    we hack purple

    Explore "we hack purple" with insightful episodes like "We Hack Purple Podcast Episode 79 with Isabelle Mauny", "We Hack Purple Podcast Episode 75 with Enno", "We Hack Purple Podcast Episode 71 with Ariel Shin", "We Hack Purple Podcast Episode 67 with Jeremy Ventura" and "Missing Host Squirrel Mittens with Tanya Janca from We Hack Purple" from podcasts like "We Hack Purple Podcast" and "Random but Memorable" and more!

    Episodes (5)

    We Hack Purple Podcast Episode 79 with Isabelle Mauny

    In episode 79 of the We Hack Purple Podcast, host Tanya Janca spoke to Isabelle Mauny, Field CTO and founder of 42Crunch! Isabelle and Tanya met way back in 2018, at an API Security workshop in Britain, having no idea they would be friends for years to come! Isabelle is extremely passionate about securing APIs, and has volunteered for several different groups and projects in order to try to steer our industry in a more secure direction, including being president of the OpenAPI group and lending her skills to the OWASP DevSlop project to fix up our Pixi app.

    Together they discussed several of the challenges when creating secure APIs, including: BOLA (Broken Object Level Authorization), bots, all sorts of other broken authentication (not just object-level), verbose error messages, the fact that APIs are *not* invisible to hackers, and so much more. Isabelle covered how to have a positive security culture and build out a DevSecOps program that includes API security, what the OpenAPI protocol is, and several inspiring customer success stories. We also talked about her free IDE plugin that gives you a score out of 100 for security, and how, on Tanya’s first try at it, she only got a score somewhere in the 20s to start! Of course, we also talked about the OWASP API Security Top Ten, and how that helped bring the importance of securing APIs into the mainstream, rather than an obscure thing only AppSec people like Isabelle and Tanya obsess over.

    Isabelle also spoke about a webinar she will be part of on July 13, Mastering Secure API Development with GitHub and 42Crunch. You can sign up here: https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/

    Get to know Isabelle:
    Isabelle Mauny, co-founder and Field CTO of 42Crunch, is a technologist at heart. She worked at IBM, WSO2 and Vordel across a variety of roles, helping large enterprises design and implement integration solutions. At 42Crunch, Isabelle manages customer POCs, partner integrations and product training. She is a frequent speaker at conferences and a published author. Isabelle is passionate about APIs and enjoys sharing her experience in podcasts such as this one :)

    Isabelle Links!
    https://tools.openapis.org
    https://42crunch.com/mastering-secure-api-development-with-github-and-42crunch/
    https://apisecurity.io
    https://github.com/isamauny/codemotion2023/blob/main/RuggedAPIs-Codemotion-2023.pdf
    https://42crunch.com/blog/

    Very special thanks to our sponsor, Semgrep!

    Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.

    Get Your Free Trial Here! 

    Semgrep also makes a ludicrously fast static analysis tool. They have a free and a paid version of this tool, which uses an open-source engine and offers additional community-created rulesets!

    We Hack Purple Podcast Episode 75 with Enno

    In episode 75 of the We Hack Purple Podcast, host Tanya Janca interviews Enno, a security researcher from Semgrep. They discussed all things static analysis, including: how we come up with SAST rules, what’s important to search for, important considerations when writing rules, testing rules before wider rollout, and writing rules specifically for Semgrep.

    We briefly got into The Official Docs, and content creation for both internal and external use, plus its importance when trying to scale your security efforts.

    Want more Enno?

    They can be found here!
    https://www.linkedin.com/in/enno-liu/
    https://www.youtube.com/@enncoded
    https://youtu.be/g_Yrp9_ZK2c
    https://twitter.com/enncoded

    The video by Enno that we discussed can be watched here!
    https://twitter.com/enncoded/status/1648908623152844801

    Very special thanks to our sponsor: Day of Shecurity! 

    This annual event advocates for inclusion & diversification of gender in cybersecurity, AND it’s very soon. Day one is May 18th (virtual) and day two is May 19th, in person in Redwood City, California, United States. Tickets are FREEEEEEEEE!
    View the agenda here: https://guides.dayofshecurity.com/view/314270378/
    If you’re not sure, you can see videos from previous events here: https://www.youtube.com/c/DayofShecurity.

    Join We Hack Purple!

    Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: A fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!

     

    We Hack Purple Podcast Episode 71 with Ariel Shin

    In episode 71 of the We Hack Purple Podcast, host Tanya Janca speaks to Ariel Shin from Twilio! Ariel does product security, and as you might imagine, Tanya had at least 100 questions for her. We discussed threat modelling, influence, persuasion and other communication skills needed to be an effective #AppSec person (or any security professional, for that matter). The conversation got really interesting as we dove into how to communicate with an executive, versus an engineer, versus a non-tech person, and how we can communicate and advocate for security (effectively) in the process. She talked about breaking down an argument into multiple pieces, to ensure you get the message across in the best possible way. If you are someone who has struggled with convincing the rest of IT to patch or fix bugs, she breaks down how to do this in a way Tanya plans to adopt from now on. Take a listen at the links below!

     

    Ariel’s Bio: 

    Ariel Shin is a product security team lead at Twilio. Ariel started her career as a penetration tester, specializing in web and mobile security, before moving into the product security space. Ariel enjoys building relationships with developers through secure code reviews, threat modeling, security training, and vulnerability management. Currently, Ariel is working on rolling out and expanding Self-Service Threat Models for the Twilio Org. 

     

    Ariel’s Social Media:  linkedin.com/in/arielshin/ 


    Link to the great podcast episode Ariel spoke about: “Hacker Explains One Concept in 5 Levels of Difficulty” by WIRED Podcast, featuring Samy Kamkar.  

     

    Very special thanks to our sponsor: Women’s Society of Cyberjutsu!  

    Women’s Society of Cyberjutsu are hosting CYBERJUTSU CON 4.0 and the 10th Annual Cyberjutsu Awards on June 24, 2023!!! The Con will consist of Hands-on Workshops, Capture The Flag (CTF) Competitions, Professional Headshots, Recruiting Opportunities, Celebration, and more.  Participants will walk away with hands-on knowledge that can be applied immediately on the job. You can check out the event here: https://womenscyberjutsu.org/page/CyberCon2023 

    FYI the call for papers is still OPEN! Apply here: https://www.papercall.io/cyberjutsucon2023 

    And the nominations for the Annual Cyberjutsu Awards are here: https://womenscyberjutsu.org/page/AWARDS2023 

     


    We Hack Purple Podcast Episode 67 with Jeremy Ventura

    In this episode of the We Hack Purple podcast, host Tanya Janca met with Jeremy Ventura of ThreatX to discuss how we can help more people from underrepresented groups into tech, and specifically into the field of Cybersecurity / InfoSec. How do we get them a seat at the table? How can we share knowledge and educate people en masse? Can we advocate for others? (Spoiler alert: Jeremy and I gave several examples of both sides of that equation.) We talked about “Saying yes more often!” when we are asked to do something a bit outside our comfort zone, if it might bring us new opportunities. We talked about imposter syndrome, different learning styles, and that you can come from any career, education or background, and there’s a place for YOU in our field!

    Jeremy also shared some links and events too!

    #CyberMentoringMonday
    Exploring Cyber Security - webcast, date unknown (early March)
    Article about #CyberMentoringMonday, read here: Article about mentoring and advocacy

    Jeremy’s Bio:
    Jeremy Ventura is a cybersecurity professional, specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security center operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader that can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master’s Degree in Cybersecurity and Homeland Security.

    Very special thanks to our sponsor: The Diana Initiative!

    The Diana Initiative Is: A diversity-driven conference committed to helping all underrepresented people in Information Security. This year the theme is “Lead the Change.”

    The Diana Initiative is seeking sponsors for their annual event happening Monday August 7, 2023 in Las Vegas. See https://www.dianainitiative.org/sponsor/ for more information.

    The Diana Initiative Call For Presentations opens on March 1. If you have a topic you want to share, submit at https://tdi.mobi/CFP


    Missing Host Squirrel Mittens with Tanya Janca from We Hack Purple

    How can you create and code software that's actually secure? Hit play to find out! Join us this week as Tanya Janca discusses her new book, and offers up her top tips on secure software and knitting mittens for squirrels (yes, seriously.) 🐿🧤

    We also discuss the moral dilemma of a Robin Hood-style hacking donation and all the commotion around Trump's alleged Twitter hack. Don't worry, this is an election-free zone.

    All that, plus a particularly funky round of Play Your Passwords Right. 🎸🎶

    🏰  Watchtower Weekly

    🎙 Guest Interview - Tanya Janca

    🗣 #Ask1Password

    Ask us anything! Please use the #Ask1Password hashtag or send us an email at: media@1password.com

    🚨  Play Your Passwords Right 

    We show a password, then reveal how many times that has been in a breach. We then show another and guess higher or lower.

    To play along visit: haveibeenpwned.com/passwords

    Follow Us…

    Please get in touch using #Ask1Password and let us know what you think of the show, you can also leave us a review on Apple Podcasts or wherever you listen to podcasts.
