Skip to main content
DomainTools Announces Predictive Threat Feeds - Powering Preemptive Exposure Management

Zero Trust, Secure Coding & Developer Incentives: Tanya Janca on AppSec’s Biggest Challenges

Published on: 
February 12, 2025
iTunes
SoundCloud
Spotify
RSS

In this special episode of Breaking Badness, we reunite with cybersecurity expert Tanya Janca to discuss her latest book, Alice and Bob Learn Secure Coding. Tanya brings her signature blend of expertise, humor, and real-world experience to explore why security is often overlooked in software development—and what needs to change.

We explore:

  • Zero Trust: Why software needs to be designed with skepticism, inspired by how panthers behave in the wild.
  • Patching & Dependencies: Why blindly updating dependencies isn't always the best security practice.
  • Developer Incentives: How workplace culture shapes security priorities—and why the current system often fails.
  • Her New Book: How Alice and Bob Learn Secure Coding can help developers elevate their careers.

Tanya also shares fascinating personal experiences—from detecting a Christmas Day
cyberattack to navigating plagiarism in the cybersecurity world.

Get Tanya's book here: https://shehackspurple.ca/books/

Zero Trust: What Can We Learn from Panthers? 

One of the standout moments in the conversation is Tanya’s analogy comparing zero-trust security to how panthers operate in the wild. 

“Panthers are zero trust. If they see another panther, they’re like, ‘We’re going to make a baby panther, or I’m going to kill you.’” 

Unlike humans, who instinctively trust each other (and our software systems) without questioning, panthers assume danger at every turn. Tanya emphasizes that the same level of skepticism should be applied in software design. 

Instead of blindly assuming APIs, front-end interfaces, and external data sources are secure, developers should validate every step: 

  1. Is the data itself trustworthy?
  2. Is the API request from a legitimate source? 
  3. Is the user authorized to access the requested data? 

The Problem with Patching: Why Developers Can’t Just "Fix It Late 

A major theme of the episode is how organizations approach security fixes. Tanya highlights a common misconception: that security can always be “patched” after release. 

"We can’t just patch our way out of bad security habits." 

She introduces the concept of "reachability analysis", which helps teams determine if a security vulnerability actually poses a risk. Instead of updating every dependency blindly, developers should: 

  • Analyze whether the vulnerable function is even used in their code. 
  • Prioritize high-risk dependencies over low-risk ones. 
  • Use automated tools like Snyk, Dependency-Check, or OWASP Dependency-Track to assess vulnerabilities. 

Developer Incentives: Why Security Isn’t a Priority (And How to Fix It) 

Tanya also calls out a systemic issue in software development: developers aren’t rewarded for prioritizing security. 

“Developers get promoted for shipping features, not for fixing security bugs. So what do you think they’re going to focus on?” 

She argues that the corporate culture in many companies incentivizes risky behavior: 

  • Feature releases = recognition & promotions
  • Fixing security bugs = no one complains (but no rewards either)

To change this, security teams need to align security goals with business priorities. Some ideas include: 

  • Establishing Security Champions program
  • Making security fixes a KPI for developer 
  • Including security efforts in performance review 

How Developers Can Improve Their Security Mindset 

Before wrapping up, Tanya shares one critical takeaway for developers: 

"If you learn only one thing, it should be to validate everything before you proceed with the rest of the logic in your app." 

Security starts with questioning assumptions and proactively defending against threats. By integrating secure coding from the start, developers can: 

  • Stand out in their careers as security-conscious developers.
  • Reduce the number of vulnerabilities they introduce. 
  • Avoid costly security patches post-release. 

Watch on YouTube

That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!

Heading

Login
Contact
Support
Request a Demo