DeepSec 2017 Talk: Insecurity In Information Technology – Tanya Janca
A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation is further strained. This silo-filled, tension-laced situation, coupled with short deadlines and mounting pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.
In this talk Tanya Janca will explain how people’s personal insecurities can be brought out by leadership decisions in the way we manage our application security programs, and how this can lead to real-life vulnerabilities in software and other IT products. This is not a soft talk about “feelings”, this is a talk about creating programs, governance and policies that ensure security throughout the entire SDLC.
No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioural influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal clear expectations.
We asked Tanya a few questions about her topic of interest.
Please tell us the top 5 facts about your talk.
The way many companies run their security and development programs causes serious friction between the two teams. This “friction” can cause job insecurity. When people feel job insecurity they act out in predictably negative ways. Those ways of acting out negatively often result in insecure software. We must fix this problem.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I have seen similar behaviour in the different places where I have worked. As I started speaking at conferences and meeting many, many people in InfoSec, it turned out that it’s happening all over, not just in the places I have worked. It’s systemic. And I love fixing problems, so I decided I would create this talk in the hope that I can help.
Why do you think this is an important topic?
I’m passionate about application security. I was a developer for a long time, and dealing with the security team was unpleasant at times. We are not going to have secure software any time soon if we don’t fix the system issues. I feel this issue is systemic.
Approximately 27% of security incidents are caused by insecure software. That’s quite a bit. This issue should be important to everyone.
Is there something you want everybody to know – some good advice for our readers maybe?
We need to stop blaming each other and pointing fingers when things happen and instead focus on how to ensure we fix issues so that we are more secure in the future. We need to take responsibility and do better, and put our egos aside. It’s time to get to work.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I predict that there are going to be quite a few new jobs in the application security field, until we start figuring out how to make creating secure software a lot easier. Right now it’s very difficult. It has to get easier.
Tanya Janca is an application security evangelist, technical advisor, web application penetration tester and vulnerability assessor, trainer, public speaker, ethical hacker, OWASP DevSlop Project Leader, Chapter Leader of OWASP Ottawa, Effective Altruist, and has been developing software since the late 90s. She has worn many hats and done many things, including: Web App PenTesting, Technical Training, Custom Apps, Ethical Hacking, COTS, Incident Response, Enterprise Architecture, Project and People Management, and even Tech Support. She can currently be found helping the Government of Canada secure their web applications.