ep2024-12 Tanya Janca: Happy Holidays are Secure Code
Dec 23, 2024
In this engaging discussion, Tanya Janca, an AppSec expert and author of 'Alice and Bob Learn Secure Coding', dives into the essentials of secure coding practices. She shares insights on the lack of formal security education and advocates for improved AppSec curricula. Tanya emphasizes practical training and accessible resources for developers, while also reflecting on her personal journey in learning and teaching. Key topics include the importance of not trusting input and the principle of defense in depth, all presented with a relatable touch.
Tanya Janca emphasizes the urgent need for secure coding education, revealing significant gaps in university curricula and promoting free resources.
Her book 'Alice and Bob Learn Secure Coding' aims to teach developers practical secure coding practices while addressing existing training deficiencies.
The discussion highlights the importance of context in evaluating vulnerabilities and advocates for a layered security approach known as defense in depth.
Deep dives
The Importance of Secure Coding Education
The discussion emphasizes the critical need for secure coding education in software development. Tanya Janca highlights her experience in academia, where she found a significant gap in the curriculum regarding secure coding practices. Despite reaching out to universities to promote the importance of secure coding training, she faced hurdles, which ultimately led her to publish free educational resources on her YouTube channel. By writing a book specifically focused on secure coding, she aims to bridge this educational gap and give developers the knowledge they need to produce secure applications.
Transition from High-Level AppSec to Secure Coding
Tanya Janca shares her journey from exploring various aspects of application security to focusing on secure coding. This shift was driven by her observations while speaking at conferences, where she realized that most universities lacked dedicated courses on secure coding. Her new book, 'Alice and Bob Learn Secure Coding,' builds on her previous work and addresses problems she identified in current training practices, focusing not just on vulnerabilities but on teaching developers how to write secure code from the outset. She has developed training modules that emphasize practical guidance over rote memorization of vulnerability classes.
Practical Tools and Frameworks for Secure Coding
In her book, Janca discusses various programming languages and frameworks while providing insights into their built-in security features. She highlights popular languages and frameworks, like Swift and Django, showing how they provide security mechanisms out of the box that developers can adopt with little effort. Additionally, she recommends static analysis tools such as Brakeman and Bandit for finding vulnerabilities in Ruby on Rails and Python code, respectively. This practical approach aims to help developers understand how to leverage existing resources to improve their coding practices.
The Role of Context in Application Security
The conversation delves into the significance of context when evaluating security vulnerabilities. Both speakers recount real-life examples where perceived vulnerabilities did not pose significant risk because of contextual factors, such as how important an application is and who can actually reach it. This highlights the necessity for security professionals and developers to assess each vulnerability within its specific environment and infrastructure. By prioritizing security efforts based on context, organizations can make informed decisions about which vulnerabilities to address urgently.
The Need for Layered Security Measures
A major takeaway from the discussion is the concept of defense in depth, advocating for multiple layers of security to protect applications. Janca stresses that relying on a single security measure is insufficient and emphasizes the importance of validating all inputs throughout the application. She illustrates how additional layers can limit the impact of a vulnerability by giving examples of secure patterns, such as parameterized queries and content security policies. This layered approach not only improves security but also prepares developers to respond effectively to a range of attack vectors.
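To make the "Practical Tools and Frameworks" and "Layered Security" points concrete, here is an added Python example (not code from the episode, the book, or Tanya Janca) showing the layers stacked on one lookup: a string-built query of the kind Bandit flags as a hardcoded SQL expression (its B608 check), the same lookup as a parameterized query, allowlist input validation in front of it, and a nonce-based Content-Security-Policy header as the layer that limits damage if an output-encoding bug still slips through. The in-memory SQLite table and the `' OR '1'='1` payload are constructed for the demo; the function names are the example's own.

```python
import re
import secrets
import sqlite3

# Constructed sample data for the demo; not from the episode.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("admin", "admin")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_user_vulnerable(conn, username):
    # No layers: untrusted input is spliced into the SQL text. Bandit reports
    # this pattern (B608); a payload like  ' OR '1'='1  rewrites the WHERE clause.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_parameterized(conn, username):
    # Layer 1: a parameterized query. The driver sends the value as data,
    # so the same payload is just a username that does not exist.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Layer 2: allowlist validation at the trust boundary. Usernames are
# lowercase alphanumerics/underscore, 1-32 chars (an assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def is_valid_username(username):
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None

def find_user_defended(conn, username):
    # Both layers together: reject anything outside the allowlist, then
    # still use the parameterized query rather than trusting the validator.
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return find_user_parameterized(conn, username)

def csp_header(nonce):
    # Layer 3: a Content-Security-Policy that only runs scripts carrying the
    # per-response nonce, so injected <script> tags from a missed encoding bug
    # do not execute. The nonce must be fresh per response (secrets module).
    return (
        f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'; "
        "base-uri 'self'; frame-ancestors 'none'"
    )

def demo(payload="' OR '1'='1"):
    """Run the injection payload through each layer and report what each returns."""
    conn = make_db()
    try:
        defended = find_user_defended(conn, payload)
    except ValueError:
        defended = "rejected"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),   # whole table
        "parameterized_rows": len(find_user_parameterized(conn, payload)),  # nothing
        "defended": defended,                                          # rejected
        "legit_lookup": find_user_defended(conn, "alice"),
        "csp": csp_header(secrets.token_urlsafe(16)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the ordering is that each layer is independently sufficient against this particular payload, so a mistake in one (a validator that is too permissive, a query someone rewrote with string formatting during a refactor) is caught by the next. That is the defense-in-depth argument from the episode expressed as code.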
Some production issues caused this one to slip to December so the intro is a bit off but this is still a great episode. So, learn some lessons on creating secure code from one of my favorite guests: Tanya Janca. It was hard to keep this one to its current length as Tanya is such a great person to talk to for any reason. Enjoy and happy holidays!
Show Links:
Get your copy of Alice and Bob Learn Secure Coding! (and more):
https://shehackspurple.ca/books/
Also the newsletter so that you can join the free online streams:
https://newsletter.shehackspurple.ca/