Tanya Janca on application security in 2025 and beyond
SecureNation
Tanya Janca is one of the most important thought leaders in the area of application security. For the sake of transparency, we’re both in Tribe of Hackers and we’re friends. But even if I didn’t know her well, I’d want to pick her brain from time to time when it comes to the state of application security.
A few years ago, she wrote Alice and Bob Learn Application Security, which is a very accessible introduction to the topic for anyone. She is currently both the Head of Education and Community at Semgrep, and she continues to work as a secure coding trainer at her own She Hacks Purple business. Her sequel book, Alice and Bob Learn Secure Coding, is coming out in February. I preordered my copy!
I asked her, “What are the biggest challenges in application security today?”
Janca: “Right now, in application security we are facing both new and old challenges. Newer challenges include people misusing artificial intelligence, all the different tool makers changing things around on us such that we’re not sure what to buy anymore, and shrinking budgets due to the economic downturn. But we’re still facing all the old challenges as well: finding qualified people to do the work that we need done, finding tools that software developers don’t mind using, threat actors becoming more advanced all the time, secure coding and other core security essentials not being taught in universities and colleges, APIs being left unsecured, and for that matter all sorts of new technologies not being secured properly. It’s frustrating to see old problems still active; however, I do feel that there are quite a few improvements as well.”
I asked, “Are bug bounty programs worth giving a try?”
Janca: “I do think that it is worth trying a bug bounty program, assuming a few things. First of all, you need to already have a good application security program, and have addressed all of its current concerns with your system. There is no point in hiring a bunch of super brilliant security researchers to test your system to find things that you already know are wrong with it. You also need to ensure that you have software development time and resources to fix all of the things that they are going to find. You will need someone, or an entire team of people, to do the triage of the tons of reports that you are going to receive. You can hire companies that can help you do this, but either way, it is a lot of work to do. I would also only want to do a bounty program if I felt that I needed a high level of security assurance; it’s not worth doing for an app that doesn’t really need that much security on it.
I would say that, lastly, if you have not run one of these programs before, it might make a lot of sense to hire a company to help you with this. I feel that a lot of companies that start a bug bounty program think that it’s going to be like running an AppSec program, but it is very different. As my friend Katie Moussouris says, it’s like someone that’s really good at cooking who wants to open a restaurant. Being a great cook isn’t enough. Companies like hers teach you how to run a restaurant. If you don’t have anyone with experience to help you run it at first, you might overspend and under deliver. It’s a serious risk, so study up or get help before you dive in, and make sure you’re ready!”
I asked, “How can a software development company deploy effective application security practices?”
Janca: “This is a huge question! I would say that they need to develop an application security program, tell everyone about it, train everyone on it, and then enforce it with policy. That is obviously a gigantic simplification. My next book comes out in February, ‘Alice and Bob Learn Secure Coding’, and in it I give a long list of different activities that you can add to your system development lifecycle in order to make it a secure system development lifecycle. In my opinion, if you add one (or more!) security activity to each phase of the system development lifecycle, you will release significantly more secure software than if you do not.
For instance, adding security requirements to the requirements phase, adding a threat model to the design phase, adding a secure coding tool to your IDE during the coding phase or getting training or both, adding multiple types of security testing during the testing phase, adding monitoring, logging, alerts, and incident response to the maintenance phase, etc. I could talk about this literally all day. In fact, I wrote a book about it and made several free online courses about it. If people aren’t sure where to start, a good place is either buying my first book, ‘Alice and Bob Learn Application Security’, or taking my free online courses within Semgrep Academy, called ‘Application Security Foundations’. They help you build an application security program from scratch, or update the one that you currently have so that it’s better for you and your teams.
Thank you for having me Kim!”
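To make two of the per-phase activities Janca lists concrete (a secure coding fix during the coding phase, and a security test during the testing phase), here is an added example written for this page; it is not code from the interview, from her books, or from Semgrep. It shows a deliberately unsafe SQL lookup beside its parameterized fix, and a check that runs both against a typical injection payload so the difference can be asserted in a test suite rather than only described. The table, the three accounts, and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the interview): three fake accounts.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# A classic payload a bounty researcher or a security test would try first.
INJECTION_PAYLOAD = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Lookup built by string formatting: the input becomes part of the SQL.

    Kept deliberately unsafe as the 'before' of the fix; never ship this.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def security_regression_check():
    """Run both lookups against a normal input and the injection payload.

    Returns the row counts so a test can assert that the unsafe version leaks
    every account on the payload while the fixed version returns nothing.
    """
    conn = make_db()
    results = {
        "vuln_normal": len(find_user_vulnerable(conn, "alice")),
        "vuln_injected": len(find_user_vulnerable(conn, INJECTION_PAYLOAD)),
        "fixed_normal": len(find_user_fixed(conn, "alice")),
        "fixed_injected": len(find_user_fixed(conn, INJECTION_PAYLOAD)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in security_regression_check().items():
        print(f"{name}: {count} row(s)")
```

Dropped into a project's test suite, the assertion on `fixed_injected` is the kind of security regression test that stays behind after a pentest or bounty report is closed, which is what keeps the same finding from being paid for twice.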
Happy New Year, everyone!