Episode #249 with Tanya Janca

Secure Guardrails

This week on Episode #249 of Absolute AppSec, Seth and Ken are joined by Tanya Janca – a powerhouse in the world of application security. Currently, she leads Community and Education initiatives at Semgrep and is the founder of SheHacksPurple/WeHackPurple. After Semgrep acquired WeHackPurple, she has been updating the coursework from the WeHackPurple Academy to the new Semgrep Academy, providing free educational resources in application security. Full Episode Video at: https://www.youtube.com/live/DRcjrvomyRs 

Tanya is passionate about engaging with the community and empowering diversity within application security. Tanya emphasizes the critical role that mentorship and engagement play in helping guide newcomers, especially from underrepresented groups. Mentors can guide mentees through the complexities of application security, where both the mentor and the mentee learn and grow together. This passion is reflected in the inclusive communities that she has built over her career and in her belief in the importance of having accessible educational resources.

Tanya introduced the concept of secure guardrails as a proactive measure for application security. Unlike traditional reactive measures such as DAST, SAST, and SCA tools, which flag problems after the code has been written, secure guardrails are integrated directly into the development process. They help developers avoid common security pitfalls by providing automated checks and balances that guide them toward secure coding practices without making them feel constrained.

“[W]hen you're doing a guardrail, you don't want to do a hundred. You want to look at what the absolute most important thing is that is facing your organization and then figure out if there's a way to make a technical control to stop it.”

Tanya Janca

Application security activities must prioritize security issues within the context of business needs. Not all vulnerabilities carry the same weight; their impact can vary significantly depending on the application and how it is used. A risk-based approach, in which vulnerability priority is driven by potential business impact, ensures resources are allocated to the most critical issues first. As growing organizations need to scale their security programs, maintaining consistent security standards only becomes more difficult. Tanya recommends standardized security frameworks and automation to ensure security practices are applied uniformly.

"We want to take the scariest things first, get those done."

“[T]ry to just stamp out those really big, scary things first, and then work on bigger chunks.”

Tanya Janca

Tanya expressed her frustration with the misuse of the term “shift left” by marketing teams. Originally meant to advocate for early integration of security practices in the development lifecycle, the term has been diluted by marketing campaigns. Tanya stressed the need for genuine implementation of this concept to improve security outcomes. With this, she highlights the importance of building strong relationships with developers. Security should be integrated into the development process through collaboration and understanding. Engaging with developers and addressing their concerns can lead to more effective security measures.

Overall, a great conversation with Tanya’s insights. Be sure to catch this episode on your preferred platform. And, as always, there is further conversation going on in Slack. If you are in need of Absolute AppSec Merch, you can now purchase items at merch.absoluteappsec.com. So be the cool kid in your neighborhood and grab a t-shirt (or two).

This episode was sponsored by The Diana Initiative. The Diana Initiative is a one-day information security conference committed to helping all those underrepresented in Information Security. This year, it is being held on Monday, August 5th in Las Vegas, NV at the start of Hacker Summer Camp. The event will feature multiple speaker tracks, workshops, a capture-the-flag competition (CTF), and villages with hands-on learning. Get your tickets today at https://www.dianainitiative.org/.

Stay Secure,

Seth & Ken

https://youtube.com/live/rdRJK8WWV_o - Episode #241 - Seth & Ken explore Secure Defaults

https://youtu.be/yjsE_DSnK5w - Episode #115 - Clint Gibler discussed Semgrep and Static Analysis

https://youtu.be/QtlW6tfMSKU - Episode #63 - Julian Berton relays importance of developing Security Standards

Absolute AppSec Happenings

https://www.theregister.com/2024/06/21/optus_data_breach_faulty_api/ - As discussed previously on the podcast, the Optus breach details are now available. A deprecated API existed on an old environment that was not cleaned up or removed when new functionality was implemented. Crocs & Socks, basics.

https://www.dorkgpt.com - Using AI to generate Google Dorks. Entertaining for OSINT activities or to see what else the search engine knows about your current application.

https://sansec.io/research/polyfill-supply-chain-attack - Another supply chain attack. Takeover of a domain and related GitHub project leading to malware injection.