Hire Tanya Janca to speak at corporate events or train your teams! She will teach, entertain, discuss and advocate for all things security at your events, with an NDA in place so your team can speak freely about real issues.

For bookings email us at: info@shehackspurple.ca

Shifting Security Everywhere – 2023

As an AppSec pro, you may feel that marketing has ruined the meaning of ‘shift left’. It was supposed to mean ‘starting security as early as possible in the SDLC’, but was transformed into “buy our product, put it in your CI/CD, then your apps will be secure”. But we can’t just throw a bunch of tools into a CI/CD and call it a day. With this in mind, let’s focus on comprehensive programs, developer buy-in, and making security work for the entire business, by shifting security everywhere.

Shifting Security Everywhere, OWASP Global AppSec 2023, Dublin, Ireland

When DevSecOps Fails – 2022

DevSecOps has become the ultimate marketing buzzword, and is often suggested as a silver bullet to solve all software security issues. But what happens when things go wrong? This talk will cover what to do if you run into any of the most common pitfalls: false positives, slow tooling, lack of other SDLC security activities, unfixed bugs and lack of training & knowledge.

Adding DAST to CI/CD, Without Losing Any Friends – 2022

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this talk we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD, in ways that won’t compromise speed or results, such as limiting scope, using HAR files, using test subsets, etc. We will also cover several other options for automation of finding vulnerabilities in your web apps and APIs, all at the speed of DevOps.

Incident Response, for Developers & DevOps – 2021

Learn the 5 things that you, as a software developer, need to know during an emergency: how not to ruin the chain of custody, how to follow ‘need to know’, how to spot an incident in progress, and why you should NOT try to be a hero.

Top Ten Security Tips for APIs – 2022

APIs are being attacked by bots all the time, being abused all over the internet. Even without a front end, APIs are still a big target for malicious actors. How do we fight this? In this talk we will cover all the best practices for making your APIs tough and safe! PS There are more than ten.

Building Security Champions – 2021

With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to the questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

This session will teach you:

  • How to attract the right people to your program
  • What and how to train them
  • How to engage them, and turn them into security advocates
  • What to delegate and what NOT to delegate
  • What to communicate, how often and to whom
  • How to motivate them
  • How to build an AMAZING security champion program

Security Metrics that Matter – 2021

We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.

Demystifying PCI Compliance – 2021

Does your organization create apps that handle credit cards? This means you need to be PCI compliant. But it’s not all bad news! Imagine learning about PCI compliance, and having a good laugh at the same time. Join Tanya to learn only what you actually need to know in this talk, with memes and dad jokes to boot.

Secure Design Concepts – 2021

What the heck is your security team talking about? Learn all the concepts they throw around so freely, and how to apply them to the applications you build: Assume Breach, Zero Trust, Defense in Depth, Least Privilege, Supply Chain Security, Security by Obscurity, Attack Surface Reduction, Usable Security.

Personal Branding: Being Yourself, But More! – 2021

Social media, managing your image online, creating content, and why bragging is OK!

Your Career in AppSec! – 2021

There are many different jobs and career paths in the IT Security field and today we’re going to discuss application security, from start to finish. What IS IT? Is it right for you? How do you get started? Are there a lot of jobs in this niche of security? (spoiler alert: there are lots of jobs!). Our industry needs you, and this presentation will try to sway you towards a software-security-focused role!

DevSecOps: More Than Just Pipelines – 2020

Although DevSecOps is currently a favorite industry buzzword many of us have limited knowledge on how to “do” it. Most vendors are selling mini versions of their tools meant to squish into your already crowded pipeline and calling it a day. This talk will define DevSecOps then discuss several strategies (high level ideas) and tactics (hands on keyboard) for fast and effective application security practices in a DevOps environment, all of which will take place OUTSIDE your pipeline.

When AppSec professionals operate in a DevOps environment they need to respect ‘the 3 ways’ (efficiency of the entire system, fast feedback and continuous learning), while ensuring they consistently release secure software. The current trend in this area is to add mini or partial versions of traditional security tools into your pipeline, breaking builds and/or slowing developers down immensely. For a change of perspective, this talk will detail how to implement a complete application security program without heavy reliance on pipelines.

Purple is the New Black: Modern Approaches to Application Security – 2020

Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.

DevSecOps with OWASP DevSlop – 2019

The OWASP DevSlop team is dedicated to learning and teaching DevSecOps via examples, and “Patty the Pipeline” is no exception: we ensure all the 3rd party components are known-secure, retrieve secrets from a secret store, and the code must pass negative unit tests, dynamic application security testing (DAST), static application security testing (SAST), and encryption and infrastructure VA verification. This entire system/project is open-sourced as part of the OWASP DevSlop project on GitHub and as live streaming and recorded videos, so that developers can watch each of the lessons and add it to their own pipelines, giving them a head start on DevSecOps. The talk will consist mostly of a start-to-finish demo of each part of the pipeline. Tools showcased include SSL Labs, Key Vault, SonarCloud, Cred Scan, White Source Bolt, Azure DevOps Security Toolkit and OWASP Zap.

DIY Azure Security Assessment – 2019 (Written by Tanya Janca and Teri Radichel)

PenTesters, Blue & Red teamers, network admins and cloud enthusiasts, this talk will lay out from start to finish how to verify the security of your Azure and AWS implementations. This talk will be 80%+ demos of where to look, what to do, and how to prioritize what you find. Topics include: Azure Security Center, AWS Security Hub, Advanced Data Protection, Compliance Center, Just In Time Access Control, GuardDuty, and more.

Cloud Native Security; Explained – 2019

Have you ever wondered how security is different ‘in the cloud’? What does “Cloud Native” even mean? What is “Zero Trust”? Serverless? And how do we secure these things? How do we apply important security concepts such as least privilege? What is policy automation and how is it going to change my life? This talk is a whirlwind intro to securing cloud computing with audience participation and discussions of various new cloud security tactics.

Are You Ready for the Worst? Application Security Incident Response – 2019

No matter the size of your IT shop, if the first time you think about the security of the software is during a major incident, it’s not going to go well. I will teach developers and security teams to prepare for, manage, and hopefully prevent, application security incidents. Starting with preparation: do you have a proper application inventory? How do you manage your technology stack? Disaster Recovery? Backup strategy? Do you have a WAF? Monitoring? Tools that are at the ready when the s* hits the fan? During an incident: who’s managing the incident? Do you know? What is triage? Who does the investigation? Do you have a “safe” place to do potentially destructive testing? This talk outlines an immediate plan for the audience to get started, with a list of open source tools the security team and/or developers will use to ensure that they are ready for the worst.

Security Learns to Sprint – 2018

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. We must build security into each of “The Three Ways”; automating and/or improving efficiency of all security activities to ensure we don’t slow down developers, speeding up feedback loops for security related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security, for both teams. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps!

Security is Everybody’s Job – 2018

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job.

XSS Deep Dive – 2018

What IS Cross Site Scripting? Also known as ‘XSS’, cross site scripting is a web application vulnerability that allows an attacker to inject their own script into your application, manipulating your application into trusting it, as if their script was part of the application. The attack is then executed against users of your application in the browser. XSS is common, dangerous, and easy to find with automated tools, which is why it is #A6 on the OWASP Top Ten. This Application Security Lesson will teach you what XSS is, how to differentiate the 3 types of XSS, how to find it, and, most importantly, how to prevent it.

Why Can’t We Build Secure Software? / Insecurity in Information Technology – 2017

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.

This session will explain how job insecurities can be brought out by IT leadership decisions, and how this can lead to real-life vulnerabilities in software. This is not a talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.

No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal-clear expectations.

Pushing Left, Like a Boss – 2016

A fun introduction to AppSec; my most popular talk of all time!

With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.