Why I Love Password Managers


** This article is for beginners in security or other IT folk, not experts. 😀

Passwords are awful. The software security industry expects us to remember 100+ passwords that are complex (a mix of upper and lowercase letters, numbers and special characters), that are supposed to be changed every 3 months, and that are each unique. Obviously this is impossible for most people, and for those for whom it is possible, why would they want to waste all of that brain power on something that is, essentially, meaningless?

I love XKCD and so should you: https://xkcd.com/936/

That’s right, the password itself means nothing. The purpose of the password is to authenticate the user; to prove that *you* are the real, authentic, you. Not another person with the same name or birthday, but the person who owns the account that is being logged into. The person whose money is in that bank account. The person who tweets all those tweets.

I realize that the security industry is wise to this issue, and NIST has updated its password advice, but that still leaves many applications doing things the old way and programmers continuing to implement the old security advice. The result is password reuse; people using the same password over and over, for most or all of their accounts. Last month I heard a speaker who claimed the most common password has changed from “Password1” to “Autumn2018”, “Winter2019” and so on, for every third month. Tragic.

The reason this is a problem is that once one account is breached, or a password stolen, that email & password combo (known as credentials) is likely to work in many, many other places. “Credential stuffing” is the term for when criminals or other bad actors steal many credentials and use scripts to try them all against a larger site, with malicious intent. These attacks are often wildly successful, which makes password reuse very scary from a defender’s perspective.

At least 1% of what I know comes from XKCD: https://xkcd.com/792/

This is where password managers come in. Password managers allow users to generate long and complex passwords, as long and complex as the software will allow. The manager remembers all of them, keeping them in an encrypted vault. When users go to log into something they either press a button in the browser to have the manager fill it in for them, or they open the password manager, enter the one single password they need to know (the master password), and access all of their secrets.

Password managers can protect you against several types of attacks:

  • Password reuse attack (if all of your passwords are different, if one account is breached, the rest are fine)
  • Phishing attacks that target your accounts using URLs that are similar to ones you already use. When you go to the fake URL your password manager will not recognize it, and this should tip you off that you are under attack
  • Brute force attacks; if you are always using very long and complex passwords (because you don’t need to remember them), it would take forever for a brute force attack to uncover your password.
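To put numbers on the brute-force point above, here is an added example (not code from the original article) that generates manager-style passwords and passphrases with Python’s CSPRNG and estimates how long an offline guessing attack would take. The guess rate of 10 billion per second, the 2048-word list size (what the XKCD 936 comic assumes) and the 7776-word Diceware list size are assumptions stated in the code; the eight-word list is a constructed stand-in so the block runs offline.

```python
import math
import secrets
import string

# Sizes used for the entropy arithmetic (assumptions): a 2048-word list is what
# XKCD 936 assumes, 7776 words is the size of a standard Diceware list.
XKCD_LIST_SIZE = 2048
DICEWARE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed eight-word stand-in so the block runs offline. A real passphrase
# must be drawn from the full list, or the entropy figures below do not apply.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "purple", "boss", "alice", "bob"]


def generate_password(length: int = 20) -> str:
    """Manager-style password: uniformly random symbols from the CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS) -> str:
    """Vault-unlock passphrase: words chosen uniformly at random, never by a human."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected guessing time: on average the attacker tries half the keyspace."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 60 * 60)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Brute-force estimates (in years) for the kinds of secrets discussed in the article.

    1e10 guesses/second is an assumed offline rate against a fast hash; a slow
    password hash or an online login form would be orders of magnitude slower.
    """
    return {
        "8 random lowercase+digit chars (~41 bits)":
            years_to_brute_force(entropy_bits(36, 8), guesses_per_second),
        "4 words from a 2048-word list (~44 bits)":
            years_to_brute_force(entropy_bits(XKCD_LIST_SIZE, 4), guesses_per_second),
        "6 Diceware words (~77.5 bits)":
            years_to_brute_force(entropy_bits(DICEWARE_LIST_SIZE, 6), guesses_per_second),
        "20 random printable chars (~131 bits)":
            years_to_brute_force(entropy_bits(len(PRINTABLE), 20), guesses_per_second),
    }


if __name__ == "__main__":
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase())
    for label, years in compare().items():
        print(f"{label}: {years:.3g} years")
```

The arithmetic only holds for secrets the manager generated; a human-chosen “Autumn2018” is not drawn uniformly from anything, which is exactly why it tops the most-common-password lists.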

Below is a non-exhaustive list of password managers. Some are free, some are not. Either way, go get one so you can stop wasting brain power on boring things like remembering your passwords.

If you work in an IT environment, you absolutely must have a password manager. I strongly suggest that anyone who uses a computer regularly and has multiple passwords to remember get one, even if you don’t consider yourself tech savvy. Put every single password in there, change all the passwords you used to have to long randomly-generated ones, and ensure the password you use for your password manager is a passphrase that is an entire sentence (such as: “I work with NeuraLegion and I like them a lot!” or “Tanya Janca is my favorite blog writer and her jokes are never self-deprecating”).

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

VAs, Scans and PenTests; not the same thing

I’d like to define three terms that are often confused in the application security industry: Vulnerability Assessment (VA), Vulnerability Scan (VA Scan) and Penetration Test (PenTest). They are often used interchangeably, and the differences do not seem to be well understood; I have seen this misunderstanding used against many clients who have purchased these services, and I am hoping clear definitions will help us all.

Vulnerability Assessment (VA) (sometimes called a security assessment) is an assessment of the security of a system, in an attempt to find all possible vulnerabilities. It generally involves using multiple scanning tools, manual exploration and evaluation, as well as examination of all security controls (a lock on a door, a login screen, or input validation are all security controls). The Assessor does not exploit vulnerabilities that are found (for instance they see the door is unlocked, but they do not enter); they just report them, along with information on how to fix each of the vulnerabilities. This sometimes includes a security review of the design and/or threat modelling, questionnaires or interviews, and generally takes days or weeks, not hours or minutes. Sometimes the security assessor will create a proof of concept (POC) to explain a vulnerability with more clarity, but to be clear, that is not the focus of this exercise.

In the past when I was hired to do a penetration test, I would often describe a VA, as if that’s what they wanted, and they would say “yes, do that”. My contract would say “PenTest”, but I would conduct a vulnerability assessment.

In the past I often had requests for “a quick VA” or “VA Scan”, which as it turns out meant “one scan with a vulnerability assessment tool” and no other activities, such as manual investigation of the results. This can be done in as little as a few hours or even minutes if your target is small, and the person performing the task does not need advanced training or skills. There are many VA tools on the market; Nessus, Nexpose, OpenVAS and Azure Security Center (for Azure cloud infrastructure only) are all used for scanning infrastructure, while Microsoft Security Risk Detection, Burp Suite, Zed Attack Proxy (ZAP), Netsparker, Acunetix, AppScan, and AppSpider are for scanning web apps. Doing “a quick scan” with any of these tools will net you a list of vulnerabilities, and many of them will be true positives (as opposed to false positives); it is most certainly a worthwhile venture. It is not, however, as thorough as a Vulnerability Assessment or Penetration Test, and many other issues will remain uncovered if you leave it at that.


Penetration Test is another beast entirely. A PenTest seeks to find vulnerabilities and then exploit them, to prove real-world risk. Sometimes penetration tests can cause damage (exploits, if not done very carefully, can leave a mess), and sometimes the scope of a PenTest can call for the tester to collect “trophies” to prove they did the things they claim.

It is very rare that I write an exploit or feel the need to exploit vulnerabilities I find when testing*. Most of the time in my career when I have exploited something everyone just ended up pissed off at me; from the first PenTest I ever did as a sub-contractor when I ruined a live prod server and the person that hired me had to explain what happened, to creating proof of concept exploits that embarrass management into doing “the right thing”, to breaking a Drupal CMS site so badly that they had to restore the database AND the app server (Drupal CMS itself was completely unusable) from backup. It’s nice that I impressed people, but I honestly would prefer to spend that extra time helping the developers fix what I have found and re-testing the fixes, rather than showing off whatever talent I have for burning things down.

Special note on ethics: I have seen many consultants who offer these services pass off a quick scan as a full VA or PenTest, charging for 10 days what took them only 1 day to perform. I have also seen many of these same consultants sub-contract this work out to others who they pay less (and with whom they share your sensitive data!), but they do not credit these individuals in the reports or contracts, resulting in you having no idea who had access to your systems and data. When writing contracts for such services it would be wise to be explicit in what you are paying for, as well as who will do the work and what information must remain confidential. I am sad to report that I have met many consultants who have bragged about doing these types of (in my opinion) unethical practices. Buyer beware.

I would suggest that performing a proper VA against all of your custom applications as well as large COTS implementations (Commercial Off-The-Shelf systems, such as SharePoint) is a best practice for Enterprise businesses. Not only would you be amazed at the things that you find, (assuming you fix the issues) you will have taken serious measures to avoid a data breach in the future, as insecure software is still, sadly, a top cause of data breaches (as per the Verizon Data Breach Investigations Reports for 2016, 2017, and 2018).

I hope this article helps instill a bit of clarity in our industry.

* When I did testing, I did exploit XSS using alert boxes, regularly, because it’s 100% safe to do so. And also blind SQL with timers and errors, but to be clear I am very careful to only perform safe exploits when testing. I can feel myself putting my foot right into my mouth with this note…


Threat Modelling Serverless

I met with my colleague Bryan Hughes the other day to discuss the security of a serverless app he’s creating for JSConf EU (there will be no spoilers about his creation, don’t worry). We had discussed the idea of threat modelling while on a business trip together and he wanted to give it a go. Since I am particularly curious about serverless apps lately thanks to Tal Melamed having dragged me into the OWASP Serverless Top 10 Project, I was excited to have a chance to dive down this rabbit hole.

Bryan’s app’s architecture:

  • Azure Functions App (MSFT serverless)
  • JWT tokens for Auth, they will be short-lived
  • His app will allow other Azure users to call it, with parameters, and it will do something exciting (see? no spoilers!)

Once Bryan had explained what his app would do, he told me his security concerns: who would have access to his app? Could they break into other areas of his Azure Subscription? Exactly what type of authentication token should he use? How would he handle session management? All of which are definitely valid concerns; I was impressed!

We discussed each one of his concerns, and possible technical solutions to mitigate each risk. For instance, use JWTs only to carry a random session token value, never a password or sensitive data, and never a number that actually corresponds to something important; using someone’s SIN number as their session ID, for example, exposes sensitive info and is an insecure direct object reference. I reminded him that JWTs are encoded, not encrypted, and therefore they are not a secure way to transmit data. Also, I suggested that he create a virtual network around this app (firewalls), so that if someone gets into it, they can’t get into the rest of his network and subscription.

Note: RFC 7516 (JSON Web Encryption, JWE) does define encrypted JWTs; the encoded-not-encrypted warning above applies to the common signed kind (JWS). See RFC 7516 for more info.
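The “encoded, not encrypted” point is easiest to see by building a signed (HS256) JWT by hand and reading its payload back without the key. The example below is added here and is not Bryan’s code or the original article’s; it uses only the standard library, a constructed 32-byte key, and fixed clock values so the expiry check is reproducible. The claims carry a random session id and an `exp`, nothing sensitive, which is the pattern the paragraph above recommends.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def new_session_claims(ttl_seconds: int = 600, now: Optional[int] = None) -> dict:
    """Claims for a short-lived token: a random session id, never a password or SIN."""
    now = int(time.time()) if now is None else now
    return {"sid": secrets.token_urlsafe(32), "iat": now, "exp": now + ttl_seconds}


def make_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is only base64url-encoded."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def tamper_payload(token: str, new_claims: dict) -> str:
    """What an attacker tries: swap the claims, keep the old signature."""
    header, _, signature = token.split(".")
    return header + "." + _b64url(_json(new_claims)) + "." + signature


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the HS256 signature is valid and the token has not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    # Pin the algorithm on the server side; never let the token choose it (alg=none attacks).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    token = make_jwt(new_session_claims(ttl_seconds=300), key)
    print("token:", token)
    print("payload readable without the key:", read_claims_without_key(token))
    print("verified:", verify_jwt(token, key) is not None)
```

`read_claims_without_key` is the whole point: whatever goes in the payload is visible to the client, to any proxy that logs the Authorization header, and to anyone who steals the token. The signature only stops modification, which is why the tampered token is rejected while its contents were never secret.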

Then we talked about my concerns, which started with a bunch of questions for Bryan about his users and his data.

  • What data are you asking for from your users? Is any of it sensitive?

He’s asking for their GitHub info so that he can grant them access to call his serverless app, but that is all. This one piece of data is sensitive info.

  • Who are your users? What are their motivations to use your app?

The users are conference attendees who want to learn how to call a serverless app like an API, and then make his app do the cool thing that it would do. It’s a learning opportunity, and it’s fun.

  • Let’s assume you have a malicious user, how could they attack your app?

My first concern was Denial of Service or Brute Force-style attacks. To avoid these attack vectors he should follow the Azure Functions best practices guide; specifically, he should set maxConcurrentRequests to a small number (to limit the impact of a distributed denial of service), add throttling (rejecting requests when the host is under pressure, which would blunt scripted attacks) by enabling the “dynamicThrottlesEnabled” flag, and ideally also set a low number for the maxOutstandingRequests setting, to ensure no one overflows his queue of pending requests, which would also result in a denial of service. (Note this is the “A” in CIA: availability)
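The three settings named above live in the Function App’s host.json (under `extensions.http` for runtime 2.x and later). As an added example, not Bryan’s real configuration, here is a weak fragment beside a hardened one and a small Python check that flags the weak one. The check treats a missing or `-1` value as unbounded, which is the conservative reading since the defaults depend on the hosting plan; the ceiling of 50 concurrent requests is an assumed policy value, not something from the article.

```python
import json
from typing import List

# Constructed host.json fragments for illustration only.
WEAK_HOST_JSON = """{
  "version": "2.0",
  "extensions": {
    "http": { "routePrefix": "api" }
  }
}"""

HARDENED_HOST_JSON = """{
  "version": "2.0",
  "extensions": {
    "http": {
      "routePrefix": "api",
      "maxOutstandingRequests": 200,
      "maxConcurrentRequests": 10,
      "dynamicThrottlesEnabled": true
    }
  }
}"""


def audit_http_throttling(host_json: str, concurrency_ceiling: int = 50) -> List[str]:
    """Return findings for the host.json text; an empty list means all three controls are set sensibly."""
    cfg = json.loads(host_json)
    http = cfg.get("extensions", {}).get("http", {})  # runtime 2.x+ layout
    findings = []

    # Missing or -1 is read as "unbounded" (assumption: no plan-specific default is applied here).
    outstanding = http.get("maxOutstandingRequests", -1)
    if not isinstance(outstanding, int) or outstanding < 1:
        findings.append("maxOutstandingRequests missing or -1: the pending-request queue is unbounded, "
                        "so nothing is shed under load")

    concurrent = http.get("maxConcurrentRequests", -1)
    if not isinstance(concurrent, int) or concurrent < 1:
        findings.append("maxConcurrentRequests missing or -1: concurrency is unbounded")
    elif concurrent > concurrency_ceiling:
        findings.append(f"maxConcurrentRequests={concurrent} exceeds the agreed ceiling of {concurrency_ceiling}")

    if http.get("dynamicThrottlesEnabled") is not True:
        findings.append("dynamicThrottlesEnabled is not true: the host will not reject requests (HTTP 429) "
                        "when CPU, memory or thread counters are saturated")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HOST_JSON), ("hardened", HARDENED_HOST_JSON)):
        print(name, "->", audit_http_throttling(text) or "OK")
```

Requests rejected because of these limits come back as HTTP 429, so the caller-facing behaviour is “try again later” rather than a hung function; that is the trade the availability control makes.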

Other attacks I was concerned about were someone sending malformed requests, in an attempt to elicit unexpected behaviour from his app, such as crashing, deleting or modifying data, allowing the user to inject their own code, or other potential issues. We discussed using a white list for user input validation and rejecting all requests that were not perfectly formed, or that contained any characters that were not “a-z,A-Z,0–9”. (Note this is an attack on both Integrity and Availability)
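The “a-z, A-Z, 0-9 only” allowlist is a one-line regex, but two details bite in practice: `re.match` with `$` still accepts a trailing newline, and `\w` or `\d` match Unicode letters and digits in Python 3. This added example (not from the article) shows the naive version beside the strict one; the 39-character cap is an assumed field length, not something the article specifies.

```python
import re
from typing import Any

NAIVE = re.compile(r"^[a-zA-Z0-9]+$")       # the tempting first draft
STRICT = re.compile(r"[a-zA-Z0-9]{1,39}")    # explicit ASCII class; 39 is an assumed length cap


def naive_is_valid(value: str) -> bool:
    """'$' matches before a trailing newline, so "octocat\\n" slips through."""
    return NAIVE.match(value) is not None


def unicode_class_is_valid(value: str) -> bool:
    """\\w is Unicode-aware on str patterns, so it is not the ASCII allowlist the article means."""
    return re.fullmatch(r"\w+", value) is not None


def is_valid_input(value: Any) -> bool:
    """Allowlist check the article describes: reject anything that is not exactly [a-zA-Z0-9]+."""
    if not isinstance(value, str):   # JSON bodies can deliver numbers, lists or null in the field
        return False
    return STRICT.fullmatch(value) is not None


def validate_request(body: dict) -> dict:
    """Reject the whole request if the expected field is absent or malformed."""
    login = body.get("github_login")
    if not is_valid_input(login):
        raise ValueError("github_login must be 1-39 ASCII letters or digits")
    return {"github_login": login}


if __name__ == "__main__":
    for sample in ["octocat", "octocat\n", "", "octo cat", "café", "١٢٣", None, 42]:
        print(repr(sample), "naive:", isinstance(sample, str) and naive_is_valid(sample),
              "strict:", is_valid_input(sample))
```

Note the strict check also refuses empty strings and non-string JSON values, which the naive one would crash on; “reject anything not perfectly formed” includes the shape of the request, not just its characters.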

The last attack vector I will list here is that users may attempt to access the data itself, the subscription IDs of all the other users (Confidentiality). This was the most important of the risks in this list, as you are the guardian of this data, and if you lose it, and they were to be attacked successfully as a result, this could cause catastrophic reputation damage (to the conference, to him as the creator of the app, to Microsoft as his employer). When I explained this, it became his #1 priority to ensure his users and their data were protected during and after using his system.

  • How long are you keeping this data? Where are you storing it? How are you storing it?

Originally Bryan was hoping to avoid using a database altogether; no data collection means nothing to steal. Although he’s still looking into whether that’s a possibility, the plan is to use a database, for now.

He decided he would keep the data until just after the conference was over, and then destroy it all (hence making it only a ~48-hour risk). It would be stored in a database; we discussed encryption at rest and in transit, always using parameterized queries, and applying least privilege for the DB user that runs those queries (likely read-only or read/write, but never DBO).
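Parameterized queries and least privilege for the database account are the two controls named above, and this added example (not Bryan’s code or the article’s) shows both with SQLite so it runs anywhere: a string-concatenated lookup that an injected login turns into a full table dump, the same lookup with a bound parameter, and a read-only connection standing in for the “read-only DB user” (SQLite has no users, so the `mode=ro` URI flag plays that role). The attendee rows are constructed sample data.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List


def build_db(path: str) -> None:
    """Create the constructed sample table: one row per attendee."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE attendees (github_login TEXT PRIMARY KEY, subscription_id TEXT NOT NULL)")
    con.executemany("INSERT INTO attendees VALUES (?, ?)",
                    [("alice", "sub-111"), ("bob", "sub-222")])
    con.commit()
    con.close()


def lookup_vulnerable(path: str, login: str) -> List[str]:
    """Deliberately vulnerable: user input is pasted into the SQL text on a read/write handle."""
    con = sqlite3.connect(path)
    sql = f"SELECT subscription_id FROM attendees WHERE github_login = '{login}'"
    rows = con.execute(sql).fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def readonly_connection(path: str) -> sqlite3.Connection:
    """Least privilege: the query path gets a handle that cannot write."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def lookup_parameterized(path: str, login: str) -> List[str]:
    """Hardened: the login is bound as a parameter, so quotes in it are data, not SQL."""
    con = readonly_connection(path)
    rows = con.execute("SELECT subscription_id FROM attendees WHERE github_login = ?", (login,)).fetchall()
    con.close()
    return sorted(r[0] for r in rows)


def readonly_refuses_write(path: str) -> bool:
    """True when the read-only handle rejects a DELETE, which is what we want from it."""
    con = readonly_connection(path)
    try:
        con.execute("DELETE FROM attendees")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def run_demo() -> Dict[str, object]:
    """Build a throwaway database and exercise both lookups with a classic injection payload."""
    path = os.path.join(tempfile.mkdtemp(), "attendees.db")
    build_db(path)
    payload = "alice' OR '1'='1"
    return {
        "path": path,
        "normal": lookup_parameterized(path, "alice"),
        "injected_vulnerable": lookup_vulnerable(path, payload),     # dumps every subscription id
        "injected_parameterized": lookup_parameterized(path, payload),  # no such login, empty result
        "readonly_refuses_write": readonly_refuses_write(path),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The injected lookup returning every subscription id is precisely the confidentiality failure the next paragraph calls the most important risk; the parameterized version returns nothing because no attendee is literally named `alice' OR '1'='1`.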

  • What country is this conference in? Will you be subject to GDPR?

It would be in Europe, and therefore is subject to GDPR. I introduced him to Miriam Wiesner, an MSFT employee with a Pentesting and Security Assessment background, who happens to live in the EU and therefore would have familiarity. I said she would have better advice than I would.

The conversation was about an hour, but I think you get the picture.

The key to serverless is to remember that almost all the same web app vulnerabilities still apply, such as Injection or Denial of Service (DoS) attacks, and that just because you do not manage the server does not mean you do not need to be diligent about the security of your application.

If you want to keep up with Bryan Hughes, and see the results of his project, you can follow him on Dev.TO.

I hope that you found this informal threat model helpful.


Presentation Tips for Technical Talks

Me with Solomon Sonya, at sector 2021 !

In the past few years I’ve given and watched several technical talks, and they are not all created equal. Recently I met with Teuta H Hyseni to talk about an upcoming talk she was planning (securing AI and ML, very interesting!), and afterwards I made several notes about general tips for technical talks that I have shared below.

  1. The first thing I always do is explain what the talk is about, so audience members know if they want to stay or go. If some people walk out it’s okay, your talk wasn’t for them anyway. For everyone else, it will reaffirm they are in the right room.
  2. Whenever you say the name of a product the first time, make sure you say it very clearly, especially if the audience’s first language is not the same as the language you are giving your talk in.
  3. Always explain what every acronym means the first time you use it. If it is a core component of your talk, if it’s not too clumsy, say the full name of it twice or even three times, throughout the talk.
  4. If there is one new key concept that you want the audience to take away from your talk, explain it 3 times, in different ways. Abstract concepts are very difficult for people to learn at first, and explaining it a few different ways, and repeating it, will ensure that people learn it.
  5. If you put a bunch of words on the screen people will read it, as soon as you show the slide. They will not listen to you until you are done reading. So either use images and explain, then put text, or give the audience a few seconds to read what you wrote. Trust me, 90% of the audience will read the text and not listen, so change your slides accordingly.
  6. When you introduce yourself pronounce your name very clearly and slightly slowly, especially if it’s a bit unusual/not common in the area you are presenting.
  7. Audiences tend to like stories that tie together technical points. If you are trying to tell them “Don’t roll your own crypto” follow it up with a story about how disastrous it was when you saw it done. It helps drive the point home. *Extra points if the story is funny or is very interesting or otherwise special.*
  8. Try not to put too much on one slide, slides are free, just make more.
  9. Ensure that your text is large enough for the audience to read, especially code. If possible, try to put your slides up on the big screen in advance, walk to the back of the room, and see if you can read your own slides.
  10. Remember that your audience is smart, but might not know your topic well, so try hard to explain what each part is, unless you are at a speciality/advanced conference on that topic. For instance, when I give security talks at developer conferences I always try to remember my audience is very smart, but they are not likely experts in security, so explain each point well, even the basic ones. I don’t want to leave anyone in the audience behind, and neither do you.
  11. Put a summary slide at the end. People will likely take photos of it. If you see people with their cameras/phones up, try to give them enough time to take the photo(s) of your slide(s).
  12. If possible, use imagery to explain your concepts more clearly. Personally I’m weak in this area, but whenever I see someone else do it well I remember that I need to try harder to do that whenever possible.
  13. If possible give explanations of why the audience should or should not do something. For instance: “do not feed machine learning systems data from the internet, it has to be clean”, but what does “clean” mean? Instead we could follow that with “Clean datasets could include survey data, customer data, and data purchased from social media platforms”.
  14. Practice to ensure you are approximately the correct amount of time. Factor in the fact that you will likely go a bit fast. Ending late or very early is not good, you don’t want your talk to bleed into the next speaker’s allotted time (that is very rude) and you also don’t want the audience to feel they didn’t get enough of you. If you go under, perhaps use that time for Q&A.
  15. Take a breath in-between each major point — so the audience has time to digest the info, and so that you can breathe.
  16. If you see the audience’s eyes sort of closing a bit, this likely means they are tired or their “brains are full”. This might be from all the previous talks, or yours, but it likely means they are having trouble keeping up. It generally does not mean that you are boring.
  17. If you see many people playing with their phones this can be good or bad. Sometimes they are taking notes or tweeting about you, but other times they are just distracted. If you happen to be good at telling jokes, this would be an ideal time to briefly stop and tell a joke, to get their attention back. **This approach is not for everyone, and you have to know for sure that you are funny. A bad joke will potentially make people leave.**
  18. Many people like to hear about where the future will go in your area of expertise, if you have some guesses, perhaps share them?
  19. Unless your talk is “an intro to xyz” or level 101, don’t spend more than 10 minutes of your talk giving background on the topic. If I go to a cryptocurrency talk and they spend 30 of the 50 minutes talking about the origins of bitcoin, I’m going to play with my phone and wait for the talk to actually start.
  20. If you feel comfortable, give a rough outline of your talk right at the start, then the audience knows what to expect.
  21. If possible, have links from your talk to longer videos or blog posts that go deeper into specific topics. Even if the videos or blogs are not yours, if they are good, it’s nice to give the audience more if they want more.
  22. At the end of your talk always say thank you (the audience could have done 100 other things with the time they just gave to you), and then pause to allow them to clap. Whenever a speaker doesn’t give the audience a space to clap I always feel so awkward. Don’t ask “Any questions” immediately at the end, allow the audience to thank you.
  23. Practice on someone you trust, get feedback, make adjustments, repeat. Do this until you know your talk is awesome and you will be a smashing success!

I hope you find these tips helpful!



Sharing talks with the InfoSec & IT Community and Industry


I recently decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or ask for my consent. You can even charge money to give the talk, but if you do I kindly ask you make a donation to the OWASP DevSlop Project or WoSEC.

OWASP Bat Signal, Image created by Ashley McNamara

I’ve had a few people ask me why I would do this, and there are a few reasons.
* To spread the word about how to secure software; it’s important to me to try to make the internet and other technologies safe to use.
* To help new speakers (especially from underrepresented groups). If they have something they can present, with instructions they can follow, hopefully it will help make them more confident and skilled at presenting.
* To share knowledge with my community in general: sharing is caring, yo.
* The more people who present my talk the more people who may decide to follow me. SO MUCH WIN!

The first talk I decided to release is called “Pushing Left, Like a Boss”. It’s an intro to application security that I’m told is very accessible for technical and non-technical audiences alike. My mom watched me do this talk and said “I finally understand what the IT Security people are talking about at work and why they were bothering me!” You could do this talk at almost any IT meetup and they are likely to find value; it’s also great for a lunch and learn at work with software developers or other IT staff. Topics covered include: threat modelling, PenTesting, code review, creating a secure system development lifecycle, and how to figure out the most secure way to do whatever you are trying to do. Talk difficulty level: 101/intro. Also, this talk is based on the Pushing Left, Like a Boss blog series.

In an effort to ensure anyone who presents my material has a good experience, I made a GitHub repo with an instructional video of what to say, a readme file with written instructions, and links so you can watch me do the talk myself.

Please go forth and teach AppSec! And if you have feedback I want to hear it!


Multi-Factor Authentication (MFA)

** This article is for beginners in security or other IT folk, not security experts. 😀

Recently you may have noticed me calling out several Canadian banks for not allowing users to add multi-factor authentication (MFA) to their online banking accounts. This blog post will detail what I mean by this, why it’s important, and why I’m pushing for it.

Update: you can follow community activities online on this topic with the hashtag #MFAally.

Me, hassling a Canadian Bank about their lack of MFA. They have since implemented MFA!

Two-factor or multi-factor authentication (2FA or MFA) means using more than one factor to prove that you are the real, authentic, you. A “factor” of authentication is a method of proving who you are, to a computer. Currently there are only 3 types: something you have, something you are and something you know.

  • Something you have could be a phone, computer, token, or your badge for work. Something that should only ever be in your possession.
  • Something you are could be your finger print, an iris scan, your gait (the way you walk), or your DNA. Something that is physically unique to you.
  • Something you know could be a password, a passphrase, a pattern or a combination of several pieces of information (often referred to as “Security Questions”) such as your mother’s maiden name, your date of birth and your social insurance number. The idea is that it is only something that YOU would know.

When we log into accounts online with only a username and password, we are only using one “factor” of authentication, and that is less secure than using 2 or more factors. Many times, when accounts are broken into or data is stolen, it is because only one factor was protecting the account.

When passwords are breached, users that have a second factor of authentication are still protected. When someone tries to brute force a system or account that has MFA enabled, even if they eventually get the password, they won’t have the second factor in order to get in. Using a second factor makes your online accounts significantly more difficult to break into.


When Cloud Shell logged me out on stage (how embarrassing!) at MSIgniteTheTour in Hong Kong this past winter, I used my username and password (2 things that I know, meaning two of the SAME factor), plus the Microsoft Authenticator app (something I had), on my phone (something else that I had), which asked for my finger print (something that I am). That means I logged back in using all three factors of authentication. Even though I know it inadvertently made a great demo of the Microsoft products I was using, getting logged out mid-demo was embarrassing…

Demo-failure aside, let’s talk about what MFA is, what it is not, and why it is so important.

Examples of MFA

Multi-Factor: Entering your username and password, then having to use a second device or physical token to receive a code to authenticate. The username and password are one factor (something you know) and using a second device is the second factor (something you have).

Not multi-factor: a username AND a password. This is two examples of the SAME factor; they are both something that you know. Multi-factor authentication means that you have more than one of the different types of factors of authentication, not one or more of the same type.

Not multi-factor: using a username and password, and then answering security questions. These are two of the *same* factor, something you know.


Many in our industry are in disagreement as to whether or not using your phone to receive an SMS (text message) with a pin is a “good” implementation of MFA, as there are known security flaws within the SMS protocol and some implementations of it. My (potentially unpopular) opinion is that I would rather have a pretty-darn-good second factor of authentication rather than only one factor, and that if this is the trade off (convenience versus perfect security) to convince the average user to adopt 2FA, I’m in favour of using SMS as a second factor.

The number one piece of security advice that Azure Security Center gives anyone and everyone is to enable multi-factor authentication on all of your subscriptions; protecting the keys to your (cloud) kingdom is paramount. In fact, enabling multi-factor auth (MFA or 2FA for short) is industry best practice, and is constantly prescribed by security professionals to technical and non-technical people alike for all of their important accounts. Yet strangely, less than 10% of accounts on Google and other popular platforms have 2FA enabled. Why?

I suspect that the reason is 2 fold; 1) it’s not always convenient and 2) the public simply does not understand the risk. And while most of us are not in a position to change #1, every one of us can work on changing #2.

I’d like to appeal to you, dear reader, to try to explain MFA to someone in your life, at work or at home, and ask them to enable it on their important accounts. I’d also like to ask you to enable 2FA for yourself, both at home and at work, if you haven’t already. It might save you or someone you love from some serious heartache.


Why ‘She Hacks PURPLE’?

The story of my handle: SheHacksPurple.

Whenever I ask an audience “Who here is Blue Team? Raise your hand if you’re Blue Team.” I tend to have one to two cautious hands go up in the back. I raise my hand as well. I explain “If you are defender, you are blue team.” More hands.

“If you fix bugs. If you patch servers. If you configure the firewall. If you do anything that helps protects your systems or data, you are a defender. YOU are blue team.”

Lots of hands. Now back to my original topic: red team.

“Red team are the attackers. When I do a penetration test, I’m an attacker. When I feed nasty data into your app and talk maliciously to your API; I’m red team. Who here is red team?” Hands go up.

I raise my other hand. Both of my hands are now up.

“As an AppSec person I am both an attacker AND a defender. I am both red and blue team. This makes me purple team.”


When I created my handle for twitter my original choice of “SheHacksComputers” was 1 character too long. I thought “But that’s what I do, I hack computers.” It was just at this point in my career that I had decided that I wanted to do AppSec full time, as opposed to being a pure red teamer/penetration tester. I was aware that being a red teamer would be more glamorous, and I figured it would likely pay more as well, but AppSec felt like the place I belonged. Especially once I became part of the OWASP community. I knew that I wanted to be able to not only find the problems, I wanted to be able to root out the cause and make sure it never happened again. It just made sense.

And with that, I changed “computers” to “purple”, and the rest is history.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community We Hack Purple!

Promoting Yourself on Social Media

Many people who are aspiring to become a public speaker ask me how to conduct themselves on social media or promote a talk once they have been accepted to speak somewhere. Having been a professional musician for a long time before I worked in InfoSec, I am used to trying to promote my events and set myself and my art apart from others. With this in mind, I humbly offer the following suggestions to help you gain social media followers or attract people to your events or work.

My original ‘SheHacksPurple’ logo. That lady has come a long way since then!
  • Tweet about your events and your work! Share on LinkedIn! Talk about what you are doing and what you want to bring attention to. Send a tweet to your followers to tell them what’s new in your work, research you’ve released, or an article you have written. If you are doing things you are proud of in your professional life, you should tell people about them.
  • Send a tweet to other speakers at the same conference that you are speaking at, congratulating them or telling them you are looking forward to their talk (note, only do this if it’s true). I know I love it when people congratulate me, so why not do that for others?
  • General rule: never tweet or say or act in a way that is not genuine to who you really are. Don’t fake it; people can tell, and it’s a huge turn off. I know that I’m a giant nerd who is overly enthusiastic, obsessed with security and sometimes awkward. I own who I am, and people tend to think it’s adorable. If they don’t like it, they were never going to like me anyway; those aren’t the followers/connections/friends that I’m looking for. If you make your personal brand the real you, it’s much easier to ensure that you never step out from your brand and alienate the people who follow you.
  • Always do major announcements (conference appearance, project release, etc.) on ALL of your social media. Don’t just announce it on one platform, use at least two. Do it on ALL social media that you have available to you. (PS you should use at least two forms of social media.)
  • Don’t be as chatty on LinkedIn as on Twitter, it’s not the platform for that. 🙂
  • Don’t use Twitter and LinkedIn the same way you use Facebook. Facebook is for personal connections, and some professional things. LinkedIn is professional only. Twitter can be a mix. Don’t post 100 photos per day of your family, your lunch or your dog on your Twitter or LinkedIn account and then wonder why you have no professional followers. If you work in InfoSec, and you are trying to get people interested in the research or other work that you are doing, why are you tweeting photos of your French fries that you just ordered? Rare personal tweets are okay, but you have to remember that’s not what people are following you for….
  • Don’t comment on women’s appearance, attractiveness or bodies in a professional setting or social media. If I post a photo of myself giving a talk and someone comments how attractive I am it embarrasses me and makes me uncomfortable. It makes me wonder if how I look is more important than my research to some people, and I know many other women feel this way as well. If you want to compliment a woman, I highly suggest you compliment her on her work, achievements or something else professional. “Great talk!”, “Awesome article”, “You were so powerful on stage!”, “Highly informative”, “Great ideas!” etc. are all something anyone would be happy to see as a comment online.
  • If possible, involve other people in your events. For instance, do a workshop with a friend, or write an article with someone who works in the same field as you. Organize a meetup with multiple speakers. It will bring more attention to the whole thing. It’s also usually more fun, and if there are technical issues you have backup. Plus, you have someone else to help you create the content or run the event; it’s win-win. It is also a good way to give a platform to someone else who has fewer followers, but who you want to see succeed.
  • Ask to be on podcasts that relate to your area of interest. Tell them the topic that you want to talk about, and make it easy for them by having a story ready. Announce it on social media. Always announce everything on social media.
  • Reach out to the newspapers or blogs and see if they want to write an article about you/the conference. Try to have a story or interesting angle ready for them, so that the story writes itself. They are more likely to say yes if you have a good idea for a story.
  • Plan other local events in conjunction with a large event (such as speaking at a conference) and give a different talk than the one you are doing at the conference (never do the same talk, in the same city, the same week). If you are doing a DevOps related talk, there’s almost always a DevOps meetup, same for OWASP (appSec), .Net users’ group, Cloud and so on. The bigger the city, the more options you will have. If you can get two different groups to co-host it (for instance the DevOps and OWASP meetups hosting a DevSecOps talk) that’s even better. Don’t forget to announce it on social media.
  • Add something personal to your talk, if you feel comfortable. “War stories” are always well received. For instance, if you are giving advice that people should always encrypt their hard drives, share a story about when an unencrypted hard drive was stolen that illustrates the reason why you are offering this advice. People like knowing the secrets of what goes on behind the scenes, and that you are a real person. But don’t get too personal; no over-sharing, as that can have the opposite effect.
  • When at an event where you are presenting, ask someone to take photos of you. Share one of the images online after and thank the conference for having you. Saying thank you is never a bad thing. Save good photos to help promote future events.
  • Live tweet other people’s talks (again, only if you actually like it). Give compliments (publicly and/or privately) when people deserve them. If a talk looks cool, comment that the talk looks cool. If you feel someone’s project or research is impressive, tweet at them to tell them that it’s impressive. It’s not only a nice thing to do, it adds visibility to what you do and boosts your image of being positive and nice to work with. Again, win-win!
  • Never tweet/share on social media bad things about other professionals in your field. Talk to them directly if you have a problem. I try to treat others how I would want to be treated, and I would much rather handle things like that privately.
  • Don’t respond to trolls unless you have something incredibly good ready and you have thought about what the response will be. Always proceed with caution when interacting with someone who’s willing to act like that online. Staying away is usually best.
  • People love images, post related images if possible, with the conference/event/project/article/video tagged. Always tag the thing you are trying to promote. Feel free to tag people who will be involved as well.
  • If you see a news article that relates to your talk share it, with comments that you will cover this topic in more depth at your talk/presentation.
  • If people tweet at you or reach out to you on social media, unless it’s negative, “like” their comment and respond positively whenever you have time. People like to be acknowledged, I know I do.
  • Whenever possible, show kindness, patience and respect to others, both publicly and privately. This is a general tip, but it really makes life much better no matter what you do or who you are. 🙂

I hope this helps! Please reach out with questions or any suggestions of your own. I’d love to hear your feedback.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

Practice Makes Perfect: Comments on Public Speaking

Many people ask me about how to become a better speaker. Below are some tips that I have for all of you. I hope they help!

Spoiler alert: my advice is not very exciting. I do not have a secret recipe, it’s mostly just a lot of hard work and practice.

My first suggestion is that you practice in front of your friends, colleagues, and anyone else that you trust. Practice many times. Ask for feedback each time. Take the feedback seriously, and change your talk accordingly.

When you feel ready, speak at a meetup. Then another one. Then another one. Speak at work if you are allowed. Speaking to smaller groups will give you more confidence, and people will begin to know who you are in your city. I also speak at work as much as they will tolerate. 🙂 The more practice you get, the better speaker you will be.

Once you feel that you have mastered speaking at a meetup, you can try to move on to bigger things, like conferences.

Tacos from local produce and meat, at the farmer’s market. Nothing to do with infosec, but absolutely delicious.

When you apply for a conference, have someone you trust review your abstract and your talk outline. I usually write the entire talk before I apply, but I know many others do not do this and still do very well at it. Get feedback from as many people who work in your field as possible; you want to make sure it is interesting and will make the conference organizers interested in what you have to say. Include as much research and reference material as possible in your outline. This is your chance to prove that you know what you are talking about.

When you are accepted to a conference, practice even more than before! You want to ensure that you impress the people who invited you to speak, so put as much work into practicing as you can. I practice many hours for every conference, and it really pays off. When I am up there I am much less nervous, because I have done it so many times before, in front of so many people.

That’s right. When I speak, I am usually nervous too.

Super secret trick that I do: I practice all of my new talks in front of the Ladies Code Meetup in Ottawa. They are a very small, incredibly supportive and warm audience. They are so very, very lovely, and forgiving when I make errors or something does not go well. If you have a very small audience that you trust to do a “test run” on, this is ideal. I’m extremely grateful that they let me “practice on them” regularly. 😀

Other thoughts:

  • If you get bad feedback about a joke, perhaps don’t use it. Especially when speaking in your second or third language. It’s much better to not be funny than to have it backfire; I have learned that I am not good at being funny in French…. The hard way. It’s best to not offend.
  • When you put a bunch of words on the screen the audience will read the words. We can’t help it! So try to have a picture, talk about your idea, then have words. This is a personal preference, but I find it helps.
  • Consider including a diverse set of people in your slides. Most Meme Generators (if you use those) only have white people, and mostly men for technology images. Why not have all ages, races, shapes and sizes? Because that’s what people actually look like.
  • Try to speak a bit slower than normal. Many people speak very quickly when they are nervous, so if you try to pronounce a little better and speak slightly slower, you will probably be very easy for everyone to understand. Drink water if that helps you remember to slow down. This is especially important if 1) you are giving a talk that is not in your first language and 2) you are speaking to an audience that does not have the same first language as the one you are speaking in (for instance, if you are giving a talk in English, in Japan). Being understood is more important than anything else.
  • Don’t be afraid to apply or be rejected. My submissions are rejected ALL THE TIME. Don’t get discouraged. It’s okay. Just apply again. Because eventually, they will say YES! And each time you do this process you will improve.
  • Always listen to feedback and consider it, but you don’t have to “take” all of the feedback. If three times you hear “You talk too fast”, you should probably talk slower. But if you hear one time “Maybe you should do X” and “X” doesn’t make any sense to you, just say thank you and feel free to not follow that advice.
  • Be open to feedback. Constructive feedback is a gift that someone is giving to you to help you improve. Try not to act defensive. Try to be open.
  • If someone asks a question that you don’t know the answer to, don’t make something up. You are allowed to say “I don’t know, that’s not my area of expertise” or “I’m not sure, I’ve never thought of that before, does anyone else have any thoughts on this?”. You don’t have to know everything in the universe, although you should definitely know as much as possible about your topic.
  • If someone is arguing with you or giving you a hard time during question period, tell them you would like to continue the discussion after, and in the meantime you want to give other people a chance to ask questions. Then meet them after and let them argue. You still have to talk to them (unless they are extremely rude; it is not your duty to be abused). I find that quite often people like that are just having trouble forming the question properly to express what they want to say, and when there is no spotlight on them it goes better. Also: I often learn something.
  • Please don’t be afraid to try. Believe it or not the first time someone suggested that I do a talk I said “Oh no, not ME!”. And look at me now. You can do this, it will just take a lot of hard work.

I hope these suggestions help you!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

More Tips for Social Media and Presenting

Last week I had a meeting with some of the wonderful ladies from WoSEC (Women of Security) to give them some tips on how to not feel strange when ‘bragging’, how to set goals for using social media, and how to avoid “taking shit” during question period after a talk. I made a video and it is linked below, however this article contains all the tips that I missed in the video.

I previously released the following relevant articles & videos:

Presentation and Social Media tips with SheHacksPurple

  1. On social media you will often receive the same questions over and over. Keep track, and then write a blog post or make a video about it, just like this one. Then share the link each time, instead of writing an individual letter each time. You will save yourself lots of time, but also give a much, much better answer to the person who is asking.
  2. Don’t assume your audience can read your mind; ask for what you want. I need to remind myself of this constantly. Example: my old startup, Security Sidekick, created our own Twitter account. I really wanted people to follow us, and I was tweeting and sharing things and then remembered “ask for what you want”, so I just politely asked my followers to follow us and we got 600 new followers overnight. I felt so silly that it took me 6 weeks to think about *just asking*. You can ask for things too.
  3. If you do public speaking, thank your audience after. In person and on social media. This is not only polite, but the right thing to do.
  4. Create goals regarding your social media and personal brand. Why are you doing all of this? What are you trying to achieve? Then remind yourself when you are making decisions what you are trying to achieve. For instance, I use social media to promote my content (I want people to attend my talks, read my blog, etc.), I want to help bring people into our industry (see #CyberMentoringMonday), and I want to help other women excel in our industry (and others who are underrepresented in infosec). For helping other women I realized that it would be better if I created a second account, and @WoSECtweets was born. Figure out what you really want, and then use social media as a tool to get it.
  5. People want to see your content. You are not “bragging” by telling them about it, you are helping them find it. If you don’t tell them about it, they won’t know, and why did you bother writing it if you don’t want anyone to see it? The same goes for speaking, people want to know, that’s why they are following you. If you feel bad or like you are “bragging”, then ask a friend, talk about it, and hopefully they can reassure you. It’s okay to be proud. It’s okay to make announcements. It’s okay to share what you have created. I promise, it’s okay.
  6. Schedule important tweets and make sure you have 1 in the AM and another one in the PM, so it reaches more than 1 timezone. Showing up in someone’s feed means they might discover you, like your messages, and read your content. It’s win-win, and very little effort. Also: it’s okay to tweet things more than once, because of the way Twitter works lots of people will miss it. Don’t tweet it 10 times, that’s annoying, but find a balance; tweeting the same thing more than once is 100% advised. Thanks to Chad Fowler for teaching me it’s a great idea to tweet something more than once.
  7. Invite people on LinkedIn to follow you on Twitter. Invite people on Twitter to connect with you on LinkedIn. Link on your blog to your social media handles, etc. Cross promotion.
  8. If someone asks you questions aggressively after a talk, don’t shrink away. Stand tall, be polite but clear. YOU are on stage, you are the authority. Don’t let someone try to turn the tables on you. If someone is talking for more than 30 seconds, ask them politely “is there a question in there?”; this can help them get to the point. If they disagree with you, that’s okay, you can counter with “I’d love to hear more about your perspective, let’s take it offstage / let’s talk after the session”. If someone is being particularly difficult, feel free to cut them off and then re-route the questions to a different section of the audience by physically turning to the other side of the room, so they know they are being dismissed, and saying “I feel I’m ignoring this side of the audience, do you have any questions?”. Quite often it is a misunderstanding when things like this happen and they actually agree with you, or they are just trying to paraphrase what you said. If so, take it in a good way and say “Yes, exactly! I’m glad we agree”. This is a great way to twist things back around in your favour, and end the conversation. Remember, the audience wants to see you succeed, they are on your side; it makes everyone uncomfortable if things go poorly during question period, so stand up for yourself if for no other reason than to save your audience from feeling uncomfortable for you. Please note: always assume good intent and you will avoid these types of situations 99% of the time.
  9. Share your slides after your talk and tweet them at the audience. I use SlideShare, but you can use whatever you like. Sharing is caring, yo.
  10. If you forget something during a presentation, no one knows. Don’t feel bad about it; carry on gracefully and take it lightly.
  11. LinkedIn has a far lower engagement ratio, but you should still post important things there. Don’t be afraid to share, even though it may feel intimidating at first because most of the people you know aren’t posting there; it will set you apart.
  12. Balance personal and professional tweets. It’s not bad to share personal things, but don’t make it most of your tweets if your goal is to also use your social media for professional reasons.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!