Tanya Janca believes that one of the reasons most connected products are insecure from day one is the software security skills gap that comes from developers not learning security in school. Her solution: Those who know should teach those who don’t. Janca discusses mentoring in the software security industry with us.
Tanya Janca has no doubt about why most online products, from computers to devices to entire systems, are insecure on the day they hit the market.
It’s because, as she puts it, security testing generally doesn’t get invited to the software development life cycle (SDLC) “party” until the last minute—if at all.
One of the main reasons for that, she has said in her blog posts and multiple conference talks on the topic, is that security is “definitely not what software developers are being taught in school.”
And since a major overhaul of the educational establishment does not appear to be in the works anytime soon, her solution is for those in the industry to do it themselves. Those who know should teach those who don’t know.
If you know, teach those who don’t
That, not so coincidentally, is what happened to her. Janca now has a software security guru’s resume—senior cloud advocate for Microsoft, application security evangelist, trainer, public speaker, ethical hacker, OWASP Ottawa leader, OWASP DevSlop Project leader, software developer, and, oh yes, mentor.
Because for her, it started with a mentor. “I was a software developer. He was in a band, and I was too, and we worked in the same office,” she said.
“He wanted me to become an ethical hacker, and I didn’t want to. But he slowly convinced me—told me I was going to love it and be really good at it. So I decided to try it.”
It was not an easy beginning. He told her to read books like The Shellcoder’s Handbook, which she found so dense that “I got one-third of the way through and thought, ‘I don’t want this as a career,’” she said.
But she persisted, with others like The Web Application Hacker’s Handbook. She learned a lot more through OWASP (Open Web Application Security Project). “I joined [the Ottawa chapter] and became the leader in a few minutes,” she joked.
She forced herself to improve her expertise by booking herself to do talks “about things I really wanted to learn.”
The value of multiple mentors
While her first mentoring relationship didn’t end all that well—Janca took a job her mentor didn’t want her to take—she now has three others.
Sherif Koussa, founder of Software Secured, who is also a co-leader of the Ottawa OWASP chapter, “has given me amazing advice,” she said.
Nicole Becher, a senior auditor at CipherTechs in New York, “is the one I run the OWASP DevSlop program with,” she said. (DevSlop describes itself as “the hacker jungle gym built on DevOps disasters.”) “We’re nerdy in all the same ways.”
Adrien de Beaupre is an ethical hacker and a principal instructor with SANS.
Each has been a help in different ways, she said, “just like you don’t have one friend who does everything with you.”
She recalled that when she first did talks in front of live audiences, “Adrien stood next to me” to help calm the stage fright.
Evolving from mentee to partner to mentor
Over time, those relationships have become more of partnerships, where Janca believes she helps them as much as they help her.
She has become a regular speaker, exhorting software developers to “push left” by including security testing throughout the entire SDLC.
“Everyone is getting hacked,” she said in one of her talks. “And up to 90% of all those breaches are caused by vulnerabilities in software.”
She has also become an advocate for bringing more women into cyber security: she helped organize, and is a leader of, Cyber Ladies Ottawa, which holds regular online meetups and has chapters in Toronto, Vancouver, Montreal, Nairobi, London, Palo Alto, and San Francisco.
“Just today Microsoft became our sponsor,” she said, “which means paying all the meetup fees. That’s thousands of dollars.”
It has also prompted her to become a mentor herself, and mentoring is now her call to action for anybody who has been in the software security field for four years or more.
“You may not think you know that much,” she said, “but if you have a job and you know how to do it, there’s somebody else who would wish to have the same thing.
“You kind of owe it to your industry. When you mentor somebody, that means there are now two of you protecting everyone. And if you have too much work, it’s because you’re not mentoring anyone,” she said.
Some rules for mentoring
Navigating both sides of the mentor/mentee relationship has also prompted Janca to create her own list of “rules” to make it productive.
- Don’t abandon your mentee. “That happened once to me,” she said, “and for a while I was really”
- Talk about expectations. Be realistic about the amount of time you can commit, and make it clear that you may occasionally have to disappear temporarily.
- Listen to feedback with an open ear.
- Help them to network. You likely know many more people than they do.
- Make suggestions. It is up to them to decide what to do with them.
- Your mentor is not a free consultant. They will not do your work for you.
- Don’t expect a paid job offer at the end.
- If you ask for help with a tech question, “you should have Googled the hell out of it first. Otherwise, you’re not respecting that person’s time,” she said.
- Don’t expect formal assignments that will then be graded. This is not school, and it will require a lot of your own
The payback on both sides, she said, is fulfilling in terms of both career and emotional development. “I’ve been helping this woman, and now she helps me—she has amazing, brilliant ideas,” she said.
“It’s hard to tell you how proud I feel of her, but it is so worth the time and effort. It pays back in an emotional way.”
Tanya Janca, besides her work with Microsoft and OWASP, is host of DevSlop Live! on Sundays at 1 p.m. ET. She blogs here, and she tweets as @shehackspurple. Want to hear more from Tanya? Check out our Silver Bullet Security Podcast from April 2018, where Tanya and host Gary McGraw talk about election security, DevOps, and more.
*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/tanya-janca-software-security-skills-gap-mentoring/