The Security Expert Speaks: Tanya Janca on Learning to Code Securely
Release Date: 01/24/2025
The Modern .NET Show
RJJ Software's Software Development Service
This episode of The Modern .NET Show is supported, in part, by RJJ Software's Podcasting Services. Whether your company is looking to elevate its UK operations or reshape its US strategy, we can provide tailored solutions that exceed expectations.
Show Notes
"From the very first lesson of "Hello, World" they teach us to make insecure code. So the first thing with "Hello, World" is how to output to the screen. That is fine. But the second part of "Hello, World" is: you ask them their name, you take their name, you don't validate it, and then you say "Hello," and you reflect their name back onto the screen with no output encoding. And then you just made cross-site scripting. And right from the very first lesson, we teach everyone wrong in pretty much every language, and so as a result we end up with a lot of people doing code the wrong way. Like, universities are still teaching lots of things wrong. And so I'm hoping that this book will help."— Tanya Janca
Welcome friends to The Modern .NET Show; the premier .NET podcast, focusing entirely on the knowledge, tools, and frameworks that all .NET developers should have in their toolbox. We are the go-to podcast for .NET developers worldwide, and I am not your host: Jamie. I'm Delilah and I will be recording the intro for this episode because Jamie's throat infection returned, making it tough for him to record this intro.
In this episode, we welcomed Tanya Janca back to the show. This conversation marks her third appearance on the show, and a slight change in focus to Secure Coding. We talk about how developers are taught to write insecure code from day one (or "Hello, World!"), about how her new book "Alice and Bob Learn Secure Coding" could help with that, the many hours of free education and learning that Tanya has created alongside the book, and how both data scientists and academics approach software development differently to some of us developers.
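The "Hello, World" problem Tanya describes, shown in C# as an added example that is not from the episode or from her book: a name taken from the user is echoed straight into HTML (the reflected cross-site scripting she mentions), beside the same page built with output encoding. The class and method names and the sample input are constructed for this illustration; `System.Net.WebUtility.HtmlEncode` is the real .NET API used for the encoded version.

```csharp
// Added example (not from the episode or the book): the textbook "Hello, World"
// that reflects a user-supplied name into HTML, next to the encoded version.
// HelloWorldPage, RenderUnsafe and RenderEncoded are names made up for this example.
using System;
using System.Net;

static class HelloWorldPage
{
    // The lesson as usually taught: the name is concatenated straight into markup.
    // Any HTML in the name (tags, event handlers) becomes live content in the browser.
    public static string RenderUnsafe(string name) =>
        $"<p>Hello, {name}!</p>";

    // The corrected version: output encoding for the HTML text context.
    // WebUtility.HtmlEncode turns < > & " ' into entities, so the browser
    // displays the name as literal text instead of interpreting it as markup.
    public static string RenderEncoded(string name) =>
        $"<p>Hello, {WebUtility.HtmlEncode(name)}!</p>";

    public static void Main()
    {
        // Constructed sample input standing in for what a request might carry.
        string nameFromRequest = "Bob <script>alert(1)</script>";

        Console.WriteLine("Unencoded: " + RenderUnsafe(nameFromRequest));
        Console.WriteLine("Encoded:   " + RenderEncoded(nameFromRequest));
    }
}
```

Two practical notes on the encoded version. First, Razor views in ASP.NET Core already apply this encoding for `@name` expressions, so the vulnerable pattern usually appears where developers build HTML strings by hand or call `Html.Raw`. Second, `HtmlEncode` is correct only for the HTML body context shown here; a value placed inside an attribute, a `<script>` block, or a URL needs the encoder for that context (`System.Text.Encodings.Web` provides `HtmlEncoder`, `JavaScriptEncoder` and `UrlEncoder`), which is the distinction the Content-Security-Policy Trusted Types link in the show notes ultimately backs up at the browser level.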
"There are so many amazing security features in .NET. There's so many. Like, because I... I wrote about eight different frameworks and .NET by far had the absolute most different security features. And part of it, some of them are from Windows. Some of them are from C... because I wrote about C# and .NET. And to be quite honest, audience, I mixed them up quite a bit because, "what is specifically C#, and what is specifically .NET," got a bit confused in my brain. But I'm like, all of it's good. Do all of it."— Tanya Janca
Anyway, without further ado, let's sit back, open up a terminal, type in `dotnet new podcast` and we'll dive into the core of Modern .NET.
My voice was created using Generative AI.
Supporting the Show
If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show.
Full Show Notes
The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-7/the-security-expert-speaks-tanya-janca-on-learning-to-code-securely/
Tanya's Previous Appearances:
- Episode 77 - Application Security with Tanya Janca
- Episode 105 - More Application Security with Tanya Janca
Useful Links
- Tanya's books
- Tanya's newsletter
- Hello, World
- Don't Accept The Defaults
- Semgrep
- Okta
- Pushing Left, Like a Boss: Part 1
- OWASP
- DAST (Dynamic Application Security Testing)
- SAST (Static Application Security Testing)
- Semgrep Academy (previously known as WeHackPurple Academy)
- Application Security Foundations Level 1
- OWASP Juice Shop
- OwaspHeaders.Core
- OWASP Top Ten
- Content-Security-Policy Trusted Types
- Jason Haddix
- Retrieval-Augmented Generation (aka RAG)
- Posting Malicious Code as an Answer
Supporting the show:
Getting in Touch:
Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend.
And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch.
You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.