Screaming in the Cloud - Building Secure Applications with Tanya Janca
Episode Date: November 6, 2019

About Tanya Janca
Tanya Janca is the co-founder and CEO of Security Sidekick. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women's organization WoSEC, starting the online #MentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

Links
Twitter: @shehackspurple
LinkedIn: https://www.linkedin.com/in/tanya-janca-60ab0998/
Personal site: https://dev.to/shehackspurple
Company site: https://securitysidekick.dev
Sponsor: www.manifold.co
Transcript
Hello and welcome to Screaming in the Cloud with your host, cloud economist Corey Quinn.
This weekly show features conversations with people doing interesting work in the world of cloud,
thoughtful commentary on the state of the technical world,
and ridiculous titles for which Corey refuses to apologize.
This is Screaming in the fastest growing communities, and also Kubernetes. They offer a complete toolkit that allows you to deliver your API-first product to millions of developers.
Check them out at manifold.co.
Again, that's manifold.co.
Hello and welcome to Screaming in the Cloud once again.
My name is Corey Quinn.
I'm joined this week by Tanya Janca,
who is currently the co-founder and CEO of Security Sidekick. Tanya, thank you for joining
us today. Thanks for having me, Corey. So last time we met in person briefly at a conference,
as I think we both were sprinting past each other like ships in the night, you were employed at
Microsoft doing something that sounded vaguely security-esque.
Again, we were sprinting past each other at a conference.
Now, you've started your own company, presumably no longer at Microsoft?
No longer at Microsoft.
Wonderful.
So let's start, I guess, in that timeline at the beginning.
So you started off at Microsoft.
First, what org
were you in? Microsoft is kind of a big company these days, and it turns out that my mental model
of the 10 people I know there isn't really a representative sample. So I was a cloud advocate
or a developer advocate. And basically, it was my job to create content and get feedback from the community and the industry about what works and what doesn't work to help them change their products so they're what people actually need and want, as opposed to what we think they need and want.
And then create a ton of content so that people know how to do anything they want to do with it.
So I specialize in application security and cloud security. So I would create
a lot of content about like how to create a secure app or how to verify that your app is secure
in, for instance, Azure DevOps, a pipeline. Yes. Azure DevOps, of course, being an ill-fated
product name and not a thing that one does that is culture oriented, correct?
Yes. That's the name of the product.
Excellent. I find periodically I have to remind people that that is a product. So if you see it
on someone's resume, they're not smacking a bunch of words together. That is the actual name of a
product. It's rare that we see a service or product name that is so bad that it can negatively impact
someone's career just by mentioning it. But we've done that. Usually the only way to get a higher score, I think, is to come out with something bigoted.
Oh my God.
Well, I wasn't in charge of naming anything.
Excellent.
No one wants to accept responsibility for those.
Definitely.
We have it, really.
No responsibility here.
Exactly.
And how long were you at Microsoft for?
I was there for two years and I cannot tell
you how much I learned. There's a lot of, there's a lot of years anywhere else. My God. It's basically
like a thousand years anywhere else. Like it is. I learned a lot of stuff from a lot of people.
It was really cool. So there's a lot of traveling around, speaking at conferences, writing blogs,
making videos, things like that. But yeah, I wanted to start my own company, I guess. You
know when you sit down with your manager and they ask where you want to be in three to five years,
and then you realize it's that you want to work somewhere else. Like even though you're having
fun where you are, you're like, oh, I want to do even bigger things. And then you tell them and
they make that frowny face. They're happy for you, but they're also like, oh, that's not where I thought this conversation was going to go. I've heard the
story, but personally, whenever I sat down with my manager, it was always a conversation that
started off with, you know what your problem is? Not always from me, not always from them.
And it sort of devolved from there. So for me, starting my company was more or less coming down
to the fact that I'm unemployable at this point. And well, it's either that or starve to death. And other people, it turns out, have options and the ability to have
an employer-employee conversation. I just never excelled at that. But I kind of imagine what it
might have been like. I do think that I am a little bit hard to manage because I have really
big ideas. And if a manager says not to do them, I take that as advice,
not as like a commandment.
I view feedback as one person's opinion.
And that's fair.
Depending on where it's coming from,
it has different weights on it.
But it turns out that a lot of management types,
specifically crappy managers,
frame it as I have feedback for you.
And the response, thank you for your opinion, is the wrong answer. It just comes down to, I think, an impedance
mismatch sometimes when you have managers who are not great at managing, dealing with people who are,
as you say, difficult to manage. Yeah. I also think that management as a whole,
because we're getting pretty off topic. Oh, of course. That's the point of a podcast. We can talk about whatever we feel like.
But there's leaders and there's managers, and sometimes they're expecting managers to lead,
and sometimes they're expecting leaders to manage. And it's not always like those two unique
skill sets in the same person. Oh, absolutely. In my case, though,
I found that, wow, every manager I had for a while was a jerk. And wait a minute,
the only consistent feature here is me. So maybe it's not everyone else's
fault. That realization came to me later in life than it should have. But you're right,
we are getting slightly off topic. So you left Microsoft doing the dev reliper thing,
for lack of a better term. And yes, I do call them dev relipers because I have problems.
And from there, you decided to start Security Sidekick. What does Security Sidekick do?
So we do real-time web application and vulnerability inventory and discovery.
Let me explain what that means.
Basically, we sit on your network and we're one hop after your DNS. We're an invisible proxy.
So everything just goes through us. And then we can just recognize, oh, that's an API. Oh,
that's a web app. Oh, that's a SaaS product. And then we just make a list of them for you.
We do a passive scan every single time you visit. So we're like, oh, a security header got removed
or, oh, you never had this security header.
And so you can actually see all the apps you have and a baseline of what's wrong with them.
And a lot of people say to me, well, isn't inventory kind of boring?
It is, but it's actually one of the most difficult things to get right when you work in an application security engineering role, because developers do not necessarily tell
you when they release a new API. And they're like, oh, it's number 72. Like they don't care
if there's another one that does this slightly different thing. Yes, I do care. And I really
want to know. I really, really want to know about every single one of them that's living on our
network. Thank you very much. Yes. And that does have significant value. But
something I found when I started my consultancy aimed specifically at fixing AWS bills is that
there's a lot of affinity to the security space in cost optimization, where it's easy to wind up
dumping the billing equivalent of a Nessus scan on someone. Here's the 8,000 things you can change in
your environment. And then that rots on the shelf. And 95% of them are tiny and no one cares.
And oh, do these other few things
and you'll cut your bill in half.
You see that with security too.
And this is one of the recurring stories we see
in tales of security breaches,
where when you have tools
that identify security problems like this,
there's an awful lot of noise
and the signals buried in them,
where it almost seems that no one implements something. And the only value these tools bring is being able to make headlines
after a breach. And while it was right there in the logs, why didn't anyone do anything,
ignoring the fact that there was half a terabyte of logs for someone to go through,
and that was no one's actual direct job responsibility. How does Security Sidekick
get around that? So we basically just make a list of
all of your apps on this dashboard that we've created. And then you can click on the app and
it tells you all of the things that we have found wrong with it. And then from there, once you know
the app exists, or if a new app comes out, we'll alert you, oh, by the way, this wasn't previously
on your list of things, but did you know it's living on your network, right? And then you can actually apply your processes to it.
You can actually apply your policies to it. Like a lot of places I've worked, we've hired a person
to do our application portfolio management. And this very fancy consultant will come in and spend
a year or a year and a half interviewing people and asking them which apps they have. But if we could tell you in like 24, 48 hours, like these are all the apps that
people visited that are on your network or in your cloud or wherever it is that's within your domain.
Oh, okay. So great. Now I actually know what I need to look at, right? I feel like if you can
have a complete picture of what you're looking at, you know what I mean? If you're like, oh yeah, I have 32
apps and 10 APIs, but then we come in, we're like, you have 40 apps and you have
25 APIs. Okay, great! So now I can actually look at this up-to-date list instead of the Excel spreadsheet that someone made four years ago that probably only has a third or half of your apps listed on it. And it has some apps that were actually taken offline that they still think exist for some reason. And then you can actually put pipelines around those things.
Or you can, you know, for instance, like we can find, I guess, at this point we're in beta,
so we can find seven types of vulnerabilities, but we are building that process out.
But so you have like a list of things that are wrong.
Great.
If you can see, if you can look at your analytics, like look at the reports
we make and say, okay, so it turns out we have like a really big problem with
doing direct object references in our URLs, like in our URL parameters.
So, um, the vulnerability is called IDOR, like an indirect
object reference. But the idea is, you know, in the address bar, it's like bank account number
equals one, two, three, four, five, right? So if we see that happening a lot, there's clearly like
a developer or a group of developers that doesn't see this as a problem. They think it's fine. So
then you can make a lunch and learn or address this
you know with some training. You can address this with a newsletter. You can address this by
going to that team and explaining the relevance and why this is important and then you can try
to eliminate bug classes as a whole because you finally have a complete picture. I've worked at
a lot of places doing like I do a lot of consulting and then I also have been an employee for a long time.
And basically, like I would come in places and they'd be concentrating on a thing because, you know, a pen tester came and they could only afford a pen tester like twice a year, let's say.
And the pen tester would be like, I found this injection vulnerability. Injection's the worst thing ever.
And it's awful. And it is awful. Injection is bad. But they found one. And it turns out in all your apps, there was only that
one. But what's really problematic is that everyone is doing cross-site scripting in every
single possible input field everywhere in every single app. And you would actually do better to
do a deep dive into cross-site scripting and teach everyone about that and
then just address the one injection vulnerability like uniquely rather than making everyone sit
through training for that, right? Because when you give training and, let's say, you pay a trainer
five thousand dollars to come in and spend a day, everyone's like, oh, it was five thousand dollars. No,
it was not. If you had all your developers sitting in a room for an entire day,
that probably was $100,000.
Because developers cost a lot of salary dollars.
Absolutely.
And if you have a room full of them, you're wasting time.
And it's condescending, too, if you're a senior developer and you're like,
yeah, I know injection inside and out.
That was, you know, a student that we hired or whatever, right?
Like, you want to spend your time on the things that matter.
And if you don't have a complete kind of higher level picture of things,
it's harder to decide what you actually want to do with your time and your
limited budget.
And it gets worse than that.
A lot of times compliance requirements dictate you have to send people through
the same ridiculous training.
Oh my gosh. Yes.
And it doesn't add a whole lot of value.
It's the, we had to go and check the boxes and the rest.
I see the same thing with this being an ongoing challenge
where, for example, in the world of cost,
which is the one I know best,
a lot of companies will come at this from a perspective of,
we want to train all of our engineers.
And my response is, really?
Because most of what they need to know about AWS billing
can fit on an index card. You don't need to have a three-day training for every engineer in the
building. Sure, someone should probably know the nuances in this environment, but that is a far
cry from everyone having to think about this all the time, because in almost every case people cost
more in compensation than they spend in infrastructure. And you see the same thing when you have all these trainings on all of these different
attack vectors.
At some point, yeah, you should have every engineer know how to sanitize inputs, but
maybe every engineer doesn't need to be a fully qualified pen tester in most companies.
Oh my gosh, Corey, there's so much training that I see teams go through.
They're like, yeah, we're going to get, I'm not going to name the trainings,
but where it's like how to hack some random version of Unix or something. I'm like, I don't need a software development team to know that. I just don't. So I know hackers are cool and you
want to put threes instead of E's in your name or whatever, because you saw the movie
Hackers and you're
very excited. It's like, what I actually want you to know is just our secure code and guideline.
I just want you to know these are the security headers I want you to use. Here's an overview
of why. If you want to get deep into it, come to my office. But please just use these headers and
these are the settings I'd like. If those don't work for you, come to my office and we'll talk
about what we can do to make sure you get your business things done.
Right?
Yeah, I feel like there's a lot of money to be made
in things that are cool and hacking's cool
and just like physical penetration testing.
Oh my gosh.
You do not need the average person to learn that.
Right, there's a reason you can hire specialists who do nothing but this all the time.
It's strange. And I've always felt somewhat aligned with InfoSec folks, just from a perspective of
no one cares about the AWS bill and no one cares about security until right after they really,
really needed to care about both of those things. It's always a trailing function and there's never a
great time to come in in advance and say, ah, but if you pay me now, you'll save orders of magnitude
more in the future. And the response is generally, yeah, but we could also spend that time working on
feature development instead and the company is still in business later. And they're not wrong.
They're absolutely not wrong. There's a spectrum on both of these
sides of things where you can be so good at it, you never get anything else done. And then the
company dies. It's always a series of trade-offs. And I think that that is something that is not
always well understood by folks, especially in the C-suite where it's, oh, we just want to be
secure. Check the box, please, and call it good. There's always going to be trade-offs. At what level of risk are you comfortable with? And having those conversations
is always a difficult discussion to have with various stakeholders. Yes, I cannot agree with
you more, Corey. There's a PCI compliance rule that you have to do continuous security testing. And it is
not explained what that means. And our tool works in real time. And every time you visit something,
it tests it, right? So we wanted to put continuous security testing. But I have been told that CISOs
will literally start crying if we say that word because vendors, all of them apparently are saying that, even if it's like you actually have to manually turn on the tool.
And so I guess it's the most used word for CISOs at this point.
And I've been told they're allergic to the word continuous and I should just not use that word at all.
I'm like, oh, OK, thank you.
This is good information to know.
So get me started on the obnoxious challenge that seems to be using the same terms again and again,
meaning different things. It's, oh, you sweet summer child. Let me explain to you what that
term means, you babe swaddled in the cashmere blanket of ignorance. It's always, people use these terms
in a bunch of different ways. I mean, we see that with definition of terms like cloud native,
for example, where everyone has a different definition that just happens to align perfectly
with the thing they're selling into the market, but there's no broad consensus.
Yes. I, um, can I give you like, uh, since I don't work for a cloud vendor anymore, I'll give you my idea of what cloud native is.
Please do.
No, don't. Then I was hoping you'd make fun of it after.
Oh, I hope that comes for free. If not here, then certainly on Twitter.
Cloud native is the tools made by that vendor for their cloud that they want to sell you.
They made it on purpose for their cloud.
It's not going to work in the other cloud.
Cloud Native.
I like that quite a bit.
But what about multi-cloud?
Remember, you have to be able to go between cloud vendors seamlessly and effortlessly,
despite the fact that no one in the history of time has ever done this.
Because if not, we have nothing left to sell you. That's a different definition of
cloud native, which means who has contributed enough money to our foundation. Oh, that's such
a good point. Yeah. Multi-cloud strategies sound really, although they're becoming more and more
popular, they're very painful looking. Like, yeah, it's a lot of tooling that you have to buy
that has to get along very well. And when you have multiple clouds and you have on-prem and all of
these things, how do you keep track of all your stuff and where it is and who's in charge of it
and has it been looked at?
Definitely. That is the thing we're trying to do, and a lot of other vendors are trying to do, trying to actually give
you visibility into all the things. I don't know what's going to happen, Corey, when there's like 50
cloud providers or 100 or 200.
I'm not sure there will be. I feel like we're seeing consolidation in
that space. You're going to have the big four, for lack of a better term, which four I'm talking about is left as an exercise for the reader. But after that, you're not going
to see much other than the very distant second place folks where they're pushing a strong
multi-cloud narrative because if you go all in on one provider, it will certainly not be theirs.
And then there's going to be a long tail of specialist folks or small operations that target very specific use cases.
And that in turn is going to be a challenging market.
I don't think that we're going to see too much more than that in the platform as a service
space.
Now, where we will see differentiation is going to be higher level software as a service
offerings that solve very specific business problems that don't fit in a single Lambda
function or two.
And so therefore, they're no longer a trivial exercise for the reader to solve. Instead,
it becomes an actual company. An easy example of this that I've loved for a long time is PagerDuty,
where they've solved for the problem of when a thing breaks, wake me up. And it sounds like an
easy thing to build yourself until you
try it and realize, wow, we don't route between this many different providers to get to you across
multiple pads in the event of any particular piece of infrastructure dying in a way that they do,
because they've tackled that entire problem space. You're not going to build a better version of that
in your weekend's 20% time. No, definitely not. There are so many kick-ass SaaS tools coming out. Like I have a
friend that's a massage therapist and she was showing me that there's, so I live in Canada
and I'm from Ontario and I live in British Columbia now, but there's different rules for
massage therapists in different provinces, just like in America, there's different states. And there's a person that has this SaaS tool that I guess, like, I don't know how they
know all the rules of maybe they took massage therapy in school, but then also took computer
science, but they've made like this perfect tool.
And basically, almost every single massage therapist uses it, and it's really reasonably
priced.
And it just does every single thing according to, like, how to
book their appointments, how to make sure the taxes are charged correctly, that they, you know, have a
place to put the exact things they have to do to obey all of the rules of their, you know, of their
certification. And she's just like, oh yeah, everyone uses it. Why? Like, there's literally no point, like,
the amount of effort you'd have to do. And I think he charges like 130 bucks a year. It's like nothing. And then that person has a full-time job
based off of that. And it just, you know, and you can talk directly to him if there's a problem.
She's like, oh yeah, he's a dream. And I feel like SaaS is coming out in a way where it's like making people's lives just so much better.
Could you imagine before something like that?
Like you'd have to install it on your computer and then, you know, you're a massage therapist.
You're really awesome at what you do, but you're not a technologist, right?
And it's like, oh, but I didn't back it up.
And then now everything's gone.
No, he does that for you.
He does everything.
SaaS, cloud. Awesome. That's, it also has really reduced the level of friction to running
businesses. I mean, I, I can't imagine having to build my own payroll system. For example,
I pay another company to make that go away. Every single piece that is non-critical in line with
what my company actually does. If I can farm that out to someone else, that becomes a terrific story and an uplifting narrative for all of it, which is
interesting coming at this perspective that you are, where you're building a SaaS offering that
effectively, or not necessarily SaaS, but a tooling story around security, where customers
need to understand on some level that they're able to outsource work,
but they cannot outsource the responsibility. And that's where it feels that companies get
wrapped around their own axle. Yes. Oh my gosh, Corey. It's so true.
Yeah. I feel like a lot of companies don't know where to start in regards to application security
because traditionally we just, we protected the perimeter and then
we just locked everything down inside like enterprise security, no administrative rights
for you, no installing stuff on your desktop, et cetera.
Right.
And then now we have all of these old guard security people where they're really good
at intrusion prevention, intrusion detection, things like that.
But now the weakest point is software, right?
That's how, if you look at the Verizon breach report the past three years that they've issued the report, unfortunately, weak application security is like the winner of the cause of the most breaches everywhere, hands down by a landslide every single year, which is bad news, not good news. But like we have all of these people that are slowly coming towards security that are learning about AppSec, but because it's not being taught in schools really.
And it's, it just, I guess it's not new, but it is, if that makes sense.
Like it's, it's been a problem for a while, but just in the past few years, it's become the weak point because the security industry or InfoSec industry is like really kicking ass in regards to protecting their perimeter.
And they're really kicking ass in regards to enterprise security and discovering threats.
But we're not kicking butt yet in regards to securing our software.
And yeah, we were hoping to help.
That's our goal.
Basically, I only wanted to join a company if we're going to do something so everything that our tool can
find, we're going to release videos for free to everyone about how to fix the thing it found.
I don't know if you know, but most AppSec companies actually charge you extra if you want
to learn how to fix the things that it found. If you want to. We found these things. We won't tell
you how to fix it unless you pay us extra. I've always hated the, I know something you don't know,
but unless you pay me, I won't tell you what it is,
model of pricing.
Yes.
I have a t-shirt that ConvertKit printed that I love,
which says on it quite simply, teach everything you know.
And I try and do that myself.
I can talk about any particular aspect of the AWS bill for free,
and I will.
But it turns out doing a
deep dive analysis on someone and seeing exactly which things apply to their various environments,
that's a whole different series of conversations. And I'm not doing that for free.
Yeah. That's a service.
That's where I draw the line.
Mm-hmm. But that's you. That's a service, right? So I was saying to Aaron, well,
okay, so if our tool finds something,
I absolutely insist that we're going to teach our customers
how to fix the thing that we found, right?
And he's like, of course.
And I'm like, and if I'm going to work really hard to write blog posts about it
and documentation and videos, it costs us nothing to put it on YouTube
and give it away to everyone as opposed to just giving it to our
customers. And he's like, that's a good point. And I'm like, and then some of those people will
see it and maybe they'll want to be our customers, but for everyone else, we'll just have,
that means when we surf the internet, we'll be safer. That's what I want.
And so he's like, I'm in, let's do it. You wouldn't think you'd be asking for a lot, but there you have it.
Well, I mean, part of, I don't know, part of me wanting to start a company is so that I can do good.
And that is grammatically correct the way I'm saying it.
I want to do good like Superman does good.
Oh, yes. You want to do good and do it well.
Yeah, exactly. And I feel
that one of the things, one of the ways that I could do good is by using my expertise to help
the most people possible. But without just constantly working for free and being exhausted,
like you were saying, like, you know, you can share all of the stuff that you know,
like in a wide range. But if you're going to go into someone's company for the day, you have to charge for your time, right?
Because you have a mortgage and bills to pay.
So I wanted to calculate ways that I could do good with my life, but still, you know, pay all the bills.
And so this is our compromise.
Have you heard of the effective altruism movement?
I have not.
So a whole bunch of computer scientists decided they wanted to perform good. And they're like,
but we want to do the most good we possibly can. So for instance, like if you donate, you know,
a can of beans to the food bank, right? That's not as valuable as if you give them the money that you paid for that can. That's more effective. But also, you can be infinitely more
effective by, for instance, giving $34 to the anti-malaria foundation, because then they can
buy X number of bed nets from people that live in areas
where there's lots of malaria. And then with $34 approximately, you can save a person's life.
Because if you give that many away, on average, one person will not catch or however many people
will not catch malaria, and one of them that would have died will be avoided, right? And so they've
like taken math and statistics and all
the information and then they've found a bunch of charities that are the absolutely most effective
and so, um, I'm an effective altruist. And so I'm like, I want to do good, but I want to make sure
I do the absolute most good. So yes, I could volunteer to go to the food bank and I could,
like, move cans for them all
day, let's say, or drive, you know, two hours a week delivering food.
Right.
But I have so much more value that I could deliver to a much bigger audience, if that
makes sense.
Right.
So like, I mean, as much as I like to think I'm like strong and fit and I could definitely
carry a whole bunch of canned foods, that's not like the best use of all my skills of how I could
help people. And so, yeah, I wanted to work that into our company so that I feel good. That makes sense?
Yeah.
But if you, if you do, um, I don't know, I checked it, check out the effective altruism
movement. It's pretty interesting. And it's, it's almost like 95% computer scientists and programmers, people who
for whatever reason, all think the same way.
And it's like, let's tackle this head on.
Like the Bill and Melinda Gates foundation would be an excellent example of like effective
altruism.
Like they look at really big problems as a whole and then attack them strategically as a whole. Like he could just
give away all of, or they could just give away all of their money to, I don't know, the food bank as
an example, but instead they're trying to tackle like really big systemic problems. And I admire
that quite a bit. It's a common thing that I think people don't tend to fully grasp where
nonprofits can do the most good is with money.
They already have optimized streamlined pipelines for this. That's why for the t-shirt drive for
last week in AWS, I wound up raising money rather than trying to go in and volunteer at a hospital
or something like that. It just turns into the most effective way to start combating these things
is to pick a decent nonprofit aimed at the problem and then
give them money. I think that's something that people overlook. You don't want to go volunteer
in a soup kitchen. They'd rather have money so they can start building sustainable programs.
Yes, unless you have a very, very specific skill set. So let's say, Corey, you were going to go
into a hospital and volunteer, but what you
did was analyze their billing for their cloud and help them optimize it so they could save
money every month from then on.
Assuming the hospital was so forward thinking that they were in the cloud, which is unlikely,
but let's pretend, right?
Then that would be a thing that you could do that saved them so much money in the future
that it's even better than the money that you raised, right?
That's another way to do effective altruism is like if you have a super special skill set.
With the caveat that not as many people do as think they do.
It turns out, for example, that, I don't know, going in to help nonprofits fix their AWS bill,
not as big of a problem as you might expect it to be.
Oh, I had no idea.
I've tried it, and that's the challenge,
is that it seems that very few nonprofits
have a significant spend on these sorts of things
compared to other drivers there
because of donations and the rest
and how they wind up doing things.
It's a very different market,
and I was very surprised by that.
That's really, really interesting.
There are always exceptions to everything.
And if you're listening to this
and you're one of those exceptions,
hi, get in touch.
But that's always the weird thing to me
is figuring out that the world
is never exactly like I expect it to be.
But that keeps it fun.
I definitely could not agree more
with that statement, Corey.
So where can people learn more about you and
what you're up to? Where can they hunt you down, for lack of a better term?
Well, you can hunt me down on Twitter, YouTube, Twitch, Medium, Dev.to. But basically,
if you just look up SheHacksPurple, you're going to find me. Or if you go to my new company's website,
SecuritySidekick.dev, we have a YouTube channel and a Twitter handle, Sec Sidekick. And basically,
yeah, I am online a lot. If you follow me on Twitter, it's where I announce all my things.
I even have a mailing list now. So I'll send you some links after for the podcast
notes, if you do that. Excellent. By all means, you can find them in our show notes. Thank you.
But basically just look up SheHacksPurple and that's going to be me with the purplish hair.
Excellent. Thank you so much for taking the time to speak with me today.
Thank you so much for having me, Corey. I'm sorry I got so off topic.
I'm really passionate about philanthropy.
And I guess it's an important area.
It just spills out sometimes.
Sorry.
Of course.
No apology needed.
Thank you.
Excellent.
Tanya Janca, founder and CEO of Security Sidekick.
I'm Corey Quinn.
This is Screaming in the Cloud.
If you've enjoyed this podcast,
please leave it a five-star review on iTunes.
If you hated this podcast,
please leave it a five-star review on iTunes.
This has been this week's episode of Screaming in the Cloud. You can also find more Corey at Screaminginthecloud.com
or wherever Fine Snark is sold.
This has been a HumblePod production.
Stay humble.