Click here for full interview.
In this show, we speak with Tanya Janca, aka SheHacksPurple, a renowned code security trainer with nearly 30 years of experience in application development, engineering, and testing. In the past, she’s worked in counterterrorism for the Canadian government and as chief security officer for the federal election in Canada. When she was coding in the early days, she also moonlighted as a musician and comedian, skills she draws on to make her courses entertaining.
And she’s just released her latest book, Alice and Bob Learn Secure Coding. In Chapter 6, she writes that almost everything is built on C and C++, followed by JavaScript and Java. She also covers many other languages, but the truth of the matter is, most of today’s embedded and legacy systems supporting our infrastructure are indeed C-based.
“C is not Web. C is embedded and everything else under the sun. The Internet came later. If you look around your house, a smart thermostat is probably programmed in C. Just look around your office,” she says.
So, in this show, she explains how that trend will continue because of the versatility and flexibility that C languages offer developers, even though C languages are known for memory safety issues. We also go over the risks introduced by C languages, along with best practices for developers … and top mistakes to avoid.
In terms of memory safety risks in C languages, she calls out numerous vulnerabilities that coders should watch out for: Buffer overflows, string overflows, heap overflows, integer overflows, off-by-one errors, and more.
“A lot of what I preach in the book is about being intentional,” she notes. “There are lots of functions we maybe shouldn’t use anymore. Static analysis tools—my favorite kind has an IDE (integrated development environment) plug-in running all the time—are very helpful for training. They ask a developer, ‘Are you sure you should be using this function? This other one would be nicer.’”
She also explains some of her awards, like Hacker of the Year. “I was really surprised I won. Although I did some hacking, I’m like the cuddly AppSec person who helps you make more secure apps. Yes, I do smash things sometimes because that’s part of the job.”
Tune in here for the full interview.
Resources:
- Amazon link to both of Tanya’s books
- Robert Seacord’s book Secure Coding in C and C++
- SEI CERT++ Coding Standard
- Shehackspurple.ca – in-person training for developer teams
- academy.semgrep.dev includes free secure coding courses acquired from Tanya’s company
- Integrating SAST into the SDLC
- Integrating SAST with VS Code and Dev Containers
