Oct 29th, 2023, saw the very first edition of “ThreatModCon”, a conference dedicated entirely to threat modelling. On the 30th and 31st was “OWASP Global AppSec”, a conference by the OWASP Foundation, dedicated entirely to application security. On November 1st and 2nd, I helped Adam Shostack deliver his 2-day intensive threat modelling training. This…
Tag: AppSec
Choosing API Security Tools
Quite often clients ask me “Which API Security Tool should I buy?”, and as you might have guessed I answer “It depends”, then proceed to ask them a dozen questions. Recently I asked a colleague at Semgrep if they felt this process might be of value to my readers, and Chinmay said “Absolutely!” and here we are with a new blog post.
The Difference Between SCA and Supply Chain Security
Right now, the concept of the software supply chain and securing it is quite trendy. After the SolarWinds breach, the attack on the crypto wallet, and the Log4j fiasco, the entire world appears to be focused on securing the software supply chain. I’m not complaining. If anything, as an application security nerd, I am quite pleased that…
Trip Report – Hacker Summer Camp 2023
For those of you who are aware, every August for the past 30 years or so, hackers have been meeting in the dead heat of summer in Las Vegas, Nevada to host multiple learning and community events. It started with Def Con, a conference dedicated to hackers & hacker culture, releasing exploits, and “doing stuff…
I’m Joining Semgrep and Bringing We Hack Purple With Me
Hello my friends! It's me, Tanya Janca from We Hack Purple, and I am beyond thrilled to announce that we are joining forces with Semgrep to take the world of application security by storm! As the new Head of Education and Community, bringing the We Hack Purple community and content with me, we will be offering…
Operations First!
Many years ago, when I was a software developer, a very smart boss said to me: “Tanya, it’s always operations first. Projects after.” At first, I was confused, how will I make any progress on my projects if I’m always doing operations? And, what the HECK is “operations” anyway? Reader, this was an incredibly important…
You Do Not Need to do DAST in a Pipeline to do DevSecOps
I want to get something straight: you do not need to put a dynamic scanning tool into your CI/CD pipeline in order to do DevSecOps properly. You don't even necessarily need to use automated dynamic analysis at all to be doing DevSecOps. I do regular consulting via IANS Research and quite often I find myself…
Trip Report for B-Sides SF and RSAC 2023 San Francisco
As you may be aware if you read my blog, I spoke at B-Sides San Francisco and RSA Conference 2023, and it was GREAT! Below is a report about my trip, and all the wonderful people, places, and activities I saw and participated in from April 21-28, 2023. B-Sides SF: Breakfast with wonderful people!…
Preventing Secrets in Code
When I started programming in the '90s the security of software wasn't on everyone's mind like it is now. I took no security classes in my 3-year college computer science program, and it never even came up as a subject. I was taught to save the connection string for each different environment in the comments…
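The habit described above, keeping a connection string for each environment in a source comment, is exactly what a secrets scanner is meant to catch: a credential in a comment is still a credential in the repository. The following is an added example, not code from the original post or from Semgrep or We Hack Purple; it shows a minimal check of that kind run over a constructed source snippet, next to the hardened pattern of loading the connection string from the environment at runtime. The regular expressions and the sample source are illustrative assumptions, not an exhaustive rule set.

```python
"""Added example: detect credential-bearing connection strings in source
(comments included) and show the hardened alternative of reading them from
the environment. The sample source and patterns below are constructed for
illustration and are not from the original post."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Illustrative patterns (assumption: not exhaustive). Each is applied to every
# line, so secrets hidden in comments are flagged just like secrets in code.
SECRET_PATTERNS = [
    # scheme://user:password@host/...  e.g. postgres:// or mysql:// URLs
    ("db-url-with-password", re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@\S+")),
    # ADO.NET / ODBC style "Password=..." or "Pwd=..." key-value pairs
    ("kv-password", re.compile(r"(password|pwd)\s*=\s*[^;\s'\"]+", re.IGNORECASE)),
    # AWS access key ID format
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def find_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, matched_text) for every hit.

    Comments are not special-cased: a secret in a comment still ships with
    the code and still ends up in version control history.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                hits.append((lineno, name, match.group(0)))
    return hits


def has_secrets(source: str) -> bool:
    """Convenience gate for a pre-commit hook or pipeline step."""
    return bool(find_secrets(source))


# Constructed sample: the "connection string per environment in the comments"
# anti-pattern, a legacy hardcoded string, and one line that does it right.
CONSTRUCTED_SAMPLE = """\
# dev:  postgres://app:devpass123@localhost:5432/app
# prod: postgres://app:Pr0dS3cret!@db.internal:5432/app
DB_URL = os.environ["DB_URL"]
legacy = "Server=sql01;Database=app;User Id=app;Password=hunter2;"
"""


def load_db_url(env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: the connection string is injected at runtime from the
    environment (populated by a secrets manager or CI secret), never stored
    in source. Fails closed if it is missing rather than falling back to a
    hardcoded default."""
    env = os.environ if env is None else env
    url = env.get("DB_URL")
    if not url:
        raise RuntimeError("DB_URL is not set; provide it via the environment or a secret store")
    return url


if __name__ == "__main__":
    for lineno, name, text in find_secrets(CONSTRUCTED_SAMPLE):
        print(f"line {lineno}: {name}: {text}")
```

Run as a script, the block lists the three hardcoded credentials in the sample (the two commented-out connection strings and the legacy ADO.NET string) and leaves the environment-based line alone. In practice a check like this belongs in a pre-commit hook and in the pipeline; a mature secret scanner adds entropy checks and provider-specific token formats, but the principle is the same.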
OWASP Global AppSec Dublin 2023
Recently I had the pleasure of being one of the keynote speakers at OWASP Global AppSec, in Dublin Ireland. In this post I’m going to give a brief overview of some of the talks I saw while I was there, and the TONS of fun I had. I didn’t get to stay very long, and…