Brooke: You are known as SheHacksPurple. How did you become interested in hacking?

Tanya: I started coding as a teenager. Both of my aunts and three of my uncles are computer scientists, so learning to code did not seem out of place. I thought, “Every woman codes. Isn’t that the way?”

At college, I studied computer science and then was a software developer until around 2015, when I switched full time to security. I became more obsessed with security and software during my last two years in software development. I wanted to fix the bug and work with the penetration tester. I hustled my security team where I worked and after a year, one of them said, “We are posting a job for a security person and the job is for you. It was never for anyone else.” I joined that team.

I started speaking at conferences because you get in free, and when working for the federal government, they did not have a ton of money to fly me to another country for some cool training as part of a conference. I started getting plane tickets sent from all around the world and I flew everywhere.

Microsoft reached out and said, “We want to hire a developer advocate who understands security,” and I said, “Is this a prank call? Come on, that’s not a real job. You don’t get paid to do my hobby.” And they are like, “Yes, you do.”

Brooke: How valuable are information security certifications or any other certifications?

Tanya: Certifications have value depending on where you are in your career and the types of jobs you are looking for. There are not many application security certifications. There is one from my company, We Hack Purple. It is not widely recognized.

If you want a specific type of job, studying for a certification will teach you a lot. If you are new in your career, it shows evidence that you know something. One of the problems when you get a job in information security is that there is no clear career path and the people hiring you do not have the technical expertise to know what to ask you.

I have no certifications except for the ones from We Hack Purple. I have a college diploma and I took courses from the University of Maryland. The work I got was based on experience and mentors vouching for me. When people ask “Should I get one?” I say that if you have an active GitHub where you find bugs and fix all of them, that is evidence of skill. Sometimes, a certification helps with that, but they are not all created equal, and it costs a lot of money.

Brooke: What can companies do to protect themselves from ransomware attacks?

Tanya: Every IT department, even if you are not afraid of ransomware, should do backups and practice rollbacks. I worked somewhere once, and we had a glitch where 2,000 people lost all their work for the day. We still had copies of everything from the day before on our local machines, but a backup had not been done the night before. The backup team said it would take a month to replace that one day of work. And they said, “We don’t even know if it will work and it will copy over everything you have done in the meantime, so let’s not bother.”

I said to my boss, “We are going to save so much money because clearly we do not need them. They never practice the backup. Think of how many more developers we can hire.” Doing backups is good, but even better is practicing rollbacks so you can roll back in a reasonable amount of time and roll back more than just files. We need to roll back everything.

At We Hack Purple, we back up my machine in a special backup that no one else is in because I’m the CEO and I create most of the content. We also have a backup in the cloud and another physical backup in a different location that we do every week. If ransomware happens, I have everything backed up. There are companies that get hit with ransomware and just think, “Go away” and then they just roll everything back in an hour.

It is important to ensure that your backups are not attached to your network. Everyone has their fancy backup drive still connected to their computer and the ransomware is like “Excellent. I shall now encrypt your backup.”

About 60 percent of small businesses go out of business in the month after a cyberattack.¹ Because we are such a small company, if we lose one of our people, that is a huge enough risk. But imagine we lose all their work. That is even worse.

Brooke: How can tech leaders limit the frequency and severity of a ransomware attack?

Tanya: Get training for your company on what ransomware looks like and how to defend yourselves. For instance, do not save to your local computer. Save to the cloud like everyone else. You can download local copies to your machine but emphasize what it is like to lose your work and how bad it would be.

I am getting everyone to turn on multifactor authentication because it is extra defense and could block an attack from being successful. I am a huge fan of password managers. At my company, everyone must use a password manager. They make up unique, long, and random passwords that human beings would never guess, and that computers have trouble guessing.

Helping employees protect themselves in their private life gives them even more practice using the password manager.

Brooke: At what part of a development cycle does security come in?

Tanya: We used to bring security in at the end and they would do a penetration test and it would be like shooting fish in a barrel. They would tell you all the things you have done wrong, but because it is close to go-time, they would fix one or two things, put a big bandage on it, and send it out the door.

For a long time, I would give conference talks, write blog articles, and say, “We need to shift security left,” and by left, I mean earlier in the system development lifecycle. It is cheaper, faster, and easier to fix security problems there, whether it be a design flaw or a security bug. But marketing teams got a hold of that and there are all sorts of products that have the word “shift” in the name. What they meant is buy our product, put it in your continuous integration/continuous deployment (CI/CD) pipeline, and all your dreams will come true. The term got co-opted.

Brooke: If you could impact one thing in security, what would it be and why?

Tanya: On a professional level, it would be that more universities and colleges start teaching secure coding. If they are going to work in information security, one of the classes should be about application security. I wrote my book “Alice and Bob Learn Application Security” hoping universities would teach it and they only want to teach it in cybersecurity programs. I am happy about that, but 100 percent of them refused to teach it to the computer science students and I said, “But they are the ones making all the bad code.”

On a personal level, I want information security to be inclusive of everyone. I want all the LGBTQIA people to show up. I want all the women to show up. I want people of every race and religion to show up. I want disabled people to show up. Everyone can contribute effectively, but there must be space for them.

Learn more

If you’re attending the RSA Conference, do not miss Tanya’s sessions: “Adding SAST to CI/CD, without losing any friends” on April 26, 2023, “DevSecOps worst practices” on April 27, 2023, and “Creating a great DevSecOps culture” on April 27, 2023. And to learn more about Microsoft’s DevSecOps and shift left security solutions, visit the DevSecOps tools and DevSecOps services and Microsoft Defender for DevOps pages.

Learn more about general data security from Microsoft.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹60 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think), Thomas Koulopoulos. May 11, 2017.

The post Why you should practice rollbacks to prevent data loss in a ransomware attack appeared first on Microsoft Security Blog.

Natalia: When you’re building an AppSec program, what are the objectives and requirements?

Tanya: This is sort of a trick question because the way I do it is based on what’s already there and what they want to achieve. For Canada, I did antiterrorism activities, and you better believe that was the strictest security program that any human has ever seen. If I’m working with a company that sells scented soap on the internet, the level of security that they require is very different, their budget is different, and the importance of what they’re protecting is different. I try to figure out what the company’s risks are and what their tolerance is for change. For instance, I’ve been called into a lot of banks and they want the security to be tight, but they’re change-adverse. I find out what matters to them and try to bring their eyes to what should matter to them.

I also usually ask for all scan results. Even if they have almost no AppSec program, usually people have been doing scanning or they’ve had a penetration test. I look at all of it and I look at the top three things and I say, “OK, let’s just obliterate those top three things,” because quite often the top two or three are 40 to 60 percent of their vulnerabilities. First, I stop all the bleeding, and then I create processes and security awareness for developers. We’re going to have a secure coding day and deep dive into each one of these things. I’m going to spend quality time with the people who review all the pull requests so they can look for the top three and start setting specific, measurable goals.

It’s really important to get the developers to help you. When you have a secure coding training, a bunch of developers will self-identify as the security developer. There will be one person who asks multiple questions. We’re going to get that person’s email. They’re our new friend. We’re going to buy that person some books and encourage open communication because that person is going to be our security champion. Eventually, many of my clients start security champion programs and that’s even better because then you have a team of developers—hopefully one per team—that are helping you bring things to their team’s attention.

Natalia: What are some of the key performance indicators (KPIs) for measuring security posture?

Tanya: As application security professionals, we want to minimize the risk of scary apps and then try to bring everything across the board up to a higher security posture. Each organization sets that differently. For an application security program, I would measure that every app receives security attention in every phase of the software development life cycle. For a program, I take inventory of all their apps and APIs. Inventories are a difficult problem in application security; it’s the toughest problem that our field has not solved.

Once you have an inventory, you want to figure out if you can do a quick dynamic application security testing (DAST) scan on everything. You will see it light up like a Christmas tree on some, and on others, it found a couple of lows. It’s not perfect, but it’s what you can do in 30 days. You can scan a whole bunch of things quickly and see OK, so these things are terrifying, these things look OK. Now, let’s concentrate on the terrifying things and make them a little less scary.

Natalia: Do you have any best practices for threat modeling cloud security?

Tanya: For threat modeling generally, I introduce it as a hangout session with a security person and try not to be too formal the first time, because developers usually think, “What is she doing here? Danger, Will Robinson, danger. The security person wants to spend time with us. What have we done wrong?” I say, “I wanted to talk about your app and see if there’s any helpful advice I can offer.” Then, I start asking questions like, “If you were going to hack your app, how would you do it?”

I like the STRIDE methodology, where each of the letters represents a different thing that you need to worry about happening to your apps. Specifically, spoofing, tampering, repudiation, information disclosure, denial of service (DOS), and elevation of privilege. Could someone pretend to be someone else? Could someone pretend to be you? I go through it slowly in a conversational manner because that app is their baby, and I don’t want them to feel like I’m attacking their baby. Eventually, I teach them STRIDE so they can think about these things. Then, we come up with a plan and I say, “OK, I’m going to write up these notes and email them to you.” Writing the notes means you can assign tasks to people.

With threat modeling in the cloud, you must ask more questions, especially if your organization has had previous problems. You want to ask about those because there will be patterns. The biggest issue with the cloud is that we didn’t give them enough education. When we’re bringing them to the cloud, we need to teach them what we expect from them, and then we’ll get it. If we don’t, there’s a high likelihood we won’t get it.

Natalia: How can security professionals convince decision-makers to invest in AppSec?

Tanya: I have a bunch of tricks. The first one is to give presentations on AppSec. I would do lunch and learns. For instance, I sent out an email once to developers: “I’m going to break into a bank at lunch. Who wants to come watch?” and then I showed them this demo of a fake bank. I explained what SQL injection was and I explained how I’d found that vulnerability in one of our apps and what could happen if we didn’t fix it. And they said, “Woah!” Or I’d ask, “Who wants to learn how to hack apps?” and then I showed them a DAST tool. I kept showing them stuff and they started becoming more interested.

Then, I had to interest the developer managers and upper management. Some were still not on board because this was their first AppSec program and my first AppSec program. No one would do what I said, and I had all these penetration test results from a third party, and we had hired four different security assessors and they’d reported big issues that needed to be addressed.

So, I came up with a document called the risk sign-off sheet, which listed all the security risks and exactly what could happen to the business. I was extremely specific about what worried me. I printed it and I had a sign-off for the Director of Security for the whole building and the Chief Information Officer of the entire organization. I went to them and said, “I need your signature that you accept this risk on behalf of your organization.” I put a little note on the risk sign-off sheet that read: Please sign.

The Director of Security called and said, “What is this, Tanya?” and I told him, “No one will fix these things and I don’t have the authority to accept this risk on behalf of the organization. Only you do. I don’t have the authority to make these people fix these things. Only you do. I need you to sign to prove that you were aware of the risks. When we’re in the news, I need to know who’s at fault.” Both the CIO and the Director of Security refused to sign, and I said, “Then you have to give me the authority. I can’t have the responsibility and not have the authority” and it worked. I’ve used it twice at work and it worked.

It’s also important to explain to them using words they understand. The Head of Security, who is in charge of physical security and IT security, was a brilliant man but he didn’t know AppSec. When I explained that because of this vulnerability you can do this with the app, and this is what can result for our customers, he said, “Oh, let’s do something.” I had to learn how to communicate a lot better to do well at AppSec because as a developer, I would just speak developer to other developers.

Learn more

• Elevate your security posture with Microsoft Cloud App Security, Microsoft’s Cloud Access Security Broker.
• Learn about Microsoft’s Cloud Security approach.
• Get started with Azure Security Center.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to build a successful application security program appeared first on Microsoft Security Blog.

Natalia: How do you define application security?

Tanya: Application security, or AppSec, is every activity you do to make sure your software is secure. Let’s say there’s a Java developer that uses Spring Boot, and there’s a vulnerability. They hear a podcast about it and say, “I think we should probably update it because it sounded really scary on the podcast.” That contributes to application security.

However, quite often when people talk about application security, they are talking about a formalized program at a workplace to make sure that the applications being released are reliably secure. We want to make sure every single application gets security attention, and that each gets the same security attention and support. We want to do the best we can to verify that it is at the posture that we have decided is our goal.  Each organization sets that differently, which I talk about a lot in the book I released last year, but basically, application security professionals want to minimize the risk of the scary apps and then bring everything across the board up to a better security posture. That requires talking to almost everyone in IT on a regular basis. I like to think of application security folks as techie social butterflies.

Natalia: How does the security skills gap impact AppSec?

Tanya: I’m obviously biased because I run a training company, but I started it because people kept asking me to train them on how to do it because there is a gap. There is a gap, in general, in IT security with finding someone who has experience and understands best practices rather than just guessing how to train people.

In application security, there tends to be an even wider gap. I started a podcast in August 2020 called Cyber Mentoring Monday. I started it because I run #CyberMentoringMonday on Twitter, and the entire first year, every single person said, “I want to be a penetration tester,” but then I would ask them more questions because I am trying to find them a skilled professional mentor and lots of them didn’t know what AppSec was. They didn’t know what threat hunting was. They didn’t know what risk analysis was. They didn’t know that forensics or incident response existed. We would talk more and it would turn out that there is a different security focus that they’re really interested in, but they had only ever heard of penetration testing.

That was the same for me. I thought you had to be a penetration tester or a risk analyst, but there are a plethora of jobs. I started this podcast so people could figure out what types of jobs they wanted and because I really want to attract more people to our field. A big problem is there is no perfect way to enter AppSec.

Natalia: What are the biggest challenges for those in AppSec?

Tanya: The first AppSec challenge is education, with some developers not understanding how to create secure code. It’s not that they don’t want to. It’s that they don’t understand the risk. They don’t understand what they are supposed to do and a lot of them feel frustrated because they think, “I want my app to be perfect and the best ever,” and they know security is part of that, but they do not have the means to do it.

The second challenge that I see at almost every single workplace is trying to get buy-in. When I did AppSec full time, at certain places I would spend 50 percent of every day just trying to be allowed to do my job. For instance, I want this new tool, and here are the reasons why, and people would respond by saying, “That’s expensive. Developer tools are cheaper.” I would say, “I’m not a developer.” I had to learn how to communicate with management in a way I never had to do as a developer. When I was a developer, I would just say, “It’s going to be two weeks.” If they asked if I could do it faster, I would ask, “Do you want to pay overtime?” and then they would say either yes, and we would do overtime, or they would say no. There is no persuasion.

With AppSec, I had to say, “We have 20 apps. I know you want to spend a zillion dollars on hiring four penetrating testers to test our one mission-critical, super fancy app. But can we hire one for that and could we take the money and look at these legacy things that are literally on fire?” There is a lot of negotiation and persuasion that I had to learn to work in AppSec, which I was surprised about.

Natalia: What is the role of AppSec when it comes to cloud security?

Tanya: I find that everything that’s not taken becomes the AppSec person’s role because no one’s doing it and you’re freaking out about it. If you do AppSec in a company where everything is on-prem, quite often there’s an operations team and they will handle all the infrastructure, so you don’t have to. When you move to the cloud, and especially if you’re working in an org that does DevOps, you must suddenly learn cloud technology, at least the basics.

I’ve talked to many AppSec people and I’ve said, “If you’re moving to the cloud, I know that you think that you’re only in charge of the security of the software, but that’s not true anymore because of the shared responsibility model.” The shared responsibility model means that even if the cloud provider handles patches and the physical security of the data center, if you choose bad configurations, you are responsible for those. So, the first thing you need to do is check out the shared responsibility model to know what your side must do so you don’t miss super important stuff.

When we move to the cloud, understanding shared responsibility is really important and then setting out a process so you get reliable results. Ideally, every phase of the software development lifecycle has one or more security-supporting activities. If you’re using the cloud, there is a decent chance that you’re doing DevOps, in which case the developers become DevOps people. You want to talk to them about securing both development and operations. If they’re just doing development and there is a separate team doing operations, there is a security team helping the operations team but you want to make sure that they receive security assistance. It’s important for developers to understand the basics of cloud security so they don’t accidentally do something terrifying.

With the cloud, one of my favorite things is automation. I used to work for Microsoft and am an Azure fan. Azure has Security Center, which is the best and can automate a bunch of policies and check up on a lot of things for you. Learning how to use it to your advantage is important—learning which parts you want to turn on, which parts you need to budget for in the future, and which parts you’d rather have a third-party tool for. Making those decisions is important for the cloud security team and the AppSec person and then figuring out how to deploy safely and reliably into the cloud.

Keep an eye out for the second part of the interview, as Tanya Janca shares best practices on how to build an application security program and measure its success.

Learn more

• Elevate your security posture with Microsoft Cloud App Security, Microsoft’s Cloud Access Security Broker.
• Learn about Microsoft’s Cloud Security approach.
• Get started with Azure Security Center.

To learn more about Microsoft Security solutions, visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The biggest challenges—and important role—of application security appeared first on Microsoft Security Blog.