
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com. Welcome to Cybersecurity Today on the weekend. My guest is Tanya Janca, also known as SheHacksPurple, a Canadian application security expert, trainer, author, who focuses on teaching developers and organizations how to build secure software. And Tanya is recognized in the community under the handle shehackspurple. She trains developers in secure coding and application security. She's also the best-selling author of Alice and Bob Learn Application Security and Alice and Bob Learn Secure Coding and a whole pile of other things. Over a career of more than two decades in IT and security, she's worked as a software developer, penetration tester, application security engineer, CISO, startup founder, and on. But you've done a lot of things. Can I just get you to summarize your career? Tell me a little bit about how you got to where you got to today.
B
So essentially I was a software developer and I was also a performing musician. So I would play in bands, I would play solo. Me and my guitar were everywhere. And then one day I decided I wanted to become a pen tester and I wanted to switch into cybersecurity. And I had a mentor and he, quite frankly, he was in a band and I was in a band and we became friends and he convinced me. And so very quickly I realized I couldn't afford any training and if I wanted to learn that I could speak at conferences and get a free ticket. So I was like, okay, I'm going to start doing that. And so I started speaking at conferences and then before I knew it, people were sending me plane tickets for all around the world to come and speak in Europe, in Asia, in South America. It was like wild to me that people would just invite me. And after doing that for maybe a year and a half or two years, Microsoft phoned me and quite frankly, I thought it was a prank call. And I actually hung up on the guy. But he pulled me back. And eventually he convinced me he was from Microsoft. And they sent me plane tickets and I went to Seattle and I joined Microsoft as their first security advocate instead of a developer advocate. And I did that for a while. And when I left, I started my own entrepreneurial journey, then training and just basically teaching as many people as I possibly could, whether it be online, in person, whether it's live or it's recorded, just so many different ways to try to teach. And that's when I started writing books too. And no one tells you, hey, did you know you could be an author? Plan these things, Jim? They just kept happening. I'm like, ooh, I wrote my blog a lot. And people are like, are you going to write a book? I'm like, can I do that? They're like, yeah, you could just do it. So I did.
A
Why not? Yeah, it's a perfect thing to do. I've always described the fact that my. I've been able to do all these things because I have ADHD. I think I just, I can't stay focused on one thing without being bored. But you just, you sound like you're never bored.
B
Oh, absolutely, yeah. Yeah, definitely not bored.
A
And I don't want to do a big thing about it. A lot of. There aren't a lot of women who started out in cybersecurity. And tell me a little bit about that because you've reached out and I think I'm going to get a DEI score in my US audience here for this. But it's just like you're empowering people and I can see it in your work. And how did that come about?
B
So being in software development, there were, I don't know, a thousand people in my class and six of us were Canadian women. And there, there were a bunch of students from China and a bunch of students from Russia and some of them were women. They wouldn't talk to me. They're all in like their 30s and 40s and not interested in hanging out with a 19 year old kid. And so basically I'm like, there's six girls in my class and a thousand dudes and this is a lot. And I there. So there's sexism in IT, but there is sexism in entertainment. And so in the music industry, I faced significantly more overt, obvious, intense sexism. And so then in IT I was like, I'm not gonna put up with this. And it's a lot less overt in IT. So I just point it out or say something if I could. And I discovered that I could be an ally to other women and poitou, like, I'm like, hey, that's not okay that you're doing that to her. And that people would respond okay. Especially because in music, because it's so aggressive, the sexism, like I would just have people say, oh, you can't play because you're a woman. It'd just be like really direct. I don't work with girls, et cetera. And so it'd be easier to stand up for people when it's, like, less aggressive about bass lines.
A
Yeah. I have a great friend, October Brown, who's one of the most incredible guitar players you'll ever hear. You'll never see her leading in a rock band until others made Blondie and others made it beat the path for rock and roll, which was great. And yeah, the. Anybody who hasn't been in the music industry, I think I'll quote Randy Bachman on this one. You ain't seen nothing yet. It is a lot easier to work your way around because if you just stand up for yourself, I think people are mostly fair. I mean, they're mostly intelligent. Mostly fair.
B
Yeah. So when I was doing We Hack Purple, I felt I'm like, it's really important to me that I try to raise the profile of women. I had already started my first nonprofit for women called WoSEC, Women of Security. And so we're basically like groups of women in 34 cities. At our largest, we're where we would just get together and hang out and just be women that are in security. Just being friends so that we had peers, because all of us would always be the only woman on the team. And I'd go to meetings with 30 people, and I'd be the only woman everywhere I went. And I'm like, it's so cool to just hang out with other ladies. And so I did that for a while. And then when I started We Hack Purple, I wanted to make a place where all of them felt safe and welcome. And I have ADHD and I have dyslexia, and I come from a family with many disabilities, so I have a cousin that's blind. I have an aunt in a wheelchair. I have all sorts of different lack of ability in my family. And so I'm very. It's normal for me to make sure that the deaf people are included because that's my uncle. Right. And so I wanted to make sure everything was quite accessible as well. And then one day I was on Twitter playing around, and one of my friends, who's a disabled black woman, she was saying, how can I, as a black woman, ever afford a SANS class? And then a bunch of white men responded, it costs the same for everyone. And I responded, yeah, but she doesn't have the same starting place as you. She's more likely to be paid less. She's less likely to get chosen for training. She's less likely, like, at work, I mean, getting funding. She's more likely to have, like, family borrowing money from her. She'd like all these other things as a result of her race and her gender and her not being fully abled. And she was. Yeah, what she said. And then I was like, you know what? I'd like to give a scholarship for 10 women of color to take the We Hack Purple Application Security program with multiple courses.
And then when you graduate, we would help you find an application security job. We'd help you get interviews. Right? After three interviews, if you didn't get it, we're like, okay, something's wrong here. But we had a really high placement rate, like, 98%. And so I. I did that. And then Katie Moussouris from Luta Security messaged me, and she's, yo, how much does it cost to put 30 more women through? And I like, oh, I could split it with you. We could do this much. She's like, let's do it. And then someone else wrote me, and someone else wrote me, and before I knew it, we had this diversity scholarship for anyone who, like, was underrepresented and whatever that meant. And so whatever, they would just write us and justify. And most people got the yes. And we ended up putting a lot of people through that program, and lots of them became application security professionals or working in some other field of IT security. Because sometimes you learn about AppSec and you realize, oh, I want to be an incident responder or something else, but all of it is a good foundation. And so I also had the We Hack Purple podcast, where if you look at the list of guests, you might notice that 75% of them are from underrepresented groups. And I feel like representation and seeing yourself in what you do really matters. I had no idea. So the very first security conference I went to is called Countermeasure in the local city I lived in. And the opening keynote was Justine Bone. Oh, she's full of fire. She's so incredible. And I was like. I was so amazed by her. And one third of the speakers were women. And in software development, it's about one third female nowadays, right? I think it was 25% then. So I was like, oh, this is normal. And it wasn't until I went to every other conference I spoke at, and I remember, like, they take a picture of all the speakers, and there'd be me and 30 guys, me and 50 guys, me and maybe one lady from India and then a hundred guys. And I was like, oh, where?
Where are they? Where's everyone? Where are all the women? And turns out it was only 10% female. At that time. Yeah.
A
And with a bunch of us struggling, going, how are we going to get more people? It. It's one of those things that. And I think despite the current environment, and I don't want to get into that because it just drags me down, but the whole idea of most CISOs I talk to, CEOs I talk to, CIOs I talk to are going, we've got to get more women in because we need more people. And they're talented and good and reliable. They hold up half the sky, really. And so I think that's been one of the things that's been a slow piece for people to adapt to, but it is something. And I was fortunate. I spent 10 years of my life working with Fawn Annan, who's probably one of the legends of Canadian IT, you know, a woman who never took no for an answer. And that was. So I was fortunate in that. But I don't want to put you into one block or another. You have your own reputation as a security person and as a security teacher. And one of the reasons I'd called you, my friend David, I was looking through this, and I just. I'm stumbling right now at why security is having such a tough time in terms of programming. Now I'll back up and say I started out so long ago that a clean compile was our security check, but it was also. It was also a unit test, too. And for anybody out there, programmers, you know what I'm talking about. But at one point or another, we really did get to a pivot point where security is threatening a lot of our code or lack of security awareness. Can you just comment on that? Can I just get you to talk about that? Because that's your thing, I think.
B
Oh, it is my thing. It is absolutely my thing. So part of the issue is people like you and me. I started coding in 1994, 95. And I went to college in what, like, 1997? 98. Like, I got my first job in 1997 in IT. Like, that's a while ago. And I was taught to put the secrets in the code on purpose so you don't lose them. That's what I was taught. Right. And so if you want to learn about security now. So when I switched into being a pen tester, I had a mentor. Eventually, I had several mentors. And I read The Shellcoder's Handbook and I read The Web Application Hacker's Handbook and that taught me how to break things, but not how to fix things. Right. And so when I released Alice and Bob Learn Application Security, that is the first book that taught you how to build an AppSec program. There just wasn't one before. There wasn't one that taught you how to be an application security professional. And so everyone was just winging it. There's no training class. When I built the Application Security Foundations program, like that was the first one. And so some chick from Ottawa.
A
Who.
B
Was like, this is how I do it. I hope you like it. And it turns out people did. And there's more since then. There's now the Application Security Handbook by Derek Fisher and there's some stuff from SANS and there's some stuff from a couple of groups, right? But that field, the person that makes sure that you have a secure SDLC and that there is testing happening every time and that it is consistent, that didn't. There were some of those people at some places, but that wasn't even like a job description in the Canadian government when I was working there. And we had to build that. The fact that like you would have a security program for software. And then on top of that, I believe that academia is completely failing us here. And I'm going to be like, quite harsh. I have hard, strong feelings about this. So I wrote my book hoping that academia would adopt it. And all of them responded with, yes, you can come work here for less than minimum wage and we'll keep all your IP. And I was like, oh, that's a bad deal. No, I charge a fortune per day for private companies to learn this. What if I prerecorded lessons for you and automated exams and they're like, no, you must be here physically in person three times a week. And I was like, no, that makes it so I can't even get another job. And it's basically volunteer work for a multimillion dollar, giantly profitable organization. No, screw you. And they're like, you only have a college diploma. You're not even a real human being. Like, you're not part of our pyramid scheme. That is the tenured professor track crap. I have two cousins that teach at Waterloo and it is a racket. And so like you have all these adjunct professors and other levels of professors that all just want to be tenured. And you don't know why some people are tenured and some aren't. And lots of them just happen to be white male, and there's a lot of stuff going on there that I can't fix.
But they are right now graduating computer science students all around the world and computer engineering students with zero security skills. And they say we can't find someone to teach. But I say they're not willing to work, to give any sort of reasonable offer. And that's the problem. They're not willing to adjust. They're not willing. They're like, you will do it our way or not. Last month, for the very first time in my entire life, I met someone who is teaching secure coding at a university, the University of Maryland. And she's teaching my book, Alice and Bob Learn Secure Coding. And that is the very first one ever that I've heard of. I've heard of some adjunct professors teaching the OWASP Top 10 at night and a little bit of hacking. Now, Jim, imagine if trade school for electricians were like, you know what? We're not going to teach any safety and houses are just going to burn down all the time and it's just going to cost millions and millions of dollars and sometimes people are going to die. It's too expensive to teach safety that we going to. That's fine. Right. I think we should end funding for programs. I'm not kidding. Like the government should just be like, you start teaching that next year, you figure it out. Or you don't get any more grants for those students because what they're doing is making an industry that's not safe.
A
Yeah. And there are, and it is a problem. And I'm. I've taught in universities. I like to think of myself as a person who understands the academic world and, or at least why it's important to think in terms of structured academia and things like that. But you haven't lived until you've run a marketing company for 10 years, pulled it back from bankruptcy and have some professor turn to you and say you're not academic enough in your teaching of marketing. I said, guess what, the customers aren't very academic in it either. And I've got friends who teach at university who are struggling with the same thing: how do we be relevant? How do we break out of what we're doing in these structures and be relevant? And it's not just about training people for jobs. It's about training people in the skills they need to survive. A friend of mine does teach at Waterloo. I taught a leadership course there for engineers. It was packed because they wanted to know how they could get their ideas across and how they could communicate better. We pigeonhole the people who are coming up as engineers, software engineers or whatever, as if they're not well rounded either. And they are. They just need the opportunity.
B
Yeah. Oh, I think the students want to learn. I have lots and lots of students that follow me. This winter or early spring, I'm opening a new community which I'm going to call DevSec Station with the idea of just like amassing lots of these people so we can try to learn some stuff together. And I feel like what I have been doing is giving live training to private companies for lots of money, which is awesome for me, but it's not awesome for individuals. Right. I'm not serving the whole industry. I'm just serving these small pockets and I speak at conferences and that's good. But can I complain about one more thing, Jim?
A
Yeah, absolutely.
B
So I love speaking at conferences and I love being on stage and basically being on stage lights me up and fills my cup. But conferences always want a conference talk, don't want to listen. I'm dying to teach lessons. I want a conference that just lets me teach lessons. And so a lot of conferences now are going to let me teach, do training beforehand and they charge extra for that and that's cool. But I would love to attend a conference where instead of a talk with a thesis and then you prove the thesis and you like solve the problem for the audience and you're like, voila. Which is still fun. And I learned from those. I would love lessons. Like just every single hour is a different lesson. I would, I think that would be super.
A
That's where you go. This is the miss, the audience mismatch. People go to conferences to hear about how people solved problems, how they dealt with issues, how they built it, and many times they get a marketing talk. And that, that's one I think is a disaster for conferencing and frankly, a waste of your money.
B
Yeah, sometimes that happened. But I get so frustrated if I'm in a talk and they're like. And that's why my product. I'm like, come on. Yeah, it's going for this. Who is going for this?
A
But there are some bright lights though, like BSides and some other places that are really, that are diving deeper into the real experience of this, I think. So we are seeing a turnaround and I think it's just because, I hate to say this, that may sound like, makes me sound old, but I think younger people just aren't going to put up with this.
B
We can only hope.
A
Yeah. Yeah. So let's talk about security and programming. One of the reasons I wanted to call you, this started with a conversation with my friend David Shipley and I. I did an interview with someone and we were talking about software tools, simple tools that were there to neaten up your code, get your JSON in better shape and all that sort of stuff. And it turns out that these tools are actually storing passwords and secrets and all kinds of things and, and putting them on. And because you want to actually share which tools you have, you can actually Google and find lists of these tools. And they found an amazing trove of secrets and all sorts of things. And I went, okay, I get it, I get it, we need a lot to learn. But this is a mess, you know? And it makes me understand why GitHub is just attacked all the time. How. What do you think about this when you see this?
B
I think that they didn't follow a secure system development lifecycle to make that tool. I think that. So the open source software ideology, the whole thing of I made this cool thing. Would you like to see? It's so beautiful, right? Like, I love that. Like, I'm part of the OWASP Top 10 team and we wrote a new one and we did that last month. We're like, we wrote a new OWASP Top 10. What do you think? And we're getting all this feedback from wonderful community members and it feels really good, right? But when you do that and you get feedback, you don't have a bunch of pen testers volunteering their time to pen test each one of those things, right? You don't have an application security professional that can be part of every single one of those projects to be like, hey, did you follow proper secret management? Hey, I see you're rolling your own crypto. No. And so they don't have these proper checks that ideally you do if you're part of an enterprise, which quite frankly is not true. Around the world, there are still lots of companies where I'm helping them launch their first AppSec program. I'm doing some really interesting projects right now that are super, super cool. Like I'm working with a medical device company. I'm working with a company that ships some. I don't think I can tell you the thing they ship, but it's very large and they ship it all over the planet and especially to China. And they need to keep track of these special things they're shipping that are very big and heavy and like how to secure those things is really cool. Right? But there was no security before I got there. And it's 2025, right? And so we have people trying really hard to catch up and trying really hard to do this the right thing while they don't have a big budget to do the thing and there's not enough of the me's to go around. So I tried to build more application security engineers. Right.
I helped create thousands of new ones via the books and courses and I'm still trying to help do that all the time with my teachings. But there's still not enough me's for all of them and not everyone can afford one. So there's that. And then open source has no money and everyone's, I'm just going to use it for free and never pay anything. Like I use Signal on my phone for texting and each year I donate some money because I use it and I love it. But most corporations are like, why would I give money for free? And so it is free, so why would I pay? Why would I donate? If we all paid a fee for the things we used, I realize it would be a lot more expensive. But then those projects might have money for security, right?
A
Yeah, yeah. There's no question the economics of open source people. And we're seeing in some cases the near death of open source. There are projects that are just going away because people are retiring and they're not going to do it anymore. And when you listen to them, the amount of grief that they take from the community and from people who use the software. I've seen people say, writing this big complaint about the software, you didn't do all these things. Right. And they're really ripping someone a new one on this. And yet you look at it and say, wait a minute, this is free. As Jon Stewart says, those seats are free. Folks.
B
Don't complain. Submit a pull request. Yeah, don't be like, the kitchen isn't clean. Do the dishes. But I agree with you. Yeah. The OWASP Top 10 team, they are used to getting quite a lot of flak and people have been very gentle with us this time. And they're like, what's going on? Yeah, open source maintainers, this is my hobby and this is what I'm doing for fun. And if it stops being fun, why would I keep doing it? Yeah.
A
But also we still haven't built that culture even into the open source community as to how to deal with security, I think, and if I've got it right and tell me if I don't, because I'm. I don't think I get everything right. But it's just we still seem to have that mentality that security is pasted on. There's a security person, an engineer is going to look at your code after you write it and tell you whether it passes or not. Or I'm going to do a little bit of a coaching with you and do those people. You can't do it. You can't spread that thin. And we all talk about it. We have to build this in to, we have to build security into coding, not try and put it on top of that. But how do we make that more than just a catchphrase?
B
Oh, so this is my favorite topic. So whatever system development lifecycle you're following, whether you're doing DevOps or Agile or waterfall or some freaky thing, I feel if we can add one security activity to each one of the phases, then you're going to build way better software. Even if you're doing DevOps, you're doing Agile, you're doing requirements gathering a bit at a time sometimes, right? But you still know you're building a serverless app that has three APIs. And so there's still certain security requirements you should know that you need, right? So every time you build an API, there's a bunch of things I'm going to want from you. And so if every org is, every time you build one, these are the security requirements you have, then you can start off with expectations of the things you need. And in those requirements you can also say all the other steps you expect. So let's say while you're doing the design phase, like I'd like you to do a threat modeling session, or I want you to do, I want you to fill out the security architecture review form, or I want us to have a one hour whiteboarding session where you tell me what it is and I draw and you tell me when I'm wrong and I ask 400 questions. Like when these two things talk, is there authentication and authorization? And if not, why not? And I just ask all the questions and I act like I don't know anything because I don't, because I'm not the SME. They're. They're the subject matter expert. And then eventually it's can I have these three changes if we could first of all make sure that we have one of those guys during everything. And then I realize that I sound incredibly biased and like I acknowledge that, but training. So I started doing training because I'd actually started a startup company that had failed. And then I'd put on Twitter like, I don't actually know what to do with myself.
Like now that I've left Microsoft, I like planned this big startup and me and my co-founder split and I'm just not sure what to do next. Now and all these people are like, while you're figuring that out, could you come train our devs? And I was like, yeah, I love devs. Let's do it. I love talking. This sounds great. And I just see it solve so many problems. Like, I talk to customers. Like, I met with some customers yesterday where I taught them one and a half years ago, and they're like, you changed everything. Everyone is different. And so now we're going to do like a multi, whatever engagement, blah, blah, blah, right? And they're just like, they ask us questions all the time now. They're like, hey, can we have one of this security tool? We didn't have to shove it at them. They're like, hey, what are the requirements for this? And I like, I'll go get those for you. And they're like, they're pushing us to be better and better by demanding stuff from us. And, like, it changed our culture so much. And I got. I made friends with this hacker essentially because we were both in bands, and then he infected me with the ideas, and then I joined OWASP and then it was like, all downhill from there. And I made all these amazing friends and I just wanted to learn more and more from all these cool people at his meeting. And I feel like if we can, we can show the developers the thing, like, because they're builders, they're so proud of what they make. And of course they want it to be safe.
A
Yeah. So funny, because it seems to be the one skill that you can't put in there, or at least we haven't put in. I still remember when I was an analyst, one time I missed a field. And this is the old days when you had to unload the whole database and load it up again. I, the head of our development team, threw a pen at me. I don't recommend this, by the way. He threw a pen across the room at me and he said, you know what's going to happen now, buddy? I'm going to lose my long weekend. You're going to lose your long weekend. Our kids are not going to have anybody to play with because we're going to be sitting here fixing your mistake. Now. People would say, did he create a safe environment? Or whatever? All that sort of stuff. I tell you, I learned. I learned that I'd let the team down by not knowing those things. But the sense of we're part of a team and security's part of what we do just doesn't seem to be a roadblock we can get ahead of.
B
Yeah, yeah, I agree that it is hard. I find that it. So it's funny cause like I, I was creating this lesson yesterday where I was explaining the purpose of threat modeling and I was like, in all the things you do to quantify risk to explain a threat, basically if you can't make yourself understood, then it's invisible. So people don't understand. So like right now there's a huge vulnerability on React and it's really scary. And I made a video about it right? Like literally as soon as I learned about it, I made a video about it because I was like, it's not being exploited in the wild yet and it's gonna be and I want to save as many people as I can. And I explained how it was like Log4j. I explained how easy it is to exploit or how it was going to be once we had the proof of concept. And I was like, and this is why I need you to go do it literally right this moment. And a lot of people were like, holy crap, I'm literally going to go do it right now. And learning how to explain a risk to someone or a threat or whatever and how likely it is, is hard. But once you can get that message across, people will take it seriously. And if you just say the sky is falling every day like all the security tools where everything's a frickin 10, everything's not a 10, buddy.
A
Yeah, but let's go back to that. I don't know if we're talking about the same thing and this will be, we're from the past because we've recorded this. But the React JS thing that just happened, that the story I've been covering. Now the neat thing about it is that the guys who support it put out a tool to actually do recursive searches for bad behavior and say that we'll implement and update your module to the latest version. The only question I had, and I love the fact that they got it out quickly, I can't figure out why that wasn't part of the development tool set.
B
So I think the React team handled it as gracefully and beautifully as they could and very quickly. And I'm very impressed with them and hats off to them because their week probably really sucked. But I think that because if you look deep down at the vulnerability into the Flight protocol and all of that, it's an insecure deserialization and that's basically like crossing trust boundaries, right? It's like we didn't validate input and that is it. It's about security awareness again, right? It's about training, it's about them, just that's what the bug is about. And like them having that tool, how would they know to create that tool? And also quite frankly, like that's a tool that they could sell if you could create that tool for all software to find anomalous behavior in your apps. That tool doesn't exist right now in our industry.
A
And I'm not blaming them for not having it. I'm just. And for anybody who's listening to this, and I'm not God's gift to security, but the bug that they found is pretty esoteric and the fact that it is now starting to be exploited is not something a lot of people would think about. I've been critical of Microsoft, who for the past couple of in-the-wild exploits that have been out there, they rejected them two years ago and said nobody's going to do that. I think when you're, when you've got all the money in the world and you've got a big department, I'm going to give you a little less slack on that one. But if you're supporting an open source module and you don't think through that or you've got other code to do. But I'm just saying it. I don't know how we build that culture and we have to, I believe, because we can't. You can't paste this stuff on. You can't move at these speeds and paste it on.
B
No, we can't. And especially not now that we're vibe coding all the time. So everyone's like, vibe coding's the worst, it's terrible. However, I feel like if we can teach the AI to create significantly more secure software, maybe it could be part of the answer. When I first started working with AI, so I have this weird training method that I call Bad, Better, Best. And so I show, really, so I'll talk about input validation and then I'll show some code. I'm like, hey, what's wrong with this code? It's pretty bad, eh? Because I'm Canadian, so I say "eh" a lot anyway. And they'll say there's no input validation. Yeah, that sucks. Then we'll look at better code, and I fixed this one thing. And then the best code's like multiple layers of defenses. And so when I was creating training last year, I would say, hey, give me an example of a login screen or whatever it is. And it just wouldn't have the input validation, it wouldn't have output encoding, it wouldn't have anything. And so every bad example was the default. Now, sometimes I have to remove some security to have the bad thing. And that is very recent, like the past, like, one, two, three months. And yes, I also have a lot of security prompts and other things that I'm using, so maybe part of that is me. But I do think it is improving. And so I have some ideas on more things that we can do over time. But I feel like if we can make all the code coming out of the AI be at, like, a certain security posture, that could really help quite a bit, because so many people are taking code from there. Right. So if we train the AI so that it is only producing, like, pretty decent code, we're going to bring everyone forward a whole lot. Although it's not there yet, I do think it can get there in the next year or two.
A
Yeah. Even with, and I've been working with Gemini since it came out as 3.0. And I'm not a coder anymore; that's a long time in the past. But I spent an afternoon working through it, asking it questions, asking it to teach me how to write code that I'd never written before, which I found just astonishing, how quickly you could learn that. AI is a great teacher. But then I turned it to saying, how do you improve this? What do you do? And I don't, again, I think the tools might be there for that. Because for you to ask questions like, what are the list of things I should be concentrating on? Where are my vulnerabilities? I think they're there. I think it's a cultural thing that we don't try to, which is still, how fast can I generate a lot of code? Yeah, how fast can I get the answer I want?
B
I feel like if we at least started with some prompts. So I have a secure coding guideline that I give away, and if you want it for free, it's at securecodingguideline.com, and basically it's 82 or 84 things that I want you to do to be secure enough to go on the Internet and to build a good app. And if someone turned all those into prompts, that would be some good. Which obviously I need to do. Right. But that needs to be the next thing that I, the next giveaway that I do. But basically I feel like it would at least be a good place to start. So it's: make sure that every single input to my application has proper validation, that it is what I'm expecting, and if it's missing, flag it for me. Make sure that every single thing that I'm putting onto the screen has been output encoded, and make sure that it has the proper context. If we went through and, like, we ran that on it before we did the thing, like, we could really get out in front of a lot of stuff. And so this is where I'm hoping security teams are going to pick up some of the slack. Because if everyone's using, like, Bedrock or whatever they're using, right, and the security team's here is, like, prompts that you have to use, and they make it part of the guardrails for the system, like, we could get ahead of a lot of these things. But right now we're not there, and I need it to get there a lot faster.
A
Yeah. And like I said, I go back to it: sometimes, as many things are, it's the obvious. People spend a lot of time on AWS security and then leave a data bucket unsecured. And part of that, I think, is the complexity. Although we like to think of cloud as giving us simplicity, I'm not so sure about that. I look at how it fits together and I say, I think we got more complicated.
B
Yeah, we definitely did. It's way more complicated. Like, it's great that I don't have to take care of physical security anymore, but it's much more complicated. Oh, my gosh. I remember my security team. There was a security incident and I was, like, talking to Shared Services, which in Canada is the IT department for the government. And I was like, I need you to take down the server. And they're like, you have to fill in these forms. I'm like, no, I need you to turn it off, like, right now. And they're like, no. And so I just sent two of my dudes from my team, and they just walked into the data center. They walked into the cage, they unplugged it and walked out the front door, both carrying two big boxes. And like, there are just two. One was a regular sized dude, one was a big dude. And they're like, hey, where are you going? They're like, f off. And they walked in with the servers and I, we are protecting democracy today. Nope. And no one stopped them. And I was like, I don't know what to say, but thank you, guys. Because I was like, I need these servers off there. And they're like, we'll be right back, and just drove down there. Oh, I love my team so much.
A
Yeah. Also, I still go back to this whole thing that I actually put into my book, which was you can get anywhere with a clipboard and coveralls, sadly. But you can. Yeah, I think this thing of how we respond and how quickly we respond. I remember doing training with one place, and there was an actual piece in the training, which is: you're being attacked, what should you do? Should you pull the plug to the server and stop it so that it gets no further? Should you unplug the cable so that it can't communicate? What should you be doing? And one of the answers was, you shouldn't be doing that, because you're going to take away the ability of the FBI to investigate this. And this was a real training piece. And I looked at it and said, I don't know, and I'll get notes on this from people, I'm sure. But I looked at it and said, you know something? What you do is stop the damage, I think. But again, that's training that I don't. We can speculate about it in a call that we were having, but that's training. You want to think your way through, but you want to plan in advance. And I think that's the other piece that drives me crazy about security: you can't make those decisions at the moment of a crisis. You have to have thought of them in advance.
B
Can I. Sorry.
A
No, it's okay.
B
When I did incident response, I only had training on how to manage the incident, like communications, manage the people, get the investigation going. I didn't actually get any technical training on it, because there was no course on how to investigate a software incident. It was only how to look at malware, how to look at ransomware, how to look at network types of attacks. And I don't know the answer.
A
Yeah, no, it's true. But I think that's something that, again, we need to build into our culture. I want to, I promise I will let you go after an hour. And I do want to bring you back, because I think I'll be a better interviewer after having talked to you a little bit. But I want, if we could just leave our audience with just: if I gave you the magic wand today and said you fix it, what would you do?
B
So every single introduction, every single Hello, World lesson would include security. Every single boot camp or software development program would have secure coding as part of the actual program, like the main part of the program. It wouldn't be elective. It would be the same as quality, the same as performance. It would be the exact same. And then I would also have all the AIs get trained on really super secure code instead of the crap it found on GitHub and Stack Overflow and all the other crappy places that it got its code. And then I would have every developer have a sense of security being a part of quality, be a part of their core belief system. And that is a big magic wand that I, I would like to put myself out of a job, because then I can just go back to being a dev.
A
Yeah. Or a musician. I always think I've got that to fall back on too. You never know.
B
If I don't need any money, I could definitely fall back.
A
Yeah. How does a musician deal with winning the lottery? You just keep making CDs till it's gone.
B
That's so true.
A
This has been fabulous. So thank you very much. There are so many more questions I want to ask you, and I want to have you back so we can go through that. But I feel like I've just started to get to know you, and I'm going to say this to our audience: Tanya and I just met and I'm having this conversation. If you've got more questions, send them in to me. Send them in. Just go to technewsday.com, go to the contact us form, put in your questions, and I'm sure she'll come back and help us answer those. And we will put links. She's going to have her people talk to my people and send links to all of the things she's talked about. So if you're watching this on YouTube, you can find them under there, or you can find them at technewsday.com. Tanya Janca, what a pleasure it's been. Thank you so much, Jim.
B
This has been so lovely. I'm so glad Dave introduced us and.
A
We will see you again. We'd like to thank Meter for their continuing support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. And working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity into a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, workers, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST.
Podcast Host: Jim Love
Guest: Tanya Janca (SheHacksPurple)
Date: January 17, 2026
In this insightful episode, Jim Love interviews Tanya Janca, renowned Canadian application security expert, educator, author, and founder of We Hack Purple. The conversation explores Tanya’s unconventional career path, her work empowering underrepresented groups in cybersecurity, the persistent security gaps in software development, the failings and opportunities within academia and open source, and the urgent need for cultural change in how organizations and individuals approach security in coding.
“I started speaking at conferences and then before I knew it, people were sending me plane tickets for all around the world... Microsoft phoned me... They sent me plane tickets and I went to Seattle and I joined Microsoft as their first security advocate.”
— Tanya, [01:05]
“We had this diversity scholarship for anyone who was underrepresented and whatever that meant... we ended up putting a lot of people through that program, and lots of them became application security professionals.”
— Tanya, [05:22]
“Academia is completely failing us here... graduating computer science students all around the world and computer engineering students with zero security skills... Like the government should just be like, you start teaching that next year, you figure it out. Or you don't get any more grants.”
— Tanya, [12:31]
“When you do that and you get feedback, you don't have a bunch of pen testers volunteering their time... you don't have an application security professional that can be part of every single one of those projects...”
— Tanya, [20:13]
“If we can add one security activity to each one of the phases, then you're going to build way better software... and if we can show the developers the thing... of course they want it to be safe.”
— Tanya, [24:43] and [27:53]
“If we train the AI so that it is only producing... pretty decent code, we're going to bring everyone forward a whole lot. Although it's not there yet, I do think it can get there in the next year or two.”
— Tanya, [34:14]
“I just sent two of my dudes from my team and they just walked into the data center... they unplugged it and walked out the front door, both carrying two big boxes... We are protecting democracy today.”
— Tanya, [36:54]
“Every single Hello, World lesson would include security. Every single boot camp... would have secure coding as part of the actual program... Security being a part of quality, be a part of their core belief system... I would like to put myself out of the job because then I can just go back to being a dev.”
— Tanya, [40:14]
Tanya’s tone throughout is candid, passionate, and approachable, blending serious expertise with relatable anecdotes and humor. She emphasizes practical solutions, community inclusivity, and a vision for systemic change—never shying away from difficult truths but focused on positive impact.
For further resources, Tanya’s secure coding guideline is available at securecodingguideline.com, and the We Hack Purple community continues her mission of making software, and the industry, safer and more inclusive.
End of Summary