Hire Tanya Janca to speak at corporate events or train your teams! She will teach, entertain, discuss and advocate for all things security at your events, with an NDA in place so your team can speak freely about real issues. See below for her extensive list of conference talks, delivered at events all over the world. If there is no video below a talk, there isn’t a public recording currently available.
For bookings, email: tanya@shehackspurple.ca
Download a PDF list of talks currently offered here.
- Threat Modeling Developer Behaviour: The Psychology of Bad Code – 2025
- The OWASP Top Ten 2025
- Secure Code Is Critical Infrastructure – Hacking Policy for the Public Good – 2025
- The AppSec Poverty Line: Minimal Viable Security – 2025
- Red Teaming AI: 50 years of failure, but this time, for sure! (with Adam Shostack) – 2025
- Artificial Risks: AI, Games, and Threats – 2025
- Security Champion Worst Practices – 2025
- Who Hurt You? Earning the Trust of Developers – 2024
- Seatbelts for Web Apps (Security Headers) (with Scott Helme) – 2024
- Shift Left Doesn’t Mean Anything Anymore – 2024
- Using Artificial Intelligence, Safely – 2024
- Maturing Your Application Security Program – 2024
- 30 Tips for Secure JavaScript – 2024
- Top Tips for Python Security – 2024
- Introduction to Threat Modelling – 2024
- Becoming a Security Champion – 2023
- Adding SAST to CI/CD, Without Losing Any Friends – 2023
- DevSecOps Worst Practices – 2023
- Secret Hunting – 2023
- Shifting Security Everywhere – 2023
- Incident Response, for Developers & DevOps – 2021
- Top Ten Security Tips for APIs – 2022
- Building Security Champions – 2021
- Security Metrics that Matter – 2021
- Security In the Wild – Secure Design Concepts – 2021
- Personal Branding: Being Yourself, But More! – 2021
- Your Career in AppSec! – 2021
- DevSecOps: More Than Just Pipelines – 2020
- Purple is the New Black: Modern Approaches to Application Security – 2020
- DevSecOps with OWASP DevSlop – 2019
- DIY Azure Security Assessment – 2019 (Written by Tanya Janca and Teri Radichel)
- Cloud Native Security; Explained – 2019
- Are You Ready for the Worst? Application Security Incident Response – 2019
- Security Learns to Sprint – 2018
- Security is Everybody’s Job – 2018
- XSS Deep Dive – 2018
- Why Can’t We Build Secure Software? / Insecurity in Information Technology – 2017
- Pushing Left, Like a Boss – 2016
Threat Modeling Developer Behaviour: The Psychology of Bad Code – 2025
Security teams threat model systems, but rarely do we threat model the developers building them. What if some of the most persistent AppSec problems aren’t purely technical—but behavioral?
This talk dives into the psychology of insecure code, using principles from behavioral economics to explain why developers take risky shortcuts, ignore secure practices, or ship code that “just vibes.” From copying insecure Stack Overflow snippets, to skipping documentation, to shipping untested features under tight deadlines—these aren’t personal failings. They’re predictable cognitive patterns influenced by incentives, stress, and how our brains are wired.
We’ll explore how well-known concepts such as present bias, automation bias, the bystander effect, and overconfidence play out in real-world development. Then we’ll shift from insight to action—offering behavioral nudges and design patterns you can apply in your SDLC, tools, and team culture to make secure behavior the default.
This talk blends psychology, security, and dev reality to reframe AppSec—not as a checklist, but as a human system.
The OWASP Top Ten 2025
The OWASP Top Ten has been one of the most influential resources in application security for more than two decades — shaping training, security programs, and procurement decisions around the world. In this session, we’ll unveil the newest edition of the OWASP Top Ten Critical Risks to Web Applications, explain how it was built through community input and real-world data, and show what these changes mean for you.
We will cover all ten risks, focusing more time on the new and expanded items, as well as covering 3 ‘honourable mentions’ (#11, #12, and one that we do not have data to support). We’ll wrap up with practical guidance on how to use the Top Ten in your own programs (not as a compliance checklist, but as a strategic awareness tool).
Whether you’re an application security engineer, developer, or in management, this is your chance to get ahead of the curve and help shape the conversation: the writing is open for comment, and your feedback will make a difference.
Secure Code Is Critical Infrastructure – Hacking Policy for the Public Good – 2025
What happens when a security professional tries to help a government fix its insecure software? In this talk, I’ll share my story: from writing a secure coding policy and offering it to the Canadian government, lobbying elected officials, contacting agencies like CRA about their poor security practices—and being met with silence, deflection, or outright dismissal. I didn’t stop there. I wrote public letters, went on podcasts, published on Risky Biz, even got interviewed by CBC. But the institutions in charge of protecting our data? Either silence or “No comment, because security.” This isn’t just a rant—it’s a roadmap. I’ll show you the secure coding guideline I created (free to reuse), explain why governments need public-facing AppSec policies, and outline how we can push for secure-by-default practices as citizens, hackers, and builders. Because secure code isn’t just for dev teams—it’s for democracy, privacy, and public safety. Let’s make it law. Let’s make it public.
The AppSec Poverty Line: Minimal Viable Security – 2025
Not every team has a security budget. Not every project has a dedicated AppSec engineer. But every product exposed to the internet needs some level of security to survive.
This talk explores what I call “The AppSec Poverty Line”, also known as “Minimal Viable Security” — the minimum viable set of practices, tools, and cultural shifts that under-resourced dev teams can adopt to meaningfully improve application security. Whether you’re a startup with no security hires, an independent dev, or part of a team that doesn’t have a security budget, this talk will help you prioritize what actually matters.
We’ll cover practical approaches to getting from zero to secure-ish, with a focus on:
• Training developers to write more secure code, and spot unsafe code
• Cultivating a security-positive culture
• Leveraging open-source tools that punch above their weight
• Knowing when “good enough” really is enough — and when it’s not
Attendees will leave with a roadmap for building real-world security into their product lifecycle — without breaking the bank or burning out the team. Because even if you’re below the AppSec poverty line, you don’t have to be defenseless.
Red Teaming AI: 50 years of failure, but this time, for sure! (with Adam Shostack) – 2025
After 50 years of pen testing, it’s still hard to build secure systems. “Penetrate + patch” never worked. Shifting left, including threat modeling, is finally making headway. Securing LLMs is both challenging and painful because code and data are intermingled. This session will discuss how to deliver AI that’s secure by design, via threat modeling and achievable strategies. (Video not yet available)
Artificial Risks: AI, Games, and Threats – 2025
The integration of artificial intelligence (AI) in game development has revolutionized the gaming experience, offering enhanced interactivity, immersive storytelling, and adaptive gameplay. However, the pervasive use of AI in games also poses several risks and challenges. This conference talk aims to shed light on the potential risks associated with AI in games and present strategies to utilize AI safely and wisely. By understanding these risks and implementing effective methods, game developers can harness the power of AI without compromising security or ethical standards. This talk will discuss the various risks associated with AI in games, explore best practices for incorporating AI safely, and share valuable tips and tricks to ensure responsible and intelligent AI usage.
Security Champion Worst Practices – 2025
Security champion programs are all the rage right now, but they aren’t a magic bullet; they are a lot of work and more than half of them fail. We want to scale our security programs and improve security culture and communication, but what happens when our champions are less than enthused? When there’s no support from management? When we can’t get enough buy-in? Let’s look at when things go WRONG with security champions programs, with this list of WORST practices, and how to avoid each one.
Who Hurt You? Earning the Trust of Developers – 2024
The security team plays a vital role in improving the security posture of an organization. However, it is equally important that the software developers contribute to securing all of the applications their organization creates and maintains. If there is an absence of trust and buy-in between security professionals and developers, it can hinder progress, create vulnerabilities, and limit growth within organizations. In this thought-provoking talk, we look at the reasons behind a lack of trust and explore the importance of establishing buy-in and trust for success. We delve into why we cannot succeed without trust, effective strategies and tactics, and specific and actionable advice on what to do and what NOT to do. Together, let’s rebuild trust, mend grievances, and unlock our true potential for success by changing the way we run our AppSec programs. (This talk is interactive and requires audience participation.)
Seatbelts for Web Apps (Security Headers) (with Scott Helme) – 2024
Imagine you could add one line of code to your app that would prevent one or more types of cyber attack. Would you add it? You are likely to think “Of course!”, but if you look at web apps across the internet you will find that for most, security headers are missing in action. Let’s talk about how to mitigate several types of attacks using the latest and greatest security headers!
Shift Left Doesn’t Mean Anything Anymore – 2024
Our job is to make the software more secure. It’s not to find all the bugs. It’s not to deploy tools. It’s not to spend money or write checks. It’s not to be frustrated with developers. It’s not to be “right”. It only matters if we reduce organizational risk. If we are not doing that, regularly and consistently, we are failing.
Using Artificial Intelligence, Safely – 2024
Artificial intelligence is increasingly prevalent in software development, and as a result its safe and responsible use has become critical. We will dive into risks, such as unchecked decision making, AI agency, lack of validation, broken or missing oversight, and sensitive data exposures. We will also provide constructive insights on leveraging AI for code development, vulnerability detection, threat modeling, design assistance, and more. Through real-life examples and practical advice, this session will help you develop with AI, safely.
Maturing Your Application Security Program – 2024
After working with over 300 companies on their application security programs, the most common question I receive is “what’s next?” They want to know how to mature their programs, and when they look at the maturity models available, they find them intimidating and so far beyond their current maturity level that they seem impossible. In this talk I will take you through 3 common AppSec program maturity levels I have encountered over the years, with practical and actionable next steps you could take immediately to improve your security posture.
30 Tips for Secure JavaScript – 2024
In this talk, we will cover 30 tips for writing more secure JavaScript, emphasizing what to do, what NOT to do, and utilizing open-source tooling to enhance security. JavaScript is not only the most popular web programming language, but it also faces security threats like XSS and code injection, meaning we need to ensure our JavaScript is tough, rugged, and secure. We’ll touch only upon items that are specific to JavaScript, as opposed to agnostic topics that apply to all languages, such as encryption or authentication. By the end, you’ll gain insights into selecting the best framework, adopting secure coding practices, and leveraging tools for web application security, catering to both seasoned developers and beginners seeking practical guidance.
Top Tips for Python Security – 2024
In the realm of writing secure Python code, it’s not only about functionality and performance; it’s equally vital to shield your application and users from potential threats and vulnerabilities. Given Python’s immense popularity, it becomes even more essential that we acquire the skills to build secure, dependable, and robust applications. Join me in this talk as we embark on a shared journey to master the art of secure Python coding. Together, let’s empower ourselves to create a safer digital world.
Introduction to Threat Modelling – 2024
In this introductory lesson Tanya covers threat modelling: what it is, how you get started, why it is an important part of application security, and more. She covers Adam Shostack’s Four Question Frame, STRIDE and STRIPE, Attack Trees, DREAD, identifying threats, what to bring to a threat model, and how to tell if you’ve done ‘enough’. At the end the audience will do a short threat model, together.
Becoming a Security Champion – 2023
Are you curious about security? Do you want to learn more? Better yet, would you like to HELP? Have you ever considered becoming a security champion? This talk will tell you everything you need to know in order to help you make the right decision! We will cover learning, communicating, advocating, how to lead by example, and how to be a great corporate citizen. (No recording available – this talk helps recruit security champions.)
Adding SAST to CI/CD, Without Losing Any Friends – 2023
Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this hands-on workshop we will discuss multiple options for adding static application security testing (SAST) to your CI/CD, in ways that won’t compromise speed or results, such as learning which results can be safely ignored, writing your own rules, company-specific checks, scanning PRs instead of commits, splitting blocking scans versus deep audit scans, etc. We will also cover ways to continuously find vulnerabilities. (No recording available)
DevSecOps Worst Practices – 2023
Quite often when we read best practices we are told ‘what’ to do, but not the ‘why’. When we are told to ensure there are no false positives in the pipeline, the reason seems obvious, but not every part of DevOps is that intuitive, and not all ‘best practices’ make sense at first blush. Let’s explore tried, tested, and failed methods, and then flip them on their head, so we know not only what to do to avoid them, but also why it is important to do so, with these DevSecOps WORST practices.
Secret Hunting – 2023
Secrets are what computers use to recognize (authenticate) each other. Think of it as the computer equivalent of you showing your driver’s license to someone, but digital. Unfortunately, malicious actors have figured out various ways to detect secrets in our code, and then use them against us (theft, blackmail, data breaches, mining cryptocurrency using our cloud resources, etc.). Let’s talk about how to find secrets, rotate them, and then change our apps to manage and access them SAFELY. Let’s go hunting for secrets, together!
Shifting Security Everywhere – 2023
As an AppSec pro, you may feel that marketing has ruined the meaning of ‘shift left’. It was supposed to mean ‘starting security as early as possible in the SDLC’, but was transformed into “buy our product, put it in your CI/CD, then your apps will be secure”. But we can’t just throw a bunch of tools into a CI/CD and call it a day. With this in mind, let’s focus on comprehensive programs, developer buy-in, and making security work for the entire business, by shifting security everywhere.
Incident Response, for Developers & DevOps – 2021
Learn the 5 things that you, as a software developer, need to know during an emergency: how not to ruin the chain of custody, how to follow ‘need to know’, how to spot an incident in progress, and why you should NOT try to be a hero.
Top Ten Security Tips for APIs – 2022
APIs are being attacked by bots all the time and abused all over the internet. Even without a front end, APIs are still a big target for malicious actors. How do we fight this? In this talk we will cover all the best practices for making your APIs tough and safe! P.S. There are more than ten.
Building Security Champions – 2021
With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?
This session will teach you:
- How to attract the right people to your program
- What and how to train them
- How to engage them, and turn them into security advocates
- What to delegate and what NOT to delegate
- What to communicate, how often, and to whom
- How to motivate them
- How to build an AMAZING security champion program
Security Metrics that Matter – 2021
We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.
Security In the Wild – Secure Design Concepts – 2021
Have you ever wondered why the security team has asked you to do something? Why the security policies demand this or that? Understanding key secure design concepts will ensure you know where they are coming from, and how you can do your job better, every day. Let’s explore 8 fundamental secure design concepts together via our everyday lives, in this discussion-based session. After this discussion, you will never look at security the same again!
Concepts explored: Assume Breach, Zero Trust, Defense in Depth, Least Privilege, Supply Chain Security, Security by Obscurity, Attack Surface Reduction, Usable Security.
Personal Branding: Being Yourself, But More! – 2021
Let’s face it—people Google you. Whether it’s a potential employer, a conference organizer, or someone who just heard you speak, your online presence often makes the first impression. That’s why building your personal brand is so powerful. It’s not about being fake or flashy—it’s about showing the world who you truly are, and making sure the right people see it.
In this talk, we’ll explore how sharing your work, your wins (yes, you’re allowed to brag!), and even your learning journey can open doors you didn’t know existed. From using social media with intention, to creating content that reflects your voice, to simply showing up online as you, personal branding can supercharge your career. Whether you’re just getting started or want to take things to the next level, come learn how to put your best foot forward—and have fun doing it.
Your Career in AppSec! – 2021
There are many different jobs and career paths in the IT Security field and today we’re going to discuss application security, from start to finish. What IS IT? Is it right for you? How do you get started? Are there a lot of jobs in this niche of security? (spoiler alert: there are lots of jobs!). Our industry needs you, and this presentation will try to sway you towards a software-security-focused role!
DevSecOps: More Than Just Pipelines – 2020
Although DevSecOps is currently a favorite industry buzzword, many of us have limited knowledge on how to “do” it. Most vendors are selling mini versions of their tools meant to squish into your already crowded pipeline, and calling it a day. This talk will define DevSecOps, then discuss several strategies (high-level ideas) and tactics (hands on keyboard) for fast and effective application security practices in a DevOps environment, all of which will take place OUTSIDE your pipeline.
When AppSec professionals operate in a DevOps environment they need to respect ‘the 3 ways’ (efficiency of the entire system, fast feedback and continuous learning), while ensuring they consistently release secure software. The current trend in this area is to add mini or partial versions of traditional security tools into your pipeline, breaking builds and/or slowing developers down immensely. For a change of perspective, this talk will detail how to implement a complete application security program without heavy reliance on pipelines.
Purple is the New Black: Modern Approaches to Application Security – 2020
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.
DevSecOps with OWASP DevSlop – 2019
The OWASP DevSlop team is dedicated to learning and teaching DevSecOps via examples, and “Patty the Pipeline” is no exception: we ensure all the 3rd party components are known-secure, retrieve secrets from a secret store, and the code must pass negative unit tests, dynamic application security testing (DAST), static application security testing (SAST), and encryption and infrastructure VA verification. This entire system/project is open-sourced as part of the OWASP DevSlop project on GitHub and as live streaming and recorded videos, so that developers can watch each of the lessons and add it to their own pipelines, giving them a head start on DevSecOps. The talk will consist mostly of a start-to-finish demo of each part of the pipeline. Tools showcased include SSL Labs, Key Vault, SonarCloud, Cred Scan, White Source Bolt, Azure DevOps Security Toolkit and OWASP Zap.
DIY Azure Security Assessment – 2019 (Written by Tanya Janca and Teri Radichel)
PenTesters, Blue & Red teamers, network admins and cloud enthusiasts: this talk will lay out from start to finish how to verify the security of your Azure and AWS implementations. This talk will be 80%+ demos of where to look, what to do, and how to prioritize what you find. Topics include: Azure Security Center, AWS Security Hub, Advanced Data Protection, Compliance Center, Just In Time Access Control, GuardDuty, and more.
Cloud Native Security; Explained – 2019
Have you ever wondered how security is different ‘in the cloud’? What does “Cloud Native” even mean? What is “Zero Trust”? Serverless? And how do we secure these things? How do we apply important security concepts such as least privilege? What is policy automation and how is it going to change my life? This talk is a whirlwind intro to securing cloud computing with audience participation and discussions of various new cloud security tactics.
Are You Ready for the Worst? Application Security Incident Response – 2019
No matter the size of your IT shop, if the first time you think about the security of the software is during a major incident, it’s not going to go well. I will teach developers and security teams to prepare for, manage, and hopefully prevent, application security incidents. Starting with preparation: do you have a proper application inventory? How do you manage your technology stack? Disaster recovery? Backup strategy? Do you have a WAF? Monitoring? Tools that are at the ready when the s* hits the fan? During an incident: who’s managing the incident? Do you know? What is triage? Who does the investigation? Do you have a “safe” place to do potentially destructive testing? This talk outlines an immediate plan for the audience to get started, with a list of open source tools the security team and/or developers will use to ensure that they are ready, for the worst.
Security Learns to Sprint – 2018
This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. We must build security into each of “The Three Ways”; automating and/or improving efficiency of all security activities to ensure we don’t slow down developers, speeding up feedback loops for security related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security, for both teams. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps!
Security is Everybody’s Job – 2018
In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job.
XSS Deep Dive – 2018
What IS Cross Site Scripting? Also known as ‘XSS’, cross site scripting is a web application vulnerability that allows an attacker to inject their own script into your application, manipulating your application into trusting it, as if their script was part of the application. The attack is then executed against users of your application in the browser. XSS is common, dangerous, and easy to find with automated tools, which is why it is #A6 on the OWASP Top Ten. This Application Security Lesson will teach you what XSS is, how to differentiate the 3 types of XSS, how to find it, and, most importantly, how to prevent it.
Why Can’t We Build Secure Software? / Insecurity in Information Technology – 2017
A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.
This session will explain how job insecurities can be brought out by IT leadership decisions, and how this can lead to real-life vulnerabilities in software. This is not a talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.
No more laying blame and pointing fingers; it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions, will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal-clear expectations.
Pushing Left, Like a Boss – 2016
With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.
