Cybersecurity Today – She Hacks Purple: An Interview With Tanya Janca
Podcast Host: Jim Love
Guest: Tanya Janca (SheHacksPurple)
Date: January 17, 2026
Episode Overview
In this insightful episode, Jim Love interviews Tanya Janca, renowned Canadian application security expert, educator, author, and founder of We Hack Purple. The conversation explores Tanya’s unconventional career path, her work empowering underrepresented groups in cybersecurity, the persistent security gaps in software development, the failings and opportunities within academia and open source, and the urgent need for cultural change in how organizations and individuals approach security in coding.
Key Discussion Points & Insights
Tanya Janca’s Career Journey
- From Musician to Security Advocate
- Tanya began as a software developer and performing musician before being introduced to pentesting via a mentor she met through music.
- To access free training, she started speaking at conferences, leading to global opportunities and eventually being recruited by Microsoft as their first security advocate.
- After Microsoft, she founded We Hack Purple, focusing on widespread secure coding education.
- Authored bestsellers like Alice and Bob Learn Application Security and Alice and Bob Learn Secure Coding.
Notable Quote:
"I started speaking at conferences and then before I knew it, people were sending me plane tickets for all around the world... Microsoft phoned me... They sent me plane tickets and I went to Seattle and I joined Microsoft as their first security advocate."
— Tanya, [01:05]
Diversity, Equity & Inclusion in Cybersecurity
- Challenges as a Woman in IT & Music
- Tanya recounts being one of six Canadian women in a class of a thousand students and facing more intense sexism in the music industry than in IT.
- Created Women of Security (WOSEC) to build peer support among women in cybersecurity.
- At We Hack Purple, prioritized accessibility—accommodating a range of disabilities and focusing on inclusivity for underrepresented groups.
- Launched diversity scholarships, resulting in high placement rates for women of color in security.
- Stresses the importance of representation, sharing how a female keynote inspired her at her first security conference.
Notable Quote:
"We had this diversity scholarship for anyone who was underrepresented and whatever that meant... we ended up putting a lot of people through that program, and lots of them became application security professionals."
— Tanya, [05:22]
The Security Programming Gap
- Failures in Academia & Lack of Secure Coding Skills
- Tanya criticizes universities for not teaching security fundamentals to computer science students.
- Describes initial barriers in getting her books adopted and the difficulties of breaking into academic teaching without a traditional background.
- Highlights a severe skills gap: few graduates have any security training.
Notable Quote:
“Academia is completely failing us here... graduating computer science students all around the world and computer engineering students with zero security skills... Like the government should just be like, you start teaching that next year, you figure it out. Or you don't get any more grants.”
— Tanya, [12:31]
Open Source and Security
- Open Source’s Inherent Security Flaws
- Many open source projects lack resources and security expertise.
- Systemic issue: free tools are widely adopted with little thought to code review or financial support, undermining security.
- The open source community often fails to embed security as a core practice—security frequently treated as a post-development add-on.
Notable Quote:
“When you do that and you get feedback, you don't have a bunch of pen testers volunteering their time... you don't have an application security professional that can be part of every single one of those projects...”
— Tanya, [20:13]
Embedding Security in the Software Development Lifecycle (SDLC)
- Process Solutions
- Advocates for integrating at least one security activity into every phase of the SDLC—threat modeling, requirements, design, testing.
- Emphasizes the culture change needed so security is seen as integral, not as a roadblock.
Notable Quote:
“If we can add one security activity to each one of the phases, then you're going to build way better software... and if we can show the developers the thing... of course they want it to be safe.”
— Tanya, [24:43] and [27:53]
The AI and Security Opportunity
- Can AI Make Coding Safer?
- Tanya shares that when she asks AI models to generate code, the default outputs are gradually becoming more secure.
- Sees promise in security-centric prompts and guidelines to steer code generation.
- Offers a free secure coding guideline (securecodingguideline.com), proposing these be embedded into developer and AI workflows.
Notable Quote:
“If we train the AI so that it is only producing... pretty decent code, we're going to bring everyone forward a whole lot. Although it's not there yet, I do think it can get there in the next year or two.”
— Tanya, [34:14]
Incident Response and Real-World Security Challenges
- Hands-On vs. Policy
- Tanya describes direct, sometimes improvised actions taken during security incidents—like literally unplugging physical servers to stop an attack—highlighting complexity and the need for flexible, practiced incident response processes.
Memorable Moment:
"I just sent two of my dudes from my team and they just walked into the data center... they unplugged it and walked out the front door, both carrying two big boxes... We are protecting democracy today."
— Tanya, [36:54]
The Magic Wand: Building Security In From the Start
- Tanya’s Wish for the Industry
- Security should be introduced in every “Hello, World!” example, coded into every bootcamp and software curriculum, and deeply integrated into dev and AI culture.
- Envisions security as intrinsic to software quality and not a distinct or elective topic.
Notable Quote:
“Every single Hello, World lesson would include security. Every single boot camp... would have secure coding as part of the actual program... Security being a part of quality, be a part of their core belief system... I would like to put myself out of the job because then I can just go back to being a dev.”
— Tanya, [40:14]
Timestamps for Important Segments
- Tanya Janca’s Origin Story: [01:05] – [02:52]
- Navigating Sexism & Building WOSEC: [03:32] – [09:34]
- Security Gaps in Education & Academia: [11:16] – [16:59]
- Conferences, Talks, and Effective Training: [17:40] – [18:57]
- Open Source Security Realities: [20:13] – [23:56]
- Integrating Security into SDLC: [24:43] – [27:53]
- AI, Secure Coding, and the Future: [32:24] – [36:29]
- Incident Response—Real Stories: [36:54]
- Big Solutions (Tanya’s Magic Wand): [40:14]
Memorable Quotes
- “Microsoft phoned me... I thought it was a prank call. And I actually hung up on the guy.”
— Tanya, [01:05]
- “If you just say the sky is falling every day like all the security tools where everything's a frickin 10, everything's not a 10, buddy.”
— Tanya, [28:46]
- “Don’t complain. Submit a pull request. Yeah, don't be like, the kitchen isn't clean. Do the dishes.”
— Tanya, [23:28]
Tone and Language
Tanya’s tone throughout is candid, passionate, and approachable, blending serious expertise with relatable anecdotes and humor. She emphasizes practical solutions, community inclusivity, and a vision for systemic change—never shying away from difficult truths but focused on positive impact.
Takeaways for Listeners
- Security is for everyone: Accessible, integrated, and non-optional in both training and practice.
- Practical learning beats theory: Real lessons, hands-on exercises, and community engagement are more effective than traditional academic routes.
- Community matters: Representation, mentorship, and support networks play a vital role in navigating and growing within cybersecurity.
- AI and automation are double-edged swords: They can reinforce bad habits or raise the security bar depending on how they're implemented and guided.
- Incident response is a team effort: Agility, preparation, and communication are as important as technical prowess.
For further resources, Tanya’s secure coding guideline is available at securecodingguideline.com, and the We Hack Purple community continues her mission of making software, and the industry, safer and more inclusive.
