Dialogue Series

How Building Community Strengthens the Application Security Industry

by

Saying “there’s an app for that” ten years ago was a cheeky novelty. Nowadays, it’s a foregone conclusion. Applications have become ubiquitous, driving massive growth in the tech sector and making our lives easier in just about every way. The meteoric rise of cloud-native computing – making the development and delivery of applications faster and easier than ever before – is further confirmation of just how prolific applications have become within our online environments.

But the rise of cloud-native applications has ushered in an inevitable rise in cyberattacks and security threats. A recent Akamai study found that web application and API attacks skyrocketed 300% in 2022 compared with the previous year. Since applications are now responsible for so much of our daily lives, these attacks can be devastating – and sometimes life-threatening.

As a long-time AppSec professional, teacher, author, and founder of the application security community We Hack Purple, I know it’s impossible to overstate the importance of keeping applications secure. I also know that working in the application security industry is challenging but rewarding — and that becoming involved in and fostering AppSec communities helps strengthen the industry (and by proxy, the outside world) even more.

In this episode of DevSecTalks, I met with host Steve Giguere to chat about my community development and education efforts through We Hack Purple, as well as the value of community and mentorship for AppSec professionals.

Why Building Application Security Communities Is So Important

I’ve always been a huge believer in the power of community – both in private and professional life. When we come together over shared goals and interests to trade knowledge, encouragement, and ideas, everyone wins. Counting the ways community has helped both my peers and me over the years proves something I’ve long known: working together works.

Building relationships and becoming part of a community is especially important in the small but mighty world of application security. As GitHub recently noted, web application security professionals are outnumbered roughly 500-to-1 by developers, and our work is critically important. We need spaces to come together, learn from each other, and crowdsource solutions that make the online world safer.

This need for community in application security is one of the reasons I’m so intensely proud of We Hack Purple. When the organization was started, it was initially what I now call ‘the Tanya Show’. It was a place to host my application security classes and blog posts – but thankfully, it quickly grew into so much more. Now, We Hack Purple boasts more than 6,300 AppSec professionals from all over the world, and although I might be a little biased, it has become my favorite place on the internet.

Growing something from nothing has given me some insights into why community is so key for application security professionals. Although the true number of benefits that community provides to our industry is much higher, I’ve identified three main ways community hubs like We Hack Purple strengthen our industry and the people who work in it.

  1. Community Empowers and Elevates AppSec Professionals
    Communities like We Hack Purple give people a safe, supportive, and positive place to be themselves around their peers, ask questions, and grow professionally. It can be hard to quantify “empowerment,” as a general concept, but I’ll offer up an example.

    As members of the We Hack Purple community, AppSec professionals have access to others in their industry with varying degrees of expertise and experience. One way we help our members grow professionally is by providing them with an opportunity to give their first-ever presentation to a group of their peers. They get feedback and even 1-on-1 coaching if they need it – helping them feel more confident and empowered when they share their knowledge and ideas with the larger community.

    I’m also extremely passionate about the role that female voices can play in the AppSec industry, and I’ve learned that community is one of the best ways to provide women with opportunities they might otherwise not have access to.

    I had the privilege of starting the international non-profit WoSec (Women of Security), and now have the pleasure of being a part of the Forte Group, a community of more than 100 women working as security industry CISOs, CEOs, and startup founders. Together, we mentor one another, meet regularly, and advocate for women in the AppSec space. We work to make sure qualified women are represented at industry events and in AppSec conversations to foster and support our female peers.

    I’m a firm believer that if you’re going to work hard to open the door for yourself, you should hold it open for others. Community provides the perfect opportunity to do this for women in my industry.

    Making AppSec professionals feel safe and empowered is also key to promoting diversity and inclusion in the industry. It’s no secret that everyone benefits from a diverse range of peers and perspectives, but it’s hard to share those perspectives if you feel unsafe, unwelcome, or uncomfortable. That’s why at We Hack Purple we have a strict code of conduct with over 20 moderators working to make sure everyone feels safe and that conversations remain constructive and professional.

    Empowering AppSec professionals has tangible benefits. As the Harvard Business Review astutely notes, “empowered employees are more likely to be powerful, confident individuals, who are committed to meaningful goals and demonstrate initiative and creativity to achieve them.” In an industry as important as application security, powerful and confident individuals can make a huge difference.
  2. Community Helps AppSec Professionals Work Together to Find Solutions
    Working alone on tough security challenges can be daunting – application security problems can be technical and high stakes, which makes for stressful situations.

    When you connect with a community of experts, though, you gain access to a huge amount of knowledge and experience that you can leverage to solve problems. You may find the information you need in a blog post from an AppSec leader or through an online course recommended to you by a peer. Most importantly, you can directly tap your peers to help with pressing issues.

    On the We Hack Purple community forums, we keep an ‘ask anything’ corner open. Here, community members post their questions or problems to crowdsource an answer. Invariably, I watch as members submit questions and the community swoops in with suggestions, solutions, and technical advice that would otherwise have been difficult to access. In doing so, the members aren’t just strengthening the We Hack Purple community — they’re strengthening the application security sector as a whole.

    Another powerful way that community helps us work together is through opportunities for mentorship. When I started a mentorship program at OWASP, I had no idea that my first four mentees would all become powerful AppSec industry professionals. Watching them grow has been one of the most rewarding experiences of my career.

    I’m a huge proponent of mentorships, and every Monday since 2018 (yes, even Christmas) I facilitate #CyberMentoringMonday threads on Twitter, helping to identify and connect mentors and mentees. We know mentorship works: Gartner found that mentees are promoted five times more often than those not in a mentoring program. In my mind, a strong community builds strong mentor relationships, and strong mentorship opportunities build a strong application security industry.
  3. Community Facilitates Application Security Education
    We’re never done learning – especially where application security is involved! Access to education is one of the main factors in the success of the application security industry. A recent survey from BeyondSecurity discovered that “a lack of skilled personnel” remains the number one issue organizations face in their efforts to halt security threats to applications.

    While it’s true that we need more application security professionals, we have an eager base of AppSec workers who can become AppSec experts – and that’s where the support of our communities comes in. Supporting and educating the next generation of application security experts should always be a top priority because it plays a huge role in shaping the future of the industry – and in keeping the internet safe.

    The We Hack Purple Community exists to do just that, by bridging the gap between open positions and qualified AppSec professionals. Its academy offers application security classes that range from introductory to more advanced and in-depth offerings. The Academy also partners with application security organizations to produce free classes that are available to all community members. Members are encouraged to create courses, blog posts, and other educational content, as well as partake in personalized coaching and even mentorships.

    It’s also important to make sure that everyone has access to the courses and educational offerings that communities provide. As I noted, we need more diversity in the application security industry, and community plays a role in making that happen. That’s why We Hack Purple has worked through the problem of access and diversity by offering scholarships to all our online classes. At last count, more than 70% of the scholarships have been awarded to women of color, whose perspectives, experiences, and knowledge are desperately needed in AppSec.

Help Create Community With We Hack Purple

The role of community in AppSec is crucial and will continue to be so as the application security industry grows. I’m proud of the community we’ve built and the ways we’re working together to create a more secure future.

The strength of We Hack Purple comes from its amazing members, and we’re always looking for more dedicated AppSec professionals to join us!

For more on We Hack Purple, and to hear why I think promoting women in AppSec is so important, be sure to tune in to my full conversation on the DevSecTalks YouTube channel.

Did you enjoy this episode of DevSecTalks? Tune in to our other sessions to hear from more DevSec industry experts who are building the future of cloud security.