Today we have one of the most renowned ethical hacker who also has contributed in OWASP for various projects. Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives. So let’s have a look on the interview we had with Tanya.
Team Hackers Interview : Hello Ms. Tanya, please introduce yourself to our readers.
Tanya Janca: Hello Readers, I am Tanya Janca, a software developer turned OWASP-obsessed ethical hacker. I work in the area of application security, helping developers write more secure apps.
Team Hackers Interview :Why you’ve decided to pursue Ethical hacking as your career option?
Tanya Janca: I used to run a lunch and learn program for my dev team. One day we had an ethical hacker come in and he hacked past a login screen using SQL Injection. I was intrigued. He and I became friends and he spent the next year and a half convincing me to “join the dark side” and become a hacker. I haven’t looked back since!
Team Hackers Interview : How you had started your journey in cyber world?
Tanya Janca: The gentleman who convinced me to become a hacker gave me my very first contract as well (what a guy!), and taught me the basics. I joined my local OWASP chapter at the same time, and quickly became one of the chapter leaders. Being a chapter leader meant I could help turn OWASP into what I wanted it to be, including finding talks that I felt would help me learn the most, adding Capture the Flag contests, and other events that are a fun way to learn. I also did *quite* a bit of self-study. All of that gave me a foundation of knowledge, but the tide really turned when I convinced the security team at my day job to give me a chance. It was magical, I learned so much, so fast. I am extremely grateful to all of the people who took a chance on my early in my InfoSec career when I did not have any experience behind me yet.
Team Hackers Interview : Tell us about your experience in this field.
Tanya Janca: I have done quite a few interesting things since I started in IT Security. I was the IT Security Coordinator (CISO equivalent) of the 42nd General Election in Canada, in 2015, when we voted in Justin Trudeau as our new prime minister. Then I launched my first ever application security program, it was incredible. That’s when I knew Application Security was what I wanted to do…. Then moved onto hacking web apps and scanning ALL the servers, in many data centers. Then I moved onto a web app security role, performing security testing, but also reviewing designs for security, interacting with developers, and designing their appsec and pentesting program. I also wrote my second web application security standard at that job, something to guide developers on how to make secure apps. I wrote a third standard before I left the government; I feel offering clear and concise guidance to developers is crucial. I then went on to join a formal application security program at a large department, where I “hacked all the apps” and “taught all the developers” about security. Throughout this entire timeline I performed quite a bit of incident response (management and investigation), for application security incidents (not malware, ransomware or any network incidents, just software). I also did quite a bit of consulting on the side, providing appsec training, hacking web apps, reviewing app designs for security issues, scanning networks, and advising on AppSec programs. I also did a bit of public speaking.
Team Hackers Interview : What are the amazing things you did in Ethical hacking?
Tanya Janca: As with many security jobs, I can’t tell you the juiciest parts, but I can certainly tell you about my open source project, OWASP DevSlop. (https://www.owasp.org/index.php/OWASP_DevSlop_Project) I’m currently obsessed with DevSecOps, which basically means weaving security into the 3 ways of DevOps, ensuring security becomes a part of Dev and Ops’ daily work, and that the security team learns to sprint. Anyway, OWASP DevSlop (DevSlop.co) is myself and a few amazing people (Nicole Becher, Imran Mohammed, Franziska Buehler) demonstrating many different ways that you can build a secure CI/DI pipeline, for creating secure web apps. Mine is named Patty, and she will be released in June, at the Open Security Summit (https://opensecuritysummit.com ) in London, England. We are all really excited to share our creations in hopes that people can reuse them and learn from them.
Team Hackers Interview : What advice will you give to our readers to stay safe online?
Tanya Janca: Well this is an open ended question for sure. I have so many suggestions that I am publishing a blog post on the topic. You can watch for it here in the next 2-3 weeks: https://medium.com/@shehackspurple
Team Hackers Interview : What is the scope of ethical hacking ?
Tanya Janca: This is a tough question. Many people have different opinions on this. Since this is an interview, and you are asking me, I will tell you *my* definition of scope. I only ever hack things that either I own, are intentionally vulnerable and made for practicing on (such as OWASP Juice Shop or DevSlop Pixi), or that I am given explicit permission to hack (meaning someone is paying me to do it and I have a signed contract). Although I am well aware that I could likely break into sites and get into other sorts of other types of mischief, I’m not the type to do those sorts of things. I am very aware that if you are someone who cannot be trusted, you are someone who will have trouble finding work in the security industry. Whatever temptation might be out there is never tempting enough to throw my career away for. So yes, I am squeaky-clean white hat, and proud of it.
Team Hackers Interview : What will you suggest to our newbies who are interested to start their career in Ethical Hacking?
Tanya Janca: The first thing I would do is join your local chapter of OWASP, and meet as many people as you can. Read or watch anything that sounds interesting to you on the topic. Attend relative meetups, if there are some in your area. Check out the links I posted for question #10. If you work in IT, ask the security team where you work if you can help or job shadow them, tell them you are interested. When you are sure you want this, and you are ready to work, ask the leaders of your OWASP chapter or the security team at work if they can help you find a professional mentor. I have had a few mentors since I moved into InfoSec, and each one of them has been invaluable in their support and advice they gave me. But prepare to work, because they can’t do it for you. Becoming an ethical hacker is a lot of work, it’s not for the faint of heart, but it’s worth it.
Team Hackers Interview : What are the various career opportunities in Ethical hacking?
Tanya Janca: There are many options. You could become a vulnerability assessment specialist or penetration tester, a bug bounty hunter/security researcher, you can setup security tools and consult teaching clients how to use them, you can review people’s code or architecture and design for security problems. You can become an amazing security coding champion. You can perform QA and add security testing. You can work in DevOps and be the “Sec” in DevSecOps. You can become a threat modeller, an incident responder, a forensic investigator. I feel like the possibilities are endless, although I’m sure that’s not actually true. There are quite a lot of jobs in this field, but finding that first job is the hardest one. This is where having a professional mentor can really help you, having someone who is well respected in your field recommend you is worth more than money.
Team Hackers Interview : What are the useful online and offline sources to learn ethical hacking?
Tanya Janca: I wrote a blog post about this exact topic! https://medium.com/@shehackspurple/links-for-getting-started-in-application-security-cc529d969cc6
“Thanks Tanya for giving your precious time to our readers.”
Author: Yogesh Prasad
Information Security Professional | Cyber Security Expert | Ethical Hacker | Founder – Hackers Interview