At the end of each chapter of Alice and Bob Learn Application Security there are questions for the reader to ponder. As the author, I will be holding streaming sessions every 4 weeks to discuss the questions, starting March 20, 2021. If you would like invites to the streams, please sign up here.

All of the streams are free, and I would love to have you join us live! …


I joined the NeuraLegion Advisory Board because they’re really fun to work with. Gosh that would make for a short blog post, wouldn’t it?

When I started my quickly-failed startup in 2019, Security Sidekick, Bar Hofesh reached out to me to see if he and Gadi Bashvitz could help. I was pleasantly surprised to have several people in my industry reach out to me, and even other small companies reaching out to see how they could help me with my startup. InfoSec is full of kind and generous people, let me tell you.

When I left Microsoft, I had committed…


In this series we are discussing how to get your technical training approved at work. This is not the first article, and you may want to go back and read it from the start.

In the previous article, we talked about how we need to explain to our boss not only which training we want, but we must overcome any objections, if we are going to get it approved. Let’s look at the second objection in our list.

Back in the day I requested approval to take a web-app hacking course, and I recall my boss saying, “You don’t need…


*This is a series.*

We’ve all been there. There’s a training you really want to take, but your boss isn’t so sure. This can be because it’s out of budget, they feel it’s too ‘off topic’ from your current job, there’s no time with your current workload, they are afraid they will lose you if you have new skills, or some other reason they won’t tell you. Let’s go through all of these reasons and figure out how YOU can get your training approved.

Photo: #WOCTechChat

Note: I run my own training company, We Hack Purple, that specializes in Application Security, Secure…


Welcome to the Black Lives Matter Edition of Book Club, where we will talk about a couple of books that Tanya read recently, and what she thinks about them. The previous article in this series was about Communication and Metrics.

All of the books listed are available in audiobook; my preferred reading format.

#BlackLivesMatter

We are covering this topic for several reasons, but the one that makes it relevant to this membership is that when Tanya, the founder of this company, used her social media accounts to share her support for those fighting oppression and system violence and racism in America…


The Second Way of DevOps is fast feedback. In security, when we see this we should all be thinking the same thing: Pushing Left. We want to start security at the beginning of the system development life cycle (SDLC) and ensure we are there (providing feedback) the whole way through!

The previous post in this series is here.

Pushing Left, Tanya’s Favorite Thing

Fast feedback loops mean getting important information to the right people, quickly and regularly. …


The previous article in this series is here. If you are lost reading this article, read the whole series from the start. :-D This is a long post, sit tight!

The First Way of DevOps

The first “Way” of DevOps is emphasizing the efficiency of the entire system. Many of us tend to focus only on our part of a giant system, and get bogged down improving only our own contributions to the larger process. It’s rare that we stand back, look at the entire thing, and realize that if we helped another team or if we changed something small within our part, that it could…


The previous article in this series is here.

In this post we will explore The 3 Ways of DevOps. But first, a definition.

DevSecOps is Application Security, adjusted for a DevOps environment.

-Imran A Mohammed

DevSecOps is the security activities that application security professionals perform, in order to ensure the systems created by DevOps practices are secure. It’s the same thing we (AppSec professionals) have always done, with a new twist. Thanks Imran!

Photo by Marvin Meyer on Unsplash

Refresher on The Three Ways:

  1. Emphasize the efficiency of the entire system, not just your part.
  2. Fast feedback loops.
  3. Continuous learning, risk taking and experimentation (failing fast)


There are many definitions of DevOps

What IS DevOps?

Link to the previous post in this series.

There are many definitions of DevOps, too many, some might say. Some people say it’s “People, Processes, and Products”, and that sounds great, but I don’t know what I’m supposed to do with that. When I did waterfall I also had people, processes, and products, and that was not great. I thought DevOps was supposed to be a huge improvement?

I’ve heard other people say that it’s paying one person to do two jobs (Dev and Ops), which can’t be right… Can it? I’ve also been told once by a CEO that…


In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.

Where can we learn Threat Modelling?
  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Escalation of Privilege”, created by Adam Shostack
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play…

SheHacksPurple

Tanya Janca’s Application Security Adventures #WeHackPurple
