OWASP Global AppSec Dublin 2023

Tanya Janca Speaking on stage

Recently I had the pleasure of being one of the keynote speakers at OWASP Global AppSec, in Dublin Ireland. In this post I’m going to give a brief overview of some of the talks I saw while I was there, and the TONS of fun I had. I didn’t get to stay very long, and due to jetlag I fell asleep a few times when I wished I could have stayed awake, but overall I would recommend this event (and all the OWASP Global AppSec events) to anyone who is interested in application security, OWASP, or Guinness beer. This is going to be a long blog post, get yourself a beverage and get ready for lots of pictures!

I landed the morning before the conference, and met up with two friends I hadn’t seen in far too long, Takaharu Ogasa from Japan, and Vandana Verma from Bangalore India. I also met another speaker for the event named Meghan Jacquot!

Takaharu Ogasa, Tanya Janca, Vandana Verma and Meghan Jacquot!

The evening before the conference I had wanted to set up a We Hack Purple in-person meetup, but I was running short on time. Luckily, my friends at SemGrep invited me to a free pre-conference networking event, so I invited all the WHP folks to meet me there. Unfortunately, WAY too many people were there (the place was supposed to hold 50-100 people, but 200 showed up). Although I got to see many friendly faces (see Jessica Robinson, Vandana and I below), it was far too crowded for me. As a Canadian, we’re used to 13 square kilometres of personal space, per person, and it was a bit much for me. ;-D

Tanya Janca, Vandana Verma and Jessica Robinson

Luckily Adam Shostack invited me to a super-secret-speaker’s dinner the same evening, held in a giant church that had been converted into an amazing live music venue! There were tap dancers, fiddlers, OWASP Board Members, and Adam did an impromptu book signing!!! Thank you Adam! Next to Adam is Avi Douglen of the OWASP Board of Directors, and also an avid threat modeller.

Adam Shostack signing books, with Avi Douglen

The next day I woke up extremely early (6:00 am), thanks to a crying baby in the room next to mine at the hotel. :-/  I used this time to call home and practice my talk: Shifting Security Everywhere. You can download a summary of my presentation here. (Note: you are supposed to join my mailing list to receive the PDF, but my mailing list is awesome, so hopefully you feel it’s a good trade. Also, you can easily get around this if you truly do not want to subscribe, simply do not press the ‘confirm subscription’ link).

Grant Ongers, from the OWASP board of directors, kicked off the conference by announcing a brand-new award “OWASP Distinguished Lifetime Member” and then announced the first 4 winners: Simon Bennetts, Rick Mitchell, Ricardo Pereira, and Jim Manico.  As a person who has volunteered many hours for OWASP, I felt it was beautiful to see 4 extremely dedicated volunteers receive this much-deserved award. I am very proud of all of them and their amazing contributions to our community! Great job OWASP for thinking of this new way to show appreciation by publicly recognizing some of our most-dedicated volunteers!

Grant Ongers presenting award to Simon Bennetts

The very first talk of the conference was called “A Taste of Privacy Threat Modeling” by a woman named Kim Wuyts, introduced by Avi Douglen (Member of OWASP Board of Directors). She spoke about threat modelling privacy, and used ice cream analogies to explain how marketers see our data. I like ice cream, privacy, AND threat modelling, so this was a real treat (pun intended!). I care a lot about privacy, both personally and professionally, and loved how she used situations we are all familiar with (including eating ice cream too fast then ending up with brain freeze!) to explain various concepts within privacy and threat modelling. I feel like any person, with zero previous technical experience or knowledge, would have been able to follow her entire talk, which is quite rare at a conference like this. She also made her OWN threat modelling privacy game! Nicely done Kim!

After that I went to see Chris Romeo’s talk about “Ten DevSecOps Culture Fails”. Chris is also the host of the Application Security podcast, and I’ve been following his work for quite a while. He did not disappoint!

Chris Romeo, speaking

After the delicious lunch of yummy curry and rice, and more than one latte, we had the afternoon keynote. Grant Ongers introduced Jessica Robinson, who explained “Why winning the war in cyber means winning more of the everyday battles”. She shared several personal stories from her career, including what it was like to be a woman of colour working in STEM, her obsession with the Kennedys, implementing the first cyber security policy at a large law firm in New York City, and more! The thing I liked most about her presentation was how she took us on a journey. She’s an incredibly gifted public speaker, and she started by getting us all to close our eyes, then imagine various things, before opening our eyes and formally beginning her talk.

Part way through Jess’ presentation the videographer fainted, fell, and made a huge loud noise. He’s okay, don’t worry readers! All 500 of us turned around and started becoming concerned. She asked if he was okay, a bunch of staff rushed to take care of him, and once it was clear there was no danger, she recommenced her talk. Not very many speakers would be able to recover like she did. To be able to fully capture our attention again was very impressive. I say this as a person who was a professional entertainer for 17 years, and then a professional public speaker for 6 years; that is an incredible feat. By the end I had completely forgotten about the fainting, because I was so wrapped up in her and the tales she was telling. Anyway, she’s amazing.

Jessica Robinson, being amazing

At this point I have a silly complaint. Usually when I go to an InfoSec conference, there are only a handful of talks that interest me. I always want to see all of the AppSec talks, maybe some quantum computing, anything to do with using AI to create better security, or topics about cyber warfare (which equally interest and frighten me). But it’s rare at a conference that is not AppSec-focused that I have conflicts in the schedule of things that I really want to see. This happened a LOT at this conference. Sometimes there would be 3 different talks, at the same time, that I was dying to see. I found it very difficult to choose for some of the time slots, which may sound strange, but I’m a very decisive person. Not being able to decide is rare for me. That said, I am pleased to report that all of them were recorded, even if we all know it’s not quite as good as being there in person. I will try to add links to all the talks listed here once the videos are out so that you can enjoy them too!

Seba Deleersnyder and Bart De Win

This is my favourite picture from the entire conference. When you work on an open-source project with someone, you are working because you love what you are doing. When everyone on your team really cares about your goal, you can become very good friends. It is very clear the SAMM team are great friends! I love seeing OWASP bring people together! <3

The talk from the image above was about the OWASP SAMM project – The Software Assurance Maturity Model, presented by Seba Deleersnyder and Bart De Win. I live tweeted their talk (link here), if you want a play-by-play. The essence of their presentation was updates about the project from the past 2-3 years, and how they have worked with the community and industry to update, expand, and improve the model to be more helpful, by creating tools, surveys and online documentation to make their project more useful for everyone. I had been planning on writing a blog post about the project called “OWASP SAMM, for the rest of us”, because I find clients are often very insecure that they won’t ‘measure up’ to the SAMM standard. I hope I can help a bit by breaking things down into smaller pieces, and helping teams start where they are at, then working their way up over time. SAMM can work for any team, just be realistic and try not to be too hard on yourself! We all have to start somewhere.  

After Seba and Bart’s talk it was time for the networking event. OBVIOUSLY, they had Guinness beer on tap! We were in Ireland! I had a great time, chatting with all sorts of people, and I got an awesome gift of a Tigger-striped hoodie from Avi Douglen, which made my day! Then I went back to my hotel room to practice my talk, approximately a thousand times.

Tanya Janca, presenting on a stage

Side note: Remember the baby in the hotel room next to mine? The night before my talk it started crying, loudly, at 3:00 AM, and continued crying all the way until 6:00 am. I was up almost the entire night. Which gave me plenty of time to practice my talk. Yay?

Usually when you see me present a ‘new’ talk at a conference, it is not the first time that I have presented it. In fact, I have often given it 5 to 10 times, in front of 1 or 2 people each time, which is why I usually seem so comfortable on stage. I always practice new material on people from my community (We Hack Purple, OWASP Ottawa, the Ottawa Ladies Code Meetup, WoSEC Victoria, etc.). I’ve always turned to my community for feedback, advice, and encouragement. They have always been gentle, kind, and give reliably fantastic advice! I would recommend every speaker do this! But this time, because I was asked to do this with so little time, I hadn’t presented it in front of anyone. In fact, I was still writing it as I flew across the ocean to the venue. I WAS SO NERVOUS!!!!!

Tanya Janca, presenting on stage

But it went really well anyway!  Phew! And Matt Tesauro introduced me, so that was extra-nice! Matt is on the OWASP Board of directors and a leader of the Defect Dojo Project. Actually, he’s been a part of several different projects and chapters over the years. He was kind enough to distribute the maple-candies I brought to give to all the people who asked questions. Having a long-time friend introduce me made me a lot less nervous! Thank you Matt!

Tanya Janca, smiling for the camera

Now that my talk was over, I could concentrate completely on having fun! I ended up in the hallway speaking to lots of people and missing the talk after mine. Then we had lunch, and then came another time slot where there were THREE talks I wanted to see. THREE amazing presentations to choose from! I ended up in Tal Melamed’s talk, about the OWASP Serverless Top Ten. I had spoken to Tal many times before, but it was our first time meeting in person, so that was pretty exciting for me. I even managed to sit with him for lunch! Even though I already knew the Serverless Top Ten, it was still exciting to see Tal speak to it. As a bonus, he ended slightly early, so I was able to catch the Q&A after Matt Tesauro’s talk about Hacking and Defending APIs – Red and Blue make Purple. I felt this was a good compromise.

After lunch the wonderful Vandana Verma got on stage to introduce the last keynote speaker. She told us all that there would be “a BIG announcement” at 5:30 pm, so we had better not leave early. For those that don’t know, the big announcement was that OWASP has officially changed their name (but not the acronym). Previously it stood for “Open Web Application Security Project”, but that name was limiting. People often complained that we kept straying outside our purpose, by including cloud, containers, etc. But why would we want to limit ourselves like that? So the board of directors voted to change it to “Open Worldwide Application Security Project”, which I have to say, I like WAY BETTER. Nicely done board!

The last keynote was Dr. Magda Chelly, and it was spectacular! In her talk, AI-Assisted Coding: The Future of Software Development; between Challenges and Benefits, she spoke about how AI is going to change the way most of us work, especially those of us in IT. I don’t want to give away the entire talk, but… She explained how many of us could work with AI, the difference between AI-assisted and AI-created content (this is more important than I had previously realized), and all the issues and questions around who owns the copyright of such work. If an AI creates a poem, but you asked it to create a poem, and gave it the parameters to create said poem, who owns the copyright? What if it only assisted you in creating an application, it didn’t write all the code, just some of the code? Who owns that? Also, when we train AI on certain data, but that data has specific licensing, then the AI creates code that is not licensed in the same way, has the created code broken the license agreement? There was a fascinating discussion during the Q&A, and it definitely has me thinking about such systems in a very new way.

Magda being amazing!

The last talk that I saw at the conference was presented by someone named Adam Berman, it was called “When is a Vulnerability Not a Vulnerability?”. For those of you who have followed me a long time, you would know that I wrote a blog post with that exact title in 2018 (read it here). My post was about when vulnerabilities are reported to bug bounty programs, but they are not exploitable/do not create business risk, is it really a vulnerability? In it I explored a ‘neutered’ SQL injection attack, and of all the posts I have ever written, it has received by far the most scrutiny.

That said, although there was a similar slant, it was definitely not based on anything I have written or spoken on. Which made it extra-exciting for me!

Adam works at R2C (who make SemGrep), so all of the research came from them. In April of this year, I will be co-presenting a workshop at RSA with Clint Gibler (of R2C and TL;DR Sec fame) about ‘How to Add SAST to CI/CD, Without Losing Any Friends’ (no link available at this time). We will be using SemGrep to demo all the lessons, so I was extra-curious to see Adam speak!

Brian presenting SemGrep

Adam’s talk was all about traceability in Software Composition Analysis (SCA). A recurring issue that happens when you work in AppSec is developers not having enough time to fix everything we ask them to. We (AppSec folks) are constantly trying to persuade, pressure, demand, and even beg developers to fix the bugs we have reported. One of the most convincing ways to get a developer to fix a bug is by creating an exploit. But that is VERY time consuming! It’s not realistic for us to create a proof-of-concept exploit for every single result that our scanners pick up. Layer on top of this the fact that automated tools tend to report a LOT of false positives, and this leads many developers to question if they absolutely need to fix something, or if “maybe we can leave it until later”. And by “later” I mean “never”.

If you scan an application with an SCA tool, most of them will tell you if any of the dependencies in your application are ‘known to be vulnerable’. They do this by checking a list of things they know are vulnerable (they create this list in many ways, and Adam covered that, but that part is not the exciting part, you can learn that anywhere). Think of the SCA tool working like this: “Are you using Java Struts version 2.2? Yes? It’s vulnerable! I shall now report this to you as a vulnerability!” But just because the dependency has a vulnerability in it, it doesn’t necessarily mean that your application is vulnerable, and herein lies the problem.

More Brian!

If your application is not calling the function(s) that have the vulnerability in them, then your app shouldn’t be vulnerable (in most cases this is true, there are rare exceptions, specifically Log4J: Log4Shell fired from ordinary logging calls whenever attacker-controlled text reached the logger, so “we never call the vulnerable function” was the wrong question to ask for that one). Previously, SemGrep released a blog post about this (you can read it here), and they claim that approximately 98% of all results from SCA tools are false positives, because the vulnerable function within the dependency is never called from the scanned app. Which means there’s no risk to the business. Which means it’s a false positive. It’s still technical debt, which is not great, but it’s not a great big hole in your defenses, and that’s a very different (and much less scary) problem.

If you’ve been begging developers to update all sorts of dependencies, imagine if you reduced your number of asks by 98%? And you could show them where their app is calling the problematic function? That conversation would likely be a lot less difficult. In fact, I bet the developers would jump to fix it. Because it would be obvious that it’s a real risk to the business.
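To make the “version match versus reachable call” distinction concrete, here is an added example that is not from Adam’s talk and is not Semgrep’s code: a toy reachability check in Python. The advisory list, the lockfile and the application source are all constructed for illustration (the package names `imgtools`, `yamlish` and `logfmt`, and their versions and functions, are made up). It first does what a plain SCA tool does (match pinned versions against advisories), then walks the app’s syntax tree to see whether any flagged function is actually called, and records the line so you can show a developer exactly where. The `logfmt` advisory is marked as a Log4Shell-style case where reachability does not apply, so it is reported regardless.

```python
"""Added example (not from the talk or from Semgrep): a toy reachability
check layered on top of a version-match SCA result.

Everything below is constructed for illustration: ADVISORIES is a hand-written
list, not a real vulnerability feed, and LOCKFILE / APP_SOURCE are made-up inputs.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass
class Advisory:
    package: str
    affected_versions: set[str]
    vulnerable_symbols: set[str]      # "module.function" names known to be unsafe
    # Log4Shell-style flaw: triggered by ordinary use (any log call carrying
    # attacker data), so "is the bad function called?" is the wrong question.
    reachability_applies: bool = True


ADVISORIES = [
    Advisory("imgtools", {"1.2.0", "1.2.1"}, {"imgtools.load_svg"}),
    Advisory("yamlish", {"0.9"}, {"yamlish.unsafe_load"}),
    Advisory("logfmt", {"2.14.0"}, {"logfmt.info"}, reachability_applies=False),
]

LOCKFILE = """\
imgtools==1.2.1
yamlish==0.9
logfmt==2.14.0
requests==2.31.0   # constructed: pinned but has no advisory here
"""

APP_SOURCE = '''
import logfmt
from imgtools import load_png
import yamlish

def handle_upload(data):
    logfmt.info("upload: %s", data)      # constructed: logs user input
    return load_png(data)                # load_svg (the flagged one) is never called

config = yamlish.unsafe_load(open("cfg.yml"))
'''


def parse_lockfile(text: str) -> dict[str, str]:
    """'pkg==ver' lines -> {pkg: ver}; comments and blank lines are skipped."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            pkg, ver = line.split("==", 1)
            pins[pkg.strip().lower()] = ver.strip()
    return pins


def called_symbols(source: str) -> dict[str, list[int]]:
    """Fully-qualified names of functions the source calls, with line numbers.

    Resolves `import m`, `import m as x` and `from m import f [as g]`, then
    inspects every Call node. Dynamic calls (getattr, importlib, reflection)
    are invisible to this walk, which is one way reachability can under-report.
    """
    tree = ast.parse(source)
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    calls: dict[str, list[int]] = {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, name = node.func, None
        if isinstance(f, ast.Name) and f.id in aliases:
            name = aliases[f.id]                       # from m import f; f()
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            base = aliases.get(f.value.id)
            if base:
                name = f"{base}.{f.attr}"              # import m; m.f()
        if name:
            calls.setdefault(name, []).append(node.lineno)
    return calls


def triage(lockfile: str, source: str) -> dict[str, str]:
    """Version-match first (what plain SCA does), then decide reachability."""
    pins = parse_lockfile(lockfile)
    calls = called_symbols(source)
    verdicts: dict[str, str] = {}
    for adv in ADVISORIES:
        if pins.get(adv.package) not in adv.affected_versions:
            continue                                   # not even version-matched
        hits = {s: calls[s] for s in sorted(adv.vulnerable_symbols) if s in calls}
        if not adv.reachability_applies:
            verdicts[adv.package] = "reachable (triggered by normal use, fix now)"
        elif hits:
            where = "; ".join(f"{s} at line(s) {ln}" for s, ln in hits.items())
            verdicts[adv.package] = f"reachable: {where}"
        else:
            verdicts[adv.package] = "version match only (tech debt, no exploitable path)"
    return verdicts


if __name__ == "__main__":
    for pkg, verdict in triage(LOCKFILE, APP_SOURCE).items():
        print(f"{pkg:10} {verdict}")
```

Running it reports `imgtools` as a version match only, `yamlish` as reachable via `yamlish.unsafe_load` on line 10, and `logfmt` as reachable because reachability does not apply to that advisory. The part this toy skips is the expensive part Adam was describing: a real tool has to do this across the whole transitive dependency graph (your code calls library A, which calls the vulnerable function in library B), handle dynamic dispatch, and know for each advisory which symbols are actually dangerous.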

This is a BIG CLAIM, so I wanted to hear the details in person. And I did!

Moi

Because this was an OWASP event, Adam couldn’t just say “Yo, SemGrep is awesome, buy our stuff”. If he did that it would also make for a not-very-entertaining-or-believable presentation. Instead, he explained HOW to do this yourself. And just how much work it is. Spoiler alert: it’s a lot of work.

Although I would love to provide the technical details for you, I have to admit that I was almost falling asleep the entire time because of the “absolutely no sleep” situation from the night before with the crying baby. I must have yawned 100 times, and I was more-than-a-little concerned I may have offended the speaker! That said, I can’t give you the details, but I will post a link here as soon as I have it so you can watch Adam explain. He’s better at explaining it anyway!

Then I went to bed (at 4:00 pm, and I slept all the way until 5:00 am the next day!). After that I headed to the airport, flew home, and wrote this on the plane! I hope you enjoyed my summary of my experience at OWASP Global AppSec 2023, held in Dublin, Ireland, February 14th and 15th, 2023.

– fin –

Tanya on stage

Sharing Another Talk with the Community

Me, delivering this talk for the first time, on stage.

Three years ago I decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). At the time, I only shared one, because… I ran out of time. Now it’s time to share the second talk, “Security is Everybody’s Job!” By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or ask for my consent. You can even charge money to give the talk! Please, just teach people about security.

In efforts to ensure anyone who presents my material has a good experience I made a GitHub repo with an instructional video of what to say, a readme file with written instructions and links so you can watch me do the talk myself.

Me, delivering this talk for the first time, on stage, at DevOpsDays Zurich, in beautiful Switzerland.

I’ve had a few people ask me why I would do this, and there are a few reasons.
* To spread the word about how to secure software; it’s important to me to try to make the internet and other technologies safe to use.
* To help new speakers (especially from underrepresented groups). If they have something they can present, with instructions they can follow, hopefully it will help make them more confident and skilled at presenting.
* To share knowledge with my community in general: sharing is caring, yo.
* The more people who present my talk the more people who may decide to follow me. SO MUCH WIN!

You can give this talk at any IT meetup, especially DevOps, InfoSec or any software development meetup.

Please go forth and teach AppSec! And if you have feedback I want to hear it!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

Presentation Tips for Technical Talks

Me with Solomon Sonya, at sector 2021 !

In the past few years I’ve given and watched several technical talks, and they are not all created equal. Recently I met with Teuta H Hyseni to talk about an upcoming talk she was planning (securing AI and ML, very interesting!), and afterwards I made several notes about general tips for technical talks that I have shared below.

Me with Solomon Sonya, at #sectorca #sector2021 !
  1. The first thing I always do is explain what the talk is about, so audience members know if they want to stay or go. If some people walk out it’s okay, your talk wasn’t for them anyway. For everyone else, it will reaffirm they are in the right room.
  2. Whenever you say the name of a product the first time, make sure you say it very clearly, especially if the audience’s first language is not the same as the language you are giving your talk in.
  3. Always explain what every acronym means the first time you use it. If it is a core component of your talk, if it’s not too clumsy, say the full name of it twice or even three times, throughout the talk.
  4. If there is one new key concept that you want the audience to take away from your talk, explain it 3 times, in different ways. Abstract concepts are very difficult for people to learn at first, and explaining it a few different ways, and repeating it, will ensure that people learn it.
  5. If you put a bunch of words on the screen people will read it, as soon as you show the slide. They will not listen to you until you are done reading. So either use images and explain, then put text, or give the audience a few seconds to read what you wrote. Trust me, 90% of the audience will read the text and not listen, so change your slides accordingly.
  6. When you introduce yourself pronounce your name very clearly and slightly slowly, especially if it’s a bit unusual/not common in the area you are presenting.
  7. Audiences tend to like stories that tie together technical points. If you are trying to tell them “Don’t roll your own crypto” follow it up with a story about how disastrous it was when you saw it done. It helps drive the point home. *Extra points if the story is funny or is very interesting or otherwise special.*
  8. Try not to put too much on one slide, slides are free, just make more.
  9. Ensure that your text is large enough for the audience to read, especially code. If possible, try to put your slides up on the big screen in advance, walk to the back of the room, and see if you can read your own slides.
  10. Remember that your audience is smart, but might not know your topic well, so try hard to explain what each part is, unless you are at a speciality/advanced conference on that topic. For instance, when I give security talks at developer conferences I always try to remember my audience is very smart, but they are not likely experts in security, so explain each point well, even the basic ones. I don’t want to leave anyone in the audience behind, and neither do you.
  11. Put a summary slide at the end. People will likely take photos of it. If you see people with their cameras/phones up, try to give them enough time to take the photo(s) of your slide(s).
  12. If possible, use imagery to explain your concepts more clearly. Personally I’m weak in this area, but whenever I see someone else do it well I remember that I need to try harder to do that whenever possible.
  13. If possible give explanations of why the audience should or should not do something. For instance: “do not feed machine learning systems data from the internet, it has to be clean”, but what does “clean” mean? Instead we could follow that with “Clean datasets could include survey data, customer data, and data purchased from social media platforms”.
  14. Practice to ensure you are approximately the right length. Factor in the fact that you will likely go a bit fast. Ending late or very early is not good, you don’t want your talk to bleed into the next speaker’s allotted time (that is very rude) and you also don’t want the audience to feel they didn’t get enough of you. If you go under, perhaps use that time for Q&A.
  15. Take a breath in-between each major point — so the audience has time to digest the info, and so that you can breathe.
  16. If you see the audience’s eyes sort of closing a bit, this likely means they are tired or their “brains are full”. This might be from all the previous talks, or yours, but it likely means they are having trouble keeping up. It generally does not mean that you are boring.
  17. If you see many people playing with their phones this can be good or bad. Sometimes they are taking notes or tweeting about you, but other times they are just distracted. If you happen to be good at telling jokes, this would be an ideal time to briefly stop and tell a joke, to get their attention back. **This approach is not for everyone, and you have to know for sure that you are funny. A bad joke will potentially make people leave.**
  18. Many people like to hear about where the future will go in your area of expertise, if you have some guesses, perhaps share them?
  19. Unless your talk is “an intro to xyz” or level 101, don’t spend more than 10 minutes of your talk giving background on the topic. If I go to a cryptocurrency talk and they spend 30 of the 50 minutes talking about the origins of bitcoin, I’m going to play with my phone and wait for the talk to actually start.
  20. If you feel comfortable, give a rough outline of your talk right at the start, then the audience knows what to expect.
  21. If possible, have links from your talk to longer videos or blog posts that go deeper into specific topics. Even if the videos or blogs are not yours, if they are good, it’s nice to give the audience more if they want more.
  22. At the end of your talk always say thank you (the audience could have done 100 other things with the time they just gave to you), and then pause to allow them to clap. Whenever a speaker doesn’t give the audience a space to clap I always feel so awkward. Don’t ask “Any questions” immediately at the end, allow the audience to thank you.
  23. Practice on someone you trust, get feedback, make adjustments, repeat. Do this until you know your talk is awesome and you will be a smashing success!

I hope you find these tips helpful!

Other relevant articles & videos by yours truly!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

Sharing talks with the InfoSec & IT Community and Industry

Artwork by Ashley McNamera

I recently decided that I would share most of my talk content with my community (everything that I am not currently applying to conferences with). By “share” I mean give my express permission for anyone, anywhere, to present content that I have written, with no need to pay anything or ask for my consent. You can even charge money to give the talk, but if you do I kindly ask you make a donation to the OWASP DevSlop Project or WoSEC.

OWASP Bat Signal, Image created by Ashley McNamara

I’ve had a few people ask me why I would do this, and there are a few reasons.
* To spread the word about how to secure software; it’s important to me to try to make the internet and other technologies safe to use.
* To help new speakers (especially from underrepresented groups). If they have something they can present, with instructions they can follow, hopefully it will help make them more confident and skilled at presenting.
* To share knowledge with my community in general: sharing is caring, yo.
* The more people who present my talk the more people who may decide to follow me. SO MUCH WIN!

The first talk I decided to release is called “Pushing Left, Like a Boss”. It’s an intro to application security that I’m told is very accessible for technical and non-technical audiences alike. My mom watched me do this talk and said “I finally understand what the IT Security people are talking about at work and why they were bothering me!” You could do this talk at almost any IT meetup and they are likely to find value; it’s also great for a lunch and learn at work with software developers or other IT staff. Topics covered include: threat modelling, pentesting, code review, creating a secure system development lifecycle, and how to figure out the most secure way to do whatever you are trying to do. Talk difficulty level: 101/intro. Also, this talk is based on the Pushing Left, Like a Boss blog series.

In efforts to ensure anyone who presents my material has a good experience I made a GitHub repo with an instructional video of what to say, a readme file with written instructions and links so you can watch me do the talk myself.

Please go forth and teach AppSec! And if you have feedback I want to hear it!

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!

More Tips for Social Media and Presenting

Last week I had a meeting with some of the wonderful ladies from WoSEC (Women of Security) to give them some tips on how to not feel strange when ‘bragging’, how to set goals for using social media, and how to avoid “taking shit” during question period after a talk. I made a video and it is linked below, however this article contains all the tips that I missed in the video.

I previously released the following relevant articles & videos:

Presentation and Social Media tips with SheHacksPurple

  1. On social media you will often receive the same questions over and over. Keep track, and then write a blog post or make a video about it, just like this one. Then share the link each time, instead of writing an individual letter each time. You will save yourself lots of time, but also give a much, much better answer to the person who is asking.
  2. Don’t assume your audience can read your mind, ask for what you want. I need to remind myself of this constantly. Example: my old startup, Security Sidekick, created our own Twitter account. I really wanted people to follow us, and I was tweeting and sharing things and then remembered “ask for what you want”, so I just politely asked my followers to follow us and we got 600 new followers over night. I felt so silly that it took me 6 weeks to think about *just asking*. You can ask for things too.
  3. If you do public speaking, thank your audience after. In person and on social media. This is not only polite, but the right thing to do.
  4. Create goals regarding your social media, and personal brand. Why are you doing all of this? What are you trying to achieve? Then remind yourself when you are making decisions what you are trying to achieve. For instance, I use social media to promote my content (I want people to attend my talks, read my blog, etc), I want to help bring people into our industry (see #CyberMentoringMonday), and I want to help other women excel in our industry (and other’s who are underrepresented in infosec). For helping other women I realized that it would be better if I created a second account, and @WoSECtweets was born. Figure out what you really want, and then use social media as a tool to get it.
  5. People want to see your content. You are not “bragging” by telling them about it, you are helping them find it. If you don’t tell them about it, they won’t know, and why did you bother writing it if you don’t want anyone to see it? The same goes for speaking, people want to know, that’s why they are following you. If you feel bad or like you are “bragging”, then ask a friend, talk about it, and hopefully they can reassure you. It’s okay to be proud. It’s okay to make announcements. It’s okay to share what you have created. I promise, it’s okay.
  6. Schedule important tweets and make sure you have 1 in AM and another one in PM, so it reaches more than 1 timezone. Showing up in someone’s feed means they might discover you, like your messages, and read your content. It’s win-win, and very little effort. Also: it’s okay to tweet things more than once, because of the way twitter works lots of people will miss it. Don’t tweet it 10 times, that’s annoying, but find a balance, tweeting the same thing more than once is 100% advised. Thanks to Chad Fowler for teaching me it’s a great idea to tweet something more than once.
  7. Invite people on LinkedIn to follow you on twitter. Invite people on Twitter to connect with you on LinkedIn. Link on your blog to your social media handles, etc. Cross promotion.
  8. If someone asks you questions aggressively after a talk, don’t shrink away. Stand tall, be polite but clear. YOU are on stage, you are the authority. Don’t let someone try to turn the tables on you. If someone is talking for more than 30 seconds, ask them politely “is there a question in there?”, this can help them get to the point. If they disagree with you, that’s okay, you can counter with “I’d love to hear more about your perspective, let’s take it offstage / let’s talk after the session”. If someone is being particularly difficult feel free to cut them off and then re-route the questions to a different section of the audience by physically turning to the other side of the room so they know they are being dismissed and saying “I feel I’m ignoring this side of the audience, do you have any questions?”. Quite often it is a misunderstanding when things like this happen and they actually agree with you, or they are just trying to paraphrase what you said. If so, take it in a good way and say “Yes, exactly! I’m glad we agree”. This is a great way to twist things back around in your favour, and end the conversation. Remember, the audience wants to see you succeed, they are on your side; it makes everyone uncomfortable if things go poorly during question period, so stand up for yourself if for no other reason than to save your audience from feeling uncomfortable for you. Please note: always assume good intent and you will avoid these types of situations 99% of the time.
  9. Share your slides after your talk and tweet them at the audience. I use SlideShare, but you can use whatever you like. Sharing is caring, yo.
  10. If you forget something during a presentation, no one knows. Don’t feel bad about it, act in a good way, and take it lightly.
  11. LinkedIn has a far lower engagement ratio, but you should still post important things there. Don’t be afraid to share, even though it may feel intimidating at first because most of the people you know aren’t posting there; it will set you apart.
  12. Balance personal and professional tweets. It’s not bad to share personal things, but don’t make it most of your tweets if your goal is to also use your social media for professional reasons.

For content like this and more, check out my book, Alice and Bob Learn Application Security and my online community, We Hack Purple!