250: Pushing Security Testing Left, Like a Boss with Tanya Janca • Test Guild

Today we’ll be test talking with security testing expert Tanya Janca about application security and more. Tanya is passionate about application security and evangelizing software security and will share why you should be, too. Listen up to hear how Tanya can make even a topic like security fun.

About Tanya Janca

Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.

Founder: We Hack Purple (Academy, Community, and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday

Quotes & Insights from this Test Talk with Tanya Janca

I feel that security is sort of like taking care of and protecting people. If that makes any sense. And I was really interested in it and I really wanted to do hacking. But one of the first jobs I got in security was actually doing Internet response and just being able to let everyone know everything’s OK. Being able to figure out what happened and then block it from happening again stopping things partway through I just I felt so much pride to me it’s this wonderful impact.
For social engineering the main thing is is that you need to create policies and then make sure people actually follow the policies. So for instance, don’t put them in a situation where they’re likely to break the policy. For example, if you have a door where everyone has to badge in it’s common for people to just walk behind someone else. And it’s almost rude if they don’t hold the door. So I’ve worked places where they have this turnstile. So it’s just impossible.
Another thing which I think is like the easiest bang for your buck is to do third-party component scanning. So when we write an app like 60 70 80 even 90 percent of it is actually libraries and then those things have vulnerabilities in them.
I have this crazy idea that we should put critical types of scans in the CI/CD pipeline that go out to publish but then you can make another like a loop sort of like a circle and you hit every hardcode security check that’s ever happened and then it just goes back to Dev and stops.
Security tests have a lot of false positives and they have false negatives. For third party component, they’re pretty good because it’s kind of true or false. For example, you are using JQuery1.1 1.3 or you’re not right. Or there is a CVE a common vulnerability a numerator like a record for a vulnerability that is in that or there isn’t. So those there are few false positives with those, but with static code analysis, it’s insane. It’s like 95 percent false positives. And I know what you’re thinking you’re like That’s awful. Why would anyone use it? Here’s why. If you do a code review of 20,000 lines you have to read 20,000 lines of code. Now if you run a static analysis on it it might say hey I think I found 200 things and then you read those 200 things. It takes a lot less time than reading 20000 things and then you find others only 10 things. Thanks!
If you want to learn about penetration testing you. I feel like it would be a good idea to decide if you are more interested in software or if you’re more interested in infrastructure because there’s kind of separate skills that you need for those.
For actionable advice, you should read my blog. I’m writing up all of the things that I’ve learned in the past four almost five years of working in security, trying really hard to attract everyone else into security and I am writing how to add security to your pipeline. How to add security to your system development lifecycle. What is a secure coding guideline and like what should be in it and then I’m publishing one really soon as soon as I finish editing it and I feel like I’ve tried to make it really really helpful for beginners and at a level where you can ramp up really quickly.

Connect with Tanya Janca

Rate and Review TestTalks

Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.

Powered By SauceLabs

Test Talks is sponsored by the fantastic folks at Sauce Labs. Try it for free today!