We Hack Purple Podcast


The We Hack Purple Podcast will help you find your career in Information Security via interviews with our host, Tanya Janca, and our guests from all different backgrounds and experiences. From CISOs and security architects, to incident responders and CEOs of security companies, we have it all. Learn how they got to where they are today!

We Hack Purple!


    • Latest episode: Sep 10, 2023
    • New episodes: monthly
    • Average duration: 47m
    • 85 episodes



    Latest episodes from We Hack Purple Podcast

    We Hack Purple Podcast Episode 81 with Diana Kelley

    Sep 10, 2023 (46:50)


    In episode 81 of the We Hack Purple Podcast, host Tanya Janca spoke to Diana Kelley, Chief Information Security Officer (CISO) at Protect AI. Diana and Tanya worked together at Microsoft, and to say that Diana is a pillar of the information security industry is somewhat of an understatement.

    Together they discussed the problems with Large Language Models (LLMs) ingesting poor-quality and badly licensed code, the OpenSSF (Open Source Security Foundation, and its goodness), and the fact that people sometimes don't even realize they are breaking software licences when they use what an LLM has produced. They also discussed what happens when a CVE is published for a library an LLM suggested: if the LLM did not give you the library's correct name, you will never receive the advisory for it. Diana explained how ML pipelines are set up and how data scientists work, with insecure Jupyter notebooks on laptops all over the place (perhaps a generalization on my part). Data science seems to be a topic a lot of CISOs are pretending isn't in their domain to protect, but both agreed that is not so: those teams hold some of the most valuable data your organization can possess.

    They also covered best practices for ML security (MLSec), the OWASP Top Ten for LLMs, and MLSecOps, the new free community her company has started. Diana has also released an updated edition of her book, Practical Cybersecurity Architecture.

    Diana's links:
    • Diana on LinkedIn
    • https://www.wicys.org/ (of course!)
    • https://mlsecops.com/
    • OSS Jupyter Notebook scanner: https://nbdefense.ai/
    • https://protectai.com/
    • Her book: https://www.packtpub.com/product/practical-cybersecurity-architecture-second-edition/9781837637164

    Bio: Diana Kelley is the Chief Information Security Officer (CISO) for Protect AI. She also serves on the boards of Cyber Future Foundation, WiCyS, and The Executive Women's Forum (EWF). Diana was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

    Very special thanks to our sponsor, Semgrep! Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. Get your free trial here: https://semgrep.dev/products/semgrep-supply-chain. Semgrep also makes a ludicrously fast static analysis tool, Semgrep Code, which has free and paid versions, uses an open-source engine, and offers community-created rulesets: https://semgrep.dev/products/semgrep-code/
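    The point above about an advisory never reaching you when the LLM got the library's name wrong, shown as an added example (my code, not Diana's, Protect AI's or anything from the episode): advisory matching keyed on ecosystem, normalized package name and affected version range, the shape OSV-style feeds use. The advisory records, their identifiers and the registry listing are constructed for the example, not real advisories; the input is assumed to be a list of exactly pinned Python requirements.

```python
"""Added example: matching pinned Python dependencies against advisories.

Advisory data and the registry listing below are constructed for this
example (hypothetical identifiers, not real CVEs). Matching follows the
OSV-style shape of ecosystem + package + affected version range, and PyPI
name normalization per PEP 503.
"""
import re
from dataclasses import dataclass

UNKNOWN = "unknown-package"  # distinct from "no advisories": the name may be wrong


def normalize_pypi_name(name: str) -> str:
    """PEP 503: lowercase, runs of '-', '_' and '.' collapse to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only (enough for the constructed data)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str
    ecosystem: str
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version, exclusive


# Constructed sample feed and registry listing (assumptions, not real data).
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "PyPI", "requests", "2.3.0", "2.31.0"),
    Advisory("EXAMPLE-2023-0002", "PyPI", "PyYAML", "0.0.0", "5.4"),
]
KNOWN_PACKAGES = {"requests", "pyyaml", "flask"}


def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def matching_advisories(name: str, version: str, advisories=ADVISORIES) -> list:
    """Advisory ids whose (ecosystem, normalized name, range) cover this pin."""
    wanted = normalize_pypi_name(name)
    return [
        adv.ident
        for adv in advisories
        if adv.ecosystem == "PyPI"
        and normalize_pypi_name(adv.package) == wanted
        and is_affected(adv, version)
    ]


def parse_requirement(line: str) -> tuple:
    """'Requests==2.25.0' -> ('Requests', '2.25.0'); exact pins only."""
    m = re.fullmatch(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)\s*", line)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    return m.group(1), m.group(2)


def audit(requirements, known=KNOWN_PACKAGES, advisories=ADVISORIES) -> dict:
    """Map each pinned line to its advisory ids, or to UNKNOWN when the name
    is not in the registry listing. A silently empty result for a misnamed
    package is exactly the failure mode to avoid, so unknown names are
    reported rather than treated as clean."""
    report = {}
    for line in requirements:
        name, version = parse_requirement(line)
        if normalize_pypi_name(name) not in known:
            report[line] = UNKNOWN
        else:
            report[line] = matching_advisories(name, version, advisories)
    return report


if __name__ == "__main__":
    sample = ["Requests==2.25.0", "PyYAML==5.4.1", "request==2.25.0"]
    for line, result in audit(sample).items():
        print(f"{line:20s} -> {result}")
```

    The third sample line is the case from the episode: "request" is not a package anyone publishes advisories for, so a naive matcher returns an empty list and the dependency looks clean forever. Checking the name against the registry first turns that silence into an explicit finding.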

    We Hack Purple Podcast Episode 80 with Ray Leblanc

    Jul 25, 2023 (47:36)


    In episode 80 of the We Hack Purple Podcast, host Tanya Janca brings on her long-time friend Ray Leblanc of the 'Hella Secure' blog. You may remember him from several Alice and Bob Learn streams, or from his cutting sarcasm on social media.

    Ray and Tanya discussed what they always discuss: AppSec. They compared AppSec responsibility versus business responsibility, how to "put it down" at the end of the day in order to avoid burnout, and whether 'perhaps Tanya should learn to stay in her lane?' They covered what happens when bug fixes don't get merged and released, the first year of the brand new conference that focuses only on threat modelling (ThreatModCon), and that Tanya will be Adam Shostack's teaching assistant for his course at OWASP Global AppSec the first week of November (get tickets here). Although Ray professes to be bad at threat modelling on the podcast, if you follow any of his work you know that's absolutely untrue, and Tanya teases him accordingly about it.

    Ray's links:
    • https://www.hella-secure.com/
    • https://twitter.com/Raybeorn
    • https://www.linkedin.com/in/raymondlleblanc/

    Very special thanks to our sponsor, Semgrep! Semgrep Supply Chain's reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable. Get your free trial here! Semgrep also makes a ludicrously fast static analysis tool, Semgrep Code, with free and paid versions, an open-source engine, and community-created rulesets.

    Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy (https://academy.wehackpurple.com/). Join us in the We Hack Purple Community (https://community.wehackpurple.com/): a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcasts, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 79 with Isabelle Mauny

    Jul 5, 2023 (58:24)


    In episode 79 of the We Hack Purple Podcast, host Tanya Janca spoke to Isabelle Mauny, Field CTO and co-founder of 42Crunch! Isabelle and Tanya met way back in 2018, at an API security workshop in Britain, having no idea they would be friends for years to come. Isabelle is extremely passionate about securing APIs, and has volunteered for several groups and projects in order to steer our industry in a more secure direction, including being president of the OpenAPI group and lending her skills to the OWASP DevSlop project to fix up our Pixi app.

    Together they discussed several of the challenges of creating secure APIs, including: BOLA (Broken Object Level Authorization), bots, all sorts of other broken authentication and authorization (not just object-level), verbose error messages, the fact that APIs are *not* invisible to hackers, and so much more. Isabelle covered how to build a positive security culture and a DevSecOps program that includes API security, what the OpenAPI specification is, and several inspiring customer success stories. They also talked about her free IDE plugin that scores your API definition out of 100 for security, and how on Tanya's first try she only got a score somewhere in the 20s! Of course, they also talked about the OWASP API Security Top Ten, and how it helped bring the importance of securing APIs into the mainstream, rather than it being an obscure thing only AppSec people like Isabelle and Tanya obsess over.

    Isabelle also spoke about a webinar she will be on July 13, Mastering Secure API Development with GitHub and 42Crunch; you can sign up here: https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/

    Get to know Isabelle: Isabelle Mauny, co-founder and Field CTO of 42Crunch, is a technologist at heart. She worked at IBM, WSO2 and Vordel across a variety of roles, helping large enterprises design and implement integration solutions. At 42Crunch, Isabelle manages customer POCs, partner integrations and product training. She is a frequent speaker at conferences and a published author. Isabelle is passionate about APIs and enjoys sharing her experience in podcasts such as this one :)

    Isabelle's links:
    • https://tools.openapis.org
    • https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/
    • https://apisecurity.io
    • https://github.com/isamauny/codemotion2023/blob/main/RuggedAPIs-Codemotion-2023.pdf
    • https://42crunch.com/blog/

    Very special thanks to our sponsor, Semgrep!
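    BOLA, the first item in the list above, as an added example (my code, not 42Crunch's, Pixi's or anything from the episode): the vulnerable handler beside the hardened one, in a framework-free shape so it runs stand-alone. The invoice store, the users and the "billing-admin" role are constructed for the example, and the (status, body) tuple stands in for whatever response object your framework uses.

```python
"""Added example: Broken Object Level Authorization (BOLA), vulnerable and
hardened. Data, users and the role name are constructed for this example;
the (status_code, body) tuples stand in for a web framework's responses."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount: int


# Constructed sample data.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 980),
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> tuple:
    """BOLA: the caller is authenticated, but the lookup never checks that
    the invoice belongs to them. Any user can walk 1001, 1002, ... and read
    everyone's invoices."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def can_access(user: User, inv: Invoice) -> bool:
    """Object-level rule: the owner, or a user holding the billing-admin role
    (role name is an assumption for the example)."""
    return inv.owner_id == user.user_id or "billing-admin" in user.roles


def get_invoice_hardened(user: User, invoice_id: int) -> tuple:
    """Authorize against the specific object, not just the endpoint. Missing
    and forbidden both return 404 so a non-owner cannot enumerate which ids
    exist (a 403 would confirm existence)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not can_access(user, inv):
        return 404, None
    return 200, inv


def enumerate_ids(handler, user: User, id_range) -> list:
    """What a bot or a curious user does: sweep ids and keep the hits."""
    return [i for i in id_range if handler(user, i)[0] == 200]


if __name__ == "__main__":
    alice = User("alice", frozenset())
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, alice, range(1000, 1005)))
    print("hardened:  ", enumerate_ids(get_invoice_hardened, alice, range(1000, 1005)))
```

    The enumeration helper is the whole point: with the vulnerable handler, Alice's sweep returns every invoice in the store; with the hardened one, it returns only her own, and the uniform 404 means she cannot even tell that 1002 exists.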

    We Hack Purple Podcast Episode 78 with Jason Haddix

    Jun 23, 2023 (31:14)


    In episode 78 of the We Hack Purple Podcast, host Tanya Janca brings on Jason Haddix to talk about artificial intelligence, and (of course) how to hack it! Jason discussed how to use AI for both defence and offence using plain, conversational language rather than code, and what a red teaming exercise looks like for such a system. They talked about what a large language model looks like, cleaning up training data, and how easy it is to get these models to do bad things. Jason invited everyone to the AI Village at DEF CON this year, and so much more! There was also much love for Daniel Miessler, his articles on AI, and his newsletter Unsupervised Learning (https://danielmiessler.com/newsletter/). Listen to hear the whole thing!

    Jason Haddix, AKA jhaddix, is the CISO and "Hacker in Charge" at BuddoBot, a world-class adversary emulation and red teaming consultancy. He's had a distinguished 18-year career in cybersecurity, previously serving as the CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker and bug hunter, currently ranked 51st all-time on Bugcrowd's bug bounty leaderboards. He specializes in recon, web application analysis, and emerging technologies.

    Jason's links:
    • https://buddobot.com/
    • https://twitter.com/BuddoBot
    • https://www.linkedin.com/company/buddobot/mycompany/
    • https://twitter.com/Jhaddix
    • https://www.jhaddix.com/
    • https://www.linkedin.com/in/jhaddix/
    • Jason's newsletter: https://executiveoffense.beehiiv.com/
    • Jason's training happening in July: https://tbhmlive.com/

    Very special thanks to our sponsor, Semgrep!

    We Hack Purple Podcast Episode 77 with Brendan Sheairs

    Jun 14, 2023 (40:58)


    In episode 77 of the We Hack Purple Podcast, host Tanya Janca chats with Brendan Sheairs about her latest obsession: security champions! Brendan has significantly more experience in this area than anyone Tanya has met, so they dug in deep on this topic. They covered a lot in this episode, including:
    • What the heck are security champions? Why would someone want them?
    • You need building blocks
      ◦ Must haves: goals! Who will run it! What problem are they solving?
    • What is the business goal or objective? You need a justification to do this!
    • Getting buy-in to be allowed to build a program
    • Having fewer bugs in production
    • Morale: are they happier? Are they missing less work?
    • The biggest challenge: the time commitment for champions, and then no one is allowed to work on it
    • You need top-down buy-in, but then the work happens bottom-up
    • "10% for champions": what does this mean? What can it look like?
    • Conflicts of interest, or alignment with other important things like deadlines and bonuses
    • Motivations: career advancement and financial
    • Things we can do to motivate champions
    • What does a good program look like?
    • Is someone leading the program? Someone needs to be responsible for the program, or it will, for sure, fall apart

    Want more Brendan? Here you go!
    • https://www.linkedin.com/posts/brendan-sheairs_securitychampions-securitychampions-cybersecurity-activity-7064622406937538560-bR59/
    • https://www.synopsys.com/blogs.html
    • https://www.linkedin.com/feed/update/urn:li:activity:7067122079698931714/
    • https://www.linkedin.com/posts/brendan-sheairs_securitychampions-securitychampions-cybersecurity-activity-7051901776257503232--Az7?utm_source=share&utm_medium=member_desktop

    Very special thanks to our sponsor, Semgrep! Get your free trial of Semgrep Supply Chain here: https://semgrep.dev/products/semgrep-supply-chain and check out Semgrep Code here: https://semgrep.dev/products/semgrep-code/

    We Hack Purple Podcast Episode 72 with Scott Helme AGAIN

    Jun 7, 2023 (58:50)


    In episode 72 of the We Hack Purple Podcast, host Tanya Janca brings Scott Helme back on because she just cannot get enough when it comes to security headers! You can watch and listen to his first episode here: https://wehackpurple.com/podcast/episode-69-with-scott-helme/

    In this episode they focus on the "new" security headers from Scott's blog article where he first introduced the public to them: https://scotthelme.co.uk/coop-and-coep/. These headers, Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP), focus on protecting us from side-channel attacks like Spectre and Meltdown, and the conversation honed in on how to configure each one, and why we would need or want them. The features are powerful, and they discussed building up to using them, for best results.

    Part of the reason that Scott built SecurityHeaders.com was to contribute to solving the problem of 'how do we get the message out there'. SecurityHeaders.com is an educational tool rather than any kind of definitive or perfect security assessment tool, but it's still incredibly useful. He's working hard to raise awareness, and podcast episodes like this can help. One of the most striking things Scott hears when teaching his and Troy Hunt's 'Hack Yourself First' course, when they talk about headers like CSP and HSTS, is: "Wow, I didn't know this existed!" There is a huge gap that we need to bridge in security between these things existing, and people knowing they exist and then actually using them. This is a big hurdle for folks like us.

    They also talked a bit about how all of these security headers are able to send reports and tell you what's up with your app. Lucky for us, Scott built Report URI so we can receive those reports with ease! Scott also has another free tool he created, https://crawler.ninja/, where he scans the top 1 million sites every day and looks at various things, including their use of security headers. As an example, you can see this list of sites using a CSP from today: https://crawler.ninja/files/csp-sites.txt. Scott also uses his crawler data to publish reports showing trends over time and changes in the usage of security features like the various security headers: https://scotthelme.co.uk/tag/crawler-report/

    Very special thanks to our sponsor: Women's Society of Cyberjutsu! Women's Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023! The Con will consist of hands-on workshops, Capture The Flag (CTF) competitions, professional headshots, recruiting opportunities, celebration, and more. Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023
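    How the two headers fit together, and how to build up to them in stages, as an added example (my code, not Scott's, Report URI's, SecurityHeaders.com's or anything from the episode): a small checker that classifies a response's COOP/COEP posture the way a header scan would, plus the header set for a report-only stage and for the enforce stage. The header names and values are the real ones; the reporting group name "isolation" and the collector URL are assumptions for the example.

```python
"""Added example: checking and staging the cross-origin isolation headers
(COOP and COEP). Header names and values are the real ones; the reporting
group name and the collector URL below are assumptions for the example."""

REPORT_GROUP = "isolation"                              # assumption
REPORT_URL = "https://reports.example.com/isolation"   # assumption

ISOLATING_COEP = {"require-corp", "credentialless"}


def _directive(headers: dict, name: str):
    """Case-insensitive lookup returning the policy token without its
    parameters, e.g. 'same-origin; report-to="isolation"' -> 'same-origin'.
    'unsafe-none' is the browser default, so it is reported as absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            token = value.split(";", 1)[0].strip().lower()
            return None if token == "unsafe-none" else token
    return None


def isolation_status(headers: dict) -> str:
    """Classify a response's COOP/COEP posture:
      'isolated'     COOP: same-origin and COEP: require-corp|credentialless
      'partial'      one enforced header set, or COOP weaker than same-origin
      'report-only'  only the *-Report-Only variants are set (rollout stage)
      'none'         nothing set (or only unsafe-none)
    """
    coop = _directive(headers, "Cross-Origin-Opener-Policy")
    coep = _directive(headers, "Cross-Origin-Embedder-Policy")
    if coop == "same-origin" and coep in ISOLATING_COEP:
        return "isolated"
    if coop or coep:
        return "partial"
    if _directive(headers, "Cross-Origin-Opener-Policy-Report-Only") or \
       _directive(headers, "Cross-Origin-Embedder-Policy-Report-Only"):
        return "report-only"
    return "none"


def rollout_headers(stage: str) -> dict:
    """Headers to send at each stage of a staged rollout.

    'report-only': nothing is enforced; violations are delivered to the
                   report endpoint so you can find cross-origin resources
                   that lack CORP/CORS before anything breaks.
    'enforce':     the same policies, enforced; the report directive stays
                   so regressions keep showing up.
    """
    reporting = {"Reporting-Endpoints": f'{REPORT_GROUP}="{REPORT_URL}"'}
    if stage == "report-only":
        return {
            **reporting,
            "Cross-Origin-Opener-Policy-Report-Only": f'same-origin; report-to="{REPORT_GROUP}"',
            "Cross-Origin-Embedder-Policy-Report-Only": f'require-corp; report-to="{REPORT_GROUP}"',
        }
    if stage == "enforce":
        return {
            **reporting,
            "Cross-Origin-Opener-Policy": f'same-origin; report-to="{REPORT_GROUP}"',
            "Cross-Origin-Embedder-Policy": f'require-corp; report-to="{REPORT_GROUP}"',
            # Your own resources: stop other origins embedding them (the thing
            # Spectre would read). Use same-site if assets live on a sibling subdomain.
            "Cross-Origin-Resource-Policy": "same-origin",
        }
    raise ValueError(f"unknown stage {stage!r}")


if __name__ == "__main__":
    for stage in ("report-only", "enforce"):
        print(stage, "->", isolation_status(rollout_headers(stage)))
```

    The checker deliberately treats a lone COOP, or a COOP of same-origin-allow-popups, as "partial": the browser only grants cross-origin isolation when both headers are at their strict values, which is why the report-only stage matters so much. Turning on require-corp without first reading the reports is how you discover which third-party images and scripts lack a CORP header, by watching them fail to load.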

    We Hack Purple Podcast Episode 76 with Anshu Bansal

    May 31, 2023 (32:51)


    In episode 76 of the We Hack Purple Podcast, host Tanya Janca brings Anshu Bansal, the CEO of CloudDefense.ai, back onto the show for a second time to discuss "solving problems in application security". Tanya and Anshu have worked together for quite a while, as Tanya has been an advisor at Cloud Defense since it was a drawing on the back of a napkin!

    They chose this topic because Anshu recently spoke at the OWASP Bay Area meetup chapter, and he told Tanya his talk was about "solving the AppSec problems". Obviously, she had to hear more about this. They dove into Anshu's definition of false positives (the traditional meaning, plus legitimate vulnerabilities that aren't reachable or otherwise do not cause business risk), as well as how to prioritize issues in a way that makes more sense for the business. He simplified a lot of ideas that technical folks sometimes struggle with, such as how to get your message across to the business so that they agree to fix what matters most.

    More Anshu!
    • Anshu generously offered to connect with any of our listeners on LinkedIn: https://www.linkedin.com/in/anshubansal/
    • He's part of the Cloud Defense blog: https://www.clouddefense.ai/blog
    • They also have a newsletter: https://www.clouddefense.ai/contact

    Very special thanks to our sponsor, Semgrep!

    We Hack Purple Podcast Episode 75 with Enno

    May 16, 2023 (43:31)


    In episode 75 of the We Hack Purple Podcast, host Tanya Janca interviews Enno, a security researcher from Semgrep. They discussed all things static analysis, including: how we come up with SAST rules, what's important to search for, important considerations when writing rules, testing rules before a wider roll-out, and writing rules specifically for Semgrep. They briefly got into the official docs, and content creation for both internal and external use, plus its importance when trying to scale your security efforts.

    Want more Enno? They can be found here!
    • https://www.linkedin.com/in/enno-liu/
    • https://www.youtube.com/@enncoded
    • https://youtu.be/g_Yrp9_ZK2c
    • https://twitter.com/enncoded
    • The video by Enno that was discussed: https://twitter.com/enncoded/status/1648908623152844801

    Very special thanks to our sponsor: Day of Shecurity! This annual event advocates for inclusion and diversification of gender in cybersecurity, AND it's very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE! View the agenda here: https://guides.dayofshecurity.com/view/314270378/ If you're not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity

    We Hack Purple Podcast Episode 74 with Ray Espinoza

    May 8, 2023 (43:37)


    In episode 74 of the We Hack Purple Podcast, host Tanya Janca talks to guest Ray Espinoza from Inspectiv! They honed in on how to build a positive security culture, which has several important ingredients: security champions, empathy, explaining 'the why', sharing information in both technical and non-technical formats, and storytelling! They talked about training, about metrics, and about how to get your point across in an effective way without scaring people's pants off. If you want to hear about creating a successful security champions program, how to 'win' more often, and what pitfalls to avoid, this episode is especially helpful!

    The conversation ended with several calls to action for audience members about including more people in cyber. Young people, old people, new-to-cyber people, every race of people, every gender; we really mean EVERYONE. Ray also (very generously) offered to connect with listeners online so he can help them find mentors and meet people. This episode was great!

    A bit more about Ray: Ray Espinoza is Vice President and Chief Information Security Officer at Inspectiv, Inc. With over 15 years of both tactical and security leadership experience, Ray has a proven track record of successfully building effective security programs for top companies that include eBay, Cisco, Amazon and Cobalt.io. Prior to joining Inspectiv, Ray served as VP of Cloud Security at Medallia, where he was responsible for developing and executing Medallia's multi-cloud security strategy. Outside of work, Ray is the head strength and conditioning coach and an assistant football coach at Camas High School.

    Where to find Ray!
    • LinkedIn: https://www.linkedin.com/in/ray-espinoza-b399821/
    • Twitter: https://twitter.com/RayEspinozaSec

    Causes and groups Ray (and Tanya) support:
    • Raíces Cyber
    • Black Girls Hack
    • Black Girls in Cyber

    Very special thanks to our sponsor: Day of Shecurity!

    We Hack Purple Podcast Episode 73 with Amanda Crawley

    May 8, 2023 (51:23)


    In episode 73 of the We Hack Purple Podcast, host Tanya Janca talks to guest Amanda Crawley of 1Password! They talked about how developers need special tools to help them do their jobs securely, then chatted about several things that can help, especially password managers! Developers are huge targets for malicious actors, and Amanda shared TONS of ways devs can protect themselves and the companies they work for:
    • Keep everything up to date: phones, computers, routers, all software (Apple just released an update to fix actively exploited vulnerabilities!)
    • Use strong, unique passwords. Change passwords when:
      ◦ The respective service recommends a password change, or;
      ◦ The password has been shared with individuals who are no longer authorized to use it, or;
      ◦ The password has been reused for another service.
    • Use encryption
    • Follow your company's security policies
    • Don't disable your operating system's malware detection (Windows Defender, XProtect)
    • Vet your third-party libraries and dependencies, and then keep an eye on them to make informed decisions about updating
    • Follow the principle of least privilege: people can't be compromised for things they don't have access to
    • Consider non-SMS-based 2FA (Google Authenticator, 1Password, YubiKey), but any MFA is better than none:
      ◦ Something you know (PIN, password)
      ◦ Something you have (token, hardware key)
      ◦ Something you are (biometrics)
    • Don't store user data locally (if you need it, delete it immediately after you're done with it)

    Things you can do today!
    • Audit connected OAuth apps (on social media platforms, GitHub, etc.)
    • Delete old accounts
    • Check haveibeenpwned.com
    • Check your router for firmware updates (I did this yesterday)

    Developer hack examples:
    • https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
    • https://www.upguard.com/blog/what-caused-the-uber-data-breach
    • https://en.wikipedia.org/wiki/2017_Equifax_data_breach
    • https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
    • https://www.synopsys.com/blogs/software-security/heartbleed-bug/

    Links from Amanda:
    • https://1password.com/developers
    • https://1password.com/developer/student
    • https://education.github.com/pack
    • https://hashnode.com/hackathons/1password

    Very special thanks to our sponsor: Women's Society of Cyberjutsu!

    We Hack Purple Podcast Episode 71 with Ariel Shin

    Apr 18, 2023 (33:47)


    In episode 71 of the We Hack Purple Podcast, host Tanya Janca speaks to Ariel Shin from Twilio! Ariel does product security, and as you might imagine, Tanya had at least 100 questions for her. They discussed threat modelling, influence, persuasion and the other communication skills needed to be an effective AppSec person (or any security professional, for that matter). The conversation got really interesting as they dove into how to communicate with an executive, versus an engineer, versus a non-technical person, and how to advocate for security (effectively) in the process. She talked about breaking down an argument into multiple pieces to ensure you get the message across in the best possible way. If you have struggled with convincing the rest of IT to patch or fix bugs, she breaks down how to do this in a way Tanya plans to adopt from now on. Take a listen!

    Ariel's bio: Ariel Shin is a product security team lead at Twilio. Ariel started her career as a penetration tester, specializing in web and mobile security, before moving into the product security space. Ariel enjoys building relationships with developers through secure code reviews, threat modeling, security training, and vulnerability management. Currently, Ariel is working on rolling out and expanding self-service threat models for the Twilio org.

    Ariel's social media: linkedin.com/in/arielshin/

    Link to the great podcast episode Ariel spoke about: "Hacker Explains One Concept in 5 Levels of Difficulty" by WIRED, featuring Samy Kamkar.

    Very special thanks to our sponsor: Women's Society of Cyberjutsu! FYI, the call for papers for CYBERJUTSU CON 4.0 is still OPEN! Apply here: https://www.papercall.io/cyberjutsucon2023 And nominations for the Annual Cyberjutsu Awards are here: https://womenscyberjutsu.org/page/AWARDS2023

    We Hack Purple Podcast Episode 70 with Meghan Jacquot

    Apr 4, 2023 (38:13)


    In episode 70 of the We Hack Purple Podcast, host Tanya Janca speaks with Meghan Jacquot, whom she met at OWASP Global AppSec in Dublin, Ireland. Tanya talked her into being on the podcast, and all of us get to hear about threat modelling (horizontally and vertically!), how women choose which conferences to attend, how to reduce physical risks when travelling, how to do security research and do 'good' at the same time ("Cyber for good"), and her countless volunteer efforts to make our industry more welcoming. Meghan will be giving a talk at RSAC titled "You Are Not an Island - Threat Model as a Team". With all of that, they somehow still had time to talk about interest span versus attention span. This is an episode you don't want to miss!

    Meghan's bio: Meghan Jacquot is a Security Engineer with Inspectiv and focuses on vulnerabilities and attack surface management. She is particularly interested in cloud security, threat intelligence, investigating vulnerabilities, and the ethical use of data. Meghan shares her research via conferences and publications. Throughout the year, she helps a variety of organizations and folks, including DEF CON as a SOC Goon, the Diana Initiative, OWASP, SANS, and WiCyS. To relax she spends time visiting national parks, gardening, and hanging out with her chinchilla. She's happy to connect with others on LinkedIn and Mastodon.

    Meghan's links:
    • Meghan on LinkedIn
    • WiCyS has just opened their mentor and mentee program for the year; applications close on March 22.
    • Meghan's talk at RSAC: You Are Not an Island - Threat Model as a Team
    • WiCyS 2-hour workshop on threat modelling a conference (attending as a woman), with Jessica Robinson and Sumara (link to slides coming soon)

    Very special thanks to our sponsor: Women's Society of Cyberjutsu!

    We Hack Purple Podcast Episode 68 with guest Gagandeep Singh

    Play Episode Listen Later Mar 28, 2023 24:51 Transcription Available


    In episode 68 of the We Hack Purple Podcast host Tanya Janca dives into Domain Driven Design (and development) with Gagandeep Singh. Gagandeep is an avid blogger, and Tanya read his article on DDD and just had to interview him. We discussed whether Domain Driven Design and Domain Driven Development are the same thing (they aren't!), the security advantages of DDD, and how Trusted Types and the Content Security Policy header come into play. We discussed the concept of having the security of a feature be part of the design and the feature itself, and the huge security advantages we can expect to see. To hear more, you need to see the episode!

    Gagandeep's Bio: Gagandeep Juneja is an experienced Information Security professional working in the Information Technology and Services Industry. He works in the Application Security domain: security assessment, threat modeling, architecture review, DevSecOps and guidelines for security technologies to develop effective secure solutions. In his opinion, focusing on securing code will result in fewer vulnerabilities in the solution. Domain Driven Design sets the bar higher for software development, providing an efficient way of designing and developing a more secure IT solution.

    His blog: https://securityintelligence.com/posts/secure-coding-domain-driven-design/

    Very special thanks to our sponsor: The Diana Initiative! A conference committed to helping all those underrepresented in Information Security - Monday August 7, 2023 In-Person at The Westin Las Vegas Hotel & Spa

    Join We Hack Purple! We have new courses in the We Hack Purple Academy! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 67 with Jeremy Ventura

    Play Episode Listen Later Mar 13, 2023 43:54


    In this episode of the We Hack Purple podcast host Tanya Janca met with Jeremy Ventura of ThreatX, to discuss how we can help more people from underrepresented groups into tech and specifically into the field of Cybersecurity / InfoSec. How do we get them a seat at the table? How can we share knowledge and educate people en masse? Can we advocate for others? (Spoiler alert: Jeremy and I gave several examples of both sides of that equation.) We talked about "Saying yes more often!" when we are asked to do something a bit outside our comfort zone, if it might bring us new opportunities. We talked about imposter syndrome, different learning styles, and that you can come from any career, education or background, and there's a place for YOU in our field!

    Jeremy also shared some links and events too!
    - ThreatX Cyber 101 Event! March 23, 2023
    - The ThreatX blog
    - Jeremy's LinkedIn
    - #CyberMentoringMonday
    - Exploring Cyber Security - web cast, date unknown - early March
    - Article about #CyberMentoringMonday, read here: Article about mentoring and advocacy

    Jeremy's Bio: Jeremy Ventura is a cybersecurity professional, specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security center operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader who can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master's Degree in Cybersecurity and Homeland Security.

    Very special thanks to our sponsor: The Diana Initiative! The Diana Initiative is a diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is "Lead the Change." The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas - see https://www.dianainitiative.org/sponsor/ for more information. The Diana Initiative Call For Presentations opens on March 1; if you have a topic you want to share, submit at https://tdi.mobi/CFP

    Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    Secret Invasion Stream

    Play Episode Listen Later Mar 2, 2023 53:00


    We Hack Purple Podcast Episode 69 with Scott Helme

    Play Episode Listen Later Mar 2, 2023 31:18


    In episode 69 of the We Hack Purple Podcast host Tanya Janca speaks to the only person on earth who is more excited about security headers than she is: Scott Helme of Report URI! Scott talked about all the different security headers, how some are 'new', and when and why we would use them. We spoke about why some security headers stopped being used, rogue certificate authorities, and so much more. In fact, at the end, we felt that we didn't get to finish all the things we wanted to say. There was so much more to dive into, meaning this is part 1 of a 2 part episode!

    Scott's Bio: Hi, I'm Scott Helme, a Security Researcher, Entrepreneur and International Speaker. I'm the creator of Report URI and Security Headers, and I deliver world renowned training on Hacking and Encryption.

    Scott's Links:
    - https://scotthelme.co.uk
    - https://report-uri.com/
    - https://scotthelme.co.uk/tag/crawler-report/
    - https://crawler.ninja/
    - https://crawler.ninja/files/csp-sites.txt

    Very special thanks to our sponsor: The Diana Initiative! A conference committed to helping all those underrepresented in Information Security: Monday August 7, 2023 In-Person at The Westin Las Vegas Hotel & Spa

    Join We Hack Purple! Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 66 with guest Wolfgang Goerlich

    Play Episode Listen Later Feb 21, 2023 34:19


    In episode 66 of the We Hack Purple Podcast host Tanya Janca sits down with one of her colleagues from IANS Research, Wolfgang Goerlich! We talked about his work and AMAZING team at Cisco (Hi Wendy and Dave!), how they were originally part of Duo Security, and that they missed their chance for a fun rebrand of Duo + Cisco = Disco! Besides all the silly jokes, we talked about what security looks like beyond just vulnerabilities and trying to keep the bad guys out. We zeroed in on legitimate users that misuse systems, and dug into how threat modelling and diversity could be used to prevent situations such as the infamous Apple AirTags misuse. We talked about including privacy as part of threat modelling, Cara Bloom's Mitre Privacy Framework (https://www.usenix.org/system/files/pepr22_slides_bloom.pdf), 'least data collection', as well as using nudge economics to promote positive security and privacy culture change. This conversation was AWESOME. Plus, Wolfgang has a podcast (https://www.securingsexuality.com/), a conference (Detroit, 2023), and a book coming out! If you 'colour outside the lines', you definitely want to check out everything Wolf does! Subscribe to his newsletter, we know we did!

    Wolf's Bio: J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading security advisory and assessment practices. He is an active part of the security community. Wolfgang regularly advises on the topics of security architecture and design, identity and access management, zero trust, and resilience.

    Social media:
    - https://mastodon.social/@jwgoerlich@infosec.exchange
    - https://twitter.com/jwgoerlich
    - https://www.linkedin.com/in/jwgoerlich/

    Websites:
    - Personal - https://jwgoerlich.com/
    - Conference and podcast - https://www.securingsexuality.com/

    Very special thanks to our sponsor: The Diana Initiative! (https://www.dianainitiative.org/) A conference committed to helping all those underrepresented in Information Security. Monday August 7, 2023 In-Person at The Westin Las Vegas Hotel & Spa

    Join We Hack Purple! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 64 with guest Anant Shrivastava

    Play Episode Listen Later Feb 9, 2023 54:15 Transcription Available


    In this episode of the We Hack Purple podcast host Tanya Janca met with Anant Shrivastava! We talked about securing the entire software supply chain (including your CI/CD and where you get your packages from), and how it is more than just buying a software composition analysis (SCA) tool. He explained the new and very different risks of securing a mobile app versus a regular web app or an API, that he's more of an ops than a dev person, and how the risks are all coming together now that many of us are doing DevOps. He shared his numerous open source projects, such as: Code Vigilant: https://codevigilant.com/, Tamer Platform: https://tamerplatform.com/ and Hacking Archives of India: https://hackingarchivesofindia.com/

    Anant's Bio: Anant Shrivastava is an experienced information security professional with over 15 years of corporate experience. He has expertise in Network, Mobile, Application and Linux Security. He is the founder of Cyfinoid Research, a cyber security research firm, and has previously served as Technical Director at NotSoSecure Global Services, a boutique cyber security consultancy. He is a frequent speaker and trainer at international conferences such as BlackHat, Nullcon, and c0c0n. Additionally, Anant leads the open source projects Tamer Platform and CodeVigilant and maintains the Hacking Archives of India. He also participates in open communities targeted towards spreading information security knowledge such as null (null.community). His work can be found at anantshri.info and his blog is here: https://blog.anantshri.info/

    Very special thanks to our sponsor: The Diana Initiative! The Diana Initiative is a diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is "Lead the Change." The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas - see https://www.dianainitiative.org/sponsor/ for more information. The Diana Initiative Call For Presentations opens on March 1; if you have a topic you want to share, you can submit to be a speaker at https://tdi.mobi/CFP, or if your company would like to support the event by sponsoring, check out https://www.dianainitiative.org/sponsor/

    Join We Hack Purple! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    We Hack Purple Podcast Episode 65 with Frank Cipollone

    Play Episode Listen Later Jan 28, 2023 30:36 Transcription Available


    In this episode of the We Hack Purple podcast host Tanya Janca met with Frank from Phoenix Security in the UK! We talked about his latest white paper 'SLAs are Dead, Long Live SLAs!', how AppSec folks aren't necessarily 'great' at maintaining their own SLAs, and how to empower a team to do their own governance and be responsible for their own risk. We talked about how to figure out the security maturity model you are looking for, and what kind of language we can use to help a client decide it for themselves. We also talked about how to get several industry experts to work on the same document together: spoiler alert, it's hard! Listen to hear more!

    The White Paper: SLAs are Dead, Long Live SLAs! Data Driven Vulnerability Management

    Frank's Podcast: Cyber Security and Cloud Podcast

    Several MORE White Papers from Phoenix Security:
    - Priority: https://phoenix.security/whitepapers-resources/vulnerability-management-in-application-cloud-security/
    - Vulnerability management and regulation: https://phoenix.security/whitepapers-resources/whitepaper-vulnerability-management-in-application-cloud-security/

    Upcoming Webinars with Frank!
    - 16/02 - 4m GMT - Brooks Shoenfield - SLA, application security and data driven programs: https://youtube.com/live/dfANH8WKavY?feature=share
    - 22/2 - 5 PM GMT - Chris Romeo - Data Driven Application security programs, how to measure maturity and scale: https://youtube.com/live/wqlC-cClqYE?feature=share

    Frank's Bio: Francesco is a seasoned entrepreneur, CEO of the Application Security risk-based posture management company Appsec Phoenix, author of several books, host of the multi-award Cyber Security & Cloud Podcast, speaker, and known in the cybersecurity industry and recognized for his visionary views. He currently serves as Chapter Chair UK&I of the Cloud Security Alliance. Previously, Francesco headed the application and cloud security at HSBC and was Senior Security Consultant at AWS. Francesco has been keynoting at global conferences and has authored and co-authored a number of books. Outside of work, you can find me running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of my favourite London clubs.

    Very special thanks to our sponsor: Phoenix Security! Phoenix Security ingests data from any security tool, cloud, or code, correlates vulnerabilities, contextualizes, prioritizes and translates them into risk. The Phoenix Algorithm selects the subset of vulnerabilities more likely to get exploited in the next 30 days, delivering them to the engineers' backlog. From code to cloud, "contextualize, prioritize" enables security engineers to act on the risk that matters most without burning out.

    Join We Hack Purple! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find We Hack Purple Podcast, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

    DefectDojo, Taking your DevSecOps to 11, with Matt Tesauro and We Hack Purple

    Play Episode Listen Later Jan 13, 2023 37:02


    A We Hack Purple Live Stream with Matt Tesauro of Defect Dojo Inc (https://www.defectdojo.com/). Join the We Hack Purple Community to be invited to awesome events like this one! https://community.wehackpurple.com

    Description: You're tasked with 'doing DevSecOps' for your company and you've got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo is an open source platform that can be your single pane of glass by aggregating, distilling, and automating your AppSec and DevSecOps tools. DefectDojo was created by DevSecOps people for DevSecOps people. In this talk, you'll learn about DefectDojo and how to make the most of the many features it offers, including its REST-based API. DefectDojo can be your single pane of glass for discovered security vulnerabilities, report generation, aggregation of 150+ different security tools, inventory of applications, and tracking testing efforts / metrics on your AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

    About Matt: Matt Tesauro is a DevSecOps and application security (AppSec) guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement in open-source projects, presentations, trainings and new technology innovation. Matt thrives on tackling technical problems, but his economics background gives him a unique understanding of business constraints and incentives around security initiatives.

    As a versatile engineer, Matt's background spans software development (primarily web development), Linux system administration, penetration testing and application / cloud security. Additionally, he offers more than 13 years of experience with the internationally recognized AppSec and open-source nonprofit OWASP Foundation. At OWASP, Matt has served on the global board of directors and conducted several highly successful open-source projects, including a web testing environment with 300,000+ downloads in a single year and the OWASP DefectDojo vulnerability management platform with 10 million+ downloads. As a recognized thought leader, Matt has presented at conferences multiple times per year since 2009 and has facilitated training around the world. Some of his noteworthy speaking engagements include a DHS Software Assurance Workshop; OpenStack Summit; SANS AppSec Summit; and AppSec US, EU and LATAM. He has also taught computer security courses at Texas A&M and the University of Texas at the undergraduate and graduate level. Matt leads by example and rolls up his sleeves to help teams reach their goals. He is a supportive and collaborative leader who mentors and motivates others to realize their potential. Colleagues note that Matt is fiendishly clever when solving problems and refreshingly honest in his work. In 2021, Matt was recruited for the role of Distinguished Engineer at Noname Security. His priority is to evangelize Noname's ground-breaking API security platform and API security in general. He works closely with the product team to ensure that Noname's platform addresses the application and product security issues that impact customers. Before joining Noname, Matt rolled out AppSec automation at USAA and founded 10Security. His early career includes tenures as Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer at Duo Security, Senior Software Security Engineer at Pearson and Senior Product Security Engineer at Rackspace.

    Matt received a master's degree in management information systems and a bachelor's degree in economics from Texas A&M Univers

    Episode 63 with Guest Mick Douglas

    Play Episode Listen Later Jan 12, 2023 56:52


    In this episode of the We Hack Purple podcast host Tanya Janca met with her colleague from IANS Faculty: Mick Douglas, founder of InfoSec Innovations! We talked about EVERYTHING AppSec and definitely could have easily talked at least 2 more hours! He explained what honey pots / honey files / honey links are, and how to use them; creating a "tamper evident" network and system; as well as how marketing people have really messed up the term "shift left" for the rest of us. Not only that, but the episode had TONS of laughs!

    Mick's Bio: Mick Douglas has over 10 years of experience in information security and is currently the Managing Partner for InfoSec Innovations. He specializes in PowerShell, Unix, Data Visualization, Hardware, and Radio Hacking and teaches SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling and SEC555: SIEM with Tactical

    Very special thanks to our sponsor: Luta Security! Luta Security is the global leader in transforming how governments and organizations work with friendly hackers to bolster their security. Luta Security can manage end-to-end vulnerability disclosure and bug bounty programs or train your existing staff to maximize your security investment. Visit LutaSecurity.com/services to get started today!

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more! #appsec #wehackpurple #shehackspurple

    We Hack Purple Podcast Episode 62 with Guest Olivia Rose

    Play Episode Listen Later Dec 23, 2022 25:06


    In this episode of the We Hack Purple Podcast we meet Olivia Rose, founder of Rose CISO Group, www.RoseCISOGroup.com. We talked about the fact that "consulting rules!", mentoring opportunities, and how CISOs and AppSec people have to fight to do their jobs all day, every day. Olivia dove into how to translate what you do, as a cyber security expert, to the executive board and other folks who are brilliant, but not-so-technical. She also gave us the secrets for how to make leadership care about the security work you do, the goals you have, and so much more!

    She told us all about her mentoring program, and that the deadline to apply is December 30, 2022 (for mentors)! Mentees have until January 21, 2023. So get crackin' on those applications. You can apply here to be a mentor or a mentee. Or both!

    Olivia also gave us the heads up on her newest adventure, the Rose CISO Group! Her new company offers virtual Chief Information Security Officer (CISO) services, boardroom and leadership communications, assessment services, keynote speaking, event presentations, and career and executive coaching... All led by experienced enterprise CISOs!

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more! #appsec #wehackpurple #shehackspurple

    We Hack Purple Streams! Securing Open Source Dependencies: It's Not Just Your Code That You Need to Secure, With Rana Khalil

    Play Episode Listen Later Dec 23, 2022 53:53 Transcription Available


    The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we've seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed the "worst security flaw of the decade". This has led to studies which determined that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code they develop is secure, usually little to no consideration is put into evaluating the security of the open-source components they use. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We'll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines.

    Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds Bachelor's and Master's degrees in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community.

    Speaker Links:
    - YouTube Channel: https://www.youtube.com/c/RanaKhalil101
    - Academy: https://ranakhalil.com/
    - Twitter: https://twitter.com/rana__khalil
    - LinkedIn: https://www.linkedin.com/in/ranakhalil1/
    - Medium Blog: https://ranakhalil101.medium.com/

    We Hack Purple Podcast Episode 61 with Guest Gemma Moore

    Play Episode Listen Later Dec 12, 2022 26:30 Transcription Available


    In this episode of the We Hack Purple Podcast we meet Gemma Moore, co-founder and director of Cyberis. Gemma is an expert in penetration testing and red teaming. She started her career in cyber security nearly twenty years ago, working her way up from a junior penetration tester to running the penetration testing practice in a specialist consultancy by 2011. She is a founding director of the information security consultancy, Cyberis. Over her career, she has held CREST certifications in Infrastructure, Applications and Simulated Attack, and now focuses most of her efforts on planning, running and executing red team and purple team exercises. In recognition of her outstanding level of commitment to the technical information security industry and the highest level of excellence in CREST examinations, Gemma was selected to receive a lifetime CREST Fellowship award in 2017. Gemma was a contributing author to the BCS' "Penetration Testing: A guide for business and IT managers". Gemma was named "Best Ethical Hacker" in the 2018 Security Serious Unsung Heroes industry awards, and has been honoured by SC Magazine as one of its 50 Most Influential Women in Cybersecurity, and by IT Security Guru magazine as one of its Most Inspiring Women in Cyber.

    We talked about everything to do with red teaming and penetration testing, especially what the difference is between the two, the risks involved, setting scope, and several funny and scary stories! We also talked about what people are trying to achieve with a red teaming exercise, and how things can go terribly wrong when we blame everything on the user. This was through and through a fantastic conversation. You can learn more by reading Gemma's blog!

    Thank you so much to our sponsor, Bright! Check out their amazing #DAST! https://brightsec.com/

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #AppSec #CyberSecurity

    We Hack Purple Podcast Episode 58 with Guest Anshuman Bhartiya

    Play Episode Listen Later Nov 21, 2022 30:29


    In this episode of the We Hack Purple Podcast we meet Anshuman Bhartiya, a Principal Security Engineer who also happens to be an avid AppSec blogger (https://www.anshumanbhartiya.com/) and conference speaker. We talked about how the SAST industry seems to be divided into two camps, as well as "the old guard" who used to say no to everything, versus newer ways of working towards better AppSec, such as using empathy and enablement, rather than a stick. Anshuman is a huge fan of automation (I mean, who isn't?) and he covered many ways we could use it for better security, including vulnerability management. We covered how vulnerability management tends to have 3 phases (finding bugs, fixing bugs, then retesting to ensure they are fixed) and how step two appears to be the most difficult. We ended on inventory, cool new tools that are out, and how there's still more work we can do in this area to make it even better. All in all, this is a great episode!

    Here are some links you will need to keep track of Anshuman and the great content he releases:
    - https://www.anshumanbhartiya.com/
    - https://www.linkedin.com/in/anshumanbhartiya/
    - https://twitter.com/anshuman_bh

    Thank you so much to our sponsor, Bright! Check out their amazing DAST! https://brightsec.com/

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 59 with Guest Vitaly Unic

    Play Episode Listen Later Nov 10, 2022 33:36


    In this episode of the We Hack Purple Podcast we meet Vitaly Unic, the head of AppSec Research at Bright Security and Tanya's co-worker. We talked about creating an application security program with realistic goals, what works and what does not work. We dove into how to roll out a tool and get the most value, and then took a deep dive into how DASTs are built. How does a DAST find vulnerabilities, how does it discover the attack surface, and what, exactly, is an endpoint? Listen to learn more!

    Vitaly's link to share is... Bright! Please give it a try! (https://brightsec.com/sign-up-for-bright)

    Thank you so much to our sponsor, Bright! Check out their amazing #DAST! https://brightsec.com/

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #AppSec #CyberSecurity

    We Hack Purple Podcast Episode 58 with Guest Anshuman Bhartiya

    Play Episode Listen Later Oct 14, 2022 7:25



    We Hack Purple Episode 57 with Guest Sherif Koussa

    Play Episode Listen Later Aug 29, 2022 35:06


    In this episode of the We Hack Purple Podcast we meet one of host Tanya Janca's professional mentors: Sherif Koussa of Software Secured and Reshift Security. In this episode we talked about how we could prevent the next Log4J. We covered government regulations, industry compliance, tooling, SBOMs, inventory, incident response, and more! Check it OUT!

    Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! https://brightsec.com/

    Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 56 with Guest Yael Nagler

    Play Episode Listen Later Jul 21, 2022 25:42


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca's friends: Yael Nagler, founder of Yass Partners! Yael has built a career advising extremely large businesses about processes and risk. In this episode she covered:
    - How to use Situational Awareness
    - Ten Steps to win at corporate!
    - How to talk so CISOs will listen. How to listen so CISOs will talk.
    - What are CISOs being asked.
    - Why helping others is the best feeling in the entire world.
    Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! https://brightsec.com/ Join us in the We Hack Purple Community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #AppSec #CyberSecurity #DAST

    We Hack Purple Podcast Episode 55 with Guest James Tabron

    Play Episode Listen Later Jun 23, 2022 35:43


    In this episode of the We Hack Purple Podcast we meet James Tabron, the Director of Engineering at Twilio! James switched from security to engineering recently, and wanted to share how startups and large companies can both start their SOC 2 compliance programs. He shed a lot of light on where to start, common challenges, how much value can be gained from SOC 2, and even how to automate the process. He also confirmed our ongoing assumption that good soft skills, and specifically empathy, are the most important things to look for when hiring someone to run an effective compliance program. Tune in to learn more! Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! Join us in the We Hack Purple Community! A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #DevOps #CyberSecurity #DAST #BrightSec #DevSecOps #AppSec

    We Hack Purple Podcast Episode 54 with Caroline Wong

    Play Episode Listen Later May 31, 2022 22:56


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca's friends: Caroline Wong of Cobalt Security! Caroline has worked in security, and specialized in AppSec, for a very long time. She explained what Pentesting-as-a-Service actually is, how to hire a good pentester, and when this service might be your best choice. Tanya quizzed her quite a bit, but Caroline really is the expert; she even wrote a book on the topic! This episode also covers: defending against ransomware, why Pentesting-as-a-Service is not the same as a bug bounty, and how the OWASP Top Ten really hasn't changed that much over the years. Tune in to learn more! Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #DevOps #CyberSecurity #DAST #BrightSec #DevSecOps #AppSec

    We Hack Purple Podcast Episode 53 with Guest Nicole Dove

    Play Episode Listen Later May 13, 2022 20:43


    In this episode of the We Hack Purple Podcast we meet another of host Tanya Janca's friends: Nicole Dove of Riot Games! Nicole is a BISO (Business Information Security Officer) and told us everything we need to know about this role, including: how to get this job, how to be great at it, and the huge value that it provides to companies. We also talked about software supply chain security, SBOMs, the LinkedIn Learning course she just made, and how she's going to be speaking at RSA Conference. PS: Nicole has her OWN podcast, “Urban Girl, Corporate World”. Check it out! Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! https://brightsec.com/ Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #DevOps #CyberSecurity #DAST #BrightSec #DevSecOps #AppSec

    We Hack Purple Podcast Episode 53 with Sherif Mansour

    Play Episode Listen Later May 9, 2022 27:28


    In this episode of the We Hack Purple Podcast we meet Sherif Mansour, ex-chair of the OWASP Board of Directors. Having recently finished his 4-year term of volunteering for the largest application security community on the planet, he had a tiny bit of spare time for our host, Tanya Janca. Sherif talked about some of his favourite accomplishments within OWASP, his career and a special project with the OpenSSF: The Alpha-Omega Project to Improve Software Supply Chain Security for 10,000 OSS Projects! Watch or listen to hear more! Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod #TanyaJanca #SheHacksPurple #DevOps #CyberSecurity #DAST #BrightSec #DevSecOps #AppSec
    Photo by Akson on Unsplash

    We Hack Purple Podcast Episode 51 with Ashley Burke

    Play Episode Listen Later Mar 16, 2022 26:55


    Welcome back to season 2 of the We Hack Purple Podcast! In this episode We Hack Purple Community member Ashley Burke takes us on a non-technical journey into #InfoSec. Learn about navigating the job market, figuring out your special skills, how to handle imposter syndrome and much more. Thank you so much to our sponsor, Bright Security! Check out their amazing #DAST! https://brightsec.com/ Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 50 with Adam Shostack

    Play Episode Listen Later Jan 18, 2022 35:54


    Welcome back to season 2 of the We Hack Purple Podcast! In this episode host Tanya Janca learns about Threat Modelling with guest Adam Shostack. He covers his new white paper (Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling) about how to do threat modeling that is cheap, fast AND good! Adam's White Papers: https://shostack.org/resources/whitepapers Adam's "New Thing" newsletter: https://shostack.org/contact Join the We Hack Purple Cyber Security Community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Find us on Apple Podcast, Overcast + Pod

    AppSec Tools - Contrast Security Serverless Scanner

    Play Episode Listen Later Dec 13, 2021 23:12


    Jeff Williams from Contrast Security takes our questions about their new Serverless Scanning Tool and gives a demo to show just how easy it is. Video demo can be found here: https://youtu.be/R4NkfbNw5Ys Learn more here: https://www.contrastsecurity.com/contrast-serverless-application-security Join our online community here: community.wehackpurple.com Our online courses in #AppSec and Secure Coding: academy.wehackpurple.com

    How to Build Security Champions

    Play Episode Listen Later Nov 4, 2021 38:36


    All too often, the AppSec team or security team is a person of one. How can you add more people to the team without a massive increase to the budget? Persuasion! This talk was given at SecTor (Toronto) Nov 2021. Scaling your Team is part of our Application Security Program at Academy.WeHackPurple.Com

    We Hack Purple Podcast Episode 49 with guest Adrian Sanabria

    Play Episode Listen Later Aug 9, 2021 54:20 Transcription Available


    Host Tanya Janca learns what it's like to do Cybersecurity Product testing and reviews at Security Weekly Labs with guest Adrian Sanabria! Thank you to our sponsor Checkmarx! https://www.checkmarx.com/ Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses! Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter here: https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 48 with Pierre DeBois

    Play Episode Listen Later Jul 30, 2021 66:48


    Host Tanya Janca learns what it's like to found and run a small business (Zimana Analytics) focused on data analytics, with guest Pierre DeBois! Thank you to our sponsor Checkmarx! https://www.checkmarx.com/ Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses! Join our Cyber Security community: https://community.wehackpurple.com/ A safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter here: https://newsletter.wehackpurple.com/ Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 47 with Deviant Ollam

    Play Episode Listen Later Jul 23, 2021 58:09 Transcription Available


    Host Tanya Janca learns what it's like to be a physical penetration tester, with guest Deviant Ollam. Famous for hacking banks, elevators and basically any physical security device, he will share how he got to where he is today! Check out his Twitter while you're at it! Thank you to our sponsor 10Security! NEW Secure Coding Course here! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 46 with Sunny Wear

    Play Episode Listen Later Jul 16, 2021 54:53 Transcription Available


    Host Tanya Janca learns from Sunny Wear about penetration testing with a live demonstration! Sunny shows off her custom app, Burp Tool Buddy, which shows you how to use and configure Burp Suite Pro. And it's a STEAL at $4.99!! https://twitter.com/SunnyWear Thank you to our sponsor 10Security! NEW Secure Coding Course here! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 45 with Ron Brash

    Play Episode Listen Later Jul 11, 2021 61:35 Transcription Available


    Host Tanya Janca meets Ron Brash. He is a well-known technical expert in the ICS community, with a long-standing history in oil and gas from a young age, and a record of engaging in difficult-to-solve industry solution development questions. Today, he has a Master's degree in Computer Science, a Bachelor's in Technology, and over a decade of experience with industrial networks and technologies, embedded systems, systems design, and risk advisory, in several different domains ranging from aviation and energy to gas & more. Currently, he is a director at Verve Industrial Protection, where his role as Director of Cybersecurity Insights includes product ownership, risk analysis, vulnerability research, reverse engineering, and facilitating relationships between the IT & OT divisions of organizations. Check out his Twitter! Thank you to our sponsor 10Security! NEW Secure Coding Course here! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 44 with Maril Vernon

    Play Episode Listen Later Jul 2, 2021 54:43 Transcription Available


    Host Tanya Janca learns what it's like to be an offensive Engineer at @zoom, as well as a PluralSight author & mentor. Maril Vernon is always helping peeps break into cybersecurity. https://twitter.com/shewhohacks Thank you to our sponsor 10Security! NEW Secure Coding Course here! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 43 with Leif Dreizler

    Play Episode Listen Later Jun 25, 2021 59:19 Transcription Available


    Host Tanya Janca meets Leif Dreizler, who manages the Product Security team at Segment. The ProdSec Team is focused on partnering with software engineering teams to design and implement security features for the Segment product. Leif got his start in the security industry at Redspin doing security consulting work and was later an early employee at Bugcrowd. He helps organize the Bay Area OWASP Chapter, the AppSec California Conference and LocoMocoSec. Thank you to our sponsor 10Security! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 42 with guest Jessica Dodson

    Play Episode Listen Later Jun 18, 2021 50:38 Transcription Available


    Host Tanya Janca talks with guest Jessica Dodson to learn what it's like to be a Customer Engineer (CE) in Security & Identity Modernization @ Microsoft. You can learn more about Jess here: https://girl-germs.com/ or follow her on Twitter. https://linktr.ee/girlgerms https://www.linkedin.com/in/jrdodson/ https://twitter.com/girlgerms Thank you to our sponsor #10Security! https://www.10security.com/ Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 41 with Alyssa Miller

    Play Episode Listen Later Jun 11, 2021 61:00 Transcription Available


    Host Tanya Janca learns what it's like to be a BISO (Business Information Security Officer)! Alyssa Miller has had a very exciting career, and has a LOT to share with us on how to climb the career ladder in Cyber! https://twitter.com/AlyssaM_InfoSec Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 40 with Guest Magda Chelly

    Play Episode Listen Later Jun 4, 2021 52:49 Transcription Available


    Host Tanya Janca learns what it's like to be a PhD, S-CISO, CISSP, AND the Head of Cyber Risk Consulting at Marsh Singapore! She's also a leader for WoSEC Singapore, has run many security events such as CTFs for girls and women, and so, so much more. Join us to listen in! https://twitter.com/m49D4ch3lly Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 39 with Guest Haiyan Song

    Play Episode Listen Later May 28, 2021 46:01 Transcription Available


    Host Tanya Janca learns what it's like to be the Executive Vice President at F5, with Haiyan Song! She has had a very long career in security and Tanya is looking forward to delving into Haiyan's career path, and the tips she has to share! https://twitter.com/SplunkHaiyan Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 38 API Security Best Practices

    Play Episode Listen Later May 21, 2021 37:04 Transcription Available


    With our guest being unable to make it, host Tanya Janca gave a lesson on API security best practices. She also shared a Twitter link with a list of API security testing tools, as well as a downloadable PDF about the best practices discussed. Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 37 with Guest Ritu Gill

    Play Episode Listen Later May 14, 2021 55:09 Transcription Available


    Host Tanya Janca learns what it's like to be an Open Source Intelligence Analyst, with Ritu Gill, AKA OSINT Techniques! https://twitter.com/OSINTtechniques Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple Academy's NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/ Join our Cyber Security community: https://community.wehackpurple.com/ A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter! Sponsorship info: info@wehackpurple.com. Find us on Apple Podcast, Overcast + Pod

    We Hack Purple Podcast Episode 36 with Guest Abhi Arora

    Play Episode Listen Later May 4, 2021 49:00


    Host Tanya Janca learns what it's like to be a Chief Product Officer (CPO) of a DevSecOps Product startup, with Abhi Arora! His startup is called Cloud Defense. Thank you to our sponsor ThreadFix! Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security. Don't forget to check out We Hack Purple's Academy and Community! A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter while you're at it! Sponsorship info: info@wehackpurple.com Find us on Apple Podcast, Overcast + Pod
