Episode Summary

In this episode of "Build Amazing Things Securely," host Laura Bell Main interviews Tanya Janca, a prominent figure in the DevSecOps community. Tanya shares insights from her journey in software development to security, emphasizing the importance of secure software. She discusses common pitfalls in DevSecOps and shares lessons from her extensive experience consulting with over 400 companies.

Key Points

1. Tanya Janca's Background: Transition from a software developer to a security professional, now working at Semgrep and focusing on community engagement and training.
2. Common DevSecOps Mistakes: Breaking builds on false positives, neglecting security in the SDLC, and the lack of sharing mistakes within the industry.
3. Approach to Security: Emphasizing practical and incremental approaches to implementing security tools and processes in the development lifecycle.
4. Importance of Sharing Mistakes: Advocating for openness about security failures to learn and improve collectively in the industry.
5. Recommendations for Teams: Start with security training relevant to job roles and gradually integrate security practices throughout the development lifecycle.

Links and Resources

• Tanya Janca's Blog and Newsletter: SheHacksPurple
• Semgrep: Website
• Ayaan's Research: Phone-a-Friend Security Consulting
• One Hour AppSec Program: onehourappsec.com

Homework

• Evaluate Security Tools: Assess if they are configured correctly and not just breaking builds on false positives.
• Improve SDLC Security: Incorporate security practices throughout the development lifecycle, not just in the coding phase.
• Foster Openness About Mistakes: Share lessons learned from security failures within your organization to foster collective learning.