Promoting Yourself on Social Media

Many people who are aspiring to become a public speaker ask me how to conduct themselves on social media or promote a talk once they have been accepted to speak somewhere. Having been a professional musician for a long time before I worked in InfoSec, I am used to trying to promote my events and set myself and my art apart from others. With this in mind, I humbly offer the following suggestions to help you gain social media followers or attract people to your events or work.

My original ‘SheHacksPurple’ logo. That lady has come a long way since then!
  • Tweet about your events and your work! Share on LinkedIn! Talk about what you are doing and what you want to bring attention to. Send a tweet to your followers to tell them what’s new in your work, research you’ve released, or an article you have written. If you are doing things you are proud of in your professional life, you should tell people about them.
  • Send a tweet to other speakers at the same conference that you are speaking at, congratulating them or telling them you are looking forward to their talk (note, only do this if it’s true). I know I love it when people congratulate me, so why not do that for others?
  • General rule: never tweet or say or act in a way that is not genuine to who you really are. Don’t fake it; people can tell, and it’s a huge turn off. I know that I’m a giant nerd who is overly enthusiastic, obsessed with security and sometimes awkward. I own who I am, and people tend to think it’s adorable. If they don’t like it, they were never going to like me anyway; those aren’t the followers/connections/friends that I’m looking for. If you make your personal brand the real you, it’s much easier to ensure that you never step out from your brand and alienate the people who follow you.
  • Always do major announcements (conference appearance, project release, etc.) on ALL of your social media. Don’t just announce it on one platform, use at least two. Do it on ALL social media that you have available to you. (PS you should use at least two forms of social media.)
  • Don’t be as chatty on LinkedIn as on Twitter, it’s not the platform for that. 🙂
  • Don’t use Twitter and LinkedIn the same way you use Facebook. Facebook is for personal connections, and some professional things. LinkedIn is professional only. Twitter can be a mix. Don’t post 100 photos per day of your family, your lunch or your dog on your Twitter or LinkedIn account and then wonder why you have no professional followers. If you work in InfoSec, and you are trying to get people interested in the research or other work that you are doing, why are you tweeting photos of your French fries that you just ordered? Rare personal tweets are okay, but you have to remember that’s not what people are following you for….
  • Don’t comment on women’s appearance, attractiveness or bodies in a professional setting or social media. If I post a photo of myself giving a talk and someone comments how attractive I am it embarrasses me and makes me uncomfortable. It makes me wonder if how I look is more important than my research to some people, and I know many other women feel this way as well. If you want to compliment a woman, I highly suggest you compliment her on her work, achievements or something else professional. “Great talk!”, “Awesome article”, “You were so powerful on stage!”, “Highly informative”, “Great ideas!” etc. are all something anyone would be happy to see as a comment online.
  • If possible, involve other people in your events. For instance, do a workshop with a friend, or write an article with someone who works in the same field as you. Organize a meetup with multiple speakers. It will bring more attention to the whole thing. It’s also usually more fun, and if there are technical issues you have backup. Plus, you have someone else to help you create the content or run the event; it’s win-win. It is also a good way to give a platform to someone else who has fewer followers, but who you want to see succeed.
  • Ask to be on podcasts that relate to your area of interest. Tell them the topic that you want to talk about, make it easy for them by having a story ready. Announce it on social media. Always announce everything on social media.
  • Reach out to the newspapers or blogs and see if they want to write an article about you/the conference. Try to have a story or interesting angle ready for them, so that the story writes itself. They are more likely to say yes if you have a good idea for a story.
  • Plan other local events in conjunction with a large event (such as speaking at a conference) and give a different talk than the one you are doing at the conference (never do the same talk, in the same city, the same week). If you are doing a DevOps related talk, there’s almost always a DevOps meetup, same for OWASP (appSec), .Net users’ group, Cloud and so on. The bigger the city, the more options you will have. If you can get two different groups to co-host it (for instance the DevOps and OWASP meetups hosting a DevSecOps talk) that’s even better. Don’t forget to announce it on social media.
  • Add something personal to your talk, if you feel comfortable. “War stories” are always well received. For instance, if you are giving advice that people should always encrypt their hard drives, share a story about when an unencrypted hard drive was stolen that illustrates the reason why you are offering this advice. People like knowing the secrets of what goes on behind the scenes, and that you are a real person. But don’t get too personal though, no over-sharing, that can have the opposite effect.
  • When at an event where you are presenting, ask someone to take photos of you. Share one of the images online after and thank the conference for having you. Saying thank you is never a bad thing. Save good photos to help promote future events.
  • Live tweet other people’s talks (again, only if you actually like it). Give compliments (publicly and/or privately) when people deserve them. If a talk looks cool, comment that the talk looks cool. If you feel someone’s project or research is impressive, tweet at them to tell them that it’s impressive. It’s not only a nice thing to do, it adds visibility to what you do and boosts your image of being positive and nice to work with. Again, win-win!
  • Never tweet or share bad things on social media about other professionals in your field. Talk to them directly if you have a problem. I try to treat others how I would want to be treated, and I would much rather handle things like that privately.
  • Don’t respond to trolls unless you have something incredibly good ready and you have thought about what the response will be. Always proceed with caution when interacting with someone who’s willing to act like that online. Staying away is usually best.
  • People love images, post related images if possible, with the conference/event/project/article/video tagged. Always tag the thing you are trying to promote. Feel free to tag people who will be involved as well.
  • If you see a news article that relates to your talk share it, with comments that you will cover this topic in more depth at your talk/presentation.
  • If people tweet at you or reach out to you on social media, unless it’s negative, “like” their comment and respond positively whenever you have time. People like to be acknowledged, I know I do.
  • Whenever possible, show kindness, patience and respect to others, both publicly and privately. This is a general tip, but it really makes life much better no matter what you do or who you are. 🙂

I hope this helps! Please reach out with questions or any suggestions of your own. I’d love to hear your feedback.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

Practice Makes Perfect: Comments on Public Speaking

Many people ask me about how to become a better speaker. Below are some tips that I have for all of you. I hope they help!

Spoiler alert: my advice is not very exciting. I do not have a secret recipe, it’s mostly just a lot of hard work and practice.

My first suggestion is that you practice in front of your friends, colleagues, and anyone else that you trust. Practice many times. Ask for feedback each time. Take the feedback seriously, and change your talk accordingly.

When you feel ready, speak at a meetup. Then another one. Then another one. Speak at work if you are allowed. Speaking to smaller groups will give you more confidence, and people will begin to know who you are in your city. I also speak at work as much as they will tolerate. 🙂 The more practice you get, the better speaker you will be.

Once you feel that you have mastered speaking at a meetup, you can try to move on to bigger things, like conferences.

Tacos from local produce and meat, at the farmer’s market. Nothing to do with infosec, but absolutely delicious.

When you apply for a conference, have someone you trust review your abstract and your talk outline. I usually write the entire talk before I apply, but I know many others do not do this and still do very well at it. Get feedback from as many people who work in your field as possible; you want to make sure it is interesting and will make the conference organizers interested in what you have to say. Include as much research and reference material as possible in your outline. This is your chance to prove that you know what you are talking about.

When you are accepted to a conference, practice even more than before! You want to ensure that you impress the people who invited you to speak, so put as much work into practicing as you can. I practice many hours for every conference, and it really pays off. When I am up there I am much less nervous, because I have done it so many times before, in front of so many people.

That’s right. When I speak, I am usually nervous too.

Super secret trick that I do: I practice all of my new talks in front of the Ladies Code Meetup in Ottawa. They are a very small, incredibly supportive and warm audience. They are so very, very lovely, and forgiving when I make errors or something does not go well. If you have a very small audience that you trust to do a “test run” on, this is ideal. I’m extremely grateful that they let me “practice on them” regularly. 😀

Other thoughts:

  • If you get bad feedback about a joke, perhaps don’t use it. Especially when speaking in your second or third language. It’s much better to not be funny than to have it backfire; I have learned that I am not good at being funny in French… the hard way. It’s best to not offend.
  • When you put a bunch of words on the screen the audience will read the words. We can’t help it! So try to have a picture, talk about your idea, then have words. This is a personal preference, but I find it helps.
  • Consider including a diverse set of people in your slides. Most Meme Generators (if you use those) only have white people, and mostly men for technology images. Why not have all ages, races, shapes and sizes? Because that’s what people actually look like.
  • Try to speak a bit slower than normal. Many people speak very quickly when they are nervous, so if you try to pronounce a little better and speak slightly slower, you will probably be very easy for everyone to understand. Drink water if that helps you remember to slow down. This is especially important if 1) you are giving a talk that is not in your first language and 2) you are speaking to an audience whose first language is not the one you are speaking in (for instance, if you are giving a talk in English, in Japan). Being understood is more important than anything else.
  • Don’t be afraid to apply or be rejected. My submissions are rejected ALL THE TIME. Don’t get let down. It’s okay. Just apply again. Because eventually, they will say YES! And each time you do this process you will improve.
  • Always listen to feedback and consider it, but you don’t have to “take” all of the feedback. If three times you hear “You talk too fast”, you should probably talk slower. But if you hear one time “Maybe you should do X” and “X” doesn’t make any sense to you, just say thank you and feel free to not follow that advice.
  • Be open to feedback. Constructive feedback is a gift that someone is giving to you to help you improve. Try not to act defensive. Try to be open.
  • If someone asks a question that you don’t know the answer to, don’t make something up. You are allowed to say “I don’t know, that’s not my area of expertise” or “I’m not sure, I’ve never thought of that before, does anyone else have any thoughts on this?”. You don’t have to know everything in the universe, although you should definitely know as much as possible about your topic.
  • If someone is arguing with you or giving you a hard time during question period, tell them you would like to continue the discussion after, and in the meantime you want to give other people a chance to ask questions. Then meet them after and let them argue. You still have to talk to them (unless they are extremely rude; it is not your duty to be abused). I find that quite often people like that are just having trouble forming the question properly to express what they want to say, and when there is no spotlight on them it goes better. Also: I often learn something.
  • Please don’t be afraid to try. Believe it or not the first time someone suggested that I do a talk I said “Oh no, not ME!”. And look at me now. You can do this, it will just take a lot of hard work.

I hope these suggestions help you!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

More Tips for Social Media and Presenting

Last week I had a meeting with some of the wonderful ladies from WoSEC (Women of Security) to give them some tips on how to not feel strange when ‘bragging’, how to set goals for using social media, and how to avoid “taking shit” during question period after a talk. I made a video and it is linked below, however this article contains all the tips that I missed in the video.

I previously released the following relevant articles & videos:

Presentation and Social Media tips with SheHacksPurple

  1. On social media you will often receive the same questions over and over. Keep track, and then write a blog post or make a video about it, just like this one. Then share the link each time, instead of writing an individual letter each time. You will save yourself lots of time, but also give a much, much better answer to the person who is asking.
  2. Don’t assume your audience can read your mind, ask for what you want. I need to remind myself of this constantly. Example: my old startup, Security Sidekick, created our own Twitter account. I really wanted people to follow us, and I was tweeting and sharing things and then remembered “ask for what you want”, so I just politely asked my followers to follow us and we got 600 new followers over night. I felt so silly that it took me 6 weeks to think about *just asking*. You can ask for things too.
  3. If you do public speaking, thank your audience after. In person and on social media. This is not only polite, but the right thing to do.
  4. Create goals regarding your social media and personal brand. Why are you doing all of this? What are you trying to achieve? Then remind yourself when you are making decisions what you are trying to achieve. For instance, I use social media to promote my content (I want people to attend my talks, read my blog, etc), I want to help bring people into our industry (see #CyberMentoringMonday), and I want to help other women excel in our industry (and others who are underrepresented in infosec). For helping other women I realized that it would be better if I created a second account, and @WoSECtweets was born. Figure out what you really want, and then use social media as a tool to get it.
  5. People want to see your content. You are not “bragging” by telling them about it, you are helping them find it. If you don’t tell them about it, they won’t know, and why did you bother writing it if you don’t want anyone to see it? The same goes for speaking, people want to know, that’s why they are following you. If you feel bad or like you are “bragging”, then ask a friend, talk about it, and hopefully they can reassure you. It’s okay to be proud. It’s okay to make announcements. It’s okay to share what you have created. I promise, it’s okay.
  6. Schedule important tweets and make sure you have one in the AM and another one in the PM, so it reaches more than one timezone. Showing up in someone’s feed means they might discover you, like your messages, and read your content. It’s win-win, and very little effort. Also: it’s okay to tweet things more than once, because of the way Twitter works lots of people will miss it. Don’t tweet it 10 times, that’s annoying, but find a balance; tweeting the same thing more than once is 100% advised. Thanks to Chad Fowler for teaching me it’s a great idea to tweet something more than once.
  7. Invite people on LinkedIn to follow you on twitter. Invite people on Twitter to connect with you on LinkedIn. Link on your blog to your social media handles, etc. Cross promotion.
  8. If someone asks you questions aggressively after a talk, don’t shrink away. Stand tall, be polite but clear. YOU are on stage, you are the authority. Don’t let someone try to turn the tables on you. If someone is talking for more than 30 seconds, ask them politely “is there a question in there?”; this can help them get to the point. If they disagree with you, that’s okay, you can counter with “I’d love to hear more about your perspective, let’s take it offstage / let’s talk after the session”. If someone is being particularly difficult, feel free to cut them off and then re-route the questions to a different section of the audience by physically turning to the other side of the room, so they know they are being dismissed, and saying “I feel I’m ignoring this side of the audience, do you have any questions?”. Quite often it is a misunderstanding when things like this happen and they actually agree with you, or they are just trying to paraphrase what you said. If so, take it in a good way and say “Yes, exactly! I’m glad we agree”. This is a great way to twist things back around in your favour, and end the conversation. Remember, the audience wants to see you succeed, they are on your side; it makes everyone uncomfortable if things go poorly during question period, so stand up for yourself if for no other reason than to save your audience from feeling uncomfortable for you. Please note: always assume good intent and you will avoid these types of situations 99% of the time.
  9. Share your slides after your talk and tweet them at the audience. I use SlideShare, but you can use whatever you like. Sharing is caring, yo.
  10. If you forget something during a presentation, no one knows. Don’t feel bad about it; act in a good way and take it lightly.
  11. LinkedIn has a far lower engagement ratio, but you should still post important things there. Don’t be afraid to share, even though it may feel intimidating at first because most of the people you know aren’t posting there; it will set you apart.
  12. Balance personal and professional tweets. It’s not bad to share personal things, but don’t make it most of your tweets if your goal is to also use your social media for professional reasons.
For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

HSTS Preloading of all .Dev domains: Troubleshooting

I’ve been quietly planning out SheHacksPurple.dev for the past little while, with the intent to announce it while at RSAC last week in San Francisco. My new site provides regular security content for a modest fee ($7/month), all created by yours truly, on the topics of DevSecOps, AppSec, Cloud Security, MFA, etc. Soon I will be releasing full length training courses on these topics, also at affordable prices.

** Our company website is now WeHackPurple.com

That said, when I pointed my domain at Podia.com (the place that is hosting my content), I followed the directions, and it did not work. The https://www.shehackspurple.dev link worked, but the apex domain, https://shehackspurple.dev, was throwing a security error. The instructions were to point the CNAME record for “www” to the Podia address for my content, no problem. Then forward the apex domain (no “www” at the front), to the www address for my site. I wasn’t sure why but the following error was thrown in all browsers.

HOW EMBARRASSING! I teach how to implement HSTS, then I can’t get it right? Ahh!

By this point I knew it was an HSTS problem, and that I was being pre-loaded, so I tried to remove my URL from being pre-loaded. Sounds easy right? Nope.

Being rejected by the HSTS Preload Page

At this point I felt I had to ask for help, people were clicking on the links from my presentations and getting this embarrassing error. Time to swallow my pride. I called GoDaddy, the ones who sold me the “.dev” domain name, and they had no idea. I called Podia, and they were also at a loss.

Me sharing my feelings with the Chromium Dev Team.

They did not answer my accusatory tweet.

So then I did what I always do when I’m completely stuck; I asked my brilliant twitter followers.

Within 10 minutes someone pointed out that Google had purchased the entire “.dev” domain (I didn’t know that was possible) and decided to force pre-loading of the HSTS security header on all of the domains under .dev. THAT was why I could not get my URL to stop being pre-loaded. This news surprised me because 1) shouldn’t GoDaddy have known this was the issue, since they sold me the .dev domain? 2) forcing a security feature on everyone often leads to poor results, and 3) apparently some people think that “.dev” means a site that is under development, when it actually means “for developers”. No one is going to buy a completely separate domain so they can host their dev stuff on it, internal to their own networks. That makes zero sense, folks.

In summary, I bought a .dev because I thought that’s where all the cool kids were, but it turns out that the .dev addresses come with baggage. My emails from my new domain are too often caught in spam filters, and now this HSTS situation… But I digress.

I read a few articles on this topic, and I learned that the TLS handshake couldn’t be completed on the apex (my domain without the “www” at the front), because I had it forwarding to my www domain. HSTS forces the browser to connect over HTTPS, so the handshake has to complete on the apex before any redirect can even be seen. GoDaddy’s forwarding feature doesn’t complete it; it just forwards the request directly, which is not enough for HSTS. It’s strict.

Once I knew what the problem was, then I had to figure out a way to hack around it. I’m stubborn and did not want to have to start all over with a new domain. No way.

Luckily a whole bunch of my followers had great ideas. Michael Buckbee was particularly helpful, and he helped me figure out that the apex (https://shehackspurple.dev) needed to terminate the TLS, so then I just needed to figure out how to do it. PS Thanks Michael!

This is where I turned to CloudFlare. No, this is not an advertisement for them, we aren’t affiliated (but if they want to buy a subscription to my site that would be cool!).

CloudFlare protects sites from DDoS and other internet problems, and in the process they *forward* your traffic. GREAT, I needed my traffic forwarded. And since they are a security company, they terminate the TLS. PERFECT.

First I set up CloudFlare, which was super-simple. They have a free plan and I chose that one; so far so good.

Then I created a Page Rule to forward my Apex URL to my www URL, like so.

My CloudFlare Page Rule

And BOOM, SheHacksPurple.dev is no longer broken, and I can post content for all to find. 😀
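The failure and the fix described above, as an added example that is not part of the original post: a small Python model of how an HSTS-aware browser treats an apex under a preloaded TLD, run against two constructed setups (registrar-style HTTP-only forwarding versus a proxy that terminates TLS on the apex). The `Fetcher` interface, the `example.dev` placeholder and both sample server behaviours are assumptions of mine, not real hosts or CloudFlare’s actual implementation.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

# TLDs that browsers ship as HSTS-preloaded with includeSubDomains. ".dev" is
# the one the post runs into; ".app" is another Google-run TLD handled the same way.
PRELOADED_TLDS = {"dev", "app"}


@dataclass
class Response:
    status: int                                  # HTTP status, or 0 when nothing came back
    headers: dict = field(default_factory=dict)  # header names lower-cased
    error: Optional[str] = None                  # transport-level failure, e.g. TLS

# A fetcher takes an absolute URL and returns one Response without following
# redirects; check_apex() does the following itself, the way a browser does.
Fetcher = Callable[[str], Response]


def is_preloaded(host: str) -> bool:
    """True when the host's TLD is on the preload list (includeSubDomains)."""
    return host.rsplit(".", 1)[-1].lower() in PRELOADED_TLDS


def upgrade(url: str) -> str:
    """Apply the HSTS upgrade: for a preloaded host the browser rewrites http://
    to https:// before connecting, so port 80 on that host is never contacted."""
    parts = urlsplit(url)
    if parts.scheme == "http" and is_preloaded(parts.hostname or ""):
        return "https://" + url[len("http://"):]
    return url


def check_apex(apex: str, fetch: Fetcher, max_hops: int = 5) -> dict:
    """Walk the redirect chain from the apex as an HSTS-aware browser would and
    report whether the site is reachable without ever leaving HTTPS."""
    url = upgrade(f"http://{apex}/")  # what a user types: bare apex, no scheme
    chain = [url]
    for _ in range(max_hops):
        resp = fetch(url)
        if resp.error:
            return {"ok": False, "chain": chain, "reason": f"{url}: {resp.error}"}
        if resp.status in (301, 302, 307, 308):
            nxt = upgrade(resp.headers.get("location", ""))
            if not nxt.startswith("https://"):
                return {"ok": False, "chain": chain,
                        "reason": f"{url} redirected to non-HTTPS {nxt!r}"}
            chain.append(nxt)
            url = nxt
            continue
        if 200 <= resp.status < 300:
            return {"ok": True, "chain": chain,
                    "hsts": resp.headers.get("strict-transport-security")}
        return {"ok": False, "chain": chain, "reason": f"{url}: HTTP {resp.status}"}
    return {"ok": False, "chain": chain, "reason": "too many redirects"}


# --- Constructed sample setups (not real servers) ---------------------------
APEX = "example.dev"  # constructed placeholder for an apex under a preloaded TLD


def registrar_forwarding(url: str) -> Response:
    """Constructed: registrar-style forwarding that only answers on plain HTTP.
    The forced HTTPS connection to the apex never completes a handshake."""
    if urlsplit(url).hostname == APEX and url.startswith("https://"):
        return Response(0, error="TLS handshake failed: apex does not terminate TLS")
    return Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})


def tls_terminating_proxy(url: str) -> Response:
    """Constructed: a proxy in front of the apex (the post used a CloudFlare Page
    Rule) completes TLS, then issues the redirect to www over HTTPS."""
    if urlsplit(url).hostname == APEX:
        return Response(301, {"location": f"https://www.{APEX}/"})
    return Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})


if __name__ == "__main__":
    for name, fetch in (("registrar forwarding", registrar_forwarding),
                        ("TLS-terminating proxy", tls_terminating_proxy)):
        print(name, check_apex(APEX, fetch))
```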

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

AMA: Where can we learn Threat Modelling?

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’.

The linked video is approximately 2 minutes.

  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Escalation of Privilege”, created by Adam Shostack.
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. 😀
  • Every time there is a new project at work, meet with them for one hour and just *try* to threat model. It’s okay if it’s not perfect; if you identify just one risk you had not thought of, your session was productive.
  • Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area: Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris, the list goes on and on.
  • Whiteboard designs with people and then ‘put on your black hat’ and take a look.
  • Ask the tech team (developers, architects, ops peeps), “If you were going to hack your app, how would you do it?” The answers may terrify you, but you’ll be happy you asked.
  • Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…
For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

PS The Video Quality is low in this video and has been improved in future recordings.
