Developers are like water: if you make your security protocols too difficult, they will find a way to flow right around them. This week on Dev Interrupted, bestselling author and OWASP Top 10 Project Leader Tanya Janca returns to unpack why vibe coding has officially made the list of the most critical security risks in software development. Tanya breaks down the psychology of bad code, explains why the modern software engineer has become the primary attack surface, and shares actionable strategies for shifting security left directly into your AI prompts. Finally, she provides practical, behavioral solutions for building a golden path that makes secure coding the easy choice for your engineering team.
Show Notes
- SheHacksPurple: Learn secure coding from Tanya at shehackspurple.ca
- DevSec Station: Listen to Tanya's bite-sized security podcast for developers at devsecstation.com
- Secure My Vibe: Download Tanya's free AI secure coding prompt library at securemyvibe.ca
- The Psychology of Bad Code: Read Tanya's insightful blog series on behavioral economics and application security on the SheHacksPurple Blog
- OWASP Top 10: Learn more about the most critical security risks to web applications at owasp.org
- Tanya’s Newsletter: Sign up for Tanya’s newsletter at newsletter.shehackspurple.ca
- Connect with Tanya: LinkedIn | Twitter/X
Transcript
(Disclaimer: may contain unintentionally confusing, inaccurate and/or amusing transcription errors)
[00:00:00] Andrew Zigler: So welcome back to Dev Interrupted. I'm your host, Andrew Zigler, and on the show, we've been learning how the world of autonomous agents are pushing deployment speeds to the limit with security paying the ultimate price. And we've been covering the ongoing software supply chain crisis with leaders like CEO Dan Lorenc of Chainguard. And today we're pushing the topic even further with a returning guest who also happens to be OWASP distinguished member and hacker of the year. Yes, joining me is a favorite who has proven throughout her career that security isn't a product, it's a practice, and that it can be purple too. She's the bestselling author of Alice and Bob Learn Application Security, and Alice and Bob Learn Secure Coding, which we covered on the show. a former rock star and most recently project leader for the OWASP Top 10 2025. Tanya Janca, AKA shehackspurple, welcome back to the show
[00:00:56] Tanya Janca: Andrew, thank you so much for having me
[00:00:59] Andrew Zigler: We're so excited to [00:01:00] have you. And I just wanna start by saying, you know, it's always so impressive for me to read your list of credentials and your background. I think you've had such an amazing career, and you have such a really unique perspective to bring to our listeners, especially with your passion around security. Um, as I say constantly, we just never give enough of a spotlight to that topic, and so I'm really happy to have you here, especially with all of the work you've been doing with OWASP. Uh, I'm really excited to dig in. So you served as a project leader, uh, for the Top 10 2025. What was that, what was that like?
[00:01:34] Andrew Zigler: Can you maybe kind of, uh, orient some of our listeners who maybe are less familiar with that world?
[00:01:39] Tanya Janca: So OWASP is an international nonprofit where we have three-- over 300 chapters where people meet in person every month, over 100 open source projects. We have international conferences that move around the world. Um, and then there's a nonprofit foundation as well. And our most popular project of all time that is [00:02:00] over 20 years old is called the OWASP Top 10, which is supposed to be the top 10 risks to web apps, but it actually is just the top 10 risks to software in general.
[00:02:10] Tanya Janca: And this time there's 13.
[00:02:14] Andrew Zigler: Ooh.
[00:02:15] Tanya Janca: Yeah, that's right.
[00:02:15] Andrew Zigler: before?
[00:02:16] Tanya Janca: No. So we had to decide what to put in the what's next, and we had a tie for number 10. And then there was another one that was just extremely noteworthy, and then we had to talk about vibe coding. So I was like, let's just, you know, in the what next, there's just three extra items that I was-- We're not gonna do another top 10 for two to three years, and I'm like, we can't just not talk about vibe coding.
[00:02:39] Tanya Janca: We can't skip that. And so the team talked about it and they're like, "Well, what's the worst that can happen is the community yells at us." And no one did. So yay.
[00:02:49] Andrew Zigler: And that's a signal in and of itself that there's so many top of mind critical security topics that we all need to be talking about that it- we had to throw away [00:03:00] the templated approach we used to talk about them in, like, the bracket. We had to expand the bracket because now there's more threats than ever.
[00:03:08] Andrew Zigler: How, how did y'all kind of ap- uh, approach that challenge? And you say vibe coding makes the list, so I'm curious, you know, uh, in this world where you're kinda scoping out problems for web apps, but really, you know, all software, what were some of the biggest things that are standing out to you now that maybe didn't stand out years in the past when we- you've made this list?
[00:03:28] Tanya Janca: Absolutely. So the way that they... So I mean, the, the first top 10 list, let's just be really blunt, a bunch of experts just got together, had a couple bottles of wine, and just made the top 10 things they always found in pentests. And then going forward, they're like, "Okay, so we probably need some data." Um,
[00:03:47] Andrew Zigler: As it goes. So then you start getting the data practice to figure out what are actually these application security problems that are plaguing developers
[00:03:55] Tanya Janca: Yeah. Yeah, but the, the issue is gathering data. So, guess who gives us data? [00:04:00] A couple of great pen testing companies who are so awesome to anonymize and share their data with us, which is extremely effortful. Then we have a whole ton of static analysis and dynamic analysis vendors who then just show us what they know how to find, right?
[00:04:18] Tanya Janca: But what we really care about and what data I wish we could have that no one will ever, ever give us is, um, specifically incident response data and breach data. So, I know that there's the Verizon breach report, and there's the CrowdStrike report, and the Microsoft whatever, right? But those are really big public breaches.
[00:04:35] Tanya Janca: I mean, the average AppSec nerd responding to attacks that are happening that make a giant mess of everything, it's like, what was that? What caused that? What hurt your company? Because that's what we actually care about the most is, 'cause this top 10 list is an awareness document, and I actually don't care about vendors are good at finding this.
[00:04:56] Tanya Janca: I care about this is what will help you move the needle on protecting your [00:05:00] organization and your customers. And so, when we got to talking about it, Andrew, you were talking about, like, what really stood out. So, what we used to have on the list was using outdated and vulnerable components. So, you use a library, and there's like 12 CVEs in it, and you're like, "Is that really a good life choice that you're making here?"
[00:05:17] Tanya Janca: Um, and we expanded that to include the entire software supply chain.
[00:05:22] Tanya Janca: So, is your CI locked down? Can just anyone push code to prod? You know, your code repo, is it set to public by accident? 'Cause I have found that on customer sites more than once. Um, are there secrets places they shouldn't be? So, every single thing you do to create and maintain your software till the day that you retire that software.
[00:05:44] Tanya Janca: Um, so we changed that. And then, um, another one was, so we used to just have, you know, you're bad at logging. Um, and now we have you're really bad at error handling, and you're really bad at logging and monitoring, because those, [00:06:00] we separated them because they just cause so many problems. And then vibe coding.
[00:06:07] Tanya Janca: So, we didn't have any data to support this except for every single day lived experience. Right?
[00:06:15] Andrew Zigler: so, so, so you, you throw vibe coding in this mix, and vi- what does vibe coding's danger profile look like?
[00:06:21] Tanya Janca: Okay, so I define vibe coding. So using an AI to assist you to write code, awesome. Assuming you still do the general application security program that you would, you review the code, you make it your own, you understand it and agree it's good before you commit it. To me, vibe coding is the AI's writing everything, you have no time to review it, or you're not taking the time to review it, and you're just committing what the AI says.
[00:06:48] Tanya Janca: And Andrew, I teach secure coding, and I teach a lot of code review right now, and I teach how to use the AI assistant, and I have, like, this prompt library that we [00:07:00] use. And last week I was teaching it with a new client, and all of us used the same security prompt and the same build prompt, and there were 60 of us, and 59 of us got some really good code.
[00:07:11] Tanya Janca: And the 60th person, he's like, "Is this bad? This seems bad." And we were writing in Python and, um, I, I don't know if you know, but there's, like, a Python linter, and there's a comment that you can put to say, "Ignore the following lines."
[00:07:27] Andrew Zigler: Mm-hmm.
[00:07:27] Tanya Janca: had added that and then intentionally leaked secrets Yeah.
[00:07:33] Andrew Zigler: It...
[00:07:34] Tanya Janca: Yeah, d-
[00:07:35] Andrew Zigler: just, that was in your, that was in your security workshop. So you're like, jackpot, exactly what I'm talking about. These are the dangers of not going back and reviewing your code. Because it also goes back to, you know, you, there were 60 people in the room, 59 of them got it right.
[00:07:48] Andrew Zigler: That's the reality of agentic engineering or vibe coding. Um, and if you don't then have the right kinds of structures and harnesses and, and looking at, and like hooks and like actually looking at the code, [00:08:00] then when you're, you sometimes are that one out of 60, gonna have the protection needed to even understand it's there
[00:08:07] Tanya Janca: And that was with the secure coding prompt that applies... Um, so I took basically, um, my yellow book, the secure coding, uh, Alice and Bob book, and I boiled it down to 84 things, and I, I turned it into this guideline, and then I turned it into prompts, and it applies it as a prompt before it, like, as it's building the code for you, and it still did that.
[00:08:31] Tanya Janca: So
[00:08:32] Andrew Zigler: so you took everything within your book, distilled it down to, like, a prompt that effectively worked like a skill to drive the whole process, and,
[00:08:39] Tanya Janca: Mm-hmm.
[00:08:39] Andrew Zigler: it still immediately, uh, encountered these, these major problems
[00:08:44] Tanya Janca: Oh
[00:08:44] Andrew Zigler: code. So, uh, it goes back to then, like, uh, this is why this becomes a sticky vulnerability, a sticky problem we have to pay attention to, uh, because it's lurking underneath everywhere right now.
[00:08:55] Andrew Zigler: Like you said, it's a lived e- lived experience every day. We cover that constantly here, how [00:09:00] that's just the reality of engineering now
[00:09:02] Tanya Janca: It's so true, Andrew. And I have examples just over and over and over again, like when I work with clients and we're reviewing things and we just see, "Surprise, it decided to remove all the error handling when we switched from Python over into Java. I don't know why." But it's
[00:09:20] Andrew Zigler: Yeah
[00:09:20] Tanya Janca: I'll just let the global exception handler catch everything and remove Tanya's beautiful error handling."
[00:09:25] Tanya Janca: I'm like, "No, Claude, no."
[00:09:28] Andrew Zigler: And in this case, we're just talking about, like, the static analysis kind of world. Like, it's leaving weird little things left over in your files or, like, there's something hanging out. Uh, maybe you have a secret that's leaked somewhere. And these are things that are just, like, obviously big problems to, to see and find and root out. There's another element of this that I'm sure y'all have thought extensively about, and that's that, you know, this list and the way that we talk about vulnerabilities, they tend to be really compartmentalized. Like, there's this vulnerability and this vulnerability, and we talk about them as if they live in completely different [00:10:00] lands.
[00:10:00] Andrew Zigler: Like, they're not side by side next to each other in the same files, in the same process. And so then when you combine that with, um, like an, an, an agent or any kind of, um, um, agentic kind of whether it's an external person or your own coding assistant, now they have the forethought to maybe chain and combine these different elements that we haven't even thought of before.
[00:10:23] Andrew Zigler: So defending security is now just no longer, like, identifying the patterns. It's understanding how are they combined, which is not a practice that I think is n- is natural for a lot of security engineers.
[00:10:35] Tanya Janca: I absolutely agree, Andrew. Honestly, like, so when I, um, learned security, so I was, I was a software developer for a long time, and then I got a professional mentor that was teaching me about pen testing. Uh, and the f- the first mentor, uh, who I write about in my books taught me what not to do. Um, and then pre- previous mentors since then have all taught me more ethical lessons.
[00:10:58] Tanya Janca: Uh, but, [00:11:00] like, when I started speaking at conferences, it was just so I could get in free, right? I just wanted to learn from all the other people. And a lot of people all focused on these are the vulnerabilities. But when I started teaching, I was like, "I don't think I want a developer to memorize 600 CVEs or just, like, a list of 10 things.
[00:11:19] Tanya Janca: What I really want is for them to know how to write safe code." So I'd rather teach them the defense. So for instance, um, you know, you should always lock the front door before you leave, rather than teaching them, you know, someone might rob you, someone might do this, there might-- they might do that, and, like, having them memorize all of these dangers.
[00:11:42] Tanya Janca: Instead, it's like a best practice is that you always lock your door, or, you know, a best practice is that, you know, you handle your errors, you fail closed, right? And teaching them those patterns, there's way less to learn. Um, way, way... And specifically, like, when I teach those [00:12:00] 42 things, and a lot of them are, like, three or four things that are actually just one complete security control.
[00:12:08] Tanya Janca: And if we could just, you know, all apply those security controls, and by, by control, I mean the code that does the security thing, so, uh, manages your session or, you know, verifies your identity, which is called authentication, right? So if we could just do those controls and, and follow whatever the best practices are for each one, it, it doesn't matter what the top 10 says.
[00:12:30] Tanya Janca: And I know, like, I helped write the new top 10, so I shouldn't... I still think it's valuable because a lot of developers, and, and I'm one of them, is like, "Why? Why do I have to do that," right? So knowing the why is important to a lot of people, but I think that if we're gonna only have so much of their attention, I'd rather teach them the what you should do rather than the this is the scary boogeyman.
[00:12:55] Andrew Zigler: Exactly. And especially because everyone's drowning in information [00:13:00] right now, um, and there's definitely an asymmetry between these defenders and cybersecurity engineers and the perpetrators and hapless, unprotected agents that are, you know, causing a lot of pain for the software-powered world that we live in right now. Um, and it's really just like a matter of, you know, days now between major incidents that we all are constantly talking about, whether they're breaches or outages, and we come back to guardrails and security things, but you also get a lot of data exfiltration and, and groups that are able to combine these secur- insecurities in really unique ways that take advantage of unprepared companies and, and enterprises, right?
[00:13:39] Andrew Zigler: So like there's a lot of engineering leaders right now who are strategizing for like we're, are coding at the speed of light. We're delivering customer value at a speed never before seen. Do you see this chart? Do you see how it goes up and to the right and how great that is? And at the same time, you know, when they [00:14:00] close that Zoom call, they're like, "Oh God, like I got... I have a pile of code to review. I have to understand what we've built and w- and where the direction's going." And so people make compromises, and security oftentimes slides and slides and slides down this list. So w- what do you think engineering leaders should do right now to have kind of like a wake-up call, use this OWASP Top 10 as a roadmap for figuring out how am I gonna protect my org while still like taking advantage of all the cool stuff in the world right now?
[00:14:29] Tanya Janca: Okay. So, I feel that the OWASP Top 10 is a really good tool for getting people to pay attention to security. I usually don't like the whole fear, uncertainty, and doubt thing that the security industry marketing teams are so good at,
[00:14:47] Andrew Zigler: Yes
[00:14:47] Tanya Janca: it works. And so if software developers are like, "Oh, I don't care about this, it doesn't matter," it's a thing that can make them care because they, like, you know, for each example, we have, like, these [00:15:00] giant breaches to show that it's true, and it, and it explains the concept and it helps them understand the why.
[00:15:06] Tanya Janca: But if they're already on board and you already have a positive security culture, I don't think, as much as I love the Top 10 and me and Torsten and, and Neal, and we all worked really hard on it, um, if you already have a positive security culture and everyone already cares, and that is not everywhere, um, but if you're already on that ship, instead I, I would start w- with either, um, teaching them what to review for, and that's something, you know, you can hire out for, but you, you can also do it internally, right?
[00:15:36] Tanya Janca: Like, there's a secure code review project from OWASP. There's all sorts of things, right? So y- quite frankly, you could buy my book, um, and, and, and you could show them. And, um, I'm doing free lessons each month on my book on YouTube, and so there are cheap options to learn, okay? Um, so teach them what to do if they're already aware that it's a [00:16:00] priority.
[00:16:00] Tanya Janca: Another thing, um, and again, this is like a little self-serving, I created a free AI secure coding prompt library, which you can go get right now at securemyvibe.ca and I know, right?
[00:16:15] Andrew Zigler: I love that URL so much. It's a
[00:16:17] Tanya Janca: Thank you. But basically it, it takes-- So there's like a, a main system prompt that you would add for, you know, your Claude main instructions, like in your settings, like instructions for Claude that run every...
[00:16:30] Tanya Janca: So every time you generate code, do this. And then I have a whole bunch of things that, um, quite frankly, we just turn into skills together if we work together. And one's like a, a code review one. One's, you know, I'm building an A- uh, an API. One is, you know, I'm doing a threat model. And it guides you of what to fill in and then creates security requirements for you.
[00:16:54] Tanya Janca: So, you know, if you're, if you do have to build authentication from scratch, these are the [00:17:00] security requirements to make sure you don't screw it up. And I essentially just took... Thank you. Thank you. Um, and
[00:17:07] Andrew Zigler: Yeah
[00:17:08] Tanya Janca: again, it's not perfect, right? So reminder, you still have to review the code after. Even if you use the code review task, you still, if you're gonna submit work as your own, you should know what it says, you should understand it, and if you don't understand it, ask the AI to walk you through it.
[00:17:22] Tanya Janca: So I, I would start with that, and I think a lot of us need to modernize our AppSec programs because quite frankly, no one wants to have like a, a backlog with like 40,000 critical vulnerabilities, right? And right now what I see is, you know, devs are expected to produce like 100x the code that they previously did, and then they run the stack analysis tool, and it's like, do you know how wrong you are?
[00:17:50] Tanya Janca: Because you're very wrong. And then it gives you like five trillion vulnerabil- like bugs that you're supposed to fix, and people are just [00:18:00] pushing by it. And so we need to try to get as much security in the generation, like of the code as we can, then run the code review, then, then do the other steps we would do.
[00:18:12] Tanya Janca: I-
[00:18:13] Andrew Zigler: It
[00:18:13] Tanya Janca: Yeah
[00:18:13] Andrew Zigler: like you're saying we should shift that security left in the code generation process.
[00:18:19] Tanya Janca: I know it's, I, um, yeah
[00:18:22] Andrew Zigler: these things again? We're all back full circle, I guess. You
[00:18:25] Tanya Janca: I know
[00:18:26] Andrew Zigler: I agree with you. The practice has got to go, go in early because, uh, agentic rework is a nightmare.
[00:18:30] Andrew Zigler: Anybody who has been trying to, like, uh, play this game of Whac-A-Mole with outputs, you know that it's always better to be extremely aligned at the very beginning. Uh, it's great that you have these proto skills or these, like, prompts that are like proto skills. People can fill them out with their own kind of information.
[00:18:47] Andrew Zigler: Um, I think all of the best skills work this way. They start by interviewing you, understanding what really matters and, and what it should care about for you, and then kind of like transforming, uh, into exactly what you need. I think that's a great place for [00:19:00] people to start. You know, use your actual roadmap.
[00:19:01] Andrew Zigler: Don't use a boogeyman. Don't use some abstraction of security. Use the hard real code that people are re- reading and writing every day, and put practices in people's harness, and just kind of reboot your security practice in general, and remembering that it's, like, everybody's responsibility because it's not just the engineers writing code anymore.
[00:19:19] Andrew Zigler: The surface area of the code in your organization's broader than it's ever been. Uh,
[00:19:24] Tanya Janca: Yeah
[00:19:25] Andrew Zigler: are popping up everywhere, even, like, in stuff getting vibe coded in your marketing department. So
[00:19:30] Tanya Janca: Yes. Yes. I, uh, I, I knew a c- so I work with so many companies, and one of the companies apparently, like the CEO just got super pissed at the marketing team for not doing things he wanted, and then he missed a flight, and while he was sitting there stranded in the airport, he programmed, like he vibe coded an entirely new website for the company and then published it over top of their real one and was just
[00:19:54] Andrew Zigler: he,
[00:19:54] Tanya Janca: like...
[00:19:54] Andrew Zigler: like rage coded. He like rage vibe
[00:19:56] Tanya Janca: he rage vibe coded. Um, and then like they made up by Monday [00:20:00] and put like the real website back and, but then the marketing team got on board with what the CEO wanted, right? And w- yeah. Um, I wanted to say two more things. So one other thing about if you do it at the code generation level. So right now, a lot of us are not paying for all the tokens we're using, and one day we're gonna have to actually pay the real price, and it's not gonna be $20, Andrew.
[00:20:24] Tanya Janca: And so if we
[00:20:25] Andrew Zigler: that all the time on this show, Tanya.
[00:20:28] Tanya Janca: we do the security, as much of the security as we can at the code generation level, we will save a gazillion dollars.
[00:20:34] Andrew Zigler: That's exactly right. Better learn now
[00:20:36] Tanya Janca: and the other thing is, so when you see a, a breach in the news or whatever, that's a material breach. What that means is that there's some legal reason that they have to inform us.
[00:20:48] Tanya Janca: There's at least 100 more breaches for every one of those that they do not legally have to inform us and they're not telling us. And then for all of those, there's many, many more security incidents where there isn't a [00:21:00] specific data breach, but there is still a problem and an incident that was caused.
[00:21:05] Tanya Janca: And in Canada, the, the tax people are called CRA, Canadian Revenue Agency, and in 2025 there's an article about how they had hidden 42 material breaches.
[00:21:17] Andrew Zigler: Oh my
[00:21:17] Tanya Janca: How many security incidents do you think they had? Right? And so
[00:21:22] Andrew Zigler: Right
[00:21:25] Tanya Janca: that is the, the tiniest, tiniest tip of the iceberg of what is actually occurring at all of these companies and businesses, and we are losing trillions and trillions of dollars a year to this.
[00:21:34] Tanya Janca: And so we need to get ahead of this, and I am trying to help the best I can. Um, I have some projects in the work that I, I am... When I have something good to report, I'll, I'll let you know when I have something to show. But we-- not only do we have to, you know, start security earlier, we need to completely rethink the way we do security 'cause the tool set we have, first of all, it just pisses devs off.
[00:21:57] Tanya Janca: Um, it, it really does. Like, [00:22:00] and it is, is not working. It is not affordable. It's not fast enough, and it is getting sideswiped or, or put to the side all the time. Circumvented, I think is the word. And we need something that actually works, and what we're doing is not working.
[00:22:16] Andrew Zigler: Exactly. Security has always been this like skeleton in the closet for companies, and now we're accumulating those skeletons at a rate never before seen. The closet isn't even big enough. And frankly, all of that, in all of that time while we're accumulating all of this stuff that we don't know what to do with, how do we learn from it?
[00:22:35] Andrew Zigler: Do we even have to report this? You know, it just becomes this accumulated like, uh, baggage on the company and everything that you're building. You have to remember that all of those skeletons in your closet is an attacker's learning, is something an attacker is leveraging over you, is, is something that is out there in the wilds, and it's, it's producing those skeletons, right?
[00:22:57] Andrew Zigler: And so that thread is growing [00:23:00] bigger and larger. Those skeletons have to come from somewhere. And this goes back from the asymmetry of defenders versus attackers in the security space. Like we've talked a little bit here about like just having good security practices and doing them early because of the compounding benefits like financially and also just security-wise later on downstream. But there's also the reality of, you know, we're building and shipping software and we're pretending that like the, uh, uh, the package-based ecosystem that we use to, to modularize and run all of our software just is gonna keep working as usual and we're just gonna have lots more velocity on it. But in reality, it's being, uh...
[00:23:37] Andrew Zigler: it's coming apart at the seams and becoming one of the biggest, uh, vulnerabilities that any of us could possibly think of, and it all always exists outside of our org. This becomes everyone's responsibility. And so the software supply chain risk is larger than ever before. How did y'all think about that with, with your list, but then how do you think about that personally with how you advise [00:24:00] folks to think about, um, how their software interacts with the rest of the world?
[00:24:05] Tanya Janca: So I actually have a slightly different take than what we put in the document. So in the OWASP Top 10, we talked about how supply chains are being attacked. So, you know, someone is a- attacking your code repository, they're doing malicious dependencies, um, they're, you know, they're trying to attack the pieces that you use to create and maintain your software.
[00:24:26] Tanya Janca: Um, but I actually have a slightly different opinion that kind of goes, um, one layer up from that. And if you look at the Verizon Breach Report, CrowdStrike, all, all of those great, smart, amazing folks that put those annual reports together, they call it a supply chain attack. But if you're the type of nerd that reads that stuff, which I am, um, if you look at some of the things that they call a supply chain attack, what actually happened for some of the biggest ones is it was actually one software developer employee, one human being that was [00:25:00] compromised.
[00:25:00] Tanya Janca: And because they're so powerful and they have so much access, it broke open multiple parts of the chain. And when I hear a company call themself a supply chain security company, and all they do is tell you if your dependencies are safe, I'm like, "Well, you're doing 1/19th, in my opinion, of the job." To me, there, like, there's so many different parts, and basically in, in my opinion, the software developer themselves has become a target.
[00:25:29] Tanya Janca: And, and, and it, it's amazing. Um, there's another podcast called "Darknet Diaries," and there was this woman on there called Mattie Stone, and she basically, she's part of Project Zero. She's this brilliant, amazing human. Um, and she announced at Black Hat all these vulnerabilities in the, in the Android, um, operating system, whatever, and how, like, how she had, like, kind of detected Pegasus, which was this spyware software, and, like, the five things that she had found or whatever.
[00:25:59] Tanya Janca: And [00:26:00] she said there were around 200 people in the room, and then later, um, like a week later, all of those were, were changed. And she's like, "And there was no recording available yet, so that means those people were literally in the room and went and changed the code based on what I said." And then she was saying she went to Israel and some men came up to her and talked to her who worked at that company.
[00:26:21] Tanya Janca: And I would poop my pants, Andrew. She handled it way better than I would've.
[00:26:26] Andrew Zigler: that's terrifying. You're so right that, like, the software engineer themselves becomes the attack surface
[00:26:32] Tanya Janca: Yeah. And so, like, uh, imagine, you know, uh, I don't know if you read XKCD comic, but there's, there's this comic about, you know, all the different things you can do to, like, encrypt your password in all these safe ways, and then the guy's like, "I have a wrench, and I'm just gonna hit you with it until you tell me your password."
[00:26:48] Tanya Janca: It's like, "I'll just tell it to you now."
[00:26:52] Andrew Zigler: Absolutely.
[00:26:53] Tanya Janca: 'Cause that, that's what would really happen. And so, like, as, like, some of these breaches are, like, hundreds of millions of [00:27:00] dollars, right? Like, they're, they're these huge things. And so, uh, we have to pr- so as security professionals, we need to protect our developers.
[00:27:08] Tanya Janca: Like,
[00:27:08] Andrew Zigler: Yeah
[00:27:09] Tanya Janca: uh, like physical protection of your building is one thing, but I, I mean, like, protect their workstations, protect their online accounts, protect their passwords, give them a password manager, teach them about digital safety. And I know that they're way more knowledgeable than the average person, right?
[00:27:27] Tanya Janca: But they need to be 100 times more knowledgeable because they're such an amazing target
[00:27:32] Andrew Zigler: Mm-hmm. Right. That's exactly the point is that you have to remember something's producing those skeletons in the closet. There are dangers that are lurking in the space in which you work, and they're invisible to you because you work from your living room. But you underestimate how much is connected to all of the machines that you can log into.
[00:27:49] Andrew Zigler: And there are so many ways to get compromised now in a, such a small localized way that can have these catastrophic effects. Even just the [00:28:00] idea of trying to, uh, code something up on your computer, and so you throw together a little project. And so it's gonna grab a few, uh, dependencies to strap something together for you really fast.
[00:28:10] Andrew Zigler: And then before you know it, there's a pre-install script on one of those NPM packages that has now all of your environmental variables. And this happens constantly to the point where packages get comp- huge packages that, uh, any LLM would reach for as, "Oh, I wanna build a website. This is one foundational building block I'm gonna grab for every time." Those ones get targeted, and then in a matter of minutes, then they would get, like, a deployed, uh... Like, someone would control their, like, uh, their, like, container deployment. They would deploy, like, a new version. All of these, uh, AI workflows and stuff are gonna download it and run it, and now it's just like they've all been compromised, and the surface area of that is huge. And it's quantified in a way where it's like we've never really had to quantify it in that way, level before. It's like that kind of compromise is not new. The speed at which it happens [00:29:00] is terrifying. There have been projects where I've worked on and where it's like I-- the only, the only way that I could secure myself was to stand completely still. Just to... I had to stop what I was doing, and it's like you can't pull anything. You-- I can't trust these packages. There's a serious issue that's affecting a lot of things I know, that I know are related to what I'm working on right now. I literally can't even work on it 'cause I'm too afraid of what vulnerability it might pull in.
[00:29:27] Andrew Zigler: And I-- And so that is a new way of working, I think, for a lot of engineers, and I, I think a, a lot of folks are, are still not aware of those lurking threats.
[00:29:37] Tanya Janca: If I could offer a small amount of technical advice, I would, if possible, disable post-install scripts for your entire organization by default, and I know that that will break some stuff. You will find those things very, very quickly, and then you examine them and decide, is this post-install cr- script trustworthy, right?
[00:29:58] Tanya Janca: And then you run or do not run it. [00:30:00] Also, if you are doing npm auto-update, make it so that everything you auto-update is seven days old or older, because the npm ecosystem within 24 to 48 hours seems to be able to find things. They are working their buns off on it. And so if you make it seven days or older, that i- is a lot better.
[00:30:20] Tanya Janca: Um, so if you could just like... If everyone could just do those two things, that would be a huge improvement just to start
[00:30:26] Andrew Zigler: I love that. You just shifted that left for me. I'm gonna start doing that myself. And I'm sure this is something that I would've learned if I would've taken one of your proto prompts and turned it into a skill, and it probably would have, pushed me to do that practice. So this is, I think, a good reminder for folks that there are a lot of things that we could be shifting left earlier now, uh, in our process and, uh, just those small little things can have huge, uh, improvements.
[00:30:47] Andrew Zigler: I appreciate that, that tip
[00:30:49] Tanya Janca: I actually, um, so I have a new podcast that are five-minute security lessons for software developers, and both of those things were in my lessons. And so it's called DevSec [00:31:00] Station, and it's just five or six minutes long. So, um, yeah, if people want that little tiny... And I give you homework 'cause I'm a teacher and I can't help it.
[00:31:10] Tanya Janca: Um, but it, but one of the homework is those things
[00:31:14] Andrew Zigler: Amazing. Well, we're definitely gonna include those links so folks can go check out your security tidbits, because I think these are just little reminders we all need, uh, that way we can find those earlier ways to be more, uh, secure. So we've talked about how, like, know, there's a lot of different places now where security breaks down.
[00:31:29] Andrew Zigler: There's an asymmetry in attackers and defenders, and how ultimately this comes down to building stronger practices, having those conversations earlier, but then also getting n- side by side with developers in the, in the way that they're working, understanding it, and then figuring out how to secure it.
[00:31:47] Andrew Zigler: Because, like, engineers have become this in- incredibly vulnerable surface area for organizations, and, uh, it, that threat is really hard to, um... It becomes like a boogeyman. And like you said [00:32:00] in the beginning, Tanya, like, it's hard to teach abs- like, security against this, like, boogeyman kind of thing. How do you fight the boogeyman?
[00:32:07] Andrew Zigler: Well, you just know what good is, and you cultivate strong habits yourself. Uh, and you know, I think security large in- largely is not really a knowledge problem. It... You've said before that it's a training problem. I completely agree with you, because it's not that we don't understand these things, it's just that we don't know how to necessarily apply them, and we don't have the rigor to know when we should stop ourselves and reconsider what we're doing. So what are some, like, training habits that you've been instilling in your classes right now, uh, that, uh, are kind of improving the way that they start to make this shift?
[00:32:43] Tanya Janca: Oh my gosh. So I, I teach all of the basic security controls. So the first one, the number one, if you were gonna do one single thing, period, would be input validation. So every single piece of input to your system. So that means something that's in the URL parameter, [00:33:00] something that's in a hidden field. A hidden field says, "Oh my gosh, malicious actor, look here, it's gonna be so good."
[00:33:05] Tanya Janca: Um, so anything that, right, anything that comes into your system that you don't completely control, untrusted. And so then validating that it is exactly what you're expecting, and if not rejecting it, don't fix it, right? And then escaping or sanitizing out special characters that you must accept, and then doing it on a trusted system with an allow list rather than a block list.
[00:33:27] Tanya Janca: So if everyone did that, we would be awesome. And so what we do is we, we talk about that, and then I'm like, "Let's look at some code." So then we look at bad code, where we're doing that wrong, right? So, you know, we're getting the data and using it and then validating it after, or we're validating with a block list or whatever.
[00:33:44] Tanya Janca: We're just doing it wrong, right? So that they can spot it from then on. Then it's like better code. So it's like, let's, let's fix that one thing. And then we do the best code, which is like, here's 12 layers of defenses of how we [00:34:00] could make this rock solid. Now, do you need 12 defenses every time? No, you don't.
[00:34:04] Tanya Janca: It depen- like, you don't wanna spend $2 million defending something that's worth $100,000 unless lives or national security or, or, you know, extraordinarily valuable intellectual property or something else like that's involved, right? So then you talk about like, how many precautions do we actually need, right?
[00:34:23] Tanya Janca: And so if they can spot a problem easily, stuff will stop getting past them. 'Cause what, what you wanna do, uh, instead of like having people memorize stuff, is what you wanna do is teach them pattern recognition and good habits. And so if they can just spot it, or you can't stop seeing it, Andrew. Like you, you just, you see it all the time from then on.
[00:34:48] Tanya Janca: It's like if you... So I used to own a blue Honda Fit. I've re-
[00:34:52] Andrew Zigler: once you have a blue Honda Fit, it's like once you s- once you own a car, you always see your car everywhere else. It's like, "Oh, there's my car
[00:34:58] Tanya Janca: [00:35:00] Right?
[00:35:00] Andrew Zigler: it's like a, it's like a, it's like a bias, right? 'Cause now you're paying more attention to it than you ever would've before, and so you have to hijack that same part of your brain that is obsessed with your Honda Fit
[00:35:09] Tanya Janca: Exactly. And, and so when we see patterns and we have this pattern recognition, you're gonna see it all the time, and then you're not gonna tolerate it. And with us needing to review code, that's what we re- that's what we really need, is to know just the basic security controls and how to spot when they're not there, like not where they should be, or that they're not looking right
[00:35:31] Andrew Zigler: Exactly. I love also too how you remind us that, you know, Security is a gradient, and you have to understand where on that gradient you have to invest your time. I ... This is difficult for a lot of engineers. And we, we, we love zeros and ones. We love checking that box completely. And so a security practice and doing it in what we would think of as, like, a half-assed way is a really hard pill to swallow when you're gonna be like, "I'm gonna be the application security nerd and [00:36:00] transform how secure my org is," right?
[00:36:02] Andrew Zigler: And so but you have to re- remember that, like, not every level of investment is worth all of that effort and security, but then also too, what is the level of sensitivity of what's going on inside of that system that you're trying to secure? So there's actually a lot of nuance that's subjective to evaluating and understanding those things. Um, and so it's about pointing out the patterns and, and also probably having a, like, earlier conversations about what secure looks like. And that probably also means that if you aren't already provisioning full kind of environments for your developers to work in, that sounds like a great place to start so that they know, like, "Oh, this is what a secure coding environment for my org looks like," right?
[00:36:44] Tanya Janca: Absolutely. I was a software developer longer than I've worked in security. So I'm on-- So in July is 29 years, uh, in IT for me, and I programmed for years before that. And so I was a dev [00:37:00] way longer than I worked in security still. And it's funny, Andrew, because sometimes the security team will be like, "Are you one of them or one of us?"
[00:37:07] Tanya Janca: And I'm like, "I'm one of them. I'm sorry. I'm just a really security-obsessed dev." And I did, like... So I'm, I find that, like, I can be a little more compromising than some other security people, 'cause I, I, I'm just like, "I don't wanna die on this hill."
[00:37:21] Andrew Zigler: You're being pragmatic
[00:37:23] Tanya Janca: Yeah. Because then I get more of what I want. Because if you die on every hill, guess what?
[00:37:28] Tanya Janca: You're gonna, they're just gonna go around you all the time. Software developers are like water. I don't know if you've ever had water damage at your home, but water can just go around everything, right? And so when a software d- when a software developer obeys policy, it's because they're being obedient and a well-behaved employee, not because they damn well have to.
[00:37:47] Tanya Janca: They can go around any technical control we give them if they really want to. And so if, if you die on every hill, like, first of all, you're gonna be dead every day. Um, you're gonna have terrible relationships, and you're not gonna get a lot of what you [00:38:00] want. And if you can be more reasonable and just look at, like, this is legitimate business risk or this isn't.
[00:38:06] Tanya Janca: Like, the hardest part was just learning how to communicate clearly, and I still sometimes struggle with explaining it in a way where everyone gets what I'm saying. But once I could do that, I got way more of what I wanted. And sometimes I'm talking to the security team and explaining, like, "Listen, I know that the standard is TLS 1.3, and they're doing 1.2, but, like, our little, you know, static webpage, no one cares.
[00:38:34] Tanya Janca: No one cares. A nation state would be requi- So before Mythos was released, a nation state level effort would be required to break this encryption for what? Our website's public. No one cares. No one cares. Calm down. Calm down." Um, anyway, sorry.
[00:38:51] Andrew Zigler: I that. It's, uh... And what you just said a moment ago about engineers being water, I could not agree with that more. I'm [00:39:00] gonna go back to something that was said on the show way back, maybe almost, uh, it was over, like, a year and a half ago. We had Tara Hernandez from MongoDB, and we were hosting an event in San Francisco.
[00:39:09] Andrew Zigler: She's on the stage with Rob Zubere, CTO of CircleCI. We're talking about making development easier, uh, in an agentic world, and she said something that really stuck with me: "Make the golden path the easy path." And were talking about the realm of developer experience and how to ship things while using, like, oh, the tooling and, like, the processes that you want. But security is one of those processes. And so if you friction in your security adoption within your org, engineers are gonna flow around you. You might as well have a pool in your attic, right? And so it's not going to, uh, work out well, and you're not gonna have visibility. We all know about shadow IT, shadow AI, shadow everything.
[00:39:50] Andrew Zigler: Developers love a shadow. And so you're not gonna win that war. What you do have to do, though, is understand what, like, why they're flowing [00:40:00] around what you want. Why is what you want different from what they want? 'Cause secretly it's not. It's just that you're talking past each other. So if you're in a situation where, like, oh, we've set up this tool, we've set up this golden path, we want everyone to go through this review and then do it like this and submit it here, and you find no one's doing it, well, is it a visibility problem? Is it an unnecessary friction? Is it something you introduced without asking them what they were even doing or doing discovery on what you would need to do to meet them where they're at? Uh, being told to do something is really different from being partnered up with on how we're gonna build something more secure. Uh, is that a, a mindset difference that you see at companies that h- are more successful with their security?
[00:40:45] Tanya Janca: Oh, absolutely. Absolutely. I'm- I've been writing this blog series called "The Psychology of Bad Code," and I, I did a talk on it, and now, you know, when you blog, you can just be as nerdy as you want 'cause there's no time limit, right?
[00:40:59] Andrew Zigler: it great?[00:41:00]
[00:41:00] Tanya Janca: I know. Um, and, and basically I had read all these behavioral economic books, which is the reason why people make the decisions they do, and then interventions of things we can do to help them choose the happy path.
[00:41:13] Tanya Janca: So not social engineering, where you make people have fear, you put pressure, you manipulate. This is more about presenting everything in a different way to help them make the right choice. So, for instance, in Canada, if you're an organ donor, you have to go and sign up to be an organ donor, but in other countries, you're an organ donor by default.
[00:41:32] Tanya Janca: Well, guess what? 90-plus percent of people are organ donors, and the few that don't want to opt out, where in Canada you have to opt in, and a very small percentage of us are organ donors, and I think that sucks as a person that's an organ donor. Um, and so if we can re-architect
[00:41:47] Andrew Zigler: Mm-hmm.
[00:41:48] Tanya Janca: are so that we guide them, like, with secure defaults, with policies, with culture and all these things so that, like you said, the happy path is the secure path.
[00:41:56] Tanya Janca: And, and so these behavioral economic interventions, [00:42:00] essentially they've done all these scientific experiments to prove that when you do it this way, you get more of what you want. And then if a developer doesn't do it, they're making an active decision not to, and most of the time it's because there's a business requirement or there's some sort of incentive that's making them do that, right?
[00:42:19] Tanya Janca: And so one of the things I talk about is perverse incentives, where we're like, "We take security seriously," but then you're given zero time to fix bugs. The projects have no time to, like, do the secure code review or the threat model or any of the thing, and it's not even on the schedule or in the project charter, right?
[00:42:39] Tanya Janca: And then you only get promoted or get raises when you release features. Well, actually, we don't take security seriously. In fact, it sounds like security's pretty damn optional when you look at how we're incentivizing developers at a lot of places. And so I'm, I'm trying to give people as many ideas as I can so that they can make the incentives bring [00:43:00] people where they want them to go or set up the defaults or, or whatever the th- each, uh...
[00:43:04] Tanya Janca: I think I'm on, like, blog post number six now, and I, I'm gonna do, uh, 10 different th- ideas, and then I give many, many examples for each one. So I think I just did one on documentation and, like, how to get people to actually write the documentation they're supposed to, 'cause when we have no documentation, Andrew, and then there's a security incident, it sucks even more than it needs to.
[00:43:26] Andrew Zigler: You don't even know where to start. Was like, "What do you mean? I didn't write this code. I didn't review this code. I didn't even wr- write, write docs or read those docs on the code. Like, what do you mean docs?" And we're getting really abstracted away from the stuff we're building. But,
[00:43:40] Tanya Janca: Mm-hmm.
[00:43:41] Andrew Zigler: you're reminding us, Tanya, that security is a practice and it's the responsibility of everybody within an organization.
[00:43:47] Andrew Zigler: It's not just a, a product you can buy or a checkbox that you can check. And, you know, the work that you're doing at SheHacksPurple and OWASP, it's transforming how folks are able to build securely. I think that everything we talked about [00:44:00] today is only gonna become more important. And why do I think that?
[00:44:03] Andrew Zigler: Well, because last time we talked, everything we've talked about since has come true and has only become more important. So I just know that we're gonna have to have you back again in the future to do another check-in on security and the world. But in the meantime, you're shipping a lot of stuff that's helping teams ship and learn how to, uh, uh, build securely.
[00:44:23] Andrew Zigler: Looks like there's a lot of resources and entry points for folks to come into your world and figure out how they can, uh, become more secure coders. So, uh, where do you think folks should go to, like, start learning about you or otherwise engage with some of the stuff that you talked about?
[00:44:36] Tanya Janca: If you want a list of literally everything, go to newsletter.shehackspurple.cam. Once a month, I will give you all the content I created. I'll send you little presents like the AI prompt library, which I sent out last month. Um, you'll get all the events I'm doing, the podcast, every single thing that I do each month, plus you get a silly meme
[00:44:58] Andrew Zigler: Oh, well you, I love the silly memes. [00:45:00] Sign
[00:45:00] Tanya Janca: Right?
[00:45:01] Andrew Zigler: I'm gonna be on the email list, and I hope to see our listeners there as well. And we're gonna include all these links in the show notes so that you can go and become a more secure coder yourself. And Tanya, thanks again for coming on Dev Interrupted.
[00:45:13] Andrew Zigler: It was a blast to talk with the queen of purple and cover all things security in the last year. Thanks again
[00:45:19] Tanya Janca: Oh my gosh, Andrew, it's always a pleasure with you
[00:45:23] Andrew Zigler: See you next time
