Episode #078: 🔥 Burn Your 30-page Policies: Tanya’s Got Better Ideas

Apr 22, 2025

In this engaging chat, Tanya Janca, known as SheHacksPurple, shares her insights as an AppSec expert and author. She discusses why traditional security policies often flop and how to make them more effective. Bridging the gap between developers and policy writers is key—Tanya emphasizes the need for practical, simplified guidelines. She also touches on her advocacy work in enhancing cybersecurity within government sectors. Tune in for her tips on empowering developers and making security accessible!

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

ANECDOTE

Developer Ignored Overwhelming Policies

Tanya Janca shared how as a developer she was clueless about the many unread policies enforced on her team.
When she wrote new secure coding policies with dev feedback, the team finally found them helpful and practical.

ADVICE

Policy Writing Requires Evangelism

Write policies with lots of developer feedback and multiple consultations before socializing them.
Promote policies actively through presentations, workshops, and easy wiki access to maximize awareness and adoption.

ADVICE

Use TL;DR for Better Reading

Keep policies extremely short with a TL;DR page featuring key points to encourage reading.
Accept some need to read more, but shorter concise documents achieve better developer engagement.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Alice and Bob Learn Secure Coding

Tanya Janca

This book offers a refreshing approach to secure coding by using analogies, stories of the characters Alice and Bob, real-life examples, technical explanations, and diagrams. It covers secure coding in popular languages like Python, Java, JavaScript, C/C++, SQL, C#, PHP, and more, as well as security for frameworks such as Angular, .Net, and React. The book includes topics on security best practices for APIs, mobile, web sockets, serverless, IoT, and service mesh, major vulnerability categories, the Secure System Development Life Cycle, threat modeling, testing, and code review. It is designed for a diverse audience, including software developers of all levels, budding security engineers, software architects, and application security professionals.

The web application hacker's handbook

Dafydd Stuttard

This practical book is completely updated and revised to discuss the latest step-by-step techniques for attacking and defending web applications. It covers new technologies and attack techniques, particularly on the client side, including remoting frameworks, HTML5, cross-domain integration, UI redress, framebusting, HTTP parameter pollution, and more. The book also features a companion website with interactive content, answers to chapter questions, and a summarized methodology and checklist of tasks.

Alice and Bob Learn Secure Coding

Tanya Janca