*This is a series.*

We’ve all been there. There’s a training you really want to take, but your boss isn’t so sure. This can be because it’s out of budget, they feel it’s too ‘off topic’ from your current job, there’s no time with your current workload, they are afraid they will lose you if you have new skills, or some other reason they won’t tell you. Let’s go through all of these reasons and figure out how YOU can get your training approved.

Photo: #WOCTechChat

Note: I run my own training company, We Hack Purple, that specializes in Application Security, Secure…


In this series we are discussing how to get your technical training approved at work. This is not the first article, and you may want to go back and read it from the start.

In the previous article, we talked about how we need to explain to our boss not only which training we want, but also how we will overcome any objections, if we are going to get it approved. Let’s look at the second objection in our list.

Back in the day I requested approval to take a web-app hacking course, and I recall my boss saying, “You don’t need…


Welcome to the Black Lives Matter Edition of Book Club, where we will talk about a couple of books that Tanya read recently, and what she thinks about them. The previous article in this series was about Communication and Metrics.

All of the books listed are available as audiobooks, my preferred reading format.

#BlackLivesMatter

We are covering this topic for several reasons, but the one that makes it relevant to this membership is that when Tanya, the founder of this company, used her social media accounts to share her support for those fighting oppression and system violence and racism in America…


The Second Way of DevOps is fast feedback. In security, when we see this we should all be thinking the same thing: Pushing Left. We want to start security at the beginning of the system development life cycle (SDLC) and ensure we are there (providing feedback) the whole way through!

The previous post in this series is here.

Pushing Left, Tanya’s Favorite Thing

Fast feedback loops mean getting important information to the right people, quickly and regularly. …


The previous article in this series is here. If you are lost reading this article, read the whole series from the start. :-D This is a long post, sit tight!

The First Way of DevOps

The first “Way” of DevOps is emphasizing the efficiency of the entire system. Many of us tend to focus only on our part of a giant system, and get bogged down improving only our own contributions to the larger process. It’s rare that we stand back, look at the entire thing, and realize that if we helped another team or if we changed something small within our part, that it could…


The previous article in this series is here.

In this post we will explore The 3 Ways of DevOps. But first, a definition.

DevSecOps is Application Security, adjusted for a DevOps environment.

-Imran A Mohammed

DevSecOps is the security activities that application security professionals perform, in order to ensure the systems created by DevOps practices are secure. It’s the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!

Photo by Marvin Meyer on Unsplash

Refresher on The Three Ways:

  1. Emphasize the efficiency of the entire system, not just your part.
  2. Fast feedback loops.
  3. Continuous learning, risk taking and experimentation (failing fast).


There are many definitions of DevOps

What IS DevOps?

Link to the previous post in this series.

There are many definitions of DevOps, too many, some might say. Some people say it’s “People, Processes, and Products”, and that sounds great, but I don’t know what I’m supposed to do with that. When I did waterfall I also had people, processes, and products, and that was not great. I thought DevOps was supposed to be a huge improvement?

I’ve heard other people say that it’s paying one person to do two jobs (Dev and Ops), which can’t be right… Can it? I’ve also been told once by a CEO that…


In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.

Where can we learn Threat Modelling?
  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Escalation of Privilege”, created by Adam Shostack
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play…

Ask Me Anything Live Streams at SheHacksPurple.dev!

In a recent ‘Ask Me Anything’ live stream, Tanya Janca of We Hack Purple discusses ‘DevSecOps versus Secure SDLC’. This video is approximately 2.5 minutes.

  • DevSecOps is you as an AppSec professional, doing your job, in a DevOps environment.
  • A secure SDLC is when you add security activities to your system development lifecycle. Preferably in every phase of the SDLC, and formalized (devs cannot avoid it).
  • Examples of secure SDLC activities:
    - Threat modelling during design
    - Adding security requirements & review during requirements gathering
    - Reviewing your design for security flaws and to ensure secure design concepts are applied

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

I have a mailing list, please subscribe, it’s free!


Read the previous article in this series here.

Application Security is every action you take towards ensuring the software that you (or someone else) create is secure.

This can mean a formal secure code review, hiring someone to come in and perform a penetration test, or updating your framework because you heard it has a serious security flaw. It doesn’t need to be extremely formal, it just needs to have the goal of ensuring your systems are more secure.

Now that we know what AppSec is, why is it important?

For starters, insecure software is (unfortunately), the #1 cause of data…

SheHacksPurple

Tanya Janca’s Application Security Adventures #WeHackPurple
