This episode of Women in Cybersecurity features the amazing Tanya Janca, founder and CEO of the We Hack Purple Community and author of Alice and Bob Learn Application Security. Tanya is a powerhouse in the application security community, so I was thrilled to talk to her about her passion for sharing knowledge and techniques to advance our field.
Tanya has a computer programming background that goes back to her childhood, with aunts, uncles, and her dad in computer science. “I was programming in high school way before I went to college in computer science. I don’t know if that’s the regular little girl experience to have your uncle build you a computer that can talk to you or have them show you how to write little scripts in DOS,” she said.
She started her career as a software developer, with a brief stint in cybersecurity in 2007 working for the Canadian government on counter-terrorism activities. Though she went back into software development, she returned to cybersecurity in 2013 when she met a penetration tester (pen tester) who encouraged her to try pen testing, in which you simulate attacks on applications to verify that they are secure. (Be sure to watch the video or listen to the full interview to hear her story on how it started with her playing guitar. So many great things begin with playing guitar!) He mentored her and helped her get her first contract.
“Being able to program made it way easier to move into application security and pen testing because I can imagine the code behind the input box,” she said.
While sitting in with a security team to observe an incident, she could see the issue in the SQL code and volunteered to write a script to de-obfuscate it. None of the security team members wrote code, so they put her on the response team.
After working for Microsoft as a senior cloud advocate specializing in application security, she left to start her own company with her friend. Her advice: “If you fail, fail fast while you still like each other.”
When she shared on Twitter that she wasn’t sure what to do next, she said Microsoft was supportive. She got an offer to be paid to train their developers, took it, and then several others offered similar opportunities.
“I thought, ‘That is a job I could have. How can I make this more affordable so it’s not so restrictive?’ Because the thing that I found difficult in my career was switching from software development to security because there wasn’t a clear course.”
So she wrote her first book, Alice and Bob Learn Application Security, to share what she learned, and she developed courses to help others.
“This is a huge problem, being able to afford to take training… So I opened an online academy for individuals at prices where basically I would just break even. I wanted to be able to open the doors, so that’s part of why I merged with Bright Security; then I could open the door for literally everyone and cost was no longer a factor. Seeing it change people’s careers and lives for the better has been a wonderful experience.”
She started the program (and I’ve been following her for years) as “She Hacks Purple” but later changed it to “We Hack Purple” because men didn’t realize her courses were for everyone, not just women. Her company was acquired by Bright Security last May to bring her training to wider audiences.
The “purple” refers to the blend of red team offensive security work and blue team prevention and defensive application security work that her training addresses. She started with application security courses and expanded to secure coding, incident response, infrastructure as code (IaC) security, Azure security, and more.
This is extremely important work. When I talk to CISOs about adapting their security programs to support digital transformation and cloud-native development, they talk about how their security teams have traditional application security skillsets that don’t translate well to cloud-native applications. Our research in collaboration with ISSA also shows that the top cybersecurity skills gaps are in cloud security and application security.
“All courses are free, so anyone can join the community; they just need to abide by the code of conduct… There are free events each month; people try to solve problems. There are mini courses if you work in appsec, so you can scale your program. We start with foundation and build you up throughout the three courses, so if you work somewhere, you can augment, measure, improve,” she said.
She also talks about the importance of seeing other women speakers and more diversity at conferences, and how it helps make people more comfortable and included to join the industry. Her efforts include diversity scholarships and help with job placement.
Check out Tanya’s resources and video below, and don’t miss the full audio interview where we cover much more!
Resources:
- We Hack Purple Community
- We Hack Purple Academy, constantly updated with new courses and resources
- She Hacks Purple with Tanya Janca, blog and presentations
- Alice and Bob Learn Application Security book
- Alice and Bob Learn Application Security free video series
Be sure to visit ESG’s Women in Cybersecurity page, where you can view past episodes and connect with us to hear more inspiring stories in future shows.