165: Tanya

Summary of 165: Tanya

by Jack Rhysider

47 min, November 4, 2025

Overview of 165: Tanya (Darknet Diaries)

This episode features Tanya Janca (SheHacksPurple), an AppSec leader who tells stories from her career that illustrate how applications become vulnerable, how incidents are investigated, and how organizations can build better security culture. Host Jack Rhysider and Tanya cover real incidents (from hidden security policies to blind SQL injection exfiltration), lessons learned running incident response and AppSec programs, and practical advice for developers, help desks, and security teams.

Key stories and highlights

  • Hidden security policy experiment

    • Jack recounts testing whether NOC technicians could find the company’s security policy on SharePoint. Most could not — it was buried and poorly named — showing that compliance artifacts must actually be discoverable and usable, not just exist for auditors.
  • Tanya’s hacking genesis and early pen-testing

    • As a developer, Tanya was shown an SQL injection bypass of a login screen by a mentor, which led her to pivot into AppSec.
    • She learned Burp Suite, practiced pen-testing, and accidentally discovered server-side request forgery (SSRF), which crashed a customer’s production web server and polluted their database — a hard lesson on testing scope and production safety.
  • Government data leak & blind SQL injection

    • While leading security at a Canadian government agency, Tanya received a tip that the agency’s data was being sold on the dark web. Investigation revealed an attacker exfiltrating records using a blind SQL injection technique (asking yes/no questions to extract data one bit/character at a time).
    • The app had poor logging (database logs only, no web application logs), the agency's application inventory was incomplete, and the attacker timed activity for periods when staff were off (statutory holidays), all of which complicated detection and attribution.
  • The “building has malware” Olympics incident

    • A satellite office appeared to be “infected” with malware because users couldn’t work. Network captures showed everyone was streaming the Winter Olympics, saturating bandwidth. The problem was policy enforcement and a rogue executive decision that bypassed the official mitigation (designated viewing rooms).
  • Help desk evidence-handling blunder

    • A help desk technician found child sexual abuse material on a user’s computer and, following routine “fix it” instincts, deleted evidence and reimaged the machine. The chain of custody was lost, preventing prosecution and causing lasting trauma to the technician. Result: training to escalate suspicious or potentially criminal findings immediately to incident response.
  • Women-focused CTF team and community impact

    • Tanya organized women into CTF teams to avoid being the only woman in competitions. Participation led devs to discover and fix real vulnerabilities in their own apps immediately, demonstrating how hands-on exercises motivate secure coding.
  • Convincing resistant dev teams

    • Initially rebuffed by a dev manager who told Tanya to “go away,” she and her leadership later ran a candid session showing the real costs of incidents. That transparency converted resistance into collaboration; the team began scanning with ZAP and fixing issues proactively.
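The login-screen SQL injection that started Tanya's AppSec career, and the parameterized-query fix recommended in the takeaways below, side by side. This is an added example, not code from the episode or from Tanya: the table, the user record, the allow-list pattern and the helper names are all constructed for illustration (passwords are stored in plaintext only so the query comparison is visible; a real system stores a hash).

```python
"""Login lookup built two ways: the string-built query that the injection story
turns on, beside the parameterized query the takeaways recommend.
Added example; schema, data and helper names are constructed for illustration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one legitimate user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext password kept only so the comparison is readable; never do this in production.
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'before' pattern: untrusted input is pasted into the SQL text, so a
    quote in the input changes the query's structure instead of only its data.
    A legitimate name such as o'brien already breaks it with a syntax error."""
    sql = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so quotes and keywords in the input are just characters to compare."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed allow-list for usernames: defence in depth in front of the query.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def valid_username(username: str) -> bool:
    """Reject malformed usernames before they reach the database. The
    parameterized query is already safe; validation narrows what is accepted."""
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    db = make_db()
    print("safe, benign:", login_safe(db, "alice", "correct horse"))
    print("safe, apostrophe in name:", login_safe(db, "o'brien", "x"))
    try:
        login_vulnerable(db, "o'brien", "x")
    except sqlite3.OperationalError as exc:
        print("vulnerable, apostrophe in name breaks the query:", exc)
```

The difference to notice is that `login_safe` never lets the input touch the query text, so the same string that changes the meaning of `login_vulnerable` is compared as a literal password and simply fails to match.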

Main takeaways and actionable recommendations

  • Make critical security artifacts discoverable and human-friendly

    • Security policies should be easy to find, clearly named, and summarized for staff. Accessibility beats obscure compliance checks.
  • Maintain a complete app inventory and adequate logging

    • Know what apps exist, where data resides, and ensure meaningful web/application logs exist (not just DB logs) to trace attacks.
  • Train and empower help desk staff

    • Help desk is the front line. Teach them what constitutes a potential security incident, instruct them to escalate immediately, and assure them that false alarms are okay.
  • Use safe testing practices and clear scoping

    • Pen-testing and tool use (Burp, ZAP) are invaluable, but avoid uncontrolled tests in production. Define scope, communicate with stakeholders, and have approvals.
  • Embrace developer collaboration

    • AppSec should help developers, not antagonize them. Show the real impacts of incidents (costs, downtime, reputational harm) to build empathy and buy-in. Offer practical, prioritized remediation guidance.
  • Practice defensive coding and input validation

    • Defend against SQL injection and SSRF by sanitizing and validating inputs, using parameterized queries, and applying the principle of least privilege.
  • Invest in detection and monitoring for timing patterns

    • Attackers may perform exfiltration during predictable low-staff windows (holidays, nights). Monitor for odd access patterns and automate alerts.
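One way to act on the logging and timing-pattern takeaways together: parse application-level request logs and flag sources that generate bursts of near-identical requests during holidays, weekends or nights, when nobody is watching. This is an added example, not from the episode: the log format, the holiday list, the business-hours window, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Flag sources that hammer a web application during low-staff windows.
Added example; log format, holiday list, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import date, datetime, time
from urllib.parse import unquote

# Constructed log format: "<ISO timestamp> <source ip> <method> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)")

# Constructed calendar: statutory holidays and business hours for the example org.
HOLIDAYS = {date(2025, 7, 1)}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Characters that rarely belong in a legitimate query string for this app.
SQL_META = re.compile(r"['\";]|--|/\*")


def is_low_staff(ts: datetime) -> bool:
    """True on holidays, weekends, and outside business hours."""
    if ts.date() in HOLIDAYS or ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse(line: str):
    """Return (timestamp, src, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["path"]


def detect_off_hours_bursts(lines, min_requests: int = 20) -> dict:
    """Per source, count low-staff-window requests, how many carried SQL
    metacharacters in the (decoded) query string, and which endpoints were hit.
    Only sources at or above min_requests are returned."""
    stats = defaultdict(lambda: {"requests": 0, "sql_meta": 0, "endpoints": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _method, path = rec
        if not is_low_staff(ts):
            continue
        endpoint, _, query = path.partition("?")
        entry = stats[src]
        entry["requests"] += 1
        entry["endpoints"].add(endpoint)
        if SQL_META.search(unquote(query)):
            entry["sql_meta"] += 1
    return {src: s for src, s in stats.items() if s["requests"] >= min_requests}


def build_sample_log() -> list:
    """Constructed sample: 25 requests from one source on a holiday night that
    differ only in a parameter, a few business-hour requests from a normal user,
    and two weekend requests from another user that stay under the threshold."""
    lines = [
        f"2025-07-01T02:13:{i:02d} 203.0.113.9 GET /records?id=17%27&q={i}"
        for i in range(25)
    ]
    lines += [
        f"2025-07-02T10:00:{i:02d} 198.51.100.4 GET /records?id=17" for i in range(3)
    ]
    lines += ["2025-07-05T23:00:00 192.0.2.7 GET /login",
              "2025-07-05T23:00:30 192.0.2.7 POST /login"]
    return lines


if __name__ == "__main__":
    for src, s in detect_off_hours_bursts(build_sample_log()).items():
        print(f"{src}: {s['requests']} off-hours requests, "
              f"{s['sql_meta']} with SQL metacharacters, endpoints={sorted(s['endpoints'])}")
```

The count and the endpoint set are the primary signal; the metacharacter count is a secondary hint that should raise priority rather than gate the alert, since an enumeration that sticks to benign-looking values would still show up as a burst.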

Notable insights and quotes

  • “If a document is so important that auditors ask for it, it should be front and center.” — on security policy discoverability.
  • Blind SQL injection is essentially asking the database yes/no questions and inferring data bit by bit; it is stealthy and works even when the application never returns query results directly.
  • “I know you want to help. That’s why you’re good at help desk. But if you see anything that might be criminal, call us right away.” — on changing help desk behavior.

Resources mentioned

  • Tanya Janca’s books:
    • Alice and Bob Learn Application Security
    • Alice and Bob Learn Secure Coding
  • Newsletter: newsletter.shehackspurple.ca
  • Tools referenced:
    • Burp Suite (proxy/interception testing)
    • ZAP (OWASP Zed Attack Proxy) — dynamic web scanner

Practical checklist for teams (quick wins)

  • Audit where your security policy and compliance docs live; rename and move so staff can find them quickly.
  • Build and maintain a complete inventory of apps and data stores.
  • Ensure application-level logging is enabled and retained appropriately.
  • Run regular, scoped security scans (e.g., ZAP) and follow a fix-or-accept remediation matrix.
  • Train help desk with 15–20 minute annual sessions: “If you see X, call security.”
  • Encourage CTFs, blameless demos, or red-team exercises to educate devs and motivate fixes.
  • Enforce bandwidth and acceptable use policies, especially for predictable events (e.g., major sports).

Credits

  • Guest: Tanya Janca (SheHacksPurple) — AppSec leader, author, conference speaker.
  • Host: Jack Rhysider (Darknet Diaries).
  • Episode covers practical AppSec lessons, incident response stories, and cultural fixes that convert resistance into collaboration.