The Podcast
11.06.2019
Building Secure Applications with Tanya Janca
About Tanya Janca
Tanya Janca is the co-founder and CEO of Security Sidekick. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #MentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.
Announcer: 
Hello and welcome to Screaming in the Cloud with your host, cloud economist, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


Corey: 
This episode of Screaming in the Cloud has been sponsored by Manifold. Manifold powers marketplace infrastructure that connects millions of developers to the best APIs, tools, and services in the fastest-growing communities and also Kubernetes. They offer a complete toolkit that allows you to deliver your API first product to millions of developers. Check them out at manifold.co. Again, that's manifold.co.


Corey: 
Hello and welcome to Screaming in the Cloud once again. My name is Corey Quinn. I'm joined this week by Tanya Janca who is currently the co-founder and CEO of Security Sidekick. Tanya, thank you for joining us today.


Tanya: 
Thanks for having me, Corey.


Corey: 
So last time we met in person briefly at a conference, as I think we both were sprinting past each other like ships in the night, you were employed at Microsoft doing something that sounded vaguely securityesque. Again, we were sprinting past each other at a conference. Now, you've started your own company, presumably no longer at Microsoft?


Tanya: 
No longer at Microsoft.


Corey: 
Wonderful. So let's start, I guess in that timeline at the beginning. So you started off at Microsoft. First, what org were you in? Microsoft is a big company these days and it turns out that my mental model of the 10 people I know there isn't really a representative sample.


Tanya: 
So, I was a cloud advocate or a developer advocate. And basically, it was my job to create content and get feedback from the community in the industry about what works and what doesn't work to help them change their products so they're what people actually need and want as opposed to what we think they need and want, and then create a ton of content so that people know how to do anything they want to do with it.


Tanya: 
So I specialize in application security and cloud security, so I would create a lot of content about how to create a secure app or how to verify that your app is secure in, for instance, Azure DevOps pipeline.


Corey: 
Yes. Azure DevOps of course being an ill-fated product name and not a thing that one does that is culture-oriented, correct?


Tanya: 
Yes. That's the name of the product. Yeah.


Corey: 
Excellent. I find periodically I have to remind people that that is a product, so if you see it on someone's resume, they're not smacking a bunch of words together. That is the actual name of a product. It's rare that we see a service or product name that is so bad that it can negatively impact someone's career just by mentioning it, but we've done that. Usually, the way to get a higher score I think is to come out with something bigoted.


Tanya: 
Oh, my God. Well, I wasn't in charge of naming anything.


Corey: 
Excellent. No one wants to accept responsibility for those.


Tanya: 
Definitely.


Corey: 
So we have it really?


Tanya: 
No responsibility here.


Corey: 
Exactly. And how long were you at Microsoft for?


Tanya: 
I was there for two years and I cannot tell you how much I learned. There's a lot of people-


Corey: 
That's eight years anywhere else, my God.


Tanya: 
It's basically like a thousand years anywhere else. Like it is... I learned a lot of stuff from a lot of people. It's really cool. So there's a lot of traveling around, speaking at conferences, writing blogs, making videos, things like that. But yeah, I wanted to just start my own company, I guess. You know when you sit down with your manager and they ask where you want to be in three to five years and then you realize it's that you want to work somewhere else. Like even though you're having fun where you are, you're like, "Oh, I want to do even bigger things." And then you tell them and they make that frowny face. They're happy for you, but they're also like, "Oh, that's not where I thought this conversation was going to go."


Corey: 
I've heard this story, but personally, whenever I sat down with my manager, it was always a conversation that started off with, "you know what your problem is," not always from me, not always from them, and it sort of devolved from there. So for me, starting my company was more or less coming down to the fact that I'm unemployable at this point and well, it's either that or starve to death. And other people it turns out have options and the ability to have an employer-employee conversation. I just never excelled at that, but I kind of imagine what it might have been like.


Tanya: 
I do think that I am a little bit hard to manage because I have really big ideas and if a manager says not to do them, I take that as advice, not as a commandment.


Corey: 
I view feedback as one person's opinion and that's fair.


Tanya: 
Mmhm.


Corey: 
Depending on where it's coming from, it has different weights on it. But it turns out that a lot of management types, specifically crappy managers, could frame it as "I have feedback for you," and when you have the response "thank you for your opinion," that is the wrong answer. It just comes down to I think an impedance mismatch sometimes when you have managers who are not great at managing, dealing with people who are, as you say, difficult to manage.


Tanya: 
Yeah. I also think that like management as a whole, because we're getting pretty off topic but just that-


Corey: 
Oh, of course, that's the point of a podcast. We can talk whatever we feel like.


Tanya: 
But there's leaders and there's managers and sometimes they're expecting managers to lead and sometimes they're expecting leaders to manage, and it's not always like those two unique skill sets are in the same person.


Corey: 
Oh, absolutely. In my case though, I found that wow, every manager I had for a while was a jerk. And wait a minute, the only consistent feature here is me. So maybe it's not everyone else's fault. That realization came to me later in life than it should have. But you're right, we are getting slightly off topic.


Corey: 
So you left Microsoft doing the devreloper thing for lack of a better term.


Tanya: 
Mmhm.


Corey: 
And yes, I do call them devrelopers because I have problems. And from there, you decided to start Security Sidekick.


Tanya: 
Yeah.


Corey: 
What did the Security Sidekick do?


Tanya: 
So we do real-time web application and vulnerability inventory and discovery. Let me explain what that means.


Corey: 
Please do.


Tanya: 
Basically, we sit on your network and we're one hop after your DNS. We're an invisible proxy, so everything just goes through us and then we can just recognize, "Oh, that's an API. Oh, that's a web app. Oh, that's a SaaS product." And then we just make a list of them for you. We do a passive scan every single time you visit. So we're like, "Oh, a security header got removed." Or "Oh, you've never had this security header." And so you can actually see all the apps you have and a baseline of what's wrong with them.


Tanya: 
And a lot of people say to me, "Well, isn't inventory kind of boring?" It is. But it's actually one of the most difficult things to get right when you work in an application security engineering role, is that developers do not necessarily tell you when they released a new API and they're like, "Oh, it's number 72." Like they don't care if there's another one that does this slightly different thing. Yes, I do care, and I really want to know. I really, really want to know about every single one of them that's living on our network. Thank you very much.


Corey: 
Yes, and that does have significant value. But something I found when I started my consultancy aimed specifically at fixing AWS bills is that there's a lot of affinity to the security space in cost optimization, where it's easy to wind up dumping the billing equivalent of a Nessus scan on someone. Here's the 8,000 things you can change in your environment and then that rots on the shelf and 95% of them are tiny and no one cares and, oh, do these other few things and you'll cut your bill in half.


Corey: 
You see that with security, too. And this is one of the recurring stories we see in tales of security breaches where when you have tools that identify security problems like this, there's an awful lot of noise and the signal is buried in them where it almost seems that no one implements something, and the only value these tools bring is being able to make headlines after a breach. And well, it was right there in the logs. Why didn't anyone do anything? Ignoring the fact that there was half a terabyte of logs for someone to go through and that was no one's actual direct job responsibility. How does Security Sidekick get around that?


Tanya: 
So we basically just make a list of all of your apps on this dashboard that we've created. And then you can click on the app and it tells you all of the things that we have found wrong with it. And then from there, once you know the app exists or if a new app comes out, we'll alert you. "Oh, by the way, this wasn't previously on your list of things, but did you know it's living on your network?" Right?


Tanya: 
And then you can actually apply your processes to it. You can actually apply your policies to it. Like a lot of places I've worked, we've hired a person to do our application portfolio management, and this very fancy consultant will come in and spend a year or a year and a half interviewing people and asking them which apps they have. But if we could tell you in like 24 or 48 hours, like these are all the apps that people visited that are on your network or in your cloud or wherever it is that's within your domain, oh, okay. So great. Now I actually know what I need to look at. Right?


Tanya: 
I feel like if you can have a complete picture of what you're looking at, you know what I mean? If you're like, "Oh yeah, I have 32 apps and 10 APIs," but then we come in, we're like, "You have 40 apps and you have 25 APIs." Okay, great. So now I can actually look at this up-to-date list instead of some Excel spreadsheet that someone made four years ago that probably only has a third or half of your apps listed on it, and it has some apps that were actually taken offline that they still think exist for some reason. And then you can actually put pipelines around those things. Or you can, you know for instance, we can find... I guess at this point, we're in beta so we can find seven types of vulnerabilities. But we are building that process out.


Tanya: 
But so you have like a list of things that are wrong. Great. If you can see, if you can look at your analytics, like look at the reports we make and say, "Okay, so it turns out we have like a really big problem with doing direct object references in our URLs, like in our URL parameters." So the vulnerability is called IDOR, like an insecure direct object reference. But the idea is in the address bar, it's like bank account number equals one, two, three, four, five, right?


Tanya: 
So if we see that happening a lot, there's clearly like a developer or a group of developers that doesn't see this as a problem. They think it's fine. So then you can make a lunch and learn or address this with you know some training. You can address this with a new... Sorry. You can address this by going to that team and explaining the relevance and why this is important. And then you can try to eliminate classes as a whole because you finally have a complete picture.


Tanya: 
I've worked at a lot of places doing... like I do a lot of consulting and then I also have been an employee for a long time, and basically, like I would come in places and they'd be concentrating on a thing because you know a pen tester came and they could only afford a pen tester like twice a year, let's say. The pen tester would be like, "I found this injection, vulnerability injection. It's the worst thing ever. And it's awful and it is awful injections, bad." But they found one and it turns out in all your apps there was only that one. But what's really problematic is that everyone is doing cross-site scripting in every single possible input field everywhere in every single app.


Tanya: 
And you would actually do better to do a deep dive into cross-site scripting and teach everyone about that and then just address the one injection vulnerability uniquely rather than making everyone sit through training for that, right? Because when you give training and, let's say, you pay a trainer $5,000 to come in and spend a day, everyone's like, "Oh, it was $5,000." "No, it was not." If you had all your developers sitting in a room for an entire day, that probably was $100,000 because developers cost a lot of salary dollars.


Corey: 
Oh, absolutely.


Tanya: 
If you have a room full of them, you're wasting time. And it's condescending too if you're a senior developer and you're like, "Yeah, I know injection inside and out. That was you know a student that we hired or whatever." Right? Like you want to spend your time on the things that matter and if you don't have a complete kind of higher level picture of things, it's harder to decide what you actually want to do with your time and your limited budget.


Corey: 
And it gets worse than that. A lot of times, compliance requirements dictate you have to send people through the same ridiculous training.


Tanya: 
Oh, my gosh. Yes.


Corey: 
And it doesn't add a whole lot of value. It's the, we had to go and check the boxes and the rest. I see the same thing with this being an ongoing challenge where for example, in the world of cost, which is the one I know best, a lot of companies will come at this from a perspective of we want to train all of our engineers, and my response is, "really?" Because most of what they need to know about AWS billing can fit on an index card. You don't need to have a three-day training for every engineer in the building.


Corey: 
Sure. Someone should probably know the nuances in this environment, but that is a far cry from everyone having to think about this all the time. Because in almost every case, people cost more in compensation than they spend in infrastructure.


Tanya: 
Mmhmm.


Corey: 
And it's... You see the same thing when you have all these trainings on all of these different attack vectors. At some point, yeah, you should have every engineer know how to sanitize inputs, but maybe every engineer doesn't need to be a fully qualified pen tester in most companies.


Tanya: 
Oh, my gosh, Corey. There's so much training that I see teams go through. They're like, "Yeah, we're going to get..." I'm not going to name the trainings, but where it's like how to hack some random version of Unix or something. I'm like, I don't need a software development team to know that. I just don't. And so I know hackers are cool and you want to put threes instead of E's in your name or whatever because you want to... Because you saw the movie Hackers and you're very excited.


Tanya: 
It's like, what I actually want you to know is just like our secure coding guideline. I just want you to know these are the security headers I want you to use. You know here's an overview of why. If you want to get deep into it, come to my office, but like please just use these headers and these are the settings I'd like. If those don't work for you, come to my office and we'll talk about what we can do to make sure you get your business things done. Right?


Tanya: 
Like yeah. I feel there's a lot of money to be made in things that are cool and hacking is cool. And just like physical penetration testing, oh my gosh, you do not need the average person to learn that.


Corey: 
Right. It's the reason you can hire specialists who do nothing but this all the time.


Tanya: 
Yeah.


Corey: 
It's strange and I've always felt somewhat aligned with InfoSec [inaudible 00:14:51] folks just from a perspective of no one cares about the AWS bill and no one cares about security until right after they really, really needed to care about both of those things.


Corey: 
It's always a trailing function and there's never a great time to come in in advance and say, "Ah, but if you pay me now, you'll save orders of magnitude more in the future." And the response is generally, "Yeah, but we could also spend that time working on feature development instead, and the company is still in business later." And they're not wrong. They're absolutely not wrong.


Tanya: 
Oh yeah.


Corey: 
It's, there's a spectrum on both of these sides of things where you can be so good at it, you never get anything else done, and then the company dies. It's always a series of trade-offs and I think that that is something that is not always well understood by folks, especially in the C suite where it's, "Oh we just want to be secure, check the box please, and call it good."


Tanya: 
Yes.


Corey: 
There's always going to be tradeoffs. What level of risk are you comfortable with? And having those conversations is always a difficult discussion to have with various stakeholders.


Tanya: 
Yes, I cannot agree with you more, Corey. There's a PCI compliance rule that you have to do continuous security testing and it is not explained what that means. And our tool works in real-time and every time you visit something, it tests it. Right? So we wanted to put continuous security testing, but I have been told that CSOs will literally start crying if we say that word.


Tanya: 
I mean as vendors, all of them apparently are saying that even if it's like you actually have to manually turn on the tool. And so I guess it's the most used word for CSOs at this point and I've been told they're allergic to the word continuous. I should just not use that word at all. I'm like, "Oh, okay, thank you. This is good information to know."


Corey: 
Don't get me started on the obnoxious challenge that seems to be using the same terms again and again, meaning different things. It's, oh, you sweet summer child. Let me explain to you what that term means, you babe swaddled in the cashmere blanket of ignorance. It's always... people use these terms in a bunch of different ways. I mean we see that with the definition of terms like cloud native for example, where everyone has a different definition that just happens to align perfectly with the thing they're selling in another market, but there's no broad consensus.


Tanya: 
Yes. Can I give you like... Since I don't work for a cloud vendor anymore, I'll give you my idea of what cloud native is.


Corey: 
Please do.


Tanya: 
No, don't. Then I was hoping you'd make fun of it after.


Corey: 
Oh, that's for free. If not here then certainly on Twitter.


Tanya: 
Cloud native is the tools made by that vendor for their cloud that they want to sell you. They made it on purpose for their cloud. It's not going to work in the other cloud. Cloud native.


Corey: 
I liked that quite a bit, but what about multi-cloud? Remember, you have to be able to go between cloud vendors seamlessly.


Tanya: 
Hmm.


Corey: 
And effortlessly despite the fact that no one in the history of time has ever done this because if not, we have nothing left to sell you. That's a different definition of cloud native,


Tanya: 
Oh yes.


Corey: 
Which means who has contributed enough money to our foundation.


Tanya: 
Oh, that's such a good point. Yeah. Multi-cloud strategies sound really... Although they're becoming more and more popular, they're very painful looking. Like yeah, it's a lot of tooling that you have to buy that has to get along very well and when you have multiple clouds and you have on-prem and all of these things, how do you keep track of all your stuff and where it is and who's in charge of it and has it been looked at?


Tanya: 
Definitely that like that is a thing we're trying to do and a lot of other vendors are trying to do, trying to actually give you visibility into all the things. I don't know what's going to happen, Corey, when there's like 50 cloud providers or a hundred or 200.


Corey: 
I'm not sure there will be. I feel like we're seeing consolidation in that space. You're going to have the big four for lack of a better term.


Tanya: 
Mm.


Corey: 
Which four I'm talking about is left as an exercise for the reader. But after that you're not going to see much other than the very distant second place folks where they're pushing a strong multi-cloud narrative because if you go all in on one provider, it will certainly not be theirs, and then there's going to be a long tail of specialist folks or small operations that target very specific use cases.


Corey: 
And that in turn is going to be a challenging market. I don't think that we're going to see too much more than that in the platform as a service space. Now, where we will see differentiation is going to be higher level software as a service offerings that solve very specific business problems


Tanya: 
Oh yeah.


Corey: 
That don't fit in a single Lambda function or two. And so therefore, they're no longer a trivial exercise for the reader to solve. Instead, it becomes an actual company.


Corey: 
The example of this that I've loved for a long time is PagerDuty where they will... They've solved for the problem of when a thing breaks, wake me up, and it sounds like an easy thing to build yourself until you try it and realize, wow, we don't route between this many different providers to get to you across multiple paths in the event of any particular piece of infrastructure dying in the way that they do because they've tackled that entire problem space. You're not going to build a better version of that in your weekend's 20% time.


Tanya: 
No, definitely not. There are so many kick-ass SaaS tools coming out. Like I have a friend that's a massage therapist and she was showing me that there's... So I live in Canada and I'm from Ontario and I live in British Columbia now, but there's different rules for massage therapists in different provinces just like in America there's different states.


Tanya: 
And there's a person that has this SaaS tool that I guess like, I don't know how they know all the rules of... Maybe they took massage therapy in school but then also took computer science, but they've made this perfect tool and basically almost every single massage therapist uses it and it's really reasonably priced and it just does every single thing according to like how to book their appointments, how to make sure the taxes are charged correctly, that they you know have a place to put the exact things they have to do to obey all of the rules of their, you know of their certification.


Tanya: 
And she's just like, "Oh, yeah, everyone uses it. Why?" Like there's literally no point, like the amount of effort you'd have to do, and I think he charges like 130 bucks a year. It's like nothing. And then that person has a full-time job based off of that, and it just... you know and you can talk directly to him if there's a problem. She's like, "Oh yeah, he's a dream." And I feel like SaaS is coming out in a way where it's like making people's lives just so much better.


Tanya: 
Could you imagine before something like that,


Corey: 
Oh.


Tanya: 
Like you'd have to install it on your computer and then you know you're a massage therapist, you're really awesome at what you do, but you're not a technologist, right? And it's like, "Oh, but I didn't back it up and then now everything's gone." No. He does that for you. He does everything. SaaS cloud, awesome.


Corey: 
That's... It also has really reduced the level of friction to running businesses. I mean, I can't imagine having to build my own payroll system, for example. I'd pay another company to make that go away.


Tanya: 
Oh, yes.


Corey: 
Every single piece of noncritical in line with what my company actually does, if I can farm that out to someone else, that becomes a terrific story and an uplifting narrative for all of it. Which is interesting coming at this perspective that you are where you're building a SaaS offering that effectively saw, or not necessarily SaaS, but a tooling story


Tanya: 
Yeah.


Corey: 
Around security where your customers need to understand on some level that they're able to outsource work, but they cannot outsource the responsibility. And that's where it feels that companies get wrapped around their own axle.


Tanya: 
Yes. Oh my gosh, Corey. It's so true. Yeah. I feel like a lot of companies don't know where to start in regards to application security because traditionally, we just protected the perimeter and then we just locked everything down inside like enterprise security. No administrative rights for you. No installing stuff on your desktop, et cetera. Right? And then now we have all of these old guard security people where they're really good at intrusion prevention, intrusion detection, things like that.


Tanya: 
But now the weakest point is software, right? That's how if you look at the Verizon breach report, the past three years that they've issued the report, unfortunately, weak application security is like the winner of the cause of the most breaches everywhere, hands down by a landslide every single year, which is bad news, not good news. But like we have all of these people that are slowly coming towards security that are learning about AppSec, but because it's not being taught in schools really, and it just... I guess it's not new, but it is, if that makes sense.


Tanya: 
Like it's been a problem for a while, but just in the past few years, it's become the weak point because like the security industry or InfoSec industry is really kicking ass in regards to protecting the perimeter and they're really kicking ass in regards to enterprise security and discovering threats. But we're not kicking butt yet in regards to securing our software. And yeah, we were hoping to help. That's our goal.


Tanya: 
Basically, I only wanted to join a company if we're going to do something brand new. And my friend Aaron and I just kept going back and forth about what we felt the biggest problems were in our space. And some of the biggest problems are, you know, developer education. So we're going to release, so everything that our tool can find, we're going to release videos for free to everyone about how to fix the thing it found. I don't know if you know, but most apps that companies actually charge you extra if you want to learn how to fix the things that it found, if you want to... [inaudible 00:25:00].


Corey: 
We found these things, we won't tell you how to fix it unless you pay us extra.


Tanya: 
Yeah.


Corey: 
I've always hated the "I know something you don't know, but unless you pay me, I won't tell you what it is" model of pricing.


Tanya: 
Yes. Yes.


Corey: 
I have a tee shirt that I got printed that I love, which says on it quite simply "teach everything you know," and I try to do that myself. I can talk about any particular aspect of the AWS bill for free and I will, but it turns out doing a deep dive analysis on someone and seeing exactly which things apply to their various environments, that's a whole different series of conversations and I'm not doing that for free.


Tanya: 
Yeah. That is a service.


Corey: 
That's where I draw the line.


Tanya: 
Mmhm. But that's you. That's a service, right? So I was saying to Aaron, "Well, okay, so if our tool finds something, I absolutely insist that we're going to teach our customers how to fix the thing that we found. Right?" He's like, "Of course," and I'm like, "And if I'm going to work really hard to like write you know blog posts about it and documentation and videos, it costs us nothing to put it on YouTube and give it away to everyone as opposed to just giving it to our customers." And he's like, "That's a good point." And I'm like, "And then some of those people will see it and maybe they want to be our customers, but for everyone else we'll just have... That means when we surf the internet we'll be safer."


Corey: 
Yeah.


Tanya: 
That's what I want." And so he's like, "I'm in, let's do it." So...


Corey: 
You wouldn't think you'd be asking for a lot, but there you have it.


Tanya: 
I, well I mean part of, I don't know. Part of me wanting to start a company is so that I can do good and that is grammatically correct the way I'm saying it. I want to do good like Superman does good.


Corey: 
Oh, yes. You want to do good and do it well.


Tanya: 
Yeah, exactly. And I feel that one of the things, one of the ways that I could do good is by using my expertise to help the most people possible but without just constantly working for free and being exhausted. Like you were saying, like you know you can share all of the stuff that you know like in a wide range, but if you're going to go into someone's company for the day, you have to charge for your time, right? Because you have a mortgage and bills to pay. So I wanted to calculate ways that I could do good with my life, but still you know pay all the bills. And so this is our compromise. Have you heard of the Effective Altruism movement?


Corey: 
I have not.


Tanya: 
So a whole bunch of computer scientists decided they wanted to perform good and they're like, "but we want to do the most good we possibly can." So for instance, like if you donate you know a can of beans to the food bank, right? That's not as valuable as if you give them the money that you paid for that can, that's more effective. But also you can be infinitely more effective by, for instance, giving $34 to the Anti-Malaria Foundation because then they can buy X number of bed nets for people that live in areas where there's lots of malaria. And then with $34 approximately, you can save a person's life because if you give that money away, on average, one person will not catch or however many people will not catch malaria and one of them that would have died will be avoided. Right?


Tanya: 
And so they've like taken math and statistics and all the information and then they've found a bunch of charities that are the absolutely most effective. And so I am an effective altruist, and so I'm like, "I want to do good, but I want to make sure I do the absolute most good." So yes, I could volunteer to go to the food bank and I could like move cans for them all day, let's say, or drive you know two hours a week delivering food. Right? But I have so much more value that I could deliver to a much bigger audience, if that makes sense. Right?


Tanya: 
So like I mean, as much as I like to think I'm strong and fit and I could definitely carry a whole bunch of canned foods, that's not like the best use of all my skills of how I could help people. And so yeah, I wanted to work that into our company so that I feel good. If that makes sense. Yeah. But if you do... I don't know. Check out the Effective Altruism movement. It's pretty interesting and it's almost like 95% computer scientists and programmers, people who for whatever reason all think the same way. It's like, "Let's tackle this head on."


Tanya: 
Like the Bill and Melinda Gates Foundation would be an excellent example of like effective altruism. Like they look at really big problems as a whole and then attack them strategically as a whole. Like he could just give away all of... or they could just give away all of their money to, I don't know, the food bank as an example, but instead they're trying to tackle like really big systemic problems, and I admire that quite a bit.


Corey: 
It's a common thing that I think people don't tend to fully grasp: where nonprofits can do the most good is with money. They already have optimized, streamlined pipelines for this. That's why for the tee shirt drive for Last Week in AWS, I wound up raising money rather than trying to go in and volunteer at a hospital or something like that. It just turns into the most effective way to start combating these things is to pick a decent nonprofit aimed at the problem and then give them money. I think that's something that people overlook. You don't want to go volunteer at a soup kitchen. They'd rather have money so they can start to build sustainable programs.


Tanya: 
Yes. Unless you have a very, very specific skill set. So let's say, Corey, you were going to go into a hospital and volunteer, but what you did was analyze their billing for their cloud and help them optimize it so they could save money every month from then on. Assuming the cloud or the hospital was so forward-thinking that they were in the cloud, which is unlikely, but let's pretend. Right? Then that would be a thing that you could do that saved them so much money in the future that is even better than the money that you raised. Right? That's another way to do effective altruism, is like if you have a super special skill set.


Corey: 
With the caveat that not as many people do as think they do.


Tanya: 
Yes.


Corey: 
It turns out, for example, that, I don't know, going in to help nonprofits fix their AWS bill, not as big of a problem as you might expect it to be.


Tanya: 
Oh, I had no idea.


Corey: 
I've tried it. And that's the challenge is that it seems that very few nonprofits have a significant spend on these sorts of things compared to other drivers there because of donations and the rest and how they wind up doing things. It's a very different market and I was very surprised by that.


Tanya: 
That's really, really interesting.


Corey: 
Yeah. There are always exceptions to everything, and if you're listening to this and you're one of those exceptions, hi, get in touch. But that's always the weird thing to me, figuring out that the world is never exactly like I expect it to be, but that keeps it fun.


Tanya: 
I definitely could not agree more with that statement, Corey.


Corey: 
So where can people learn more about you and what you're up to? Where can they hunt you down, for lack of a better term?


Tanya: 
Well, you can hunt me down on Twitter, YouTube, Twitch, Medium, dev.to. But basically, if you just look up SheHacksPurple, you're going to find me. Or if you go to my new company's website, securitysidekick.dev. We have a YouTube channel and a Twitter handle, @SecSidekick. And basically, yeah, I am online a lot. If you follow me on Twitter, it's where I announce all my things. I even have a mailing list now. So I'm going to, I'll send you some links after for the podcast notes if you do that.


Corey: 
Excellent. By all means, you can find them in our show notes.


Tanya: 
Thank you. But basically just look up SheHacksPurple and that's going to be me with the purplish hair.


Corey: 
Excellent. Thank you so much for taking the time to speak with me today.


Tanya: 
Thank you so much for having me, Corey. I'm sorry I got so off topic. I'm really passionate about philanthropy and I guess it-


Corey: 
It's an important area.


Tanya: 
It just spills out sometimes. Sorry.


Corey: 
Of course. No apology needed.


Tanya: 
Thank you.


Corey: 
Excellent. Tanya Janca, founder and CEO of Security Sidekick. I'm Corey Quinn. This is Screaming in the Cloud. If you've enjoyed this podcast, please leave it a five star review on iTunes. If you hated this podcast, please leave it a five star review on iTunes.


Announcer: 
This has been this week's episode of Screaming in the Cloud. You can also find more corey@screaminginthecloud.com or wherever fine snark is sold.


Announcer: 
This has been a HumblePod Production. Stay humble.