Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Founder: We Hack Purple (Academy, Community, and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday
- Part of security is teaching security
- Started in software development, then started meeting hackers, and decided to switch into security.
- Tanya is extremely scholastically inclined
- She comes from a family full of women computer scientists and mechanics
- Tanya’s Quick List For Getting Into Infosec:
- Responsibility of a mentee: [30:29]
- Have energy and time
- Respect your mentor’s time
- Need to have already looked for the answer online before you ever ask them for something
- They are not a free consultant, you shouldn’t ask them to do your work
- You shouldn’t stand them up for meetings
- Recognize and have gratitude for the fact that this person has a crap-ton of knowledge in their brain that they’re sharing with you for free. They’re taking the time out. You’re not their daughter or son. You’re not their friend. You’re a person in their industry and they’re trying to pay it forward.
- You want to actually do the exercises that your mentor gives you
- Choose your mentor wisely
- Do not expect your mentor to find you a job
- “We’re graduating people who don’t know how to make secure software, but they do know how to make software! So that ends up being insecure software.” [2:52]
- “So if I was going to teach a software security course at a university, they would pay me as an adjunct professor and they would pay me almost nothing. It would almost be equivalent to volunteer work.” [3:30]
- “I thought I really wanted to be a penetration tester until I discovered that there is this weird spot… in between red team and blue team.” [8:12]
- “A lot of penetration testers get a little depressed.” [9:02]
- “People just don’t know how many super awesome cool things there are out there!” [13:06]
- “The people I liked the best are the people in my computer science class.” [20:19]
- “Honestly, I just smoked a lot of weed and just showed up and would ace things.” [20:07]
- “You don’t have to spend money at the beginning necessarily.” [29:53]
- “Which certification should I get so that I can be a good pentester?” [29:29]
- Tanya Online:
- NICE Framework: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center
- OWASP: https://owasp.org/
- WoSec: https://wearetechwomen.com/wosec-women-of-security/
- Franziska Bühler: https://twitter.com/bufrasch
Getting Into Infosec:
- Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
- T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
- Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
Tanya Janca 0:00
Security, we need you. We do, we need all of you, we really need the help. We're not winning right now. You know, group of person, right? We need everyone. We need people in wheelchairs, please work with Zack. But like every person, old people, young people, like you just got out of school. Great. You've already been a citizen for 20 years. Great.
Ayman Elsawah 0:34
Welcome to Getting Into Infosec. I'm your host, Ayman Elsawah. My guest this week is Tanya Janca, aka SheHacksPurple. Tanya is an awesome, giving person. She's a huge proponent of mentoring, diversity, inclusion and application security. She's quite involved in the community, from starting her own company to running her own OWASP chapter for four years in Ottawa, founding a new OWASP chapter in Victoria and co-founding the international women's organization WoSEC. Full bio is in the show notes. Tanya's journey was one of discovery and fascination.
Tanya Janca 1:01
and I thought I really wanted to be a penetration tester until I discovered that there's this weird spot in between software development. And like in between red team and blue team, that just, oh, that's the best part because, you know, I find a vulnerability. But then I show the developer how to fix it. And then I teach all of them about it, because it turns out all of them are making this mistake. We talk
Ayman Elsawah 1:24
a lot about mentoring and missteps people make when first starting out.
Tanya Janca 1:27
Wow, like you don't have to spend money at the beginning, necessarily. Computer Science
Ayman Elsawah 1:30
is not just about technology, though, but about the people too.
Tanya Janca 1:33
Oh, the people I like the best are the people in my computer science class.
Ayman Elsawah 1:37
or family history is also quite extraordinary.
Tanya Janca 1:39
My aunt is the first woman to ever graduate from computer science in Ontario.
Ayman Elsawah 1:43
and that was only part of it. Take a listen for the rest. As usual, everything Getting Into Infosec is at gettingintoinfosec.com. There you'll find a preview of my practical guide into the field, a link to join my mailing list for previews and insights, and T-shirts and swag. If you like this podcast, please share your favorite quote or leave an awesome review, and please stick around. Thanks to my guests for sharing their time and journey. Editor's note: this was recorded when Tanya used to work for Microsoft. All right, onto the show. Hi, Tanya, thanks for coming on the show.
Tanya Janca 2:07
Thanks for having me.
Ayman Elsawah 2:08
Yeah, this is exciting. Cool. So maybe for those out there that don't know what you do, maybe you could talk about what you do in information security. I have
Tanya Janca 2:18
a very unusual job. I work for Microsoft as a cloud advocate. So my previous job was web app pen testing, and application security the job before that. And before that, before that, I started doing public speaking and I started writing content about it. And it turns out that I'm really good at explaining things. So I have a very strange job where basically I try to teach everyone by, like, writing blog posts or creating lessons, or we have a learning platform called Microsoft Learn, and I make a module for that that teaches everyone basically how to use the cloud securely, how to launch apps and create apps that are secure, you know, how to add a whole bunch of security to our DevOps pipeline and stuff like that. And it's super fun, because I just get to break things and then knock them down, right? And then build more things. You get to see technical. Yeah, exactly. So I get to play with anything new that they make, which is ridiculous, I know. When I started on my own, I have a free license for everything. And they're like, yeah. Yeah, so I work with all the different Microsoft security teams a lot. Okay, so I kind of get to hear all the cool stuff that's happening. Yeah, and help make their lives better if I can.
Ayman Elsawah 3:36
Okay. And your audience is primarily the non security folks on Microsoft or
Tanya Janca 3:40
my audience are people outside Microsoft, generally. Okay. So let's say you're trying to pick a cloud provider and you're like, oh, you know, what is this dirty lake in Azure? Then, you know, I have endless content on that topic. Or if you're using it, and then you're wondering, okay, so how can I, you know, implement zero trust in Azure? Oh, I'm launching an app, but like, what are the settings I should use? Or where is that darn thing I'm looking for? I know it exists. So I know where it is, I've probably written something about it, or someone has written something about it. And then to make sure that, you know, you can do whatever you want to, but securely.
Ayman Elsawah 4:14
Yeah. And you know, you said something about the ability to teach people? I mean, I think that's such a huge thing in security, right? Part of your job is to help educate others on security, wouldn't you say?
Tanya Janca 4:25
Yeah, absolutely. And I feel that that is something that we're lacking a bit. Because I know, in college, I didn't get any courses on security, and I did graduate a long time ago, but people graduating now are telling me that, you know, there's a cursory course that's optional, and I was just explaining identity, and identity is super important. But it's not the only thing that's important. And so we're ending up graduating a lot of people that know how to make insecure software, unfortunately. Oh, interesting, huh? We're graduating people who don't know how to make secure software, but they do know how to make software. So that ends up being insecure software, which is, as you know, quite problematic.
Ayman Elsawah 5:10
What would be your recommendations to institutions that are graduating these folks?
Tanya Janca 5:14
Well, we need to start covering security. Hey, there's a lot of problems in our industry in regards to incentives. So for instance, I don't have a PhD, I don't even have a degree, I just have a diploma, which in Canada has lesser value than a degree. And you need to have a PhD in order to be a professor. Yeah, at a university. So if I was going to teach a software security course at a university, they would pay me as an adjunct professor, and they would pay me almost nothing. It would almost be equivalent to volunteer work, and why on earth would I do that when instead I could, you know, I could apply at SANS, I could try to be an instructor there. They get paid quite well. There's like a lot of different places where you could become an instructor and do private teaching and you could get paid just astronomically more. So then the universities say they can't find anyone that's willing to teach. Because if you have a PhD in computer science, it's rare, especially if you specialized in cybersecurity, that you would decide to remain in academia when you could instead start your own company and create products, right? Like, yeah, so there's just such a small group of people that remain in academia, and then of those, like finding one, and so there's just not enough to meet that demand. And I feel like their system perhaps is not doing well for us as an industry, where we're graduating people that only know half the thing. Like you would never assume that someone that went to trade school to learn about electricity wouldn't learn how to run electricity safely, right? Of course, right, they would be taught safety. But we're like, oh, we're graduating people from computer science, but you know, we can't find any professors because we don't want to pay them anything. So like, I guess we just won't teach safety.
Ayman Elsawah 6:58
Yeah, exactly. It's funny you say that because, you know, I wanted to teach a master's course on cost security. And I was talking to the university and they ran into an issue because I didn't have a master's degree, even though I had plenty of certifications, plenty of industry experience. You know, not trying to talk more about this, but basically what I'm trying to say is that, like, here you are, you have someone that's willing to, oh, yeah, you know, teach a class. You know, I'm not doing it for the money, right? Yeah. Nobody really does teaching for the money. But, you know, I couldn't because I didn't meet this one very specific criterion. So that was really interesting. That's happened to me, I think, a couple times.
Tanya Janca 7:33
Yeah. And then who's missing out? The students, right? Right. Like, you're not like, oh, gosh, I wish I could get that $400 much.
Ayman Elsawah 7:45
Tanya Janca 7:46
Yeah, exactly. It's that you want to share and improve our industry. That's what your motivations are, and then you're kind of being blocked. That's why I give away a lot of stuff for free online, because I like, haha, I'll stream for free on Twitch. Yeah, then I can do it from my living room and wear pajamas,
Ayman Elsawah 8:04
yeah, there you go
Tanya Janca 8:05
and make just slightly less money.
Ayman Elsawah 8:08
Yeah. And not to rant on here, but like, as an educator, for me, I actually wanted to have more challenging or more engaged students. Yeah. So you know, having a master's student, oh, yeah, you know, then that way they're motivated, they're in it. A lot of times they're people that are working already, and they're just nighttime. So, you know, when I give them homework, they're actually going to do it. So that was actually the exciting part I was looking forward to. You know, it's funny, after teaching, I've learned that I was a really bad student in college. I'm like, wow, like now I know what infuriates teachers, like holy, like, ah, oh, bad Tommy.
Tanya Janca 8:51
Yeah, I know what you need. I know what you mean.
Ayman Elsawah 8:53
Yeah, it's so interesting. Anyway, so tell us a little more about some of your previous positions before Microsoft Like what you did?
Tanya Janca 9:01
Yeah, before Microsoft, I worked for the Canadian government for 13 and a half years. Hmm. And first I did software development for nine years, maybe around nine-ish years. And then I switched over into security. And slowly, as a software developer, I just got more and more obsessed with security. I met a hacker. And then I met another one and another one. Turns out there's not that many in Ottawa. I met a whole bunch of them through this learning program I was running for my devs, where I would just invite people in to teach us cool stuff at lunch. And as I got more and more interested, one of them was like, you should come hack, man, you'd be good. And he became my first professional mentor. Yeah, and so I ended up getting to try a whole bunch of different things. So I got to do some network security stuff, some, you know, like scanning networks and looking for vulnerabilities, some architecture. I got to play the CISO role for the 42nd general election for Canada, where we elected Mr. Trudeau. Okay, that was really cool. I got to do incident management. And I got to do a lot of web app pen testing, and a lot of scanning of all the things. And then I learned AppSec. And I thought I really wanted to be a penetration tester until I discovered that there's this weird spot in between software development, and like, in between red team and blue team, that I was just like, oh, that's the best part, because now I find a vulnerability. But then I show the developer how to fix it. And then I teach all of them about it, because it turns out all of them are making this mistake. Yeah, you know, I help implement tools to make sure, you know, we're capturing the right things or that everything's getting scanned before this happens or whatever. And it just felt like the right place for me, if that makes sense. And I didn't even know that existed.
So yeah, a lot of people who want to get into security, they all tell me they want to be a penetration tester, I know. But if they know, a lot of them don't know, okay, so I'm gonna air some dirty laundry here. A lot of penetration testers get a little depressed. Because like, after a few years, so at first it's like, this is so exciting, right? They can get pretty bored because you find the same problems over and over. And if you're doing consulting, and you go in and you're like, bam, bam, bam, bam, and you find a whole bunch of things that are wrong, and you write a report, and then quite often no one reads it, or they just pick the top thing, they fix that and then that's it, then you have to leave. You don't feel you've done a good job, maybe. Yeah, you know, like if I write a report, but then nothing actually happens, personally, I feel like a bit of a, not like a failure, but like I haven't done good by my client. And so AppSec, I felt so satisfied with, because I'm like, look at me, I'm helping, like I'm making a difference, like I created a secure coding guideline and it makes sense. And then I can help them, you know, if they're having problems with parts of it, we can change, or like I can teach them. Or this one place, I kept finding cross-site scripting everywhere. And so I did this deep dive into it at lunch and I appealed to all the people, you know, only 10 people showed up and my manager. So it was quite a failure. We had 400 devs. And, you know, like 12 showed up, this sucks. But one of them, it turned out, was a team lead for a big team. And then he went and searched for cross-site scripting in every single legacy app, and they made an entire sprint and they just knocked out cross-site scripting for a, wow, crap ton of apps. And he was like, that was next to you. I can't wait till you show me the next thing, because we're just gonna keep doing this and just knocking things out. And so we had more and more people interested.
And for me, that feels, I have like that glow inside of like, I'm making a difference. Yeah. And so although a lot of people view red team activities or penetration testing as very, I guess, glamorous, maybe AppSec is slower or more down in the weeds. But for me, like when I'd go home, I'm like, yeah, that's right. That's awesome. Fixed this and, bam, I fixed that. And now they know what a whitelist is versus a blacklist, and our inputs are so much more secure now. And like, for me, that feels really good. And
Ayman Elsawah 13:18
yeah, I'm getting tingles myself.
Tanya Janca 13:20
Yeah, like it just, it just, and that's part of why, I guess, I like doing talks and writing blog posts and teaching, is because people will write me and say, like, oh, yeah, you know, I did that workshop with you. And then after, you know, we started using this tool and like this, you know, technique or the strategy that you told us, and yeah, like our incidents have gone down. Or like, we haven't had an incident now, or, you know, it caught all the things, and it's just like, yes! Oh, bang. Yeah,
Ayman Elsawah 13:49
actually effecting change. So that's, you know, yeah, that's right. I mean, when you talk about the pen tester, you have this level of emotional drain where, you know, not only are you trying to find, you get the high of finding issues, but then, yeah, that's right, but then you also have to have the art of telling people their baby's ugly. Right. Yeah. And I think it's a good skill if you can master it. Yeah. But it is emotionally draining. And then, you know, you come back next year, do the same pen test, and you find out they didn't fix the stuff that you reported. And it's like, what? Yeah, right. So
Tanya Janca 14:25
Yes, so when I would do consulting for pen testing, what I'd do is explain, like, a vulnerability assessment, and explain a security assessment, and threat modeling and whiteboarding and all of those things. And I'd be like, so that's what I'm going to do. And then we would sign the contract and it would say "pen test", but then it would have all the things that I was actually going to do. And it's like, I'm not going to set your app on fire. I'm going to test it, but I'm not going to break into your network. You don't want me, you want someone else if that's what you're looking for, and that's cool. Like, I'm glad that people know those things, because I suck at that. I'm not going to, 20 bucks says I'm not that person.
Ayman Elsawah 15:02
Right? We have to work on our strengths. So
Tanya Janca 15:04
Yeah, exactly. Yeah. You know, this podcast is for people that are wanting to get into information security. And I think that part of the problem is that people just don't even know how many super awesome cool things there are out there. Right? Yeah. And I feel really lucky and blessed to have had, you know, a mentor that pushed me, and then eventually more mentors, and then also at work I just had this team of like, oh, do you wanna do that? Okay, like, what, I'm managing an incident now, after I saw you do two? Like, what? Yeah. And it was just really exciting. And they're like, if you need me, you know, just tag me in. Yeah. And I'll take over, but you've got this, I believe in you. And yeah, oh, my gosh, the power. Like, I still go for beers with those guys sometimes. Nice. Yeah. And I think that if people who are interested in information security could find out all the different types of roles that exist, they could then concentrate a lot faster. Because it took me years to figure out what AppSec was, yeah, how to do it. And that's why I'm writing that blog post, like this series called Pushing Left, Like a Boss, where I'm explaining, like, what is application security? Yeah. What is this trying-to-create-secure-software business? Yeah. How do you do that? Yeah. Try to explain from the beginning, because, you know, no one just laid it out for me. So I'm like, I'm just gonna lay it out. And hopefully some people will read it.
Ayman Elsawah 16:26
That's right. That's great work. Yeah, I really appreciate that. That's really good work. There's a NICE framework. I'm really thankful for the NICE framework that's come out. I wish that was around before, where it kind of lists all these types of positions that I didn't even know about. Right. So what's that called? It's by NIST. They released something called the NICE framework. And you know, I'll link to it in the blog, I mean in the post. Yes, please. And in there, they have a spreadsheet of all these different positions and skills required for some of these positions and things like that. So
Tanya Janca 16:57
that's awesome. That's really awesome. I want to take a look at that. I want to start sharing that with people that write me.
Ayman Elsawah 17:02
Yeah, that'd be great. Because everybody wants to be a pen tester. It's like, okay, there's more,
Tanya Janca 17:06
but they just don't know. They don't know. Yeah. And I think that we see hackers and pen testers as this, like, glorified thing where like, you just gonna press two keys and then you've just hacked the NSA, and the NSA is just, like, facepalming, like, no. Yeah, no.
Ayman Elsawah 17:25
Yeah. And you know, if you want to do that, that's fine, too. I think the main thing is to be realistic about it, right? And there's no direct path. So I mean, one goal here is to find as many different kinds of people in infosec and have people talk about their jobs, right? Whether it be product security, or IoT, or... anyway, I digress. But one thing I'm curious about: do you think the Tanya of, like, say five or even 10 years ago wrote secure code?
Tanya Janca 17:50
No, she did. No.
No, she did not. Oh, yes. So she did what she was taught in school. Okay, did not have very many things. One of my last software development gigs was at the Treasury Board Secretariat, Canada. And we actually did pretty well compared to a lot of other departments, because we had a couple guys on our team who just never stopped going to school, like, really, really bright. Okay, and they continue to take computer science courses at night indefinitely,
Ayman Elsawah 18:23
Tanya Janca 18:24
Yeah, they want to learn everything. Mm hmm. One of them created our own DLL, like our own library, we're a .NET shop, nice, yeah. And it would, you know, validate email addresses, and it would validate input. And then we just ended up adding more and more security things to this framework. And we would just use the framework, and it wasn't till, and I worked through it, and then when I went to work other places, I'm like, oh my gosh, you guys don't have this. What do you do? Yeah. And so like, I'm lucky, like, my boss was really cool. And I could just be like, yo, can I just have the latest copy of this? And he'd be like, yeah, of course, because it's not private industry. It's the And why recreate the wheel? So like, all of my previous software development bosses would just be like, yeah, of course you can have a copy of that code or that project you did. And you can just throw out half of it and then write this new thing that you're going to do, you know, please share it back after. Because I'm extroverted, that works. Most people are introverted, they're in computer science. Not most, but let's say more than half, and
Ayman Elsawah 19:21
Tanya Janca 19:22
So like, I just call my old teams and be like, yo, I'm working on this. You guys have anything like that? Or like, how are you fixing this problem? My team's kind of at a loss. And I found that went really great. But I think that I was a bit spoiled, having, you know, really awesome people on the team who were more security aware than I was, until I became obsessed. And then I want to learn everything about something. I'm that person. Yeah, I'm like, oh, I'm gonna learn about kayaking. Like, I'm just gonna go 10,000% into it. That's how I am, nice, which is fine, right? So I'm really good at a couple things. Yeah, so eventually, like, I left and I got a security job and then I was like, sorry, guys, I'm not coming back, because they loaned me but then I never came back from the loan. Because again, unlike private industry, you know, we don't usually loan employees to other companies, but you could do that in the government. It's like, oh, we're gonna loan her out to Elections and she's gonna help with the election. Like, I'm sorry, guys, I like it too much.
Ayman Elsawah 20:17
Yeah, that's awesome.
Tanya Janca 20:19
Yeah, it leads to great opportunities to
Ayman Elsawah 20:21
Yeah. And now a message from our sponsor. Having trouble with your opsec? Is your paranoia on the naive side? We have a solution for you: Cyber Vitamins. Simply take two a day to start feeling effects after 24 hours. No longer will you be sending that unencrypted email. Cyber Vitamins, with the ability just enough so you don't send that unencrypted email, and you'll spend the time to actually encrypt your email. But wait, there's more. The same goes with logins. No longer will you log into email or bank account with just a password. Now you'll cower in the corner until you have two-factor authentication enabled. Our special and proprietary formula adds the right dose of healthy paranoia to your bloodstream. Worried about nation-state actors? Try our Enemy of the State formula. Side effects include agoraphobia, extreme friendlies brew attitude, or locking yourself in your basement. So tell us a little about the younger Tanya. Were you always into computers? Like, how did you get into computers?
Tanya Janca 21:12
So I think that I have a very non-traditional way that I did all the things. So sure, my aunt is the first woman to ever graduate from computer science in Ontario. Oh, cool. Yeah, my other aunt was one of the first 10 to graduate from computer science. Four of my five uncles are computer scientists. Okay. My mom's a mathematician, chemist, my dad's a technologist mechanic. And then my cousins, most of them are like computer science, okay, or engineers, or mechanics. So in my family, we have a garage. There's a bunch of mechanics that work at the garage. Then when I was like, oh, like I was thinking of taking computer science, all of them were like, aha, like, what else would you do?
Ayman Elsawah 21:55
Tanya Janca 21:57
Right, and I know for little girls that's generally not the case. So like my uncle, one of them had created a computer for us that would talk to us when we were little. Okay, he programmed the whole thing himself. And it was like, Hi, my name is Mikey, what's your name? We'd type it in: Hi, Tanya, how are you? And like, we had things from the very beginning.
Ayman Elsawah 22:15
Wow, when did you write your first line of code?
Tanya Janca 22:17
Um, I think when I was 16, okay. I don't think I was really coding before that. I think I was just more playing around, right. It wasn't until my parents were like, you have to take a computer science class, and I was like, oh, I really like English and drama and all these other things. They're like, you're awesome at math, just go do some. You'll notice I'm like, I'm not that great. But it turns out they're really nice, and when I decided to go to college, honestly, I thought about it, I was accepted for history, English, Dramatic Arts, computer science, like just everything I applied to, because I am scholastically inclined. So it was very effortless for me in high school. Honestly, I just smoked a lot of weed and hardly showed up and would just ace things, because I didn't understand what everyone else's problem was. Oh, wow, okay. I didn't understand these things, right. But then I thought about it and I was like, oh, the people I like the best are the people in my computer science class. And so I think that if I go into a career in that, if I'm gonna like all the people that I get to work with, that's important, because I remember in Dramatic Arts, like, I wasn't pretty enough to get the leading role, and also my classmates were wildly annoying.
Ayman Elsawah 23:27
Dude, different personalities. Yeah,
Tanya Janca 23:28
exactly. And like, I was just really drawn to the computer-science-y type of personality. Right. And so then I took computer science in school and that was great. And I started working at Nortel in high school, and then I started at a, you know, a software programming startup while I was in college. And then as soon as I graduated, I started my own company, which failed. I joined another startup, which failed. Then I got jobs and then eventually landed in the government. But those failures taught you something, right? Oh, yes, they did.
Ayman Elsawah 23:59
What did they teach?
Tanya Janca 24:00
So the failures taught me a lot of things: that you shouldn't go into business with someone just because they're your friend, okay? And that I am good at tech and that I don't know enough to run a company. And I need a person that really understands how to run a company if I do want to venture into that space again. Also that I function at a high level. So like I'm okay with just working and working and working, working and working. And I don't mind, because I like it. But normal humans don't tolerate that crap. Yeah, and like, I can have a full-time job and a part-time job and even another job, and then go speaking places, and then also be on the sports team, because I just like to do something every single moment of the day, and normal people need rest. And like, that's okay, but I can't have expectations of others like I do with myself, because I'm gonna get disappointed. And also, just because you have a great idea doesn't mean it will go somewhere. Yeah, I've had a lot of people secretively tell me their business ideas, and like, some of them are really cool. Some of them I don't like, obviously, like, not every idea is great, but they're really worried someone will steal it. Unless you've already conducted the research or already built the product, and they're stealing the already-made product, like the work not only is creating the product but getting people to use it. Yeah, like someone last night, he's creating a super cool new infosec product that he's gonna open source and give away for free, which is awesome, nice. And I said, how are you going to promote it? Because there's no point in working really hard to create an amazing product, open source it, and then no one actually hears about it or uses it. Because I've seen that happen. Yeah, we're like, only four people know about this thing. And the thing is, always, the person worked really hard on it. And so he had this plan.
And then I offered him a bunch of suggestions, like, okay, well, now I have the OWASP DevSlop show, you could come on and show your cool thing that you made and you're giving it away for free, and we could tell lots of people about it. And he's like,
Ayman Elsawah 25:56
Awesome. And yeah, there's a lot to unpack there. That's more of an entrepreneurial discussion. But yeah, it's just, telling people... keeping it secret is basically a recipe for failure. Yeah, yeah.
Tanya Janca 26:06
I think a lot of people are uncomfortable with self-promotion. Yeah. And no one will know about the cool thing you're doing if you don't tell them. You're not saying, like, oh, other products suck and I'm the best, you should shut me up. Cool. That's not worth doing.
Ayman Elsawah 26:19
I mean, I run into that too. You know, like, I was never on Twitter. You know, I was always the lurker. And now, with the podcast, I have to do this stuff. And, you know, I still find that difficult, frankly. But yeah, you're right. You know, self-promotion is not easy. You can have an awesome product, but if people don't use it or read it, it doesn't matter.
Tanya Janca 26:35
Yeah. And it's tough. If a tree falls in the forest and no one's around to hear it, does it... you know, did it happen? Yeah,
Ayman Elsawah 26:43
That's right. So what would be some advice for folks that are not scholastically inclined, necessarily, that are looking to get into infosec? What are some basic steps, or what is your advice in general?
Tanya Janca 26:53
So there are a bunch of things. So definitely listening to podcasts like this, checking out that NIST document you're gonna link in the notes about all the different types of areas of infosec. And then reading about them, listening to podcasts about them, blogs, whatever you can to figure out, as closely as you can, which one or ones interest you. And then from there, try to see if there's certain people that you can follow who are releasing content, right? So for instance, like, let's say there's a specific cloud provider that you want to follow. All of them have tons of free content to learn about their cloud, right? Yeah. So that you can narrow that down with certain security things. Sometimes there's free content online, so absorb as much free content as you can. Yeah. I also suggest joining clubs or groups. So for instance, OWASP, the Open Web Application Security Project. I am their biggest fan. I love OWASP. Yeah. And there are 280 chapters now, I think. Oh, wow. Worldwide. Yeah. That's awesome. We, because I'm one of them, are amazing. They do so many great things. The community is so welcoming. And so, go to their meetups, check out their cool projects. Also, I'm part of Women of Security, or WoSEC, as we call ourselves. So if you're a woman and you want to meet other cool chicks, we brunch and bitch, we cry. Yeah. Where we just hang out and meet each other and eat cookies. Okay. We will go as a group to other events, so a conference or a meetup or something, so that you're not the only woman there. Yeah, that can be really intimidating. And then we have women-only safe spaces for learning, where it's just, you know, like, I'll give a talk and there's just 10 women there. And then we have this open discussion about whatever the security topic is, because a lot of women will speak less if there's a lot of men in the room.
They just feel a little intimidated, for whatever reason. Not all women, but some women, like a large enough amount, like I see huge differences. So we have 20-something chapters around the world at this point. We're only a year old, so we're working on it. Okay. And then also online, I'm running a campaign on Twitter every Monday called Cyber Mentoring Monday. So use the hashtag, all one word, #CyberMentoringMonday, and say what you're looking for, okay? Just say, hi, I'm interested in learning about incident response, and I'm looking for someone that could mentor me, or, you know, give me a list of podcasts I should listen to, or, you know, point me in the right direction. Or, hi, I'm interested in doing security research, like I want to become a bug hunter, I want to kick ass at bug bounties, and I want to learn from someone who has experience who can help steer me so I can have a good head start. And every Monday I'm doing this, and I'll retweet you if you tag me or if you send it to me in a direct message. I try to look for all of the mentoring Mondays and retweet them every Monday, but sometimes I miss them. And some people have told me that 20 different people reached out to them to help them, and they found it overwhelming. The information security community has been so amazing in answering all of these people, because we're not going to have enough people to meet the demand of our industry if we don't train them up, right? My first professional mentor hired me for my first pen test contract. And then he got, like, a big consulting gig somewhere, and he told them he wouldn't come without me. And like, someone going, like, advocating for me like that, like, that's just... yeah, I mean, I did do all of his crap work, but I was like... Oh, reports, though, probably. Right. Right.
Ayman Elsawah 30:31
But like, that's how you learn. That's how you learn anyway.
Tanya Janca 30:33
Yeah, exactly, exactly. And then he would proofread them and approve them. And then eventually, like, I could write my own reports without being supervised. And eventually I moved beyond and then found even more advanced mentors who could teach me even more, and then in return, I mentor several people, right? Yeah, if you find someone that is right for you, it's rather magical, the way that they can kind of push you to succeed and give you opportunities. Just having someone believe in you, basically. Yeah, like one of the women that I have been working with, she was so shy and she said she would never, ever want to present anywhere. But you know, a year later, she made this amazing pipeline where she has like a WAF, a web app firewall, and then she has like a hacking tool, OWASP ZAP, attacking it, and then like a vulnerable app behind it. So you could auto-tune your WAF in your pipeline. Wow. Right. Isn't she awesome? That's so cool. Yeah, that's Franziska Bühler. Yes. She's outstandingly, amazingly brilliant. And so she's been doing talks and all sorts of stuff, and building proofs of concept, and she's like a whiz at WAFs and reverse proxies. And so then I've learned a whole bunch of stuff about that from her. Mm hmm. That's pretty cool. You know what I mean? And so like, it's, yeah, we both benefit. Mm hmm. And so I think that a lot of people will tell me, like, oh, I don't know enough to be a mentor. I'm like, have you done your job two years or more? And you know, a lot of people are able to say yes to that. I'm like, well, you didn't get fired. So that means you're doing a good job, right? That means you know enough to do your job. Well, there's someone else that wishes they knew enough to do your job. Right, right. Like, you don't have to meet with them every week. You don't have to coach them every single day. Like, people will write me and say, like, oh, you know, which certification should I get so that I can be a good pen tester?
And they'll have, you know, like the Certified Ethical Hacker one, and I'm like, oh God, don't take that. It's just a bunch of random questions, and it's not helpful, and I certainly wouldn't hire or not hire someone based on that. Instead, like, no, then I give them a list of all these different resources. And a lot of them are like, oh, wow, like, you don't have to spend money at the beginning, necessarily. Like, I know a certification really could help show that you know things, but maybe once you've specialized, because the CEH is just rather random, like, it's kind of a whole bunch of things, right? As opposed to if you really, really specialized, really deep into something, like the CSSLP, the secure coding specific one. That makes sense, right? It's like application security, secure coding, lifecycle, like the whole thing. And it's very, very in depth, right? Yeah.
Ayman Elsawah 33:12
Well, let's talk about this. What's the responsibility of the ones seeking mentorship?
Tanya Janca 33:17
You definitely need to have energy and time, and respect your mentor's time. You definitely need to have already looked for the answer yourself online before you ever ask them something. They are not a free consultant, so you shouldn't ask them to do your work, because definitely that is a thing. You shouldn't stand them up for meetings. Like, recognize and have gratitude for the fact that this person has a crap ton of knowledge in their brain that they're sharing with you for free. They're taking time out. Like, you're not their daughter or their son. You're not their friend. You're like a person in their industry, and they're trying to pay forward, like, people that have mentored them in the past, right? Yeah. And like, when we remember that and we are gracious and grateful, it shows. Like, the gratitude I have for my mentors, like, I mention them in blog posts and podcasts. And they know, they know my feeling, right. And they know my appreciation. And I think that also, you want to actually do the exercises that your mentor gives you. Right? So if they're like, read this book, at least read some of the book, right? Yeah. I have a lot of trouble reading textbooks. Okay. I find that very, very difficult. So I, you know, read the first 13 chapters of The Shellcoder's Handbook and did the exercises. And then I told my mentor, like, listen, my brain is melting. Like, could I just have exercises? Just reading a textbook is so difficult. So then he made me read The Web Application Hacker's Handbook, which is also
I know. But then eventually, like, he could see I was so frustrated and he's like, great, now you've graduated to doing more things. Yeah,
Ayman Elsawah 34:54
It's like Daniel-san in Karate Kid, you know, just clean these cars and then clean more cars.
Tanya Janca 35:00
Yeah, exactly. He's like, how much patience does this woman have? Yeah,
But I think that also, choose your mentor wisely. Like, a lot of the women who have told me... their mentors have made passes at them. Wow. You know, at OWASP, in my chapter, we made a code of conduct. And one of the things was that you cannot date your mentor or mentee. And so if that starts, your mentoring relationship is over. And like, if people, adults, want to go date, they can date, right? But you're no longer part of our program, and we're no longer responsible for what's going on, and you shouldn't be asking for such favors. And a bunch of the men were really shocked that we put that in. But then a man offered to be my mentor, and I pointed out that clause, and he threw the paper at me and said that he would never sign it. What? Yeah, wow. We just pointed it out to him because I was pretty sure I knew what his motivations were. Oh, wow. And when I told the men that are part of the core chapter, they were like, oh my God. And I'm like, so, I know I'm very extroverted and I'm a fairly confident person. So I just pointed it out to him, and it was clear it was not going to work out. But maybe someone with less experience, or who's less confident, or who's less assertive might not have the strength to say that, right? So that's why we put it in. You know, your mentor should not be hitting on you. Yeah. Your mentor should not be expecting special favors. Your mentor should not be asking you to do all of their work for free all the time. Yeah, it's just weird. And you should not be expecting that your mentor has to find you a job. Mm hmm. Right. It's not their responsibility to find you a job. Like, hopefully they would, you know, recommend you if an opportunity comes up and they think you're a good fit, right, and they would advocate for you. But it's not like, I spent six months with them and now they owe me a job. No way.
Ayman Elsawah 36:48
No, someone asked me a question recently, and I really appreciated it. It was a long email. But what the person did was explain their background, and then the second paragraph was a very specific question about something that they're struggling and dealing with. Mm hmm. So it actually made it easier for me to answer that question. Right. Yeah. And I think what a lot of people are looking for, or at least, you know, is to ease the burden on both sides, or to make it really synergistic. They're just looking for a direction, right? Yes. Just to be pointed in the right direction, and hopefully they can keep going. But like, if your mentor points you in the right direction and then, you know, you didn't go that way, you went a different way... I don't know. So what you said earlier, I think, was a really good summary. I think that was perfect.
Tanya Janca 37:31
Yeah, like setting expectations is really important. And I would also like to add, for anyone that's listening that's considering being a mentor: please consider being a mentor for those who are underrepresented in information security, especially women. I know that some men feel uncomfortable mentoring women, because they're afraid that potentially, you know, the woman will think they're hitting on them or whatever. Just don't hit on them and it'll be fine. Just don't be weird and it won't be weird. And so sometimes, like, women have a lot less options for mentors, because men have had a bad experience with one woman. We're not all the same. Most of us are great, just like most of you, right? And so please give extra consideration for giving time to someone that is from an underrepresented group, because we're never going to even the playing field if we don't try to give, like, you know, extra consideration or extra options to try to draw in and try to attract every type of person to infosec. Yeah, because we won't fill all the jobs if we only accept one type or one group of person, right? We need everyone. We need... yeah, people in wheelchairs, please work in infosec. Mm hmm. Like, every type of person. Old people, young people. Like, you just got out of school? Great. You've already been a sysadmin for 20 years? Great. We want all of you.
Ayman Elsawah 38:48
Yeah, really well said. I really appreciate that. That's really good. Awesome. Thank you so much. This has been great.
Tanya Janca 38:54
Thank you, too.
Ayman Elsawah 38:55
Yeah, any parting words? Before we go?
Tanya Janca 38:58
Please join information security. We need you. We do, we really do. We need all of you, we really need the help. We're not winning right now. You know, I want Have I Been Pwned to not be needed anymore, because there's just, like, no breaches, right? It's a great service. I would love to not require it. Yeah. So help make that a reality by joining our industry. Thank you. Yeah.
Ayman Elsawah 39:20
Awesome. Awesome. Well, Tanya, thank you so much for your time. And I look forward to meeting in person.
Tanya Janca 39:25
Yeah. Thank you. And see you next time.
Ayman Elsawah 39:28
All right. Take care. Bye. Right. Wow, that was amazing. As always, if you like the show, please thank my guests for their time and let others know about the show. They might thank you for it. Intro music is Cascadia by Trash80 at trash80.com. Check out the website gettingintoinfosec.com for show notes, clickable timestamps, a preview of my book and more, and stay in touch on Twitter. More Getting Into Infosec reflections every week. I let my guests pick their outro music. This week it's Juna dem blues by Tanya Janca herself. Special thanks to listener Todd for helping me with the outro music. Here it is in its entirety.
Tanya Singing... 🙂