Episode 253: DevSecOps Worst Practices With Tanya Janca of We Hack Purple

The Security Ledger Podcasts - A podcast by The Security Ledger

In this Security Ledger Podcast interview from earlier this year, Tanya Janca of the group We Hack Purple (now Semgrep) talks with Security Ledger host Paul Roberts about the biggest security mistakes that DevSecOps teams make, and about application development's "tragedy of the commons" as more and more development teams lean on open source code.

[Video Podcast] | [MP3] | [Transcript]

Editor's note: since this conversation with Tanya was recorded, We Hack Purple was acquired by Semgrep, where Tanya Janca is now the Head of Community and Education.

One of the thorny problems facing modern development organizations is the gap between their development and application security teams. In many organizations, application development happens separately from application security testing, including pen testing, red teaming and the like. That can create bad dynamics, with appsec teams playing the role of gatekeepers and finger-wagging disciplinarians rather than collaborators.

Tanya Janca is the founder of We Hack Purple and the Head of Education and Community at Semgrep.

Hacking Purple to Bridge the Dev-AppSec Divide

Our guest this week, Tanya Janca, set out to bridge those divides. The founder of the group We Hack Purple (recently acquired by Semgrep), Tanya is a skilled developer and an experienced pen tester and red teamer who has always taken it as her mission not just to identify security weaknesses in applications, but also to work constructively with development teams to address those weaknesses and to build the secure coding skills and habits that stop the same mistakes from being made time and again. The organization she founded, We Hack Purple, offers courses for developers to learn core application security concepts and skills, and hosts discussion groups where developers can seek help from the community on a range of issues. (Tanya also hosts her own podcast, which you can check out here.)

DevSecOps Teams' Worst Security Fails

In this conversation, which was recorded ahead of the RSA Conference back in April, I asked Tanya to dig into the details of a talk she was giving on "DevSecOps Worst Practices." The talk was based on her experience advising development and DevOps teams, and covers mistakes such as failing to tune your testing tools and breaking builds under a tsunami of "false positives."

Tanya and I also talk about some of the bigger threats to application security. Among them: threats and attacks on open source software supply chains, and a "tragedy of the commons" playing out in the open sour...
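The "untuned scanner breaks every build" failure Tanya describes is easiest to see next to a tuned gate. The script below is an added example written for this page; it is not code from the podcast, from We Hack Purple or from Semgrep. The report shape, the rule ids, the file paths, the baseline and the fingerprint scheme are all constructed for illustration: a real scanner's JSON will differ, and the point is the gating policy, not the format.

```python
"""Gate a CI build on SAST findings without breaking it on every noisy result.

Added example (not from the podcast or from any vendor). It contrasts the
"worst practice" of failing the build on any finding with a tuned gate that
(1) suppresses findings a human has triaged into a baseline and
(2) only blocks on findings at or above a chosen severity.
All data below is constructed; rule ids and paths are hypothetical.
"""
import hashlib
import json

# Ordering used to compare severities; scanners use different labels, so
# a real gate would map the tool's own levels onto this scale.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output, shaped loosely like a generic SAST JSON report.
SCAN_OUTPUT = json.dumps({
    "results": [
        {"check_id": "example.eval-detected", "path": "app/views.py",
         "line": 42, "severity": "HIGH", "code": "result = eval(expr)"},
        {"check_id": "example.shell-true", "path": "scripts/build.py",
         "line": 10, "severity": "HIGH",
         "code": "subprocess.run(BUILD_CMD, shell=True)"},
        {"check_id": "example.unused-variable", "path": "app/models.py",
         "line": 7, "severity": "INFO", "code": "tmp = compute()"},
        {"check_id": "example.weak-hash", "path": "app/legacy.py",
         "line": 3, "severity": "MEDIUM", "code": "hashlib.md5(data)"},
    ]
})


def fingerprint(finding):
    """Stable id for a finding: rule + file + offending source line.

    The line number is deliberately left out so that unrelated edits that
    shift code around do not invalidate a triage decision.
    """
    key = f"{finding['check_id']}|{finding['path']}|{finding['code'].strip()}"
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed baseline: during triage the shell=True hit was judged a false
# positive (BUILD_CMD is a constant, no user input reaches the shell), so its
# fingerprint is recorded. In practice this set lives in a file in the repo.
BASELINE = {
    fingerprint({"check_id": "example.shell-true", "path": "scripts/build.py",
                 "code": "subprocess.run(BUILD_CMD, shell=True)"})
}


def naive_gate(report_json):
    """The worst practice: any finding at all, of any severity, fails the build."""
    return len(json.loads(report_json)["results"]) > 0


def tuned_gate(report_json, baseline, min_severity="HIGH"):
    """Tuned gate: suppress triaged findings, block only at/above min_severity.

    Returns a dict so the CI step can both decide and report: 'blocking'
    fails the build, 'advisory' is surfaced in the job log or PR comment,
    'suppressed' is kept for auditability of the baseline.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking, advisory, suppressed = [], [], []
    for finding in json.loads(report_json)["results"]:
        if fingerprint(finding) in baseline:
            suppressed.append(finding)
        elif SEVERITY_RANK[finding["severity"]] >= threshold:
            blocking.append(finding)
        else:
            advisory.append(finding)
    return {
        "break_build": bool(blocking),
        "blocking": blocking,
        "advisory": advisory,
        "suppressed": suppressed,
    }


if __name__ == "__main__":
    print("naive gate breaks build:", naive_gate(SCAN_OUTPUT))
    verdict = tuned_gate(SCAN_OUTPUT, BASELINE)
    print("tuned gate breaks build:", verdict["break_build"])
    for f in verdict["blocking"]:
        print(f"  BLOCK {f['severity']} {f['check_id']} {f['path']}:{f['line']}")
    for f in verdict["advisory"]:
        print(f"  note  {f['severity']} {f['check_id']} {f['path']}:{f['line']}")
```

Both gates fail this build, but for different reasons: the naive gate fails it on four findings including an unused variable, while the tuned gate fails it on the one real `eval` and reports the rest as advisory. Raising or lowering `min_severity` is the knob a team turns as they work down the backlog; the baseline is what keeps already-triaged noise from reappearing on every run.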