We Hack Purple Podcast

We Hack Purple Podcast 15 with Teuta Hyseni

November 27, 2020 We Hack Purple! Season 1 Episode 15

In this episode our host Tanya Janca (also known as SheHacksPurple) talks to our guest Teuta Hyseni to learn what it's like to be an Application Security Engineer. We have an amazing conversation covering all aspects of her job and what it takes to get there!

This episode is sponsored by ThreadFix.

Buy Tanya's new book on Application Security: Alice and Bob Learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A safe place to learn and share your knowledge with other professionals in the field.

Subscribe to our newsletter here: https://newsletter.wehackpurple.com/
For corporate virtual training contact [email protected]


Welcome to the We Hack Purple podcast, where each week we meet a new guest from all sorts of different backgrounds within the information security industry. This week we have Teuta Hyseni, and we are going to talk to her about what it is like to do her amazing and very interesting job.

This week is sponsored by ThreadFix, and they are our longest-term sponsor, and I just want to say that we at We Hack Purple are so ridiculously grateful. I want to say happy Thanksgiving to all the awesome people in America who are, you know, eating delicious turkeys or tofurkeys or whatever it is that you are doing. I also want to let you all know that tomorrow is Black Friday, and We Hack Purple is doing a special deal where if you buy our bundle of Application Security Foundations courses, you get a 30-minute free consult with me. Yes, you get to hang out with this giant nerd. I don't know, I told them, I'm like, I don't know if this will sell more or less.

Anyway, without further ado, the person that you actually want to see, our guest Teuta Hyseni. Let's just bring her on, shall we? Okay, here she is. Yes!

Welcome!

Hi Tanya, you are so amazing. Yes, hi everyone. So my name is... and well, for most Americans, I'm Teuta Hyseni, and so yeah, I'm a security engineer at Microsoft, and I'm super happy to be actually with Tanya Janca today. It's Thanksgiving, and, you know, like, grab some turkey and listen to us.

Yes, we met when I worked at Microsoft, and if you meet awesome people I feel like you should just stay in contact with them. So that's what we did, and yeah, thank you so much for saying yes to being on the show. I'm, like, pretty excited to have you.

It's my privilege.

I have a surprise for you. So you happen to know the people at ThreadFix, and as a surprise for you they donated 1,000 in your name to Girls Who Code. Isn't that so amazing? We wanted to do something awesome for you, and they're like, we've been planning this for a while, and so I was like, this is super great.

Well, now I just get emotional, because ThreadFix and Denim Group has been like a company that I worked for the longest, and I think I learned so much. It's, yeah, well, thank you. Thank you Dan, thank you John, and whoever. I know that I will always be a friend, even though I have, you know, kind of been gone now for three years, but I know that I always have a friend there. And this is such an honor, and I don't know how to thank you. This is great, and it's actually a cause that I really care about, because I am really vocal in terms of, you know, educating women, especially girls from young ages, to actually code and be part of technology. So this is just awesome.

I know, I thought it was like the best idea. I was like, you guys are great.

Yeah, I don't know, this is so great. I cannot... I'm super, super excited.

I know, we wanted to make it a big surprise, and I was like, I'm just going to spring it on her at the beginning.

Yeah, well, just a virtual hug to everyone in the Denim Group, ThreadFix. It's just, this is great. I don't know how to express my gratitude more, and it's Thanksgiving, and just, like, this is so amazing. I don't know. Well, y'all got me. This is amazing, I don't know how to even be surprised.

It's so lovely, and I mean, the ThreadFix people are lovely to work with, and they happen to be hiring, so if you're looking for a job in application security you should check out their careers page. And I'm gonna have to, like, look it up at some point and put it in the chat so people can check it out.

Yes, so yeah, for those who are also interested to join application security, that's where everything actually started for me. So I got, you know, I got taught by the best in the industry, I'm just gonna say that.

Yes, yes, they are great, and we love our sponsor, and not only because they're a sponsor. Yeah, they're good.

They're very, very good. Okay, so now I'll actually start the podcast. So please tell us about your job title and describe what your job is like for us.

Yeah, I... this whole start is actually amazing. I'm, you know, I cannot stop laughing, but so my job title is security engineer. I work for Microsoft, I work for Office 365, and what I do is I'm more specialized in application security. Basically my day to day would be architectural reviews of new or existing features. I also do a lot of, you know, investigations and incident response, and then also a lot of education, because we have this, you know, culture that we want to educate our engineers, to empower them with the right tools, so then whenever they build features they already have the base; whenever they build something, it's built on a good base and foundation. So a lot of education. I do security champions, and then of course I'm also involved in legal, privacy, that's always fun, but my main kind of focus is on the application security side.

Cool.

What is it like, kind of like a day in the life of doing that? Like, what is your day-to-day? Are you in meetings all the time? Do you get to hang out with software developers? Are you coding?

So, all of that. I actually don't do a lot of coding, but my day-to-day, one thing that I love is that it's never the same. You know, you wake up and you get a lot of surprises, so it's one of those jobs that maybe you can plan forty percent of your, you know, quarter, but sixty percent, let's just say that it's gonna be always surprises. So every day is a surprise, and so, you know, you never work on the same thing. But just to, you know, kind of recap from a high level: I spend a lot of time with the engineering and product team, because as I said, one of the things that I do is threat modeling, and threat modeling from the design phase, which means that all security requirements are put in place before the feature is actually executed. And then of course a lot of chit-chatting, for example, oh, can we use this or can we use that? So a lot of consulting, even though it's an engineering job, but it's, you know, our job is to consult engineers in the best practices, the best possible outcomes that a feature can be implemented with. A lot. And it's interesting, my relationship with engineering and product is like a partnership, meaning that whenever we work, it's like we work towards the same goal. Their goal is to execute a feature, they want to make something easy and everything, and then we want that feature to be secure. So that's kind of like how I spend my day, is with engineering: a lot of meetings, a lot of discussion, a lot of, like, architectural reviews. And then of course sometimes there's, like, privacy and legal, and this is, I'm not necessarily a privacy engineer or manager, but it's there. I am like that glue that glues everything, and then, like, distribute whatever, whether a task or something, across, like, different teams. And then, as I said, education. So I initiated this program called security champions. I would organize, like, at least one per month, sometimes, a topic, and I will talk about, I am not sure, let's say cross-site scripting or something, and then that will help engineers to, you know, understand from basic to more, you know, convoluted things. And then also it's really important to keep updating, to keep up with what is going on in our industry, and so another thing is I also try to keep everyone kind of up to date with what are the trends and what we have to look for.

Okay, okay, cool. I am losing your picture for a second. The Zoom app window, plus I'm doing something wrong on the screen here, and I'm not sure what I've done, but it just got really confused about who it's supposed to be seeing. It's definitely supposed to be seeing you. Interesting. We are in the corner and we're really small, and I want us to be the full size. It's like we're really, really little, and I'm just, like, dragging us around the screen. Whatever, I'm going to ask you another question, and I'm going to figure out what it has decided to do in the meantime.

But so your job has a lot of different parts. There's, like, a lot, like you have to be able to be social, you have to have, like, a technical mind, you have to be able to explain really, really complex abstract concepts to lots of different people who are all super smart but all have different backgrounds. What types of personality traits do you feel like someone needs in order to be good at your job?

Definitely. So as a security engineer, I can at least compare with software engineer. So I was a software engineer before, but the difference is, with security engineer, you have to be really resilient, and you have to be able to deliver not-so-good news. It's interesting, as a software engineer you're all, like, flashing and, you know, showing off your features, and as a security engineer it's a little bit different. But you have to be able to deliver those particular news in a way that is digestible by everyone. So communication, really resilient, you have to have a strong personality, you have to be a really happy person, because, you know, the reason why you're working on what you're working on, you know, it drains you, so you have to have a lot of power, a lot of energy. And then of course curiosity, because if you think about, you know, just the technical skills, then you have to combine that with your personality, such as curiosity. You have to have that detective mind, you have to be able to think from a different perspective. Always when you look at something you have to switch lenses and think from, we have heard this, you know, hacker perspective, but it's actually like you have to be able to think through all the steps that a malicious user will do. But then that is, you know, it's draining, because you have to go down to that level. But it's interesting, because it also has to do with, you know, you have to understand the philosophy of different people, different backgrounds, different intents, interests. And also another thing is you have to also be able to understand your product: what are the weakest points, what are the most valuable things. So a lot of analysis goes beside technical skills. And definitely you have to be really resilient and be able to perform in practice whenever, like, if it's a daring situation. So definitely a lot. Yeah, it takes a lot of energy, a lot of... you have to be a positive person to be able to, you know, power through, because sometimes it gets, you know, hard, and when things get hard you have to be able to motivate yourself. So those are things, I would say.

Oh my gosh, I feel like... okay, so I do AppSec, so I'm very biased, so I think your job is the best of all the jobs in InfoSec. So what types of... I don't know if this question's sort of the same as the previous question, and so if it is you can tell me, but like in the last question it was, like, personality traits, like do you need a lot of leadership, do you need to be empathetic. But what about, like, you know, aptitudes, like a person that has hyper-focus or a person that has, like, great attention to detail? I don't know if there's certain aptitudes that make someone better at AppSec than someone else.

Yeah, so, you know, attention to detail is really important. I mean, it's what it is, you have to be laser-focused on things and analyze, like, small pieces, because those small pieces make a lot of difference. Be able to understand patterns, you know, not just patterns like in shapes, I'm talking about, like, patterns in terms of action. You have to be able to follow those things, because those are, like, pieces that make you a better, I would say, security engineer than others. Because, as I, you know, always say, technical skills is there, but you have to have that ability to recognize small changes. For example, when you analyze an application, not necessarily all the vulnerabilities, or, like, one vulnerability, will be, you know, flashing in your eye. Sometimes you have to piece things together. It's like, okay, so this and that and this one, these are gonna be combined together, it's gonna make this, you know, whole attack possible. So you have to think in those terms. So, you know, imagination, and, you know, as I said, thinking on the lower level as a malicious user, those that have bad intent. You have to be able to understand their background, their philosophy, and then act on those levels and then analyze your product. But definitely also piecing pieces together, attention to detail, small details.

In my experience, I think there is a story, like when I was, before, as a consultant, there are, like, cases where applications have been, like, assessed for ages, and they were like, oh, we feel really confident, you know, that this is, you know, it's just a routine or something. But it took only one small issue that I, you know, had, to be able to get to, you know, the god mode. So, you know, those little... oh my gosh, those are like what make the whole... I mean, as I said, vulnerabilities can be something that you can scan, and so there are technical vulnerabilities and there are logical vulnerabilities. Technical vulnerabilities are easier to catch, because, you know, they all have tools, you can automate some of the things, of course there's false positives, but still. Logical vulnerabilities are those more dangerous ones, because it's where the logic fell short, and that's where, you know, you have to be really, really able to understand your architecture and then know what are the gaps and fill those gaps, because those make a huge difference.

Do you... so, like, so I'm biased again for the 55th time, but do you feel that business logic security vulnerabilities, so like security flaws we could call them, are able to be found with automated tools super easily, or do you think we need security experts to find them?

So yeah, business flaws, or logic flaws, are something that you cannot explain to a scanner what to find, right? Whatever scanner you have, it's not going to be able to understand your business, and so that's where you have to have a security engineer, someone who has expertise in this field. Because, for example, when you think about product, you cannot, like, automate a product engineer, like a product program manager, you cannot automate his knowledge or her knowledge. It's the same, like you cannot automate security expertise when it comes to business logic, because those are, like, where... I don't want to say, like, less or more, but that's where, like, the expertise is mostly needed.

Yeah, I mean, I set you up to say the thing that I think.

So, I don't like my words, I right away understand, like, where are you trying to go.

No, but it's true, it's so true. So, like, a thing that people ask me about a lot with becoming an AppSec person, they're like... so sometimes people will ask me, do I need any technical skills to be an AppSec engineer? And I'm like, yeah. And they're like, which ones? And I'm like, oh. What types of technical skills do you feel that a person needs? Because you need a lot of, like, communication skills and social skills, but, like, you know so much. So what kinds of things?

Yeah, so, I, you know, I don't want to sound... but this is just my opinion again, but for me, so what helped me to be a good security engineer is my background as a software engineer. And the reason why I'm saying, I'm not talking about other engineering fields, but application security. You have to, you know, as I said, I spend most of my time trying to consult, to give advice, to do, like, okay, so here is a remediation plan and this is how you can solve it. You have to know... I don't spend time coding, but I have to be able to, you know, explain, okay, so here is this function, this is where we have the issue, and this is how we can fix it. So technical skills, not... I don't say, again, it depends on the company, and then there are some roles so you can actually spend time building tools, but at least from my perspective, currently I don't code a lot, but you have to be able to at least know one programming language. Not saying, you know, trying to code features, that is not necessarily required, but how would you give advice to an engineer when you don't have the background of engineering at all? So I mean, it's not that it's not doable, and there are so many, you know, nuances of different roles. You know, you have security... when we talk about security, it's not, like, just application security and infrastructure security, there are, like, different flavors that your skill set, you know, you can find yourself in. But for application security, it is best when you actually have at least one programming language, you can read the code. How would you recommend something else, you know, how would you find the issue?

So I agree 100%. If you could see the little picture of me beside you, I'm just, like, nodding vigorously the whole time. I want to suggest that everyone follow you on Twitter, so yeah, her Twitter handle is slightly different, and I'm going to spell it out for people, because you would think it would just be her first name and her last name, but it's slightly different. So it's T, E, O, O, T, A, H, Y, S, E, N, I. So just like at... or, you know, just twitter.com, and I have it on the screen right underneath. Oh, we have a question in the chat. Someone is saying, is there a specific language that you would recommend learning?

Okay, so, to answer this question correctly we need to go back and see, like, what are the trending languages, but at enterprise level mostly you have Java, C#, Ruby. These are, like, kind of the common tech that are used in bigger companies. But then you have Python. So whenever I said you have to know at least one language, it is you have to understand how a programming language works, and then once you're good with one language, even if it's slightly, like, if you switch to Python, or from Java to C#, or whatever, you will be able to read the code. That's, I think, like, that's what I think a minimum bar would be. But, you know, I would have to defer, the answer would be based on the trends, but the majority of companies use either JavaScript, Ruby, so those are other languages. Yeah, and then of course you can get more fancy, Golang and Scala and everything else, but those are, like, at least... it will take time to replace these languages. So, you know, I will give a decade, if not more, to be able to replace all these applications with, you know, these languages.

It is so true, it's so true. People are always asking me which language to learn, I'm like, just learn one that is not a thousand years old. So then, oh, so someone else is saying: so once you are proficient in a code, like two to five years, you could focus on AppSec in that code? I would say that no, you could focus on AppSec in any language. Like, you don't, like, learn just one and then work in just one. I would say, yeah, no.

So yeah, like, when I said one language, the reason why I said one language is just so you get the structure of programming, how it works, like data structures, and how a programming language works. And then once you have at least one language that you are proficient in, then it's easy for you to switch back and forth on different languages. So that's in the context, but you don't have to work in only one language. You know, never limit yourself if you can. You know, I am really big on learning, and, you know, if I would say, you know, I'm just going to limit myself, that is... yeah, you should not limit yourself. Always aspire to learn more.

I am agreeing with her 500%. And we are at the part of the podcast where I am going to thank our sponsor. So I want to thank ThreadFix, powered by Denim Group, because they are the most stupendous vulnerability management system this side of the galaxy. I told them I would say whatever they wanted, and I was like, oh my god, this is the best sentence I ever get to say, ever. And then I also want to briefly tell people about a book. So I wrote a book, it is called Alice and Bob Learn Application Security, and so I'm showing, like, a little picture of what the book looks like, and you can buy it from basically anywhere on the internet, because Wiley is awesome, like Indigo, Chapters, Amazon, all those places. And so if you want to learn lots of cool stuff about how to secure software specifically, or how to build an AppSec program, all of those things, that is the type of nerd I am, the type of nerd I guess we both are. And so, yeah, so I have now officially done my marketing. I am amazing.

Listen, Bob. So, yeah, and then for people, I actually followed Tanya and all her presentations. I would go and listen to her, and then so that's how I learned as well. So yeah, I would follow her on all the conferences.

I follow her too, just to be clear, we follow each other. She's also awesome and everyone needs to follow her, and then I'm gonna put her Twitter handle on the screen again. So I have so many questions. So let's say someone's like, okay, that sounds awesome, I want to work in AppSec. What types of training or work experience could they get or do or pursue so they could try to become an AppSec professional? Like, what types of things could they do, like whether it be, like, getting specific work experience, getting specific training? You totally can recommend things that do not come from my company, just to be clear. This is not a trick question where I'm like, you can only say me.

Well, so one thing is, of course, because as I said I followed you, like, even before you opened your company, so I know your level of knowledge and level of expertise. So I myself, how I got to application security is I did a lot of hands-on projects. OWASP is my favorite, I still go there to read things, because I think that I always will need to, because there's always new things you can try, you know, your knowledge. You know, download Kali Linux and, you know, work on all the tools. But in terms of experience, I am again a little bit like, I don't want to, you know, be siding, but I would say work, if you want to start. So if you wanna... the best way to learn for me, and this is how I learn, is by doing it. And so I would say if you want, you can start at the very beginning with some software engineering work, just so you get used to programming and everything, but that is not a necessary requirement. And then for me, I just learned everywhere, like whatever I could, like all the sources that you have in the US. I think you're a great start, that's it. And then, you know, you can read books, you can take classes, there are online classes for free now. I, you know, I am amazed at the amount of knowledge we have compared to, like, a decade ago. So definitely for me, I would recommend, you know, and this is based on my experience and based on how I got to learn, is by just going off of different YouTube videos, you may know, like, even that helps. So, and definitely, you know, Tanya's classes.

Yes, I agree, my classes are awesome. We Hack Purple courses, you should definitely check them out. If you want to be an AppSec engineer, that is obviously the first place to start. But I actually agree with all of your advice, especially OWASP, and especially, like, trying things out for yourself, building things, learning to secure them, like trying to kind of hack on them and break them and then seeing how you can make them stronger. It's, like, such a good way to learn. I want to add to your list the OWASP DevSlop project, like, specifically, like, it's a really... so I'm biased because I'm part of this open source project, but basically, like, we just wanted to learn about DevSecOps, so I'm like, let's smash [ __ ], let's make a pipeline, let's add things, and, like, let's invite cool people who know stuff and make things with them. And it just, like, try... I couldn't agree more with you, all the things you said, so good.

We have a question in the chat, so the question is: are people skills or soft skills underestimated or underrated or underrepresented in AppSec or cyber security in general, do you think? I realize that I added a lot of words there.

Yeah, I would say no, actually. So, as I said, at least, you know, as an application security engineer, even as an AppSec consultant before, the number one thing that you do is communicate with people, and you have to be able to, you know, elaborate things. And then also, in part of the partnership, you know, you have to have the empathy, you know, towards engineering, towards the product team, because everyone, you know, is kind of trying to do their best, right? So people skills actually are really important as a security engineer, because you don't want to be that security team or engineer that people will hide from you, or like...

Right, or hide, or not just physically hide but hide their stuff, you know, hide their... not trust you, not trust things with your knowledge.

Exactly, so then they can find a way to bypass you as much as possible, because that's where, like, then, you know, it's not good. And so, like, you have to be able to, you know, you have to cultivate your people skills, you know. I would say not like... but it's, you know, it's one of the aspects that sets you up for success.

Yeah, I think that the way you said it was so perfect, like don't be the security person that the devs hide from. This is so true, it's so true. So someone is saying basically that they agree with you: you have to have empathy, you have to have understanding, everyone is trying their best, you don't want to be that security engineer that people hide from. So I think they're 100 percent agreeing with you in the chat. So the next question is, like, ever so slightly sensitive. So, does working in AppSec, in your type of job and your field, does it pay well?

Well, I would say, like, pay me a billion dollars, never enough. No, I would say that it actually is a well-paying job, and it is because, for example, let's just say, you know, I'm going back a little bit in history, and how security has become the number one problem for, not non-CEOs but CEOs. So it is something that is, especially, like, given the pandemic and everything, like more things becoming online or remote or whatever you want to call it. It is, well, it pays well because of the level of stress you have, of course, and the level of expectations from security. When security is good, everything is quiet, you know, when there is no problem. When, you know, I would say, like, if you want to know that you're doing good, it's when nothing happens, you know, it's like everything's still. So, you know, that's that, the level of stress, and, you know, all those kind of different flavors of skill set that I've mentioned, that are needed to actually have a well-formed engineer, are, you know, generously paid from different companies.

So, a way that we have... so inadvertently on the first episode I talked about when I was a dev and the first time I felt like I've made it, I am an adult, I am making good money. I had gone to the grocery store and there's, like, two different types of cheese, and I was like, both these types of cheese look super delicious, and then I realized I made enough money, I could get both cheeses. I'm like, I could get anything I want in the grocery store. So someone in the chat who watches every week is like, I demand to know the cheese pay. So can she buy all the cheese she wants?

 i actually am a fan of cheese once i 

 realized he said i can't buy mozzarella 

 cheese with that 

 as much mozzarella as she wants does 

 someone wants to say hi to you in the 

 chat 

 efren sures 

 says hi good to see you ah 

 efrain right yep yay um 

 okay so i know him hi everyone 

 awesome so 

 my next question is are there a lot of 

 opportunities in this field 

 do you think there's jobs yeah 

Yeah, definitely. Actually, if you're interested, let me know. I get reached out to by a lot of recruiters, so based on that I would say there are a lot of opportunities, and this demand is not going to decrease anytime soon, given the ratio of application... well, it's not application, but given the ratio of day-to-day things that we're making, or we are empowering or powering with applications, it's just exponentially growing. I don't think that it's going to be shorted, I mean short as in opportunities; actually it's just going to be short, maybe, short as in demand, I mean in supply, which would be like engineering.

Yeah, definitely, it's good. I mean, it is interesting. If you know, I have a philosophy, it's kind of... when you think about it, it's kind of sad, right, because you have, you know, the number of... you know what your purpose is to defend, so that's kind of the... but anyway. Yeah, like, I tell people that if you want to be a good AppSec engineer, you're trying your damnedest to put yourself out of a job. You want to make everything self-service, you want to teach the devs every single thing they need to know, you want to have every single thing set up so that all the magical things work and, like, nothing bad happens, and you're like, I can relax. Which you never can, but, like, that's the goal, right?


Wait, was that a movie? You're like, that's not real, Tanya, good luck.

Yeah, no, I wish that was the case, but that's actually, like, what we constantly strive for. We want... so we want to automate things that can be automated, so then we focus, actually, more and more on things that matter, and that require mental power and, you know, analysis that... you know, still, computers do whatever we say, you know, what we teach them or how we feed them. So definitely that is like constant; we constantly work on trying to automate things that can be automated, and then, you know, so then we free ourselves to do things cooler than everything.

That's so true, it's so true. It's like we automate so then we can do the super cool tasks. I tell that to people and, like, they're like, really? Yeah, there are cooler tasks than run... like, the first time, I don't know about you, but the first time I ran a scan I was like, I am amazing. But then the tenth time I ran a scan I'm like, okay, so while that's running, what can I do that's way better?

Exactly. Yeah, definitely, the things that can be automated, we always try to do that so we do cool stuff. I mean, no one wants to run schedules every day, right?

Yeah. So okay, so the next question is... so it's a two-parter. So the first question, or part of the question, is what do you like best about your job and your work, and the second question, which you already probably could see coming, is what do you like the least about your job and your work?

Yeah.

So should I be the person with the good news first? I will say the first, the good part, you know, and then... So the good part, what I love about my job, is the mission. I don't know how to explain how... so whenever I moved to security, I did not understand, really, the implication, the altitude, and how impactful security is, until I moved to it. So we, as a tech industry, we build up so many tools, which is great, we want humans to have more time, but we are also responsible, really responsible, to make sure that those tools are not hurting. And when I say hurting: because when people say it's a virtual world, no, actually everything that now is tied to an application actually is impacting my life, and that's not virtual at all, it's actually real time, right now. If someone does something to my account, it's not a virtual world, actually it's my bank account and my money and my sweat and my tears. So, you know, those are things. So, given the fact that we are trying to digital... digital... digitalize everything (because I got so emotional), given the fact that we are doing, you know, we're putting everything on, powered by application, we are responsible to actually protect those who can't protect. So the thing that I love about my job is that I know that I'm doing something good. So I'm trying, and I'm protecting those who can't, because not everyone, you know, is technically savvy. And so my mission, it's like a life mission, it's like I'm protecting those who can't, and that's, like, what makes my life in my job really easy. I know that it gets hard, and, you know, rusty and everything, and dry, and sometimes it's like, ah, should I do some more security or should I switch to something else? But no, what makes it really easy is the mission. And so that's what I love about my job.

Sadly, the bad side, and I'll go back to the flip side: what makes it hard is it's draining. It drains your energy, and it sucks your happiness sometimes, you know, because knowing that there are that many malicious people... that's, like, something that I, you know, it drains, mom, you know, which I don't really like. But other than that, it's something that I really enjoy, and I do it every morning. It's like, okay, but I just go behind my mission, and that's it.

Awesome, I love it. I agree so much. I feel like I'm just nodding a lot, so if anyone is listening and they're like, why is Tanya so quiet? She's just nodding vigorously.

And also I wanted to mention: so if someone is watching this episode and they're enjoying it, they should click the thumbs up, they should subscribe, they should follow We Hack Purple and our amazing guest on YouTube, or on Twitter. So I'm gonna put, like, her Twitter handle up again and try to convince people again to follow you, because I've been flashing it all day. And then I feel like people should subscribe: if it's an audio version that you're listening to, you should subscribe to that, but also write us a review. Did you know that we subscribe to bribery? Yes, that's right. If you review our podcast and you send us a screenshot on Twitter, we will mail you stickers. Yes, that's right, we are buying our reviews with stickers. It doesn't matter what your review says, we will send... I hope it's a nice review.

Yeah, I actually, you know, I still have a handful of stickers from Tanya. The, what was it, raccoon, was it?

Yeah, raccoon doing all the cool stuff, teaching the devs security, security's everybody's job, flashing the OWASP symbol.

Oh yeah, that raccoon is cute. We have new stickers now, which obviously I should have one handy, but I do not.

There's a question from the chat that I wanted to ask you before we wrap up, because I know we're sort of running out of time, but that's okay. Someone was asking, do you have any tips for teaching devs and, like, reaching devs? So if you're trying to, like, reach out to developers and teach them about security, like, how do you reach them?

Yes. So it is challenging, but so how I go about it: you cannot teach someone who doesn't want to be taught, right? So the first thing that I've done is asked for volunteers, those engineers who... so, for example, the security champions is across all the teams, at least one engineer per team. The first thing that I have done is ask people around who are interested to learn about security, because, I mean, there are engineers who are not interested, it's fine, but there are engineers who actually care about, you know, their features and they want to know, they want to stay updated on, you know, all the security matters. And so the first thing that I will suggest is: see who is interested already a little bit in, not switching your job, you know, saying, but there are engineers who are interested in security, because, you know, when a person wants to learn, that's easy; half of your... half of their job is done, because they already have their willingness, and they are paying attention whenever you say something or when you're presenting something. The attention is already there, because it's naturally there, you're not pushing.

Of course there are, like, all other methodologies, because engineering is kind of tricky sometimes. I also gamify things, you know, make it interesting. Appreciation goes a long way. When I say, for example, when an engineer does something that is, you know, it's not out of the way, but it's a good practice, and they already, without someone pointing, have done something from a security perspective, appreciation, you know, goes a long way. Everyone wants to be appreciated, so I try to do that as well. So those are similar techniques that I've used, and there are really interesting ones that work. I'm not saying, like, a hundred percent, it's not bulletproof, but those are some of the tips, I would say. Start there, and then, you know, there are all the teaching techniques, but those are successful as well.

Cool. So let's say someone is listening and they think, oh my gosh, this is the coolest thing ever, I want to work in AppSec. Do you have some actionable advice of things they could do to move towards this as a goal? Like, if they want to work in AppSec, besides saying hi to recruiters, but, like, before that, let's say I'm a software engineer or I work in help desk, like, what are things I could do so I could aim there?

Yes. So, hey, just switch like I did, I just switched.

That's hard. It's just like, I was like, okay.

No, that's not bad. So if you are already working, I think, you know, if you want to switch to security engineering, you have to, first of all, reach out to the engineering team in your company and just, you know, see what they're doing and if that is something of your interest. Secondly, don't switch your job right away, because, you know... I mean, I don't know, but I loved it so much I just was like, this is it. But try to kind of test drive, you know, work on... like, if you can partner with some security engineer and then shadow them, so then you can see, kind of first hand, how things work and what are the things that the security engineer is doing. And then in terms of switching completely, you know, the kind of gear, from help desk to application security, it's not that you can... it's as I said, I mean, education, you know, a degree, doesn't set you for what you want to do. A professional, like, computer science degree will not dictate whether you're going to be a good engineer or not. There are so many free learning... as I said, hands-on for me. I mean, I don't know, like, you have to understand your learning patterns, how you learn, because, you know, again, just from my perspective: start hands-on projects. First start reading about application security and then start, like, hands-on projects, see how you work, like, what is the synergy with that, you know, type of work. And then slowly, like... now it's pandemic, but there are so many conferences, right, even now, so many conferences that you can attend, that exposes you: one, networking, you know more people in that field; two, of course, knowledge; and then at those conferences there are also recruiters. So that is, like, some of the things you can do to, you know, plan kind of your switch and your next move.

This is awesome advice. So we have come to the end, and I have to ask you the super difficult, tough question, which is: okay, so let's say people probably think you're awesome now. How can they follow you? Like, if they want to learn more about you, where can they find stuff about you? I heard you might have been in one of the Tribe of Hackers books, I don't know. Do you have a website?

So yeah, definitely LinkedIn, Twitter, those are two things that I actually use. I do mentor others. So, like, I already... yeah, I don't... I haven't... I have it somewhere else, but yes. And my chapter is the 30th. So yeah, Twitter, LinkedIn, and feel free to message me. If I don't respond, it's not that I don't want to respond, but maybe I just opened the message at a time that I should not, you know, and then I forgot to answer your question. But feel free to thank me. I make myself almost available for questions, and I'm more than happy to help in any way.

I am going to spell out her Twitter handle so that people can know it, so it's T-E-O-O-T-A-H-Y-S-E-N-I, but if you're gonna follow her on LinkedIn it's T-E-U-T-A, right, and then space and then the same last name, H-S-H-H-Y-S-E-N-I. So the Twitter handle's slightly different than LinkedIn, but she's the only one with this spectacular name. And someone has also mentioned in the chat, if your AppSec career doesn't pan out, Tanya, you could become her salesperson, because I, like, the book... her Twitter handle, like, I'm like, I'm Vanna White. Okay.

Thank you so much for coming on this show. It has been such a pleasure to have you, and, like, it's nice to see you again after working with you, which was a total and complete pleasure. And with that I am going to thank you. I am really... yeah, I am excited. So we are going to share all of this on our website, and this episode's going to go out shortly, but for now I have to... I bid you farewell and then do the outro fancy-pantsness that I always do. So thank you so much for coming on the show.

Thank you for having me, this was great.

You have been watching the We Hack Purple podcast, where each week we introduce a different member of the podcast community, sorry, of the information security community, so that we can learn about what it's like to do all their different jobs. We Hack Purple is a community, an online community, a podcast and an academy where we teach people all about AppSec. And I know we talked about AppSec today, gosh, there are a lot of jobs in that area, but all of it. And the goal of this podcast is to help you figure out where you fit into our industry, because we need you, we need more people to join our industry. I'm not just saying that because I run a school; all areas of information security need you.

I want to thank very much our guest. Oh my gosh, she was so awesome, and I'm just so excited to have, like, a fellow AppSec person on. I want to thank ThreadFix, our amazing sponsor, powered by Denim Group. And I totally forgot to introduce myself, I am ridiculous. My name is Tanya Janca, I am also known as SheHacksPurple on the internet, and I am the best-selling author of Alice and Bob Learn Application Security.

But before I let you go, I want to tell you about our coming guests. So every Thursday, except for during the Christmas break, we are having super awesome humans on our show. So Thursday, December 3rd, we're having Gabrielle Botbol. So she is a leader for WoSEC, she is a penetration tester, she's a cyber security blogger, she's a podcaster, and also she's totally awesome. The following week we're having Shelley Giesbrecht, which I know I'm saying wrong. She's also known as Nerdiosity on the internet, and I've been following her for years, and I'm so excited to, like, kind of get to one-on-one with her instead of just awing at her from the internet. And she's gonna talk about doing incident response, and that is an intense job. After that we're having Mahidina Afrin, and we are going to talk to her about what it's like to be a bug bounty hunter. And then we are taking a Christmas break until next year. In January we're having Nashua Lindsay, and she's going to talk about what it's like to be a forensic investigator. Because we want you to know what every single type of job is like, so that we can have more people join our field.

So again, I'm Tanya Janca. Our amazing guest today was Teuta Hyseni, and thank you so much for listening. I hope you subscribe and write a review.