Advocating OWASP, Securing Elections, and Standing Your Ground

June 3, 2019 • Zane Pokorny

Our guest today is Tanya Janca. She’s a senior cloud advocate at Microsoft, where she specializes in application security. She’s a popular speaker at security conferences around the world, evangelizing software security and advocating for developers. And she’s a leader in the Open Web Application Security Project (OWASP) community, as well as an advocate and mentor for underrepresented communities in the security industry.

She discusses her journey from software developer to security practitioner, how “security is everybody’s job” and why that makes strong communication between teams so important, and the need for diversity in the IT industry today.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 110 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Tanya Janca. She’s a senior cloud advocate at Microsoft, where she specializes in application security. She’s a popular speaker at security conferences around the world, evangelizing software security and advocating for developers, and she’s a leader in the Open Web Application Security Project community, that’s OWASP, as well as an advocate and mentor for underrepresented communities in the security industry.

She discusses her journey from software developer to security practitioner, how “security is everybody’s job” and why that makes strong communication between teams so important, and the need for diversity in the IT industry today. Stay with us.

Tanya Janca:

I have been coding since, I guess, I was 16, and very quickly, I started in IT and decided I wanted to be a software developer forever. Then after around 16 years of basically mostly doing software development, but with little stints as sysadmin, or network admin, or things like that, I ended up meeting an ethical hacker who kept telling me, “You really need to join security. You’d be really good.” And I said, “No, there’s nothing better than software development.” I just never wanted to do anything else, ever. The exact job description is you make something out of nothing every day, and all you do is sit at your desk and crunch problems with your brain. I’m like, “This is the best,” and he’s like, “No, hacking’s even better.”

So he kept coming into my office, and doing little presentations for us, because I ran this lunch-and-learn. Then, unbeknownst to me, he introduced me to someone else, who introduced me to someone else, and I ended up inviting almost every single ethical hacker in Ottawa to come to my … To speak to my little 12-person dev team. And they all told me later, they were like, “You were just so excited about it. It was just so fun to go in.” A lot of them usually charge money, but they were like, “You were just so excited. It was just so cute how enthusiastic you were.”

So then I joined OWASP, and started being one of the chapter leaders, and then I was his apprentice. Then, I moved on from him to more advanced mentors, and then I’m actually now moving on again to even new mentors. One of my new mentors hacks Blockchains.

Dave Bittner:

Now, what is OWASP, for folks who might not be familiar with it?

Tanya Janca:

Oh my gosh, besides it being my favorite thing, it’s the Open Web Application Security Project. It is an international community with I think around 275 chapters around the world. We have meetups. All of them are free, and we just teach about security. In Ottawa this week, we’re having our capture the flag contest that we have once a year, and we also have projects. I have an OWASP project, and then we have conferences around the world, all with the goal of trying to teach people how to make more secure software, and since that’s my favorite area, they’re my favorite people.

Dave Bittner:

Now, was it a process of being slowly won over, or was there a moment when the light bulb went off, when you said, “Oh yeah, this security side is for me?”

Tanya Janca:

Well, he did an SQL injection against one of our apps, or an app that looked just like one of our apps. I said, “Well I need to know how you did that, and then I need to know how to defend against that.” And then I got put in charge of all the security things, and became the developer. Unbeknownst to me, I guess I became the security champion, and then I moved on from there, and I led this giant effort to rewrite all the software that runs the Canadian elections. And I not only was leading the software developers, but then I took on the liaison between the security team, and we hired a bunch of ethical hackers, and code reviewers, and all these people to come in and I sat personally … I would make sure everything was fixed, and that we were doing a good job.

Then I joined the security team, and then I very quickly got promoted to CISO, and I ran all the security for the Canadian election in 2015. I responded to incidents, and did media, all the things. I was just like, “Okay, I’m in now. You can’t get rid of me.”

Dave Bittner:

It sounds like you found your people.

Tanya Janca:

Yeah, I just feel like it’s such noble work, if that makes sense, to protect and help others. And then it’s exciting, and it’s interesting, and it’s all sorts of completely new problems that I haven’t seen before.

Dave Bittner:

Take us through. What were some of the specific challenges you faced with the elections?

Tanya Janca:

We had security incidents, and we were not in the newspaper, so that means they went well. I can’t tell you about the details, obviously.

One of the things about Elections Canada is that, because … I don’t know if you know about the Canadian election system, but it’s sort of similar to the American election system, so every four years, minimum, we have an election. But in Canada, if the prime minister is elected with something called a minority government, then that means that there’s certain types of votes that happen in our parliament, and if they don’t win, they get kicked out, and we have to have another election.

Usually, it’s between nine months, a year-and-a-half, a maximum of two years. They always just get kicked out all the time. So if there’s a minority government, they have lots of staff, because at any moment there could be an election, but if it’s a majority government, everyone loses their job.

So on election night, you know, everything went surprisingly smoothly from a security standpoint. It went perfect. But at 9:00 PM, we realized that a majority government was coming in, and I looked at my staff and I’m like, “We all just lost our jobs.” And that’s hard, right? Because then I had to keep motivating them for a few more weeks while they cleaned everything up before they got rid of all of us.

And each time, they basically have a brand new security team running everything, so they have a completely different CISO now, and I mean, he got to have three-and-a-half years to prepare, so I’m sure he’s going to do a great job, but oh my gosh. Imagine just completely obliterating your security team every year or two and starting over every single time. It’s just … Whoa.

Dave Bittner:

Is there any opportunity for transition? Were you able to, you know, leave behind a set of notes or guidance for the next person?

Tanya Janca:

I did, because I … To say the least, I’m anal retentive, and I obsessively plan for the future, which is for … That’s why I got elected, or chosen to be the CISO, because I wasn’t supposed to be. They just put me in charge for a few weeks, and I just transformed everything to my anal retentive way, and they were like, “You’re it.” They told me on the third day, apparently, they had decided, but they waited until the end of the month to tell me. So, I built out a four-year plan of action, of how to mitigate four out of the five types of incidents that we had completely, then the fifth type.

There’s certain things, you know? You can’t just say, “Public, if you could just stop doing anything wrong ever. If no one could attack us, that would be great.” That’s unrealistic, but for instance, after the election, they allowed me to roll out a formalized AppSec program, based on, “This is how much our incidents cost. This is how we could have fixed them.” We did a secure coding guideline, which was my first one ever, which quite frankly, now that I know more, was pretty crappy and not that great. I’m much better. I released a complete new one for free on my blog this month, and it’s the fourth one I’ve written, and I think it’s pretty good.

Dave Bittner:

If you do say so yourself.

Tanya Janca:

If I do say so myself. I would tell you that my mom liked it, but honestly, she didn’t read it.

Dave Bittner:

Oh. Well. It’s all right.

Tanya Janca:

But yeah, so we did a secure coding guideline, and we did training, and we did specialized training for every area of IT, and for C-level executives, and things like that, because each one of them has different concerns, and meeting with the sysadmins, or just even meeting with help desk, they were like, “Thank God you finally told us what to do. Now we know how to handle this.” We met with lots of different developers, and gave them a whole bunch of different training and tools.

I remember I was talking to one of my bosses once, and I’m like, “Oh, I got an email. I’ll be right back,” and then I run over to the developer area, and then I high five this guy and then I ran back. He’s like, “What the hell are you doing?” I’m like, “He just beat the tool. He just got past the tool with nothing, and he gets a high five. That’s the deal. I can’t break the deal.” He’s just like, “You’re so weird, but it’s working. Just keep doing it.”

Dave Bittner:

Right, right. Yeah, it sounds like you’re a force to be reckoned with.

Tanya Janca:

I try to just be fun. I try to treat people how I want to be treated, and I was a developer a lot longer than a security person, and honestly I was on their dev team before I switched to the security team, and I remember a year before I joined the team, I am usually very polite, but they had done this thing, which I won’t explain, but it disabled my team drastically, and we were recruiting someone, and the person quit before they started because of the changes that they had made, that they had not given us a heads up about, and I walked up, and I was like, “Fuck you.”

And they looked at me, and I was just like, “You did this. You said you were doing this, and now you’ve done that,” and it was going to result in an amount of work that was just unfathomable for us. I’m like, “You have made me look awful for my entire team. Do you know how hard it is? To try to get a team to go up this giant mountain that we’re going up, and we have this crazy deadline that’s not moving, and then you just put a giant barrier in front of us, and it’s just so unacceptable, and I just can’t believe you went and did that and didn’t even tell me so I could talk with them first.” I’m like, “What you’ve done is wrong, and I am so pissed, so don’t come over and ask for favors from me.”

Then I walked off, but then I was on their team a few months later. They were like, “You’re the only person that tells us the truth.” They’re like, “Everyone talks behind our back. No one comes up and tells us,” and we made up, and I’m actually still friends with all of them, but I’ve never gone up and said that to someone in my career. I was like, “I can’t believe you just didn’t have any empathy or think at all, yeah, maybe they all want to come into the office, and work all night every night until the election. Maybe that’s cool.” It’s not cool.

Dave Bittner:

Yeah. Yeah. But I mean, there’s a certain degree of, well if nothing else, fearlessness, to make that move. I guess that sort of approach wouldn’t be for everyone, but it seemed like it worked out for you.

Tanya Janca:

I don’t advise telling people to F off, just for the record. I really always try hard to only use that word against my computer, or in jokes, or songs.

Dave Bittner:

Okay. All right. Very good. Fair enough. I want to shift and talk about a keynote that you gave recently. This was at BSides, and you were touching on this notion that security is everybody’s job. Can you take us through? What were you getting at there?

Tanya Janca:

Absolutely. My keynote at BSides Vancouver is amazing. It’s called “Security is Everybody’s Job,” and my boss at Canada Revenue Agency, a few years ago, taught me that. Her name was Tanya, and my name is Tanya, and she would do this arm pump fist thing. She’d be like, “Because, Tanya, security’s everybody’s job,” and she’d move her arm in this swing, and I’m like, “Oh, you have me again.”

And I remember telling developers, you know, “It’s your job to do your job as securely as you know how, just like it’s your job to lock the door, or lock the till if you work somewhere where there’s money, and follow the general security rules. It’s the same as a developer. It’s your job to secure code as securely as you know how to, and ask for help when you need it.”

I know every security team is different, but it’s our job as security people to enable developers, and ops folks, and the business, and everyone else that we serve to do their jobs securely. If that means doing a code review, or sending them code samples, or whatever. Whatever we can do to support them. Our job doesn’t exist if they don’t have their jobs, and if there’s no business, because we got in the way of production code being released, and we added a new tool that brought us down for the fifth time without working with other teams, and then we lose tons of sales, we are not enabling.

I think sometimes, security people view themselves as a great big gate that everyone has to work really hard to get past or they don’t get to go to prod, but it’s in our interest to have everyone get to prod in a secure state, because if they don’t get to prod, we don’t have a business, we go out of business, and then there is no security team. That’s the thesis, and then I explain what DevOps is. I love the DevOps Handbook, and I love The Phoenix Project, and Accelerate, that series of books, I just can’t recommend enough.

So I explain their idea of what DevOps is, which is my idea of what DevOps is. Then I explained how we can weave security through that, so “Security is Everybody’s Job” is a couple of things the security team can do, but it’s mostly aimed at developers and operations folk, and it’s several ideas of what we can fit into the three ways.

The first way is making sure the entire process is really fast. Well, how can security people make sure we do security, but fast? Then, the second way is feedback. We want to make sure we have feedback the whole way through. The reason why a lot of waterfall projects would fail is because we’d work on it for a year and then ask, “Are we on the right track?” But with DevOps, you want feedback regularly, you want the right feedback, and you want it as soon as you could possibly get it. You don’t want to do a threat model after it’s released into prod. You’d ideally like to do a threat model during the design phase. So I talk about different activities you can do to make sure people get fast feedback. Then the third way is continuous learning. It’s how you can do culture change, and different ways and opportunities of when you can teach.

There’s all sorts of different things that I’ve learned from really awesome people I’ve met on my journeys, about how we can do security better from a learning perspective, and different situations where it’s good to learn about security. An example is elections. We had an incident. After I was the CISO and the election was over, someone else became the CISO for four months while we rested. They actually rest the staff, because there’s so much work that goes into the election for so long.

They just make you chill out and do not very much for the next few weeks so that people don’t burn out. So you do a gentle postmortem, like cleanup, but the idea is on purpose, to try to rest the staff. Someone else was manager during that time, and we had an incident, and he decided to do a talk for the software developers where he went inside-out with this incident and what had happened.

At the time, I thought it was an awful idea. I was like, “What are you doing airing our dirty laundry?” But he was so smart, because all of the … I didn’t want to share. I’d rather just teach them the things I want them to know about security, and teach them the things we have the most problems with, but there was this one team that never wanted to go to any of the training, and was really resistant.

So he held this session, and specifically invited them, and he was like, “I’m going to show you all the dirty laundry.” And afterwards, they said, “We’re interested now, Tanya. We see how this is a priority. We didn’t see before. We actually do all the things he showed us that caused this incident. We had no idea that this could happen, and we want to be the solution.” And they were 10,000 percent on board after that.

Dave Bittner:

So it really grounded them.

Tanya Janca:

Yes. Yes. And before, not that they were disrespectful at all. They were just like, “Tanya, we have a lot of crap to do, and we don’t have time for this crap.”

After this, it really shocked them, and it was, in my opinion, our most scary incident that we had, and we ended up doing a great job of managing it. Everything turned out okay. But you know, it had the potential to be very bad if we hadn’t caught it in time, and all of that. So, I was very uncomfortable. I’m still uncomfortable with him sharing that information, but he did, and it was fine, and it did the exact thing he was hoping it would do, and he is a smart dude, and he taught me a great lesson that day.

I guess I have a lot of pride, and I try really hard to check that at the door when I go to work, because I want to be perfect, and everyone has their issues, and it’s hard for me to admit a giant mistake like that, but he’s taught me that that’s the best time to learn, so from then on I try to get managers to agree that we could share information, as long as the incident was 100 percent closed, and there was no … You know, we have no personal information obviously, and no sensitive secrets being released, but show them the real things that can happen.

And I started using proof of concepts to explain things to developers. They don’t want to use security headers. I’m like, “Security headers are … You know, you really need them, and here’s why,” and they’re like, “We don’t have time for your crap, Tanya,” and I know.

And it’s not in a disrespectful way, but they’re a developer. They have about 500 things in the backlog, and they only have time for 100. Why are they going to choose my thing?

So I sent them this email. I’m like, “Click on this link. You’ve won an iPod.” And they respond like, “Tanya, we know this is from you.” I’m like, “I know, but click on the link. We have 20,000 employees, and one of them’s going to click on it for sure.” So they click on it, and they’re like, “Wow, that looks just like our website.” I’m like, “It is,” and they were like, “Oh, well, you know this thing where you’re stealing the credentials, it’s bright yellow. Anyone would catch onto this.” I’m like, “It’s yellow so you can see it. Usually it’s see-through.” Then they’re like, “How do we do these security headers again? Because we need them on every page now.”

Dave Bittner:

Right. Do I have your attention now?

Tanya Janca:

Yeah, and then boom, next release, security headers.

And they’re like, “How can we do it perfectly? How can we make sure we have complete coverage?” They were all over it once they saw. They were like, “Oh, it’s not a big deal, because of this.” I’m like, “No, it is a big deal.” It wasn’t a, “I want to rub your nose in it” type of thing. I was like, “Do you see why I’m so worried?” And they were like, “Okay, we see now. Let’s do it.”

Dave Bittner:

Yeah. I want to switch gears with you for a little bit, and get your take on threat intelligence. That’s one of the main topics we discuss here. I’m curious, from your point of view, how does it fit into a company’s security posture?

Tanya Janca:

Well, I don’t generally do enterprise security. I know the regular threat monitoring isn’t really the area that people would mostly task me with. But, the Canadian government, just like the American government, just like all of the Five Eyes countries, have a search, a cyber … I don’t know what it stands for, response whatever. They send out informational messages. The government actually has its own threat intelligence, that has many sources as well as their own researchers.

So we would receive that every day, and they’d be like, “Did you get this? Did you address it yet?” Which was really helpful. A bunch of AppSec … They would send the AppSec stuff, like “You know, there’s this new Struts vulnerability. There’s this. There’s that. We heard you use Struts. What’s up? What’s your plan? Do you need help? We want this done.” It was really, really helpful, and I don’t know how we would’ve stayed on top of things without it.

Another thing in regards to threat intelligence is threat intelligence isn’t just a formalized feed that you buy from a company. Those are awesome for sure. I don’t know what I would’ve done in the Canadian government if I did not have that GC cert threat feed, but there’s just so much more than that, and sometimes you can get it faster by watching Twitter than you can from a threat feed.

Dave Bittner:

Interesting.

Tanya Janca:

Keep all your options open.

Dave Bittner:

Yeah. Well, I want to wrap up with you. I want to be respectful of your time, but before we go, I do want to hit on something that I know is very important to you, and that’s being able to recruit folks from a diverse pool of people. Why is that important to you?

Tanya Janca:

Oh, it’s important to me because I’m part of that group.

I’ve been a woman a long time, and it’s since …

Dave Bittner:

Practically your whole life.

Tanya Janca:

Yeah, exactly. Ever since I’ve been an adult, so at the moment I was legal, I started working in IT, that moment. So I’ve worked in IT … in August, it will make 22 years. Yeah, and there’s been so many silly things in my career. And I’m one of those people, it’s like, oh, I guess that person has a problem, or you know, like getting promoted late, or knowing that I get paid less than my colleagues, or knowing even once I found out someone who I was their boss, and they made more money than me. These things aren’t a thing that would stop me, if that makes sense. I’m like, “I’m going to go smash skulls.”

But, I was in hardcore bands, and punk rock bands, and a lot of other things throughout my life too, which are a lot more difficult for women to work in, so in IT, I would take that punk rock attitude in with me, so I have this, “You know, you want to be inappropriate with me, well I’m going to times it by five and bring that back to you. If that’s what you want, let’s do this.”

But that is not always a great plan, and that, I don’t think is a … You shouldn’t have to be bulletproof to work in IT. You shouldn’t have to be really, really tough. You should be able to be a sensitive human being. If we don’t adjust the way that IT, and specifically cybersecurity, works, we won’t benefit from having diverse workforces.

A lot of women that join STEM don’t stay. That’s a really, really, really big problem, and I’ve been working on one thing to help with that, called WoSEC, Women of Security. We are an international collective, I guess, or community. I think we have 19 chapters now.

Dave Bittner:

Wow.

Tanya Janca:

We just turned one year old last month. Basically, it’s just a place where women in security can just make new friends that are women. Because previously, I only had two female friends in security in Ottawa. One was named Donna and one was named Nancy, and I just didn’t know a single … And I know a lot of people, because I am extremely extroverted. So whether you like it or not, I will be your friend. So I only knew two women, and I was just like, “This sucks,” and my friend Donna and I saw this cool thing in another country, and I was like, “Why don’t we try something like that here?”

It’s just social things, or women-only workshops, so it’s less intimidating. Then we also go as a group to other events. We crashed BSides Ottawa. We had an event at BSides Vancouver, at Microsoft Build, at RSA, and then we crash meetups together. We’ll sign up, but if you go and there’s 12 women with you, the capture the flag contest isn’t so scary anymore. I am used to, my entire career, being the only woman in the room every single meeting, right? And it hasn’t improved at all, so …

Dave Bittner:

Hasn’t it?

Tanya Janca:

No, actually. The numbers in security … Big estimates are that we make up 11 percent in cybersecurity, but in some countries, it’s as low as 5 percent of the workforce. But women in computer science are between 25 to 30 percent of graduating classes. What that means is women are not staying. So they join and a lot of them leave, and it’s like, “Oh, that sucks.” So I’m hoping that if lots of women make friends, that can help. It can help their careers. But I guess what you asked is why … I haven’t really answered your question. Why does diversity in hiring matter? It matters just because we want to be fair and have a just world, but also because different … Diversity breeds different ideas breeds innovation.

As an example, at one security conference I went to, this guy had an incident, and he was like, “Can you help me manage this incident?” And I’m like, “Fine.” Yeah, I know. I’m at DEF CON in a hotel room. We’re all having beer, and then I’m managing his incident for work, because he’s the entire IT department, right? It was an event management system, and you could look anyone up without authenticating, by name or email, and see all the events that they had attended and where they were going to be.

Someone had reported it as a bug, and he was like, “It’s not a bug,” and I’m like, “It’s a privacy and safety issue.” He was like, “What do you mean?” I’m like, “I know you’re this great, big, huge man, so it’s unlikely you feel physical danger often, but lots of ladies I know, that is completely unacceptable. If I knew his system was going to publish where I was going to be, and anyone, even people that weren’t members, would be able to look me up, I don’t think I would want to go.”

Now, I am a public figure, because I speak at conferences, so obviously if I speak at a conference, you know, I’m going to be on the website. That’s obvious. But you know, if I go to a private event as an attendee, it’s no one’s business if I’m going to be there or not. And if I go to a training or something, it’s no one’s business. I’m like, “What if I had an abusive ex who was stalking me?”

I don’t, but imagine I did. You would’ve put that person in extreme danger, because it is not clear that people can look you up like that. It’s not clear that this is information that you’re giving away publicly. I’m like, “This is a serious privacy violation that is not clear to the users that they’re taking this risk, and that’s an error in your design.”

He’s like, “Oh wow. I didn’t really see what the problem was. I was like, ‘You know, the security researcher is just a jerk giving us trouble.’” And when I explained to him, “You know, you’re potentially putting people in danger, and certainly it’s a privacy violation to just be giving people’s physical whereabouts away, where they’ll be in advance. It’s just not cool.” So they changed it, and that was great, and he responded to the security researcher. But if they had had a woman … They were a small company of 15 people, and there were no women in the entire company, and they were all scratching their heads. They were like, “I just don’t see the problem,” because it’s not a thing that affects them.

Dave Bittner:

Well, what is your advice for folks who want to do a better job diversifying their team? How do you suggest they go at it?

Tanya Janca:

Okay, so I am not an expert at this, and I just want to start by saying that. These are just personal suggestions. I am not an expert in this. The hardest thing to do is get the first woman to come work for you, because I know lots of places, I’m like, “How many women work there?” Because if the answer is none, then I usually don’t want to go. Another thing you can do is offer to host women’s meetups. For instance, WoSEC, we have chapters all over the world, and because I worked for Microsoft, they have agreed to host us in any city that we want, which is very generous, very generous.

Then lots of other really great organizations have offered to host us. But I mean, if a company is really looking to hope to welcome more women, I mean Shopify in Ottawa, for instance, has been hosting OWASP forever, and then recruiting hardcore from our meetup members. It’s been their best investment ever. They let us use this big room. Their staff just go wander in right after work, and then they have recruited many, many people from our meetups. So it’s a very good, winning relationship.

Also, have a code of conduct and then actually enforce it. I’ve heard, “Boys will be boys,” so many times in my career, and I’m like, “Do boys want to get punched in the face?” It’s just … I know that I am much more assertive than the average woman and/or person and/or Canadian, so the way that I handle things is a lot different, and I know that the way I do things aren’t options for everyone else. I had a manager that was trying to hire me to his team, approach me after hours and say something very, very inappropriate to me, wanting some kind of sexual favor from me in order to have a promotion.

I don’t know how other women would react, but I reacted … I felt threatened, and fight or flight, I am fight. So I took a step forward, so I was right in his face, and I screamed, “Get the fuck out of my office,” and then he looked at me really startled, and then I stood so my face was almost touching his face and I yelled it so loud it filled the whole room, and then he left, and then I told every man on my programming team what he did, and I was like, “He is so out of line.” So when he went to sit for lunch the next day, someone’s like, “That seat’s taken.” They were like, “We know what you said to her.”

All the programmers supported me, and he wasn’t allowed in the cafeteria for months and months, and all of them gave him the cold shoulder, and all of them were like, “What the F is wrong with you?” Now, do I think that works for everyone? No. Do I advise the average person try that crap? No.

Dave Bittner:

It’s probably not in the HR handbook, no.

Tanya Janca:

No, definitely not, but I wouldn’t … I don’t know how to explain it, but I felt like I won. I felt very safe. The guy stayed the F away from me. Great. Win. I mean, could there have been happier outcomes? Yes, but …

Dave Bittner:

Sometimes you have to stick up for yourself.

Tanya Janca:

Yes, absolutely. But I mean, I guess take complaints seriously. You know, when a woman comes forward, that’s scary as crap. I have to say, when I came forward at that office, which was towards the beginning of my career, I think I’d already worked in IT eight years, immediately, the team that investigated it … Someone was sending me lewd messages via an anonymous email address, but clearly, they were in the building, and were harassing me. And they were like, “Well, what were you wearing?” A sweater and jeans, and my manager turned to them, and she said, “It doesn’t matter what she’s wearing. A man is stalking her that’s in our building, and you are going to figure out who it is so we can fire him. Understood?” And they just kept victim shaming me, and then they gossiped about it to everyone on the floor, which was so humiliating.

But then, that’s how we found out he was harassing 10 other people, and they knew who he was, and he got fired. But still, just having everyone gossip about you sucks, and if you come forward, usually that happens, despite the fact that they’ve signed NDAs and all of those things, so when someone comes forward, it is a huge sacrifice on their part, and, oh my gosh, take them seriously. I hear so many people talk about false accusations, and it’s just like, do you understand that that is a minute, minute, minute, minute number?

And that it’s so scary to come forward, and that so many of us don’t come forward, because you know, we don’t feel we have enough proof, et cetera, et cetera. And the punishment, the social punishment that comes with it … And because it’s humiliating. It’s totally … Me telling the other programmers, I was so embarrassed that that had happened. But I was luckily more pissed off than embarrassed, I guess. But there’s still lots of stigma around those things happening to you, and people feel shame for being a victim, and there’s so many things going around it, so take it seriously. That’s, I guess, my number one thing.

Dave Bittner:

Our thanks to Tanya Janca from Microsoft for joining us. You can find her on Twitter. She’s shehackspurple.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
