HackInterview with Tanya- Because I’m a woman, I’ve been asked many silly questions in interviews.

On the occasion of International Women’s Day, InfoSec Write-upsbrings to you an exclusive series of interviews with women in security and…

Anangsha Alammyan

Mar 9, 2019 • 7 min read

Tanya Janca

On the occasion of International Women’s Day, InfoSec Write-upsbrings to you an exclusive series of interviews with women in security and technology.

In the second interview of the series, we have with us, ethical hacker Tanya Janca, currently working as Senior Cloud Advocate at Microsoft.

Hello Tanya. It’s a pleasure to have you here with us. Please introduce yourself for our readers.
Hi! I’m Tanya Janca. I’m a computer scientist who is obsessed with securing software, DevOps and ‘the cloud’, spends a lot of time in the OWASP (Open Web Application Security Project) and WIST (Women in Security and Tech) communities, who works for Microsoft. I’m proudly geeky, mildly addicted to public speaking, and working hard to help our industry create more secure products.
Congratulations on your one-year anniversary at Microsoft. How has the experience at one of the top companies in the world been like?
Thank you! My first year at Microsoft has been a whirlwind that has (literally) taken me around the entire world. When I left the government I was a bit afraid that I might not “cut it” in private industry, a lot of people warned me that the government was’ very soft and easy’ and that private industry would be ‘very hard’. Since I had thought that I always thought I had worked very hard in the government, I was slightly nervous. “How much harder can I possibly work?” But it turns out that Microsoft is not at all scary, and although I definitely work hard, it’s…. A lot more fun. I’ve had the chance to help them change our products so that security offerings are more inline with what the industry needs and wants, show them crazy things that can be done with their products (for better or for worse), communicate with various members of the community on their behalf, all the while getting sneak peeks at industry-changing news and tools. It’s been so amazing. Really.
What is the story behind your handle “She hacks purple”?
Like most people, I had an email that I would give away more freely, that does not have my name in it; ’shehackscomputers’. However, when I made my twitter account it said that was one character too long, and I certainly wasn’t going to be “HE hacks computers”, so I needed to come up with something new. I was currently doing my “Push Left, Like a Boss” talk quite often, where I talked about what red and blue teams are, and I always explain that “I am purple team, because I do both”. And guess what? SheHacksPurple was just short enough for twitter. :-D
Can you tell us a little bit about your project OWASP DevSlop.?
I started the OWASP DevSlop project with my friend Nicole Becher, so that the two of us could learn how to do Pentesting and other AppSec activities in a DevOps environment. We figured we’d build more modern apps (Serverless, micro services, etc) apps, break them, build pipelines, break them, etc. I built a pipeline in Azure DevOps and it turns out that “sharing” a pipeline that has a million plugins enabled is basically impossible, so I decided to start a little streaming show in efforts to “share” my pipeline that way. Along the way, Franziska Buehler joined, then Nancy Gariche. We also have several wonderful contributors as well. Teaching is a great way to learn, and doing it with friends makes it even better. I strongly recommend joining or starting a project if you want to learn new things, it has been nothing but fun.
How did you first get introduced to security?
I was first introduced to security by a friend of mine in the office. We were both in bands, and so, of course, we immediately became friends. He was (still is!) an ethical hacker, and kept trying to convince me to join security. I had already worked in security and had a bad experience so I didn’t want to try it again (performing counterterrorism activities for the Canadian government, not a fun time!). He spent a year and a half convincing me, and I became his apprentice. He helped me get my first job as a pentester and gave me many tips and tricks that set me on my way. Since then I have been lucky enough to have 3 more professional mentors. This is why I am always trying to help people find mentors, it’s what worked for me, and I want to help.
What would you consider the turning point of your journey as a security researcher?
I’m not sure I understand the question. I haven’t really had a turning point, I’m still excited about security. :-D
What are some tools that can’t be left out from a hacker’s arsenal?
I always want Burp Suite and OWASP Zap in my toolkit, I need the ability to proxy whatever I’m looking at and speak to it directly. Also, the ability to script (bash, powershell, cloudshell, python, whatever works for you). I also want a VA/network scanner, such as Nessus, Nexpose, NMap, cloud providers have their own special ones. Also, if anyone will give you the design or any other documentation that can give you a giant head start…. Which only applies if you are doing white or grey box testing. But if they offer documentation, always take it.
How did the transition from hacking to blogging and public speaking happen?
Immediately after my first OWASP meetup, I joined the organizing committee and I became one of the chapter leaders shortly thereafter. For the first two years I invited every woman in InfoSec I met to speak and they all said no. My co-leader kept saying “You need to speak Tanya” and I said “No way!”. Then my professional mentor, who was the lead organizer of B-sides Ottawa at the time, announced that I would be speaking at the next conference (without my permission, LOL). After I stopped freaking out I spend the next 5 months writing a talk, getting tons of help from all the other OWASP chapter members. Then I did it at the OWASP chapter, and when I did not die, I did it at work for every single dev team. Then I did it at B-sides and although my demo failed and another speaker made fun of me and my talk later in the day on stage, but I still didn’t die! Then I did it at the Python meetup, JavaScript, Ladies Code meetup, etc. Then I started speaking at conferences, and then conferences started sending me plane tickets and paying my expenses to come to speak. Meanwhile, I would do PenTests and AppSec and run into the exact same problems over again, especially with management standing in the way of security. It was so frustrating. I ended up working so many hours, between the day job and the night job…. It got to the point where I had to choose, day job or ‘speaking and teaching’. The timing was perfect when Microsoft offered me a job, I basically screamed “yes!” Into the phone, LOL.

The blog was at the suggestion of a colleague, Burke Holland. I honestly didn’t think anyone would want to read my blog, and I’m not sure why I thought that in retrospect. I assumed I’d have 30–40 readers at most…. It turns out that was so very incorrect.
Is there anything you would do differently if you could go back in time?
If I could go back in time there are some people in InfoSec that I would have avoided. Being a software developer for 17 years I never, ever had the drama in my professional life that I have had since I have moved into InfoSec. I’m so naive; I just assume people are honest, have good intentions, and I open my heart to them. Most of the people in InfoSec have been absolutely wonderful, but I’ve had a handful that have really hurt. :-/
With regards to your choice of career, have you ever felt you were at a disadvantage because of your gender?
I’ve been asked many silly questions in interviews such as “You’re a woman, why do you like PenTesting?” “Are you pregnant or do you plan to have children” and other inappropriate questions in interviews…. I have a feeling men aren’t generally asked if they are currently pregnant… So the answer you your question is “yes”.
You have been actively trying to help beginners find a professional mentor on social media. How was the idea of #MentoringMonday born, and how has the feedback been like so far?
The past few weeks I’ve been running a hashtag #MentoringMonday and so far it’s helped so many people! People use the hashtag and ask for or offer mentoring and which topics and many people have been pairing up. The feedback has been overwhelmingly positive. You can also just search the hashtag and respond privately, and I know quite a few people are doing that, so it’s difficult to measure, but so far the feedback is really quite wonderful. :)
I know you must be tired of hearing this, but any advice for newbie hackers, especially women?
Advice: Read my blog, watch my show and follow people who share and teach. I wrote a specific blog post on this topic here: https://code.likeagirl.io/getting-into-the-security-field-ccde63468ca8
For women, I can suggest joining your local chapter of WIST: Women in Security and Tech, so that you can make female friends who are in the industry. If there isn’t a chapter yet, message me to start one, it’s free. We “brunch like badasses”, “Crash boy meetups”, give each other tech workshops, and support each other however we can. We *do not* give lessons on soft skills, resume writing, or tell you how to change the pitch of your voice so that men will like you better. We blow off steam and have fun, sort of like a “stitch and bitch” or days past. It’s a bit different than any other women’s org I’ve heard of, we’re trying to cover the topics that other women’s groups don’t cover, and all women are welcome, no matter what career level or specialty you are. I started this with my friend Donna to make cool new friends, and it has spiraled into one of the most fun things I’ve ever done. :)
Thank you so much for having me.

Follow Infosec Write-ups for more such awesome write-ups.