In this episode our host Tanya Janca (also known as SheHacksPurple), talks to our guest Teuta Hyseni, to learn what it's like to be an Application Security Engineer. We have an amazing conversation covering all aspects of her job and what it takes to get there!
This episode sponsored by Thread Fix!
Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter here: https://newsletter.wehackpurple.com/
For corporate virtual training contact info@wehackpurple.com
Welcome to the We Hack Purple podcast, where each week we meet a new guest from all sorts of different backgrounds within the information security industry. And this week we have Teuta Hyseni, and we are going to talk to her about what it is like to do her amazing and very interesting job.

This week is sponsored by ThreadFix, and they are our longest-term sponsor, and I just want to say that we at We Hack Purple are so ridiculously grateful. I want to say happy Thanksgiving to all the awesome people in America who are, you know, eating delicious turkeys or tofurkeys or whatever it is that you are doing. I also want to let you all know that tomorrow is Black Friday, and We Hack Purple is doing a special deal where if you buy our bundle of Application Security Foundation courses you get a 30 minute free consult with me. Yes, you get to hang out with this giant nerd. I don't know, I told them, I'm like, I don't know if this will sell more or less. Anyway, without further ado, the person that you actually want to see, our guest Teuta Hyseni. Let's just bring her on, shall we? Okay, here she is. Yes, welcome.

Hi Tanya, you are so amazing.
Yes, hi everyone. So my name is, well, for most Americans, I'm Teuta Hyseni, and so yeah, I'm a security engineer at Microsoft, and I'm super happy to be actually with Tanya Janca today. It's Thanksgiving, and, you know, like, grab some turkey and listen to us.

Yes, we met when I worked at Microsoft, and if you meet awesome people I feel like you should just stay in contact with them. So that's what we did, and yeah, thank you so much for saying yes to being on the show. I'm, like, pretty excited to have you.

It's my privilege.

I have a surprise for you. So you happen to know the people at ThreadFix, and as a surprise for you they donated 1,000 in your name to Girls Who Code. Isn't that so amazing? We wanted to do something awesome for you, and they're like, we've been planning this for a while, and so I was like, this is super great.

Well, now I just get emotional, because ThreadFix and Denim Group has been like a company that I worked for longest, and I think I learned so much. It's, yeah, well, thank you. Thank you Dan, thank you John and whoever. I know that I will always be a friend, even though I have, you know, kind of been gone now for three years, but I know that I always have a friend there. And this is such an honor and I don't know how to thank you. This is great. And it's actually a cause that I really care about, because I am really vocal in terms of, you know, educating women, especially like girls from young ages, to actually code and be part of technology. So this is just awesome.

I know, I thought it was like the best idea. I was like, you guys are great.

I, yeah, I don't know, this is so great, I cannot... I'm super, super excited.

I know, we wanted to make it a big surprise, and I was like, I'm just going to spring it on her at the beginning.

Yeah, well, just a virtual hug to everyone in the Denim Group of ThreadFix. It's just, this is great. I don't know how to express my gratitude more, and it's Thanksgiving, and just like, this is so amazing, I don't know. Well, y'all got me, this is amazing, I don't know how to even be surprised.

It's so lovely, and I mean the ThreadFix people are lovely to work with, and they happen to be hiring, so if you're looking for a job in application security you should check out their careers page, and I'm gonna have to, like, look it up at some point and, like, put it in the chat so people can check it out.

Yes, so yeah, for those who are also interested to join application security, that's where everything started for me. So I got, you know, I got taught by the best in the industry, I'm just gonna say that.

Yes, yes, they are great and we love our sponsor, and not only because they're a sponsor. Yeah, they're good, they're very, very good. Okay, so now I'll actually start the podcast. So please tell us about your job title and describe what your job is like for us.
Yeah, I, this whole start is actually amazing. I'm, you know, just, I cannot stop laughing. But so my job title is security engineer. I work for Microsoft, I work for Office 365, and what I do is I'm more specialized in application security. Basically my day to day would be architectural reviews of new or existing features. I also do a lot of, you know, investigations and the incident response, and then also a lot of education, because we have this, you know, culture that we want to educate our engineers, to empower them with the right tools, so then whenever they build features they already have the, you know, the base. Whenever they build something it's built on a good base and foundation. So a lot of education I do, security champions, and then of course I'm also involved in legal, privacy, that's always fun. But my main kind of focus is in the application security side.

Cool. What is it like to be, kind of like, a day in the life of doing that? Like, what is your day-to-day? Are you in meetings all the time, do you get to hang out with software developers, are you coding?

So, all of that. I actually don't do a lot of coding, but my day-to-day, one thing that I love is that it's never the same. You know, you wake up and you get a lot of surprises. So it's one of those jobs that maybe you can plan forty percent of your, you know, quarter, but sixty percent, let's just say that it's gonna be always surprises. So every day is a surprise, and so, you know, you never work on the same thing. But just to, you know, kind of recap, like from high level, I spend a lot of time with engineering, product team, because as I said, one of the things that I do is threat modeling, and threat modeling from design phase, which means that all security requirements are put in place before the feature is actually executed. And then of course a lot of chit-chatting, for example, oh, can we use this or can we use that, so a lot of consulting, even though it's an engineering job, but it's, you know, our job is to consult engineers in the best practices, the best possible outcomes that a feature can be implemented, a lot. And it's interesting, my relationship with engineering and product is like a partnership, meaning that whenever we work it's like we work towards the same goal. Their goal is to execute a feature, they want to make something easy and everything, and then we want that feature to be secure. So that's kind of like how I spend my day, is with engineering, a lot of meetings, a lot of discussion, a lot of, like, architectural reviews. And then of course sometimes there's, like, privacy and legal. I, and this is, I'm not necessarily a privacy engineer or manager, but it's there. I am like that glue that glues everything, and then, like, distributes whatever, whether a task or something, across, like, different teams. And then as I said, education. So I initiated this program called security champions. I would organize, like, at least one per month, sometimes, a topic, and I will talk about, I am not sure, like let's say cross-site scripting or something, and then that will help engineers to, you know, understand from basic to more, you know, convoluted things. And then also it's really important to keep updating, to keep up with what is going on in our industry, and so another thing is I also try to keep everyone kind of up to date with what are the trends and what we have to look for.

Okay, okay, cool.
I am losing your picture for a second. Zoom app window, plus I'm doing something wrong on the screen here, and I'm not sure what I've done, but it just got really confused about who it's supposed to be seeing. It's definitely supposed to be seeing you. Interesting. We are in the corner and we're really small, and I want us to be the full size. It's like we're really, really little and I'm just, like, dragging us around the screen. Whatever, I'm going to ask you another question, and I'm going to figure out what it has decided to do in the meantime. But so, your job has a lot of different parts. There's, like, a lot, like you have to be able to be social, you have to have, like, a technical mind, you have to be able to explain, like, really, really complex abstract concepts to lots of different people who are all super smart but all have different backgrounds. What types of personality traits do you feel like someone needs in order to be good at your job?

Definitely. So as a security engineer, so I can at least compare with software engineer. So I was a software engineer before, but the difference is, with security engineer you have to be really resilient, and you have to be able to deliver not so good news. It's interesting, as a software engineer you're all, like, flashing and, you know, showing off your features, and as a security engineer it's a little bit different, but you have to be able to deliver those particular news in a way that is digestible by everyone. So communication, really resilient, you have to have strong personality, you have to be a really happy person, because, you know, the reason why you're working on what you're working is, you know, it's not, it drains you, so you have to have a lot of power, a lot of energy. And then of course curiosity, because, so if you think about, you know, just from technical skills, and then, you know, you have to combine that with your personality, such as curiosity. You have to have that detective mind, you have to be able to think on a different perspective. Always when you look at something you have to switch lenses and think, we have heard this, you know, hacker perspective, but it's actually like you have to be able to think through all the steps that a malicious user will do. But then that is, you know, it's draining, because you have to go down to that level. But it's interesting, because it also has to do with, you know, you have to understand the philosophy of different people, different backgrounds, different intents, interests. And also another thing is you have to also be able to understand your product, what are the weakest points, what are the most valuable things. So a lot of analysis goes besides technical skills, and definitely you have to be really resilient and be able to perform in practice whenever, like, if it's a dire situation. So definitely a lot. Yeah, it takes a lot of energy, a lot of, you have to be a positive person to be able to, you know, power through, because sometimes it gets, you know, hard, and when, you know, things get hard you have to be able to motivate yourself. So those are things I would say.

Oh my gosh, I feel like, okay, so I do AppSec, so I'm very biased, so I think your job is the best of all the jobs in AppSec. So what types of, I don't know if this question's sort of the same as the previous question, and so if it is you can tell me, but like in the last question it was, like, personality traits, like do you need a lot of leadership, do you need to be empathetic. But what about, like, you know, like aptitudes, like a person that has hyper focus or a person that has, like, great attention to detail? I don't know if there's certain aptitudes that make someone better at AppSec than someone else.
Yeah, so, you know, attention to details is, you know, really important. I mean, it's what it is. You have to be laser focused on things and analyze, like, small pieces, because those small pieces make a lot of difference. Be able to understand patterns, you know, not just patterns like in shapes, I'm talking about, like, action, patterns in terms of action. You have to be able to follow those things, because those are, like, pieces that make you a better, like, I would say, like, engineer, security engineer, than others. Because you have to, as I, you know, always say, technical skills is there, but you have to be able to have that ability to recognize small changes. For example, when you analyze an application, not necessarily all the vulnerabilities, or, like, one vulnerability, will, you know, be, like, flashing in your eye. Sometimes you have to piece things together. It's like, okay, so this and that and this one, this is gonna be combined together, it's gonna make this, you know, whole attack possible. So you have to think in those terms. So, you know, imagination, and, you know, as I said, thinking on the lower level as a malicious user, those that have bad intent, you have to be able to understand their background, their philosophy, and then act on those levels and then analyze your product. But definitely also piecing pieces together, attention to detail, small details. In my experience, I think there is a story, like when I was, before, as a consultant, there are, like, cases where applications have been, like, assessed for ages, and they were like, oh, we feel really confident, you know, that this is, you know, it's just a routine or something. But it took only one small issue that I, you know, had, was able to get to, you know, the god mode. So, you know, those little, oh my gosh, those are, like, that make the whole, I mean, as I said, vulnerabilities be something that you can scan, and so there are technical vulnerabilities and there are logical vulnerabilities. Technical vulnerabilities are easier to catch, because, you know, they all have tools, you can automate some of the things, of course there's false positives, but still. Logical vulnerabilities are those more dangerous ones, because it's where the logic fell short, and that's where, you know, you have to be really, really in, like, able to understand your architecture and then know what are the gaps and fill those gaps, because those make a huge difference.

Do you, so, like, so I'm biased again for the 55th time, but do you feel that business logic security vulnerabilities, so, like, security flaws, we could call them, are able to be found with automated tools super easily, or do you think we need security experts to find them?

So yeah, business flaws or logic flaws are something that you cannot explain to a scanner what to find, right? The scanner, whatever scanner you have, it's not going to be able to understand your business. And so that's where you have to have security engineer, security, someone who has expertise in this field, because, for example, when you think about product, you cannot, like, automate a product engineer, like a product program manager, you cannot automate his knowledge or her knowledge. It's the same, like you cannot automate security expertise when it comes to business logic, because those are, like, where, I don't want to say like less or more, but that's where, like, the expertise is mostly needed.

Yeah, I mean, I set you up to say the thing that I think.

So, I don't like my words, I right away understand, like, where are you trying to go.
No, but it's true, it's so true. So, like, a thing that people ask me about a lot with becoming an AppSec person, they're like, so sometimes people will ask me, do I need any technical skills to be an AppSec engineer? And I'm like, yeah. And they're like, which ones? And I'm like, oh. What types of technical skills do you feel that a person needs? Because you need a lot of, like, communication skills and social skills, but, like, you know, so much. So what kinds of things?

Yeah, so, I, you know, I don't want to sound, but this is just my opinion again, but for me, so what helped me to be a good security engineer is my background as a software engineer. And the reason why I'm saying, I'm not talking about other engineering fields, but application security, you have to, you know, as I said, I spend most of my time trying to consult, to give advice, to do, like, okay, so here is a remediation plan and this is how you can solve it. You have to know, I don't spend time coding, but I have to be able to, you know, explain, okay, so here is this function, this is where we have the issue, and this is how we can fix it. So technical skills, I don't say, again it depends on the company, and then there are some roles where you can actually spend time building tools, but at least from my perspective, currently I don't code a lot, but you have to be able to at least know one programming language. Not saying, you know, trying to code features, that is not necessarily required, but how would you give advice to an engineer when you don't have the background of engineering at all? So I mean, it's not that it's not doable, and there are so many, you know, nuances of different roles. You know, you have security, when we talk about security it's not, like, just application security and infrastructure security, there are, like, different flavors that your skill set, and, you know, you can find yourself. But for application security it's best when you actually have at least one programming language, you can read the code. How would you recommend something else? You know, how would you find the issue?

So I agree 100 percent. If you could see the little picture of me beside you, I'm just, like, it's like nodding vigorously the whole time. I want to suggest that everyone follow you on Twitter. So yeah, her Twitter handle is slightly different, and I'm going to spell it out for people, because you would think it would just be her first name and her last name, but it's slightly different. So it's t e o o t a h y s e n i, so just like at, or, you know, just twitter.com, and I have it on the screen right underneath. Oh, we have a question in the chat. Someone is saying, is there a specific language that you would recommend learning?
Okay, so, you know, to answer this question correctly we need to go back and see, like, what are the trending languages. But at enterprise level, mostly you have Java, C#, Ruby, these are, like, kind of the common tech that are used in bigger companies. But then you have Python. So whenever I said you have to know at least one language, it's you have to understand how a programming language works, and then once you're good with one language, even if it's slightly, like if you switch to Python, or from Java to C#, or whatever, you will be able to read the code. That's, I think, what I think a minimum bar would be. But I would have to defer, the answer would be based on the trends, but the majority of companies use either JavaScript, Ruby, so those are other languages. Yeah, and then of course you can get more fancy, Golang and Scala and everything else, but those are, like, at least, it will take time to replace these languages. So, you know, I will give a decade, if not more, to be able to replace all these applications with, you know, these languages.

It is so true, it's so true. People are always asking me which language to learn. I'm like, just learn one that is not a thousand years old. So then, oh, so someone else is saying, so once you are proficient in a code, like two to five years, you could focus on AppSec in that code. I would say that no, you could focus on AppSec in any language. Like, you don't learn just one and then work in just one. I would say, yeah, no.

So yeah, like when I said one language, the reason why I said one language is just so you get the structure of programming, how it works, like data structures and how a programming language works. And then once you have at least one language that you are proficient in, then it's easy for you to switch back and forth on different languages. So that's the context, but you don't have to work in only one language. You know, never limit yourself. If you can, you know, I am really big on learning, and, you know, if I would say I'm just going to limit myself, that is, you should not limit yourself. Always aspire to learn more.

I am agreeing with her 500 percent. And we are at the part of the podcast where I am going to thank our sponsor. So I want to thank ThreadFix, powered by Denim Group, because they are the most stupendous vulnerability management system this side of the galaxy. I told them I would say whatever they wanted, and I was like, oh my god, this is the best sentence I ever get to say, ever. And then I also want to briefly tell people about a book. So I wrote a book, it is called Alice and Bob Learn Application Security, and so I'm showing, like, a little picture of what the book looks like, and you can buy it from basically anywhere on the internet, because Wiley is awesome, like Indigo, Chapters, Amazon, all those places. And so if you want to learn lots of cool stuff about how to secure software specifically, or how to build an AppSec program, all of those things, that is the type of nerd I am, the type of nerd I guess we both are. And so, yeah, so I have now officially done my marketing. I am amazing.

Alice and Bob, so, yeah, and then for people, I actually followed Tanya and all her presentations. I would go and listen to her, and then so that's how I learned as well. So yeah, I would follow her at all the conferences.

I follow her too, just to be clear, we follow each other. She's also awesome and everyone needs to follow her, and then I'm gonna put her Twitter handle on the screen again.
So I have so many questions. So let's say someone's like, okay, that sounds awesome, I want to work in AppSec. What types of training or work experience could they get or do or pursue so they could try to become an AppSec professional? Like, what types of things could they do, like whether it be, like, getting specific work experience, getting specific training? You totally can recommend things that do not come from my company, just to be clear. This is not a trick question where I'm like, you can only say me.

Well, so one thing is of course, because as I said, I followed you, like, even before you opened your company, so I know your level of knowledge and level of expertise. So I myself, how I got to application security, is I did a lot of hands-on projects. OWASP is my favorite, I still go towards to read things, because I think that I always will need to have, like, because there's always new things. You can try, you know, your knowledge, you know, download Kali Linux and, you know, work on all the tools. But in terms of experience, I am again a little bit like, I don't want to, you know, be siding, but I would say work, if you want to start. So if you wanna, the best way to learn for me, and this is how I learn, is by doing it. And so I would say if you want you can start at the very beginning with some software engineering work, just so you get used to programming and everything, but that is not a necessary requirement. And then for me, I just learned everywhere, like whatever I could, like all the sources that you have in the US, I think, your great start, that's it. And then, you know, you can read books, you can take classes, there are online classes for free now. I am amazed at the amount of knowledge we have compared to, like, a decade ago. So definitely for me I would recommend, you know, and this is based on my experience and based on how I got to learn, is by just going off of different YouTube videos. You may know, like, even that helps. So, and definitely, you know, Tanya's classes.

Yes, I agree, my classes are awesome. We Hack Purple courses, you should definitely check them out. If you want to be an AppSec engineer that is obviously the first place to start. But I actually agree with all of your advice, especially OWASP, and especially, like, trying things out for yourself, building things, learning to secure them, like trying to kind of hack on them and break them and then seeing how you can make them stronger. It's, like, such a good way to learn. I want to add to your list the OWASP DevSlop project. Like, specifically, like, it's a really, so I'm biased because I'm part of this open source project, but basically, like, we just wanted to learn about DevSecOps, so I'm like, let's smash [__], let's make a pipeline, let's add things, and, like, let's invite cool people who know stuff and make things with them. And it just, like, try. I couldn't agree more with you, all the things you said, so good. We have a question in the chat. So the question is, are people skills or soft skills underestimated or underrated or underrepresented in AppSec or cyber security in general, do you think? I realize that I added a lot of words there.
Yeah, I would say no, actually. So as I said, at least, you know, as an application security engineer, even as an AppSec consultant before, the number one thing that you do is communicate with people, and you have to be able to, you know, elaborate things. And then also, in part of partnership, is, you know, you have to have the empathy, you know, towards engineering, towards product team, because everyone, you know, is kind of trying to do their best, right? So people skills actually is really important as a security engineer, because you don't want to be that security team or engineer that people will hide from, or, like, right, or hide, not just physically hide, but hide their stuff, you know, hide their...

Not trust you, not trust things with your knowledge.

Exactly. So then they can find a way to bypass you as much as possible, because that's where, like, then, you know, it's not good. And so, like, you have to be able to, you have to cultivate your people skills. You know, I would say, not like, but it's, you know, it's one of the aspects that sets you up for success.

Yeah, I think that the way you said it was so perfect, like, don't be the security person that the devs hide from. This is so true, it's so true. So someone is saying basically that they agree with you, you have to have empathy, you have to have understanding, everyone is trying their best, you don't want to be that security engineer that people hide from. So I think they're 100 percent agreeing with you in the chat. So the next question is, like, ever so slightly sensitive. So does working in AppSec, and your type of job and your field, does it pay well?

Well, I would say, like, pay me billion dollars, never enough. No, I would say that it actually is a well-paying job. And it is because, for example, let's just say, you know, I'm going back a little bit in history and how security has become the number one problem for non-CEOs but CEOs. So it is something that is, especially, like, given the pandemic and everything, like more things becoming online or remote or whatever you want to call it. It pays well because of the level of stress you have, of course, and the level of expectations from security. When security is good, everything is quiet. You know, when there is no problem, it's, when, you know, I would say, like, if you want to know that you're doing good, it's when nothing happens, you know, it's like everything's still. So, you know, that level of stress and, you know, all those kind of different flavors of skill set that I've mentioned, that are needed to actually have a well-formed engineer, are, you know, generously paid by different companies.

So a way that we have, so inadvertently on the first episode I talked about when I was a dev and the first time I felt like I've made it, I am an adult, I am making good money. I had gone to the grocery store and there's, like, two different types of cheese, and I was like, both these types of cheese look super delicious, and then I realized I made enough money, I could get both cheeses. I'm like, I could get anything I want in the grocery store. So someone in the chat who watches every week is like, I demand to know the cheese pay. So can she buy all the cheese she wants?

I actually am a fan of cheese. Once I realized, he said, I can't buy mozzarella cheese with that.

As much mozzarella as she wants. Does, someone wants to say hi to you in the chat. Efren Sures says hi, good to see you.

Ah, Efrain, right? Yep, yay. Okay, so I know him. Hi everyone.
awesome so
my next question is are there a lot of
opportunities in this field
do you think there's jobs yeah
yeah definitely actually if
if you're interested let me know
i get reached out by a lot of recruiters
so
based on that i would say there are a
lot of opportunities
and this demand is not going to decrease
anytime soon
giving the ratio of application well
it's not application but given the ratio
of
um day-to-day things that we're making
or we are empowering or powering with
applications
it's just exponentially growing i don't
think that it's going to be sorted
i mean short is in opportunities
actually it's just going to be short
maybe short is in demand
i mean in um supply which would be like
engineering
yeah definitely it's good i mean it is
it is interesting if you know i have a
philosophy it's kind of
you know when you think about it it's
kind of sad right because you have
you know the number of you know what
your purpose is to defend so you know
that's kind of the
but anyway yeah like i
i tell people that if you want to be a
good apsec engineer you're trying your
your damnedest to put yourself out of a
job
you want to make everything self-service
you want to teach the devs every single
thing they need to know you want to have
every single thing set up
so that all the magical things work in
like nothing bad happens
and you're like i can relax which you
never can
but like that's the goal right
[Music]
[Laughter]
wait was that a movie
you're like that's not real tanya good
luck
yeah no um i wish that was the case but
um that's actually like what we
constantly strive for we want
so we want to automate things that can
be automated so then
or focus actually it's more and more
things that matter
and there are that requires
mental power and you know analysis that
a
you know still uh computers
say do whatever what we say you know
what we
teach them or what we how we feed them
so
um definitely that is like constant uh
kind of we constantly work
on trying to automate things that can be
automated and then you know so then we
can
we free ourselves to do things cool
cooler than everything
that's so true it's so true it's like we
automate so then we can do the super
cool tasks
i tell that to people and like they're
like really
yeah there are cooler tasks than run
like the first time
i don't know about you but the first
time i ran a scan i was like i
am amazing but then the tenth time i ran
a scan i'm like okay so while that's
running what can i do that's way better
exactly um yeah definitely the
you know things that can be automated we
always try to
do that so we do cool stuff i mean
no one wants to run schedules every day
right
yeah so okay so the next question
is so there's like a it's a two-parter
so
the first question or part of the
question is what do you like
best about your job and your work and
the second question which you already
probably could see coming is what do you
like the least about your job
and your work yeah
um so should i be the person
with the good news first uh i will say
the first
the good part you know and then you know
um so the good part from what i
love about my job um is the mission
um i don't know how to explain
how so whenever i moved to security
i did not understand really like the
implication the
the altitude and and you know how
how how impactful is you know security
until i moved to it um so
we as tech you know as a tech industry
we build up so many tools which is great
we want
humans to have more time but
you know we also responsible
really responsible to make sure that
those tools
are not hurting um and when i say
hurting
um because when
people say it's a virtual world no
actually everything that now is tied
to an application actually is impacting
my life
and that's not virtual at all it's
actually real time right now
if someone does something to my account
it's not a virtual world actually it's
my bank account and
my money and my sweat and my tears so
you know so those are things so
giving the fact that we are trying to
digital digital uh
digitalize everything because i got so
emotional
uh given the fact that we are doing you
know we're putting everything on
powered by application we are
responsible to actually protect
um those who can protect so the thing
that i love about my
job is that i know that i'm doing
something good um
so you know i'm i'm trying and i'm you
know
i'm protecting those who can't because
not everyone
you know is technical savvy um and so
my mission it's like a life mission it's
like i'm protecting those who can't
and that's like what makes my life in my
job
really easy i i know that it gets hard
and you know rusty and everything and
you know dry and you know sometimes
it's like ah should i do some more
security or should i switch to something
else but no
uh that what makes it really easy it's
mission
and so that's what i love about my job
um sadly
the bad side and i'll go back to
flipping side
it what makes it hard is
it's draining it it drains your
your energy and your ha it sucks your
happiness sometimes you know because
knowing that
you know there are that much of
malicious people um that you know that's
easy to me like something that i
i you know it drains mom you know which
i don't really like
um and yeah but other than that
it's it's something that i really enjoy
it and i do it
every morning it's like okay but
i i just go behind my mission and that's
it
awesome i love it i
i agree so much i feel like i'm just
like nodding a lot so if anyone is
listening
and they're like why is tanya so quiet
she's just nodding vigorously
and and also i wanted to mention so if
someone is watching this episode and
they're enjoying it they should click
the thumbs up
they should subscribe they should follow
we
hack purple and our amazing guest on
youtube so
or on twitter so i'm gonna put like her
twitter handle up again and try to
convince people again to follow you
because i've been flashing it all day
and then i feel like people should
subscribe
if it's an audio version that you're
listening to you should subscribe to
that but also write us a review
did you know that we prescribed to
bribery yes that's right
if you review our podcast and you send
us a screenshot on twitter
we will mail you stickers yes that's
right we are buying our reviews with
stickers
it doesn't matter what your review says
we will send i hope it's a nice review
yeah i actually you know i i still have
a handful of stickers from tanya
the what was it raccoon was it yeah
yeah raccoon doing all the cool stuff
teaching the dev security security's
everybody's job
flashing the owasp symbol oh yeah that
raccoon is cute
we have new stickers now which obviously
i should have one handy but i do not
i there's a question from the chat that
i wanted to ask you before we
wrap up because i know we're sort of
running out of time but that's okay
but someone was asking do you have any
tips for teaching
devs and like reaching devs so if
you're trying to like reach out to
developers and teach them about security
like how do you
reach them yes so it is challenging but
um so how i go about it and
you cannot teach someone who doesn't
want to be taught right
so first thing that i've done is asked
for volunteers that those engineers who
so for example the security champions is
across
all the teams um at least one engineer
per team
you can you know i the first thing that
i have done is
ask people around who are interested to
learn about security
because i mean um there are engineers
who are not interested
it's fine but there are engineers who
actually care about
you know their features and they want to
know they want to stay up
they want to stay updated on you know
all the security matters
and so the first thing that i will
suggest is
see who is interested already a little
bit in
not switching your job you know saying
but there are engineers who are
interested in security
because that's you know when a person
wants to learn that's easy you know
half of your half of their job is done
because they already have their
willingness and
they are paying attention whenever you
say something or when you're presenting
something it's it's already the
attention because
it's naturally there you're not pushing
of course there are like all other
methodologies um
because engineering is kind of tricky um
sometimes um i also gamify things
you know make make them make make it
interesting
um appreciation
goes long way um when i say for example
when an engineer does something you know
that is
you know it's not out of the way but
it's you know it's a good
good practice and they already you know
without someone
pointing they have done something from
you know from security perspective
appreciation is you know goes a long way
you know
they want you know everyone wants to be
appreciated so
uh you know i try to do that as well
so there are those are similar
techniques
um that i've used and um there are
really interesting
uh that works i'm i'm not saying like a
hundred percent
it's not bulletproof but you know those
are
some of the tips i would say you know
start there and then you know there are
all the teaching
techniques but those are successful as
well
cool so let's say someone is
is listening and they think oh my gosh
this is the coolest thing ever
i want to work in appsec do you have
some actionable
advice of things they could do to move
towards this as a goal
like if they want to work in appsec
besides saying
hi to recruiters but like before that
like let's say i'm a software
engineer or i work in help desk like
what are things i could do
so i could aim there
yes um so hey just switch like i did i
just switched
that's hard it's just like i was like
okay
no that's not bad um
so if you are already working um i think
you you know
if you want to switch to a security
engineering you have to you know first
of all
reach out to the engineering team on
your company
and just you know see what
what they're doing and if that you know
is something on your interest um
secondly
um don't switch your job right away
because you know that you know like it's
i mean i don't know but i i i loved it
so much i just were like this is
it but uh try to
um kind of test drive you know work on
you know like if you can partner with
some security engineer
um and then you know shadow them so
then you can
see from kind of first hand
how things work and what are the things
that
that the security engineer is doing
and then in terms of uh from
switching completely you know the kind
of the gear from
help desk to application security it's
not that you can
it's it's as i said um i think i
i mean education you know degree
um or it doesn't set
you for what you want to do is you know
it's a professional
um like computer science degree
will not um kind of
dictate you whether you're going to be a
good engineer or not
there are so many uh free learning um
as i said hands-on for me i mean i don't
know like you have to understand your
learning patterns what are you how do
how you learn
because you know i'm you know again just
from my
from my perspective um start hands-on
projects
first start read about application
security and then start
like hands-on projects see how you
how you work like what is synergy with
that you know the type of work
um and then slowly like um
now it's pandemic but there are so many
conferences
right um even now on you know or like so
many conferences that you can attend
that exposes you one networking you know
you know more people
in that field two you can you know
of course knowledge and then there is
like on those conferences there are also
recruiters so that is like some of the
things you can do
to you know uh plan kind of your switch
and your you know your next move
this is awesome advice so
we have come to the end and i have to
ask you the super difficult
tough question which is okay so let's
say people
probably think you're awesome now how
can they follow you how can
like if they want to learn more about
you where can they find stuff about you
i heard you might have been in one of
the tribe of hackers books i don't know
do you have a website
um so yeah definitely linkedin
twitter uh those are two things that i
actually use um um
i do i do mentor others
um so like i already yeah
i i don't i haven't i have it somewhere
else but yes
um and my chapter is the 30th
um so yeah twitter linkedin and don't
you
feel free to message me um if i don't
respond it's not that i don't want to
respond but maybe i just
opened the message on and a time that i
should not
you know and then i forgot to answer
your question but
feel free to thank me um i
i you know i make myself almost
available
for questions and i'm more than happy to
help
in any way i am going to spell out her
twitter handle so that people
can know it so it's t e o
o t a h y
s e n i but if you're gonna follow her
on
linkedin it's t e u
t a right and then space and then same
last name
h-s-h-h-y-s-e-n-i
so twitter handle's slightly different
than linkedin but she's the only one
with this spectacular name and someone
has also mentioned in the chat
if your appsec career doesn't pan out
tanya you could become her salesperson
because i like the book her twitter
handle like
i'm like i'm vanna white okay
thank you so much for coming on this
show it has been such a pleasure to have
you
and like it's nice to see you again
after working with you which was a total
and complete pleasure
and with that i am going to thank you
i am really yeah i am excited so we are
going to share all of this on our
website
and this episode's going to go out
shortly but for now i have to
i bid you farewell and then do the outro
fancy pantsness that i always do
so thank you so much for coming on the
show thank you for having me this was
great
you have been watching the we hack
purple podcast
where each week we introduce a different
member of the podcast community sorry of
the information security community
so that we can learn about what it's
like to do all their different jobs
we hack purple is a community an
online community a podcast and an
academy where we teach people all about
appsec
and i know we talked about appsec today
gosh there are a lot of jobs in that
area but all of it
and the goal of this podcast is to help
you figure out where you fit into our
industry because we need you we need
more people to join our industry
i'm not just saying that because i run a
school
all areas of information security need
you
i want to thank very much our guest oh
my gosh she was so awesome
and um i'm just i'm so excited to have
like a fellow appsec person on
uh i want to thank threadfix our amazing
sponsor powered
by denim group and i totally forgot to
introduce myself
i am ridiculous my name is tanya janca i
am also known as
she hacks purple on the internet and i
am
the best-selling author of alice and bob
learn application security but before i
let you go
i want to tell you about our coming
guests so every thursday except for
during the christmas break
we are having super awesome humans on
our show
so thursday december 3rd we're having
gabrielle
botbol so she is a leader for WoSEC she is
a penetration tester
she's a cyber security blogger she's a
podcaster and also she's totally awesome
the following week we're having shelly
giesbrecht which i know i'm saying
wrong she's also known as nerdiosity on
the internet and i've been following her
for years and i'm so excited to like
kind of get to one-on-one with her
instead of just awing at her from the
internet
and she's gonna talk about doing incident
response
and that is an intense job after that
we're having
mahidina afrin and we are going to talk
to her about what it's like to be a bug
bounty hunter and then we are taking a
christmas break
until next year in january we're having
nashua
lindsay and she's going to talk about
what it's like to be a forensic
investigator
because we want you to know what every
single type of job is like
so that we can have more people join our
field so again
i'm tanya janca our amazing guest today
was Teuta Hyseni and thank you so much for
listening
i hope you subscribe and write a review