other that this one change made a huge difference for their sleep. Removing all lights is worth the effort!

Sun Lamps

I am one of many people who are affected by Seasonal Affective Disorder (SAD), sometimes known as “seasonal depression”. If you don’t know what it is, basically I get really bad brain fog every winter. It’s hard to concentrate, and I feel “down”, for months at a time. I remember my grades used to plummet in the winter semester, and soar in the spring… It’s not real depression, it’s much less serious. That said, it still sucks, and I moved across Canada just so I can avoid this situation as much as possible. (You can read more on SAD here)

SAD is caused by not enough sunlight. Our bodies NEED it. You can treat SAD by taking vitamin D, getting lots of sun in the winter (for instance, taking a vacation, or moving to a less-wintery-place if you’re me), and using a Sun Lamp.

A sun lamp generally has to give off 11,000 lumens of light or more, and sometimes they are bright white, or blue light. You need to sit in front of it for 15-30 minutes (depends on the model) every morning, ideally as soon as you wake up. I’ve been doing this every winter, since I was 23, and these lamps changed my entire life.

Note: these lamps are great for treating jet lag, SAD, or just helping you get better sleep. You are telling your body “HEY, this is MORNING”.

Word of caution: do not use these lamps at other times of day. It will just keep you up and mess up your sleep. I’ve seen people say “Oh, I forgot this morning, I will do it after work” NOOOOOOO. Do not do that. It will not make for a fun night of sleep. :-/

Magnesium *

Magnesium is a type of salt that is really good for us, and if you are a woman over 40, someone with chronic pain, someone with (list other symptoms), it’s advised that you take it.

That said, it’s ALSO good for sleep! I take a small amount with water before bed, and it even kinda tastes good to boot.

Note: if you take too much magnesium you will have “exciting” trips to the bathroom. Start small and work your way up to the full dose over several days or even weeks.

Sleep Rituals

You might not realize it, but many of us have rituals we perform every day. We have a “get ready for work” ritual, a list of specific things we do in order to feel “ready”. Often, we also have nighttime rituals, to help us get ready for bed, whether you consciously realize it or not. Most of them include brushing our teeth, journaling, turning off all the lights in the house, locking the doors, saying “goodnight” to people you live with, etc.

Years ago, I had a friend who had TERRIBLE nightmares. She feared going to sleep, and would often stay up as late as possible to avoid these vivid and awful dreams. We talked about it and I asked what her ritual was before bed and she said she didn’t know. She didn’t have one.

It turned out she did have a bedtime ritual, but it was the opposite of helpful for her. She would watch TV to try to avoid going to bed, and worry about what she would dream about. She would eat treats, to try to calm herself. She would “keep herself really busy” until she would fall into bed. This was NOT working for her.

Together we came up with a new one for her:

  • Herbal tea instead of sugary snacks
  • Calling a friend when it’s not too late, so she can have a nice conversation and remember there are a ton of people in her life who love her
  • Journaling all of her worries, then locking it away into a drawer
  • Stretching (I gave her a bed time yoga video I used to do every night)
  • Reading something non-scary in bed, instead of TV or phone
  • Lowering the lights 2 hours before sleep

Although her nightmares did not stop completely, they went from “pretty much every night” to “once a month” and “I don’t always remember them”. She started sleeping WAY better. She was also happier. On top of that, she took the lighting item to a whole new level and redid all the lighting in her entire house and has inspired me in decorating every place I have lived ever since!

Journals/Lists

Some of us don’t sleep because we are worrying. Worrying about work. Worrying we don’t have work. Worrying about money. Worrying about our loved ones. Worried no one loves us. Etc. This is NOT good for sleep. I personally worry about having too many things to do (and that I might forget one) and/or missing a flight. I’m SO WORRIED about flights. Sigh. We all have our hang-ups.

Anyway, one way to get around this is to write everything in your head into a journal. It doesn’t even need to make sense. Getting it out is what matters. Whenever I wake up in the night concerned about something, I try to write it down. Then I always fall back to sleep so easily. I have seen this work for several people in my life, including children! Just the act of writing it down can make us feel better when we are upset, even if we never read it again. Even if you are not upset, just making a list of what’s in your head can help…

  • Gotta sign the kids up for summer camp
  • Can’t forget the gas bill
  • Did my friend apply for that job or not? I’m going to ask. She might need a nudge.
  • Don’t forget to call your mom this weekend!

Bedrooms are only for 2 things, and one is way more fun than the other

“Bedrooms are for sleeping and sex. Nothing else.”

Mark Sisson, author of The Primal Connection and other amazing books

I remember reading this in The Primal Connection, and thinking “Gosh, I want to live at your place.” But I used to do everything in my room… I would play guitar in my room, read in my room, whatever. If I wanted to avoid roommates, my room was the place to be, rather than the common room. Once I changed it to “only two things happen here”, it sounds weird but I go in and I know that’s what I’m doing. I’ve added “get dressed” and “put away laundry” to the list, but I try not to do general activities there, and instead use other spaces. It helps my family members know I’m not avoiding them, and it sets the mood for sleep.

Note: If you live in a bachelor apartment or have a bunch of roommates, just ignore this one. This is one of those “if you’re lucky enough to have space for” rules.

Jetlag

I have travelled all over the planet and I’m pretty “good” at Jetlag now. Using a sun lamp, and following the eating windows in the section below can really help. I also sometimes “cheat” and take a sleeping pill to make myself sleep at the correct time the first day, and I force myself to have breakfast first thing in the morning in my new time zone even though I hate eating breakfast. But I need to tell my body “I am breaking the fast” and “this is morning now!”.

Diets and Eating Windows *

Our bodies are not meant to eat every moment of every day. When we eat at weird times, it can (negatively) affect our sleep. I am as guilty as the next person of having a snack in the evening lately, but if you are having a lot of trouble sleeping and you snack at night, I suggest reading this book: Your Circadian Code. Although the author jumps over into “this is how you can lose weight” a bunch, if you can ignore that part, the rest is REALLY GOOD. And, if you’re trying to lose weight, this could be a double whammy for you. The guy who read for the audiobook has a really nasal voice, but if you can get over that it’s not very long, and all of it was very helpful for me.

Meditation

Meditation is staying still and attempting to clear your mind and just observe your thoughts, body and breathing. I used to think it meant ‘trying hard to think of a specific thing’, concentrating very hard. But that’s not true, not really.

Meditation has been linked to all sorts of excellent health benefits, both physical and mental, such as lowering stress and anxiety, reduced chronic pain, more patience and calmness, happier outlook on life, etc. AND it can help with sleep!

If you meditate regularly, it can help you clear your mind so you can go to sleep. Start listening to your body, calming down your sympathetic nervous system, and you’re miles ahead in getting to sleep fast. Regular meditation can help with your sleep overall as well!

Hypnosis *

There are all sorts of hypnosis recordings, and psychologists who will do it live for you, that can help you sleep. They hypnotize you, then tell you that sleep is your friend (not literally, but basically, they make you believe that you can sleep, you should sleep, and you will sleep). I used hypnosis years ago to help me stop drinking cola. It worked. For 5 years. Until I started working at Microsoft and travelling all over the world and I needed caffeine to power through various travels. 5 years is pretty good!

Comfortable bed – note, it might be way harder than you think!

I used to have a really soft bed. When I went to the store to buy it, I laid down on the soft bed with my friend and we both agreed, it was super soft and comfy. But then it made my back hurt, and I was very confused about it.

When I started travelling for work all the time I got to stay in lots of different beds, in different hotels. I decided the Marriott’s beds were the best! I learned I could buy the same mattress from a regular bed store, rather than from the hotel, for about half the price. And I learned they choose FIRM beds. I thought that would hurt… but it’s SO MUCH BETTER. So if you have back pain and a really soft bed, consider trying out a very firm bed. Having a comfortable bed is really, really helpful.

Snoring and Sleep Apnea *

I got tested and I have incredibly mild sleep apnea. The doctor told me to sleep on my side and I would never snore again, and to hug a pillow if it hurts my shoulders. I only snore if I’ve had a glass of wine, I swear! But I digress.

If you snore a lot, you likely have sleep apnea. I’m not saying you are doomed, or that you need to immediately get a CPAP machine. But when you’re snoring it’s because you can’t quite breathe exactly how your body needs to breathe. This interrupts your sleep in tiny intervals. The louder and more irregular your snoring, the more likely you are getting CRAPPY sleep. If you know you snore, and you feel really tired when you wake up, even though you should have had “enough” sleep, you likely have this going on. There are a bunch of options, and a doctor or sleep clinic can help you fix this!

Carbs & Sugar near bedtime

I love candy and sugar. I wish it wasn’t true, but it is. I definitely want to have a sugary treat before bed, every night, but it’s not helpful for my sleep. It’s likely not helpful for your sleep either. If you are an evening snacker (and I’m not saying you are!), consider not snacking after dinner for a week or so and see if you’re getting better sleep. Might be a habit worth breaking!

Massage and/or physical affection

Also in the Primal Connection book was the idea of human touch and affection. I come from a very affectionate family; we hug each other all the time. I’ve always been “touchy feely”, but not everyone is. The book pointed out that human touch is actually a need, not a want, like I had thought. In the book the author suggests that the reader “just have sex”, which is all well and good if you have that option available to you at the time, but we don’t all have a special someone just waiting to supply us with all the sweet loving we need, whenever we want. Way to make me feel inadequate Mark! (just kidding, I think the author is awesome)

As an alternative, you can get a massage or acupuncture, you can hug a friend, you can get a pet (not the same, but still helps make humans happier), you can play a high contact sport like ball hockey, do acrobatic yoga, and more. If no one has touched you in months, this is something you might want to look at. I’m not saying this to cast judgement or make anyone feel bad. I’m telling you this because it might improve your life, and every human deserves happiness.

General Health, Weight, Stress, and Happiness

Prepare for some really obvious advice, that I didn’t always understand. If you already know it all, cool! If not, also cool! We do not need to be perfectly healthy every moment of every day, but there are things we can choose to limit, to reap big benefits. When I dropped sugar, alcohol, processed foods and gluten from my life for 5 years, every part of my body was great. My hair was softer. My skin was perfect. My sleep improved. But you don’t need to be very, very strict in order to benefit; I’ve loosened up over the years on some things. Below is a list of places you could “be more healthy” and for each one you do, you will not only sleep better, there will be other great benefits too!

  • Alcohol is very bad for our bodies. I know it’s socially acceptable and “everybody’s doing it”, but you don’t have to, or you can just have some on special occasions. Having less (or none) will make you a healthier person, full stop. Also, all those news articles proclaiming that “having a glass of wine a day is good for you” are complete bullshit, and the studies they were based upon were incredibly biased. I will definitely have an internet argument about this if you want!
  • Sugar is bad. Not as bad as alcohol, but it’s also in way more foods and still total garbage for us. It’s SNEAKY, especially in the United States. Read the ingredients. Having less sugar will also help you be healthier.
  • Processed food is bad. It usually also has sugar, salt and chemicals. Having whole foods instead of processed foods will mean way more nutrients (to power your amazing brain and body) and less sugar and salt. Whole foods means eating vegetables with butter and spices, or salad with oil and herbs, or meat that you’ve grilled. It’s not something that has a list of ingredients.
  • Eat LOTS of veggies. LOTS. Eat tons of veggies and your body will thank you.
  • Spices and herbs, especially turmeric, are your friends. They contain tons of stuff that’s good for us (nutrients, vitamins, etc.) but they also make food taste better. Then you can have very tasty meals, of unprocessed foods. Spices and herbs are the secret!
  • Lifting heavy things and sprinting is good. The paleo folks have lots of mixed feelings about cardio, but basically every health expert agrees that moving around often, lifting heavy stuff sometimes, and sprinting once in a while, is good for us. Think: playing sports once a week, walking to and from work, and lifting weights once a week. This recipe can be very easy to stick to, be really fun, and keep you lean and trim.
  • Regular cardio can be quite bad, which I found surprising. Instead focus on “movement”, often. Plus play and have fun! Seriously. This is paleo wisdom, and I gotta say, I agree with it. I used to do the “tons of cardio” thing, and it never really worked for me. It spikes your cortisol (I have enough already, thank you) and it’s nowhere near as fun for me as playing sports, doing a yoga or pilates class, ‘playing’ in my garden, or goofing around with my kids at a park. Make your “exercise” a fun part of your life, and you will be fit forever.
  • Me and my weird walking desk: I have a walking desk, I really like it. I use it whenever I have a meeting where I just need to listen (think: team meeting). I used to use it a lot more than right now, because I cannot create content and walk at the same time. But I can listen and walk easily. If you’ve thought about getting one, they are now cheaper than ever before. And you don’t need to walk all day! If you walk one meeting per day, you’re awesome!
  • Grounding is good. I thought this was “total crap” when someone first suggested that I “touch dirt”, but over the years I have grown to love gardening so much that I now own a small hobby farm and grow a lot of the food my family and I eat. It works for me, and might not work for you, but as a self-described ‘city-slicker’ and tech worker who lived downtown and was surrounded by concrete most of her life, clearly it had its effect on me.
  • Filling your own cup. Doing things for yourself that bring you joy and comfort. THIS is important. We cannot just work and do things for others. If we do not take care of ourselves, we will have nothing left for anyone else. This can mean making a piece of art, writing a story or blog post, joining a sports team, having a great big laugh with a good friend. Your happiness greatly affects your overall health. No joke!

For those of us that travel on airplanes, often

  • WATER! Drink a lot of water. Note to self: Coffee is not water. Neither is diet soda.
  • Walking: walk around the airport a lot, rather than more sitting. It will help ensure you don’t get swollen ankles on the plane, but also help you feel better later.
  • Compression socks and more: if you are on a plane often, wear compression socks or even compression outfits.
  • More water. Seriously.
  • Do calf raises and any sort of neck/shoulder stretches/movement, at least once, per trip. It helps prevent blood clots and will make you feel way better.
  • Don’t sit on those crappy chairs at the gates if you can avoid it. They are uneven, so that your hips tilt back, which makes your head no longer even, so then you move your head forward. In summary: they are very bad for your back, neck and posture.
  • Carrying your own food, that doesn’t suck: I often bring protein powder that is high in fat & collagen as well, plus a shaker when I travel. Then I always have a food option. As a person who is sensitive to gluten and all sorts of other stuff, it’s hard to find food in airports for me. Bonus points: put two plastic bags around it. I had mine explode once and I smelled like a chocolate milkshake for the rest of the trip. I was not impressed, although my colleagues found it pretty funny. “Why does this elevator smell like…. A chocolate milkshake?”

Further reading:

Thank you for reading.

OWASP Global AppSec Dublin 2023

Tanya Janca Speaking on stage

Recently I had the pleasure of being one of the keynote speakers at OWASP Global AppSec, in Dublin Ireland. In this post I’m going to give a brief overview of some of the talks I saw while I was there, and the TONS of fun I had. I didn’t get to stay very long, and due to jetlag I fell asleep a few times when I wished I could have stayed awake, but overall I would recommend this event (and all the OWASP Global AppSec events) to anyone who is interested in application security, OWASP, or Guinness beer. This is going to be a long blog post, get yourself a beverage and get ready for lots of pictures!

I landed the morning before the conference, and met up with two friends I hadn’t seen in far too long, Takaharu Ogasa from Japan, and Vandana Verma from Bangalore India. I also met another speaker for the event named Meghan Jacquot!

Takaharu Ogasa, Tanya Janca, Vandana Verma and Meghan Jacquot!

The evening before the conference I had wanted to set up a We Hack Purple in-person meetup, but I was running short on time. Luckily, my friends at SemGrep invited me to a free pre-conference networking event, so I invited all the WHP folks to meet me there. Unfortunately, WAY too many people were there (the place was supposed to hold 50-100 people, but 200 showed up). Although I got to see many friendly faces (see Jessica Robinson, Vandana and me below), it was far too crowded for me. As Canadians, we’re used to 13 square kilometres of personal space, per person, and it was a bit much for me. ;-D

Tanya Janca, Vandana Verma and Jessica Robinson

Luckily Adam Shostack invited me to a super-secret-speaker’s dinner the same evening, held in a giant church that had been converted into an amazing live music venue! There were tap dancers, fiddlers, OWASP Board Members, and Adam did an impromptu book signing!!! Thank you Adam! Next to Adam is Avi Douglen of the OWASP Board of Directors, and also an avid threat modeller.

Adam Shostack signing books, with Avi Douglen

The next day I woke up extremely early (6:00 am), thanks to a crying baby in the room next to mine at the hotel. :-/  I used this time to call home and practice my talk: Shifting Security Everywhere. You can download a summary of my presentation here. (Note: you are supposed to join my mailing list to receive the PDF, but my mailing list is awesome, so hopefully you feel it’s a good trade. Also, you can easily get around this if you truly do not want to subscribe, simply do not press the ‘confirm subscription’ link).

Grant Ongers, from the OWASP board of directors, kicked off the conference by announcing a brand-new award “OWASP Distinguished Lifetime Member” and then announced the first 4 winners: Simon Bennetts, Rick Mitchell, Ricardo Pereira, and Jim Manico.  As a person who has volunteered many hours for OWASP, I felt it was beautiful to see 4 extremely dedicated volunteers receive this much-deserved award. I am very proud of all of them and their amazing contributions to our community! Great job OWASP for thinking of this new way to show appreciation by publicly recognizing some of our most-dedicated volunteers!

Grant Ongers presenting award to Simon Bennetts

The very first talk of the conference was called “A Taste of Privacy Threat Modeling” by a woman named Kim Wuyts, introduced by Avi Douglen (Member of OWASP Board of Directors). She spoke about threat modelling privacy, and used ice cream analogies to explain how marketers see our data. I like ice cream, privacy, AND threat modelling, so this was a real treat (pun intended!). I care a lot about privacy, both personally and professionally, and loved how she used situations we are all familiar with (including eating ice cream too fast then ending up with brain freeze!) to explain various concepts within privacy and threat modelling. I feel like any person, with zero previous technical experience or knowledge, would have been able to follow her entire talk, which is quite rare at a conference like this. She also made her OWN threat modelling privacy game! Nicely done Kim!

After that I went to see Chris Romeo’s talk about “Ten DevSecOps Culture Fails”. Chris is also the host of the Application Security podcast, and I’ve been following his work for quite a while. He did not disappoint!

Chris Romeo, speaking

After the delicious lunch of yummy curry and rice, and more than one latte, we had the afternoon keynote. Grant Ongers introduced Jessica Robinson, who explained “Why winning the war in cyber means winning more of the everyday battles”. She shared several personal stories from her career, including what it was like to be a woman of colour working in STEM, her obsession with the Kennedys, implementing the first cyber security policy at a large law firm in New York City, and more! The thing I liked most about her presentation was how she took us on a journey. She’s an incredibly gifted public speaker, and she started by getting us all to close our eyes, then imagine various things, before opening our eyes and formally beginning her talk.

Part way through Jess’ presentation the videographer fainted, fell, and made a huge loud noise. He’s okay, don’t worry readers! All 500 of us turned around and started becoming concerned. She asked whether he was okay, a bunch of staff rushed to take care of him, and once it was clear there was no danger, she recommenced her talk. Not very many speakers would be able to recover like she did. To be able to fully capture our attention again was very impressive. I’m saying this as a person who was a professional entertainer for 17 years, and then a professional public speaker for 6 years; that is an incredible feat. By the end I had completely forgotten about the fainting, because I was so wrapped up in her and the tales she was telling. Anyway, she’s amazing.

Jessica Robinson, being amazing

At this point I have a silly complaint. Usually when I go to an InfoSec conference, there are only a handful of talks that interest me. I always want to see all of the AppSec talks, maybe some quantum computing, anything to do with using AI to create better security, or topics about cyber warfare (which equally interest and frighten me). But it’s rare at a conference that is not AppSec-focused that I have conflicts in the schedule of things that I really want to see. This happened a LOT at this conference. Sometimes there would be 3 different talks, at the same time, that I was dying to see. I found it very difficult to choose for some of the time slots, which may sound strange, but I’m a very decisive person. Not being able to decide is rare for me. That said, I am pleased to report that all of them were recorded, even if we all know it’s not quite as good as being there in person. I will try to add links to all the talks listed here once the videos are out so that you can enjoy them too!

Seba Deleersnyder and Bart De Win

This is my favourite picture from the entire conference. When you work on an open-source project with someone, you are working because you love what you are doing. When everyone on your team really cares about your goal, you can become very good friends. It is very clear the SAMM team are great friends! I love seeing OWASP bring people together! <3

The talk from the image above was about the OWASP SAMM project – The Software Assurance Maturity Model, presented by Seba Deleersnyder and Bart De Win. I live tweeted their talk (link here), if you want a play-by-play. The essence of their presentation was updates about the project from the past 2-3 years, and how they have worked with the community and industry to update, expand, and improve the model to be more helpful, by creating tools, surveys and online documentation to make their project more useful for everyone. I had been planning on writing a blog post about the project called “OWASP SAMM, for the rest of us”, because I find clients are often very insecure that they won’t ‘measure up’ to the SAMM standard. I hope I can help a bit by breaking things down into smaller pieces, and helping teams start where they are at, then working their way up over time. SAMM can work for any team, just be realistic and try not to be too hard on yourself! We all have to start somewhere.  

After Seba and Bart’s talk it was time for the networking event. OBVIOUSLY, they had Guinness beer on tap! We were in Ireland! I had a great time, chatting with all sorts of people, and I got an awesome gift of a Tigger-striped hoodie from Avi Douglen, which made my day! Then I went back to my hotel room to practice my talk, approximately a thousand times.

Tanya Janca, presenting on a stage

Side note: Remember the baby in the hotel room next to mine? The night before my talk it started crying, loudly, at 3:00 AM, and continued crying all the way until 6:00 am. I was up almost the entire night. Which gave me plenty of time to practice my talk. Yay?

Usually when you see me present a ‘new’ talk at a conference, it is not the first time that I have presented it. In fact, I have often given it 5 to 10 times, in front of 1 or 2 people each time, which is why I usually seem so comfortable on stage. I always practice new material on people from my community (We Hack Purple, OWASP Ottawa, the Ottawa Ladies Code Meetup, WoSEC Victoria, etc.). I’ve always turned to my community for feedback, advice, and encouragement. They have always been gentle, kind, and give reliably fantastic advice! I would recommend every speaker do this! But this time, because I was asked to do this with so little time, I hadn’t presented it in front of anyone. In fact, I was still writing it as I flew across the ocean to the venue. I WAS SO NERVOUS!!!!!

Tanya Janca, presenting on stage

But it went really well anyway!  Phew! And Matt Tesauro introduced me, so that was extra-nice! Matt is on the OWASP Board of directors and a leader of the Defect Dojo Project. Actually, he’s been a part of several different projects and chapters over the years. He was kind enough to distribute the maple-candies I brought to give to all the people who asked questions. Having a long-time friend introduce me made me a lot less nervous! Thank you Matt!

Tanya Janca, smiling for the camera

Now that my talk was over, I could concentrate completely on having fun! I ended up in the hallway speaking to lots of people and missing the talk after mine. Then we had lunch, and then came another time slot where there were THREE talks I wanted to see. THREE amazing presentations to choose from! I ended up in Tal Melamed’s talk, about the OWASP Serverless Top Ten. I had spoken to Tal many times before, but it was our first time meeting in person, so that was pretty exciting for me. I even managed to sit with him for lunch! Even though I already knew the Serverless Top Ten, it was still exciting to see Tal speak to it. As a bonus, he ended slightly early, so I was able to catch the Q&A after Matt Tesauro’s talk about Hacking and Defending APIs – Red and Blue make Purple. I felt this was a good compromise.

After lunch the wonderful Vandana Verma got on stage to introduce the last keynote speaker. She told us all that there would be “a BIG announcement” at 5:30 pm, so we had better not leave early. For those that don’t know, the big announcement was that OWASP has officially changed its name (but not the acronym). Previously it stood for “Open Web Application Security Project”, but that name was limiting. People often complained that we kept straying outside our purpose, by including cloud, containers, etc. But why would we want to limit ourselves like that? So the board of directors voted to change it to “Open Worldwide Application Security Project”, which I have to say, I like WAY BETTER. Nicely done board!

The last keynote was Dr. Magda Chelly, and it was spectacular! In her talk, AI-Assisted Coding: The Future of Software Development; between Challenges and Benefits, she spoke about how AI is going to change the way most of us work, especially those of us in IT. I don’t want to give away the entire talk, but… She explained how many of us could work with AI, the difference between AI-assisted and AI-created content (this is more important than I had previously realized), and all the issues and questions around who owns the copyright of such work. If an AI creates a poem, but you asked it to create a poem, and gave it the parameters to create said poem, who owns the copyright? What if it only assisted you in creating an application, it didn’t write all the code, just some of the code? Who owns that? Also, when we train AI on certain data, but that data has specific licensing, then the AI creates code that is not licensed in the same way, has the created code broken the license agreement? There was a fascinating discussion during the Q&A, and it definitely has me thinking about such systems in a very new way.

Magda being amazing!

The last talk that I saw at the conference was presented by someone named Adam Berman, it was called “When is a Vulnerability Not a Vulnerability?”. For those of you who have followed me a long time, you would know that I wrote a blog post with that exact title in 2018 (read it here). My post was about when vulnerabilities are reported to bug bounty programs, but they are not exploitable/do not create business risk, is it really a vulnerability? In it I explored a ‘neutered’ SQL injection attack, and of all the posts I have ever written, it has received by far the most scrutiny.

That said, although there was a similar slant, it was definitely not based off of anything I have written or spoken on. Which made it extra-exciting for me!

Adam works at R2C (who make SemGrep), so all of the research came from them. In April of this year, I will be co-presenting a workshop at RSA with Clint Gibler (of R2C and TL;DR Sec fame) about ‘How to Add SAST to CI/CD, Without Losing Any Friends’ (no link available at this time). We will be using SemGrep to demo all the lessons, so I was extra-curious to see Adam speak!

Brian presenting SemGrep

Adam’s talk was all about traceability in Software Composition Analysis (SCA). A recurring issue that happens when you work in AppSec is developers not having enough time to fix everything we ask them to. We (AppSec folks) are constantly trying to persuade, pressure, demand, and even beg developers to fix the bugs we have reported. One of the most convincing ways to get a developer to fix a bug is by creating an exploit. But that is VERY time consuming! It’s not realistic for us to create a proof-of-concept exploit for every single result that our scanners pick up. Layer on top of this the fact that automated tools tend to report a LOT of false positives, and this leads many developers to question if they absolutely need to fix something, or if “maybe we can put it off until later”. And by “later” I mean “never”.

If you scan an application with an SCA tool, most of them will tell you if any of the dependencies in your application are ‘known to be vulnerable’. They do this by checking a list of things they know are vulnerable (they create this list in many ways, and Adam covered that, but that part is not the exciting part, you can learn that anywhere). Think of the SCA tool working like this: “Are you using Java Struts version 2.2? Yes? It’s vulnerable! I shall now report this to you as a vulnerability!” But just because the dependency has a vulnerability in it, it doesn’t necessarily mean that your application is vulnerable, and therein lies the problem.

More Brian!

If your application is not calling the function(s) that have the vulnerability in them, then your app shouldn’t be vulnerable (this is true in most cases; a rare exception was Log4J, where the bug was triggered by the data passed into ordinary logging calls, so “do we call the library?” was not a useful test). Previously, SemGrep released a blog post about this (you can read it here), and they claim that approximately 98% of all results from SCA tools are false positives, because the vulnerable function within the dependency is never called from the scanned app. Which means there’s no risk to the business. Which means it’s a false positive. It’s still technical debt, which is not great, but it’s not a great big hole in your defenses, and that’s a very different (and much less scary) problem.

If you’ve been begging developers to update all sorts of dependencies, imagine if you reduced your number of asks by 98%? And you could show them where their app is calling the problematic function? That conversation would likely be a lot less difficult. In fact, I bet the developers would jump to fix it. Because it would be obvious that it’s a real risk to the business.
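To make the two-step idea concrete (first flag a dependency by version, the way a plain SCA tool does, then keep only the findings where the vulnerable function is actually called), here is a small added example in Python. It is not Semgrep’s code or anything from Adam’s talk; the package names (yamlish, imgkit, httpish), function names, version numbers and the two application files are all constructed placeholders, not real advisories. Reachability is approximated by walking each file’s AST and following the aliases created by `import`/`from ... import` statements, which is enough to show why the “is it called?” question changes the answer.

```python
"""Added example: a toy SCA check with a reachability pass (not Semgrep's code).

Names such as "yamlish", "imgkit", "unsafe_load" and the fixed versions below are
constructed placeholders, not real packages or advisories.
"""
import ast
from dataclasses import dataclass, field

# Constructed advisory feed: package, vulnerable function, first fixed version.
ADVISORIES = [
    {"package": "yamlish", "function": "unsafe_load", "fixed_in": "2.4.0"},
    {"package": "imgkit", "function": "render_svg", "fixed_in": "1.2.0"},
]


def parse_version(version):
    """Turn a dotted version like "2.10.0" into a comparable tuple (assumes numeric parts)."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    package: str
    version: str
    function: str
    reachable: bool = False
    call_sites: list = field(default_factory=list)


class CallCollector(ast.NodeVisitor):
    """Record which (top-level package, function) pairs a file actually calls,
    following the local names introduced by its import statements."""

    def __init__(self):
        self.module_alias = {}  # local name -> package, e.g. "y" -> "yamlish"
        self.func_alias = {}    # local name -> (package, function) for "from pkg import fn"
        self.calls = []         # (package, function, line number)

    def visit_Import(self, node):
        for alias in node.names:
            top = alias.name.split(".")[0]          # "import pkg.sub" binds "pkg"
            self.module_alias[alias.asname or top] = top

    def visit_ImportFrom(self, node):
        if node.module:                              # skip relative imports ("from . import x")
            top = node.module.split(".")[0]
            for alias in node.names:
                self.func_alias[alias.asname or alias.name] = (top, alias.name)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in self.func_alias:
            package, name = self.func_alias[func.id]
            self.calls.append((package, name, node.lineno))
        elif (isinstance(func, ast.Attribute)
              and isinstance(func.value, ast.Name)
              and func.value.id in self.module_alias):
            self.calls.append((self.module_alias[func.value.id], func.attr, node.lineno))
        self.generic_visit(node)                     # keep walking into the call's arguments


def sca_with_reachability(dependencies, sources, advisories=ADVISORIES):
    """dependencies: {package: installed version}; sources: {filename: Python source}.

    Pass 1 is what a plain SCA tool does: flag every dependency whose version is
    below the fix. Pass 2 marks a finding reachable only if some scanned file calls
    the vulnerable function, and records where, so the developer can be shown the line."""
    findings = [
        Finding(adv["package"], dependencies[adv["package"]], adv["function"])
        for adv in advisories
        if adv["package"] in dependencies
        and parse_version(dependencies[adv["package"]]) < parse_version(adv["fixed_in"])
    ]
    for filename, source in sources.items():
        collector = CallCollector()
        collector.visit(ast.parse(source, filename=filename))
        for package, function, line in collector.calls:
            for finding in findings:
                if finding.package == package and finding.function == function:
                    finding.reachable = True
                    finding.call_sites.append(f"{filename}:{line}")
    return findings


# Constructed sample input: a lockfile-style dependency map and two application files.
SAMPLE_DEPENDENCIES = {"yamlish": "2.1.0", "imgkit": "1.1.3", "httpish": "9.9.9"}
SAMPLE_SOURCES = {
    "app/config.py": (
        "import yamlish as y\n"
        "\n"
        "def load(path):\n"
        "    with open(path) as fh:\n"
        "        return y.unsafe_load(fh.read())\n"   # calls the vulnerable function
    ),
    "app/images.py": (
        "from imgkit import render_png\n"
        "\n"
        "def thumb(data):\n"
        "    return render_png(data)\n"               # vulnerable render_svg is never called
    ),
}

if __name__ == "__main__":
    for f in sca_with_reachability(SAMPLE_DEPENDENCIES, SAMPLE_SOURCES):
        status = "REACHABLE at " + ", ".join(f.call_sites) if f.reachable else "not reachable"
        print(f"{f.package} {f.version}: {f.function} -> {status}")
```

Both dependencies are below their fixed version, so a version-only scan reports two findings; the reachability pass keeps only yamlish, because app/config.py calls unsafe_load, and demotes imgkit to technical debt. Real tools have to do far more than this (transitive dependencies, calls made through other libraries, dynamic dispatch), and, as the Log4J case shows, the function you track has to be the public entry point that attacker data flows into, not some internal helper.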

This is a BIG CLAIM, so I wanted to hear the details in person. And I did!

Moi

Because this was an OWASP event, Adam couldn’t just say “Yo, SemGrep is awesome, buy our stuff”. If he did that it also would also make for a not-very-entertaining-or-believable presentation. Instead, he explained HOW to do this yourself. And just how much work it is. Spoiler alert: it’s a lot of work.

Although I would love to provide the technical details for you, I have to admit that I was almost falling asleep the entire time because of the “absolutely no sleep” situation from the night before with the crying baby. I must have yawned 100 times, and I was more-than-a-little concerned I may have offended the speaker! That said, I can’t give you the details, but I will post a link here as soon as I have it so you can watch Adam explain. He’s better at explaining it anyway!

Then I went to bed (at 4:00 pm, and I slept all the way until 5:00 am the next day!). After that I headed to the airport, flew home, and wrote this on the plane! I hope you enjoyed my summary of my experience at OWASP Global AppSec 2023, held in Dublin, Ireland, February 14th and 15th, 2023.

– fin –

Tanya on stage