The empathetic side of secure software development

1st Mar, 2022 (Episode #15)

In the high-stakes world of software development, it is easy to put empathy aside and prioritize meeting deadlines. After all, developers are key players when you want to reduce time-to-market or deliver regular updates.

This can easily lead to the important aspect of application security not getting as much attention as it deserves. In some cases, it might even be relegated to the “extra-not-a-must” features category.

However, when empathy accompanies the entire development process, it easily extends to the users of the application. For instance, a project leader can take the time to clearly explain the need for security features and give developers enough time to implement them. This helps developers understand the impact of the requirements they receive in terms of how people actually use the application.

We Hack Purple is an online academy where developers go to learn how to create secure software. The founder, Tanya Janca, who is joining us in this episode, is a big believer in practicing kindness and empathy as a means of promoting application security.

Today, you’ll hear about what We Hack Purple does and its ultimate mission in software development. You’ll also hear about how Tanya practices empathy and the impact it has on her team. Additionally, you’ll hear about how they are empowering communities through their diversity scholarship program.

In this episode, you will learn:

  • How Tanya practices and encourages empathy in her work (01:20)

  • Practical ways in which empathy can make a difference in application security (04:30)

  • The reason Tanya opened the We Hack Purple academy (12:10)

  • Why she came up with a diversity scholarship (18:30)


Guest


Tanya Janca

Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software.

Tanya has been coding and working in IT for over twenty years, won countless awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia).

She has worn many hats: startup founder, pentester, CISO, AppSec engineer, and software developer. She is an award-winning public speaker, active blogger and streamer, and has delivered hundreds of talks and trainings on six continents.

She values diversity, inclusion and kindness, which shines through in her countless initiatives.

Transcription

[00:42] Dave Smyth: In today's episode, Andra talks to Tanya Janca, founder of We Hack Purple, an academy in the community for IT professionals who want to learn how to secure software. She is also the best-selling author of “Alice and Bob Learn Application Security”. Tanya talks openly about how she came to create We Hack Purple and her experience of running the academy. She also shares some great practical ways to improve working relationships between information security specialists and the people they work with, such as developers. It's a great conversation. So, let's get to it.

[01:20] Andra Zaharia: Tanya, so excited to have you on the Cyber Empathy podcast. This was actually a dream of mine, but I really, totally never thought it could actually happen. So, this means so much to both me and Dave. So, thank you so much. So, my first question, and the whole question I wanted to ask you, Tanya: how do you practice and encourage empathy in your work, which is so focused around helping developers integrate security into their workflows, and basically build safer software to power the entire world?

[01:54] Tanya Janca: When I teach, I try to always include stories. I have worked really hard to become a good storyteller over the years. And I find that when you explain, “Okay, so this is the security header, this is how it works, here's the code, go.” That's not really enough. And when I explain the reason why we use a security header, “is because…” And then I explain either things that could go wrong, or how it protects against other things, or how it reduces risks. And I find that explaining the why behind things, especially if I can tell a story of when it applied to me, personally, or a customer I was serving, it really helps. So, for instance, I want us to use the security headers that don't allow people to frame our website. And the Content Security Policy header is quite complex, but it's like, “I want us to use that because it helps reduce the risk of cross-site scripting and it will help us not have people frame our website.” And they're like, “Yeah, but why would someone do that?” And I'm like, “Well, here's our business model. We go door to door and get people to sign up for things. And part of it is that they trust us and they know we're doing this. Well, what if a malicious actor did that and they framed our website and they start sending it to people. And then they're collecting their credentials along the way.” And then they realize, “Oh, wow, that’d be a lot of personal information from those customers that trust us.” And like, “Yes.” I'm like, “How would you feel if someone that looked like it was from our company knocks on your door, asks you the thing, you fill out the stuff on their iPad right there. And then your username and password are stolen, your personal information, you find it on the website – not our website, someone else's website – you would feel really bad.” And so explaining how it affects people personally, it tends to get buy-in very quickly.
Because most software developers want to create awesome applications, they want the applications to be secure. But if we just say, “Do this because I said so.” Well, they're adults, and they have all sorts of conflicting things that everyone's asking them to do; they have deadlines; they have pressures to build new features; there are lots of bugs in the backlog they could be working on. Why are they working on this instead of all the other things? And when you explain it could harm our customers like this, all of a sudden, they're like, “Oh, you know what? It's a lot more important than I realized. I'm gonna put it at the front of the backlog,” or “I'm gonna do it today.” And so explaining the why and adding specific stories and experiences really helps.

[04:30] Andra Zaharia: Oh, I think that it is such a powerful example, especially because I truly believe the same. I think that people are really trying to do their best in their specific context. And obviously, everyone's context is different and they have different challenges. But there's so much more, let's say, emotional work that's part of any technical role and especially software development, which is, right now, one of the most important things in the world, one of the most important processes in the world, which we all rely on to a much bigger extent than we realize. And I think that that emotional labor that you mentioned is exactly that: having to balance priorities; having to advocate for better security; having to constantly prioritize all of these requests from all of these people, and there's always pressure. And plus, making time to, hopefully, enjoy your work and find a little self-growth. I think that that is such an important concept to keep in mind, that totally opens us up to being empathetic towards what software development means to the role of security in this entire ecosystem. And plus, the way that you mentioned that you find these ways to help them to be empathetic towards their end-users, I think that that is absolutely wonderful. And I do believe that all people, not just, let's say, people outside of technology – I don't think that more technically skilled people are less inclined to be empathetic, which I think is a misperception that people have. So, I'm glad that we get to talk about this today and debunk tons of myths. Because I think that you're the perfect example of someone who's this passionate and this committed to contributing to solving such a huge problem, which is application security.
You're the perfect example of someone who devotes almost their entire time and so much energy, and so much of their personal resources to tackle this, that it cannot come from a place devoid of empathy, and it comes from a place of huge kindness and generosity. So, thank you for sharing those examples. I think they're very powerful. I wanted to ask because you touched on this a bit, but what are some other ways in which empathy can make a huge difference in application security and cause ripple effects in the entire ecosystem? Because that's how I personally see software.

[06:57] Tanya Janca: I feel like a lot of traditional security folks didn't have experience creating software. So, when I was a software developer and I would interact with the traditional IT security team, they didn't understand, “Well, I have a client calling me at my desk,” or even walking up to my desk and halfway begging, “Could you just do this thing? We really need it. Plus, I have my boss saying, ‘The deadline is Friday for that new feature.’ Plus, there are some weird bugs that aren't working quite correctly that I definitely want to fix.” And then the security person says, “Well, I need you to fill out these 400 forms saying, ‘blah, blah, blah,’” or “You can't use inline SQL anymore. You have to use stored procedures.” And I'm like, “Why?” And they say, “Because security.” And they don't explain their reason. And I feel like if we could walk a couple of steps in each other's shoes, or just ask, “What else are you working on right now? Do you have time for this?” That was something that I never had any security person ask me. When I was a dev, they would never say, “Well, when can you get this done?” Or “Can I talk to the project schedulers so we can make some time in the project schedule?” They would always just come up and plop this giant amount of work on top of me and all the other work that I was still responsible for. 

[08:24] Tanya Janca: And I personally found that ridiculous because you better believe it if some other person came along and said, “Oh, well, you have to build these five extra features.” I would say, “That's not in the requirements list. That's not in the project schedule. That's not happening unless you want to drop other things.” But the security team just comes up and gives us a ton of extra work and doesn't say anything or help us manage that or give us resources to work on that. And so here's the software developers basically being told, “Work late.” And quite often, they're salaried, so they're not even getting extra money for that time. And it's like, “What? So, now my evenings are ruined for five days in a row. Who's gonna pick up my kids?” And the security person is like, “I don't care. You have to do this.” So, when I switched to security, I started asking those questions. I would say, “Okay, so I found a bunch of things. Where are you in your development cycle? Are you planning a release for this? Okay, cool. So, you're going to release something in three months. Can I fit these four bugs into that release? Because you have a big leg before you're doing a release. Is that possible?” We'd negotiate. And I would say, “Oh, you have a giant release in two weeks from now and you're all stressed.” I'm like, “Okay, can we meet in two and a half weeks from now and talk about this?” And I'm like, “Just let me let you go back to what you're doing.” Because I understand the stuff that's going on with them. And sometimes I would say, “Okay, so you can fix these four bugs now. But you can't fix the rest of them, that's cool. I want to put them in the backlog and then I want to meet with you again and I want to talk about when can we get these fixed, because I still have a job to do, I still have to get these fixed, but I don't have to crush you into the ground to make it happen.” 

[10:09] Tanya Janca: And sometimes I've been able to borrow a dev from another team to help them crush those security bugs in the backlog. Sometimes, if I'm really good, I can actually speak to the project scheduler at the beginning of the project and say, “Okay, so you're planning 16 sprints. Cool. Well, I need two: One near the beginning to do threat modeling and design, and this and that; and I need another one near the end, where I'm going to do a pen test. And I need them to have time to fix all the bugs I'm going to find.” And actually working it into the schedule, so the software developers actually have time to work on the thing. And that comes from empathy. And that comes from past experiences of having that behavior. It's really problematic, where software developers, I've seen it, where they'll show me a chart, and they're like, “So, I'm allocated at 400%. When do you think I'm going to fix that bug for you? When I'm supposed to be sleeping? Because apparently, I don't get evenings or weekends for the next four weeks.” And I'm like, “Okay, so that's not reasonable. So, let me talk to your boss and see what I can do about a bunch of these things.” Because to me, that's also a security problem. Because if the software developer ends up burning out, and then can't even finish the release, we have lots of troubles. And I feel like, us being able to just listen and ask each other, “Do you have time for this? Okay, you don't right now. When will you have time? What can we do about this?” And listening to them. And some of the devs will say things like, “Actually, yeah, my release is Friday, and it's Monday, but actually, those don't look that hard. Give me a shot. I'll fix them.” I had this woman named Jenny, she just fixed everything. She's like, “Actually, yeah, something else turned out to be easy.” And she just plowed through all of them. 
She's like, “Got anything else for me?” So, when we treat people like people and we try not to crush them or burn them out, turns out they're really helpful later when they can be.

[12:10] Andra Zaharia: Exactly. Oh, wow, I felt like I couldn't possibly interrupt in any way because you walked us so beautifully in such a detailed way through these very real and incredibly important problems. I saw them at each of my past jobs when working with developers – and I always work with developers and designers – and I saw just the immense pressure that sits on them constantly, and it never eases up. And the better you become, the more wanted and then needed you are. So, it's kind of a virtuous cycle turned into a vicious one, which definitely leads people to burnout, it leads to them being irritable, it leads to poor relationships. And to me, the common theme of all of the examples that you shared, is that the basis of everything is relationship building. And our ability to find common ground; to find things we all care about; to find ways in which to create space for one another, and protect one another, and help one another when we can. Because I, too, think that the lack of empathy in these kinds of relationships leads to these chasms between security teams and development teams, and not to mention other teams in the company as well. Instead of trying to build bridges and trying to figure out how we solve this together because it involves everyone and it impacts everyone's work and livelihood, at the end of the day, either directly or indirectly. So, thank you for giving us a glimpse into what this looks like in the real world, especially for people who probably never consider this, especially if they don't work in technology and they hope that they get to hear these stories, just realize how much effort and how much personal resilience it takes to work in these roles and to do this kind of work, especially if you want to do it well. 

[14:07] Andra Zaharia: So, was one of these experiences that you talked about until now the source of the SheHacksPurple academy and courses? Because you definitely, I feel that one of the key aspects of your work is to bring in more kindness and to create these communication paths from one person to the other. Was there a particular experience that led you to decide that you want to create an academy and courses, and create so much community support? Because, obviously, that is a huge undertaking, and we're all very glad that you decided to do this and to grow it over the years.

[14:49] Tanya Janca: So, the reason I opened the academy is kind of a weird one. So, I left Microsoft to start a startup with a friend and it failed very quickly. It took around nine weeks for us to figure out that we both had very different ideas about things we've been discussing forever. And so it's better to fail fast if you're going to fail. Plus, I felt pretty burned out; working at Microsoft was quite intense, and then starting a startup and having it fall apart so quickly was pretty intense. So, I was like, “I need a little break.” So, I went on Twitter and I said, “So, my startup failed, and I'm not sure what I'm going to do next. What do you think I should do?” And then I just opened up my calendar, and let anyone who wanted to book time with me, for a few weeks. And I met with startup founders, I met with tons of community members who were interested in meeting me, which was amazing. I met with business owners, etc. And so I had all sorts of interesting things happen. Person after person said, “I have all these software developers, could you come and train them? Because we really like the talks and the workshops you did, could you make a whole day of training for us?” And I was like, “Okay.” And then someone else asked, and someone else asked. And this really wonderful human named Karen, she's great, she said, “You should take those courses that you're teaching at enterprises, and you should film videos of them, and then charge less so that the average person could attend. So, the average individual who's actually paying out of pocket could pay way less, but you still charge enterprises through the nose, the going rate that everyone else is charging, so you make more money that way.” I started asking people, “Do you think that would work?” and people were like, “Yes!” 

[16:38] Tanya Janca: And so I started, at first, just selling memberships to my blog for $7 a month. And before I knew it, I could pay all my bills. And then I made a minimal viable product of just a course called AppSec 101. And I sold, maybe, 130 of those really quickly. And so then I got someone that actually knows about filming, and I got better equipment, and I made the Application Security Foundation program and opened up an academy. And that resulted in more sales and more people joining. And then we're making money, so it's like, “Well, why bother charging for the online community? Instead, let's just make it free. We don't really make very much money at all, let's just make it open to everyone.” And I made the community so I could hang out there, as weird as that sounds but it’s the nicest place on the internet. We have a strict code of conduct, but we've never had to enforce it. And everyone there is always helpful and talking to each other really nicely. And it's like, “Hey, I have this problem at work.” And then people bending over backward to try to problem-solve with them. And people read articles, share articles, we have little events and stuff. It sounds weird, but it's like, although that's a lot of work, and it doesn't really make money, it brings me great joy. And so I'm like, “Then we're doing it.” And you can do that when you own your own company, you can do kind of whatever you want. As long as you pay your employees and you pay your taxes, you're usually pretty good. And so, yeah, it's pretty exciting to have those opportunities open to me. So, I opened the academy because people just kept asking me to do it, basically. I was like, “Oh, do you think I'd be good at this?” They're like, “Yes! Yes, we think. Tanya, come on!”

[18:30] Andra Zaharia: I have to concur. I think that when you always show up for the community, the larger community, whether it's security, whether it's development, whether it's anything in between – I feel that you show up with such generosity and such high spirits and so much enthusiasm, and you communicate that so well. And I appreciate that you mentioned that it took effort and that it was something that you cultivated intently because sometimes I think that people tend to keep themselves from truly talking about their work or something that they're passionate about simply because they believe they need to have native talents, like innate talent, that you'd have to be born with it. And I always tell people that this is such a misconception because anything can be cultivated; if you're really good at learning something and trying your best to apply it, I think that you can improve almost anything. So, you sharing that, I feel will really help people who are struggling with imposter syndrome to realize that there is a way, obviously, to improve your communication skills, and to then use that to connect to more people, and to get them to share that enthusiasm. And to build this momentum, like you built with the academy, to me, that is absolutely wonderful. I love how people react to the things that you do. I see how the language is just like you mentioned, that it is kind, it is supportive, it is polite, it is everything that we would like to have as a community. And I think that setting these positive examples is a very, very powerful way to be very practical about cultivating empathy in cybersecurity and technology, in general, whatever shape or form it may have. So, one of the elements that I wanted to particularly ask about is that in the academy, you have a Diversity Scholarship, which is not something that many courses offer. I wanted to ask how did that come about? How did you decide how to structure it? And how did it come together?

[20:35] Tanya Janca: So, I was on the internet, on Twitter, chatting with an acquaintance who is a black woman, who lives in the United States, and she's disabled. And she was tweeting, “How could I, as a black woman, ever be able to afford a SANS course?” And I don't mean to pick on one of my competitors. I feel her pain because I'm Canadian, my dollars were significantly less than hers, and our cost of living is higher. And I'm a white lady, and I've never been able to afford to take any of their courses, even though quite frankly, a lot of them look amazing. But I've wanted to. She was saying, “How could I ever do that?” And people were responding and saying, “They charge white people the same price as black people.” And I responded, “They do. That's true. But generally, because of systemic racism, black people aren't starting at the same starting line as white people. And so they're more likely to not have family pay for university. They're more likely to have a family member in jail. They're more likely to suffer all sorts of prejudice and injustices and mistreatments that lead them to be paid less for the same work, to not have the same promotion opportunities, etc.” And I'm like, “So, because of that, she's not going to end up having the same amount of spare income, on average –” because she's black, versus me who's white – “if I lived in her country,” which I don't. But because of that, and she's like, “It's just so unfair, how can we lift people up?” They say, “Oh, there's a pipeline problem. It's not that we're not interested, it's that we don't have that hand up to do it.” And I was like, “You know what? I have the power to help with this.” So, I said, first 10 women of color that respond to this tweet, I'm going to send you through our entire Application Security Foundations program for free. And 10 women said yes, immediately. And so I set them all up. And we helped a bunch of them even find jobs when they graduated.

[22:47] Tanya Janca: And then someone wrote me and said, “I love what you did, how much does one of those cost?” I’m like, “They’re a thousand bucks, but if you pay for someone else, and you let us give it away to a person from an underrepresented group, we'll match you. So, we'll give away two for your one that you paid for. So, we'll give away three.” So, a whole bunch of private individuals wrote me and sent me money. And so we gave away a ton more. And then someone who owns a big company, who's a really huge, wonderful advocate of women, Katie Moussouris, who owns Luta Security wrote me, and she's like, “Girl, this is awesome. How many can I buy?” And she kind of like gently was like, “Other companies might be interested in this too.” And so my team talked, we made a Diversity Scholarship that companies could sponsor, and then we would tweet and thank them. And so we made it a marketing thing for them so they could use their marketing dollars. I think we set up close to 100 people who are underrepresented. And so we let people tell us how they're underrepresented. So, sometimes people would be like, “I'm a white male but I'm out of work, so I'm underrepresented.” And we're like, “No.” But sometimes people would say just all sorts of stories and reasons. And basically, if their story was good at all, we would say yes. And so as many grants as we could get, we would give. And sometimes we would just give extras away, even though we're technically not supposed to according to our rule. We're allowed to give more away, we're just not allowed to give less away. 

[24:28] Tanya Janca: And so, yeah, person after person started these programs. And not all of them graduate, but that's normal of people who even pay out of pocket or people whose work sends them, lots of them – it's hard, so they don't finish. And we'll check in on them. I started making little videos and I'd be like, “Hey, I see you're halfway through, can I send you this motivational video?” To try to convince them to finish the course. And then when they're done, for quite a while, we would set them up with job interviews. But then, eventually, we had so many people that we couldn't keep up with that. But we found a lot of those first 10 women of color jobs, either a paid internship or a junior, entry-level position doing application security, which is really awesome. And companies had good experiences, so sometimes they'll write us and say, “Where are your grads? I want to meet some. How do I do that?” And so now we have a jobs channel, and we let people put jobs in there, and we make introductions to graduates quite often. And that's really exciting. Sometimes they get hired before they're done. And they're like, “I'm having trouble finishing your course.” Because there are a lot of companies that need to secure their software.

[25:40] Andra Zaharia: Of course. I love the way that you're doing this. What a wonderful example you're setting for everyone. What great experiences you're infusing into their lives, which I'm sure that they'll take forward and amplify, and then teach other people, and connect with them based on the same values and same principles, and help amplify that in a way that will probably have these incredible ripple effects that you might not be able to get to see but that we will all benefit from. And to me, that is incredibly generous. So, you're giving all of these people so many wonderful experiences that show them how you can grow when you have a little bit of help when you have someone rooting for you, and just how much that matters. But I was wondering, could you share an example when you were on the receiving end of an empathetic experience, whether in development or security-related? I'm trying to understand what that felt like for you? And what did it teach you?

[26:46] Tanya Janca: I have had so many people show me kindness, it's ridiculous. When I started We Hack Purple, I had a lot of people that own their own businesses take me aside and say, “I want to help you. What are you having trouble with? I want to solve your problems. How can I enable you more?” The people at ThreadFix, also known as Denim Group, who got purchased by Coalfire – and congratulations to them – they're so helpful, they're so nice, they're so supportive, like sponsoring my podcast, offering help. They hired tons of our grads. They're just like over the top wanting to help us. People from Contrast Security reaching out and trying to offer us help, making introductions. So many people. And then also when I left Microsoft, the thing that a lot of people don't talk about when you do Developer Relations is, so people booked me up to 12 months in advance to do a talk. And then I stopped working at Microsoft, I still had all these commitments all over the planet. I had a lot of people help. So, some of them, for instance – I'm sure she'd be okay with me sharing this. So, Alyssa Miller was just like, “Hey, you can share my hotel room with me –” I know, a hotel room at RSA costs five zillion dollars – “I have one because my company's paying, you could just share with me.”

[28:05] Andra Zaharia: Alyssa is fantastic. She's incredible. She's one of my favorite people in security. I cannot get enough of all of the ways in which she helps create so much. She's just a kind, wonderful, generous soul. And I continue to see her bringing that to everyone that she can. So, I hope that she gets to hear this a little bit. And I hope that she remembers how awesome she is.

[28:34] Tanya Janca: Yes. And so many people helped me in different ways. Before I started We Hack Purple, and after I left Microsoft, a lot of people and a lot of communities where I had agreed to speak for free, and they didn't have to pay any sort of travel or whatever, and lots of them were like, “Well, we still have some budget, so we're gonna pay half your plane ticket,” or “We're gonna do this or that.” And I'm like, “Oh, I know I agreed. I said that I didn't need travel.” They’re like, “No, no, no, no, we see the situation you're in and we don't want you to cancel.” Because if you just cancel all of your speaking engagements, you're gonna ruin your career. Your reputation is sort of toast. And so, having so many people just reach out and try to ease the financial stress of that, try to make it easier, it was really great. It's funny because I've had people say, “You're so nice. Don't you get tired of that?” I'm like, “No, it always comes back.” People show me kindness and generosity all the time, and so just pushing it back out into the world seems right.

[29:39] Andra Zaharia: And that is a perfect way to wrap up this much-too-short conversation. I wish that I could have enough time, without taking up too much of your time, to dig even deeper into your work, but I am sure that it will help give people a glimpse into why application security is such a complex thing, and why we need more and more kindness, and to be more supportive and understanding of others, and try to find that common ground and find a way to make security something that we can talk about because we all care about it and not because someone imposes this on someone else's work. So, thank you for sharing so generously, both in this podcast and well beyond that. Your examples of generosity and empathy are traveling far beyond what you can imagine, online and off. And I'm really excited to continue to root for you and continue to try to support, and then direct people to you and the academy because I know that they'll have a lot to gain from this.

[30:46] Tanya Janca: Thank you so much for having me on, Andra.