DevSec Station

Tanya Janca | SheHacksPurple

DevSec Station is a security focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.

Episodes

  1. Secrets Management: Stop Playing Whack-a-Mole

    12 h ago

    If you've ever committed an API key, password, token, certificate, or other secret to a repository, you're not alone. Most secret leaks don't happen because developers don't care about security. They happen because the easiest place to put a secret is inside the code that uses it. This episode is sponsored by Maze.

    In this episode of DevSec Station, Tanya Janca explains why secrets leak, why "just be careful" isn't an effective security strategy, and how developers can stop playing whack-a-mole with exposed credentials. You'll learn why secrets belong outside of source control, how secret scanning can help you find problems before attackers do, and what practical steps you can take to improve your workflow today.

    You'll learn:
    • why repositories are terrible places to store secrets
    • how leaked secrets are discovered and exploited
    • why secret leaks are a workflow problem, not a developer problem
    • the difference between reacting to leaks and preventing them
    • how secrets management tools reduce risk and operational headaches

    Tanya walks through a realistic example of how a secret accidentally makes its way into source control, what happens next, and how teams end up trapped in a cycle of rotating credentials and cleaning up incidents. She also shares a practical, developer-friendly process for finding and fixing exposed secrets before they become bigger problems.

    One practical action from this episode: Run a secrets scanner against every repository you actively work on. If you find a real secret:
    • rotate it immediately
    • move it into a secrets management solution
    • update the code so the secret is retrieved securely at runtime

    And if your team doesn't have a secrets management tool yet, make the business case for one.

    DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

    Follow Tanya:
    • https://shehackspurple.ca
    • https://youtube.com/@shehackspurple
    • https://linkedin.com/in/tanya-janca
    • https://tanyajanca.com

    This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze https://mazehq.com/devsec

    7 min
  2. Supply Chain Is More Than Just Dependencies

    4 Jun

    Most developers think software supply chain security starts and ends with dependencies. But modern supply chain attacks don't stop there. Attackers look for paths into your software, and those paths often run through developers, CI/CD systems, build tools, deployment pipelines, and other trusted parts of the software delivery process. This episode is sponsored by Maze.

    In this episode of DevSec Station, Tanya Janca explains why the software supply chain is much bigger than libraries and packages, how modern attacks move through trusted systems, and what developers can do to better understand and protect the paths their software travels before it reaches production.

    You'll learn:
    • why dependencies are only one part of the supply chain
    • how attackers move through trusted developer tooling and processes
    • what "influence" means in a software supply chain context
    • why supply chain attacks often appear normal until it's too late
    • how to identify and protect the paths that affect your software

    Tanya walks through a realistic supply chain attack scenario where no application vulnerability is exploited directly. Instead, an attacker compromises a trusted part of the software delivery process and uses it to influence what gets built and deployed.

    DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software.

    Follow Tanya:
    • https://shehackspurple.ca
    • https://youtube.com/@shehackspurple
    • https://linkedin.com/in/tanya-janca

    This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze https://mazehq.com/devsec

    7 min
  3. Malicious Dependencies Aren’t an Accident

    21 May

    Malicious dependencies are not accidents. They are often intentionally designed to look trustworthy so developers install them without hesitation. In this episode of DevSec Station, Tanya Janca explains how attackers use typosquatting, dependency confusion, fake packages, and even AI-generated recommendations to compromise developer environments and steal credentials. This episode is sponsored by Maze.

    You'll learn:
    • how malicious packages trick developers
    • why dependency attacks work so well
    • how attackers abuse trust and speed
    • why "just be careful" is not an effective defense
    • practical ways to add safer guardrails to your development workflow

    Tanya walks through a realistic example of a dependency stealing AWS credentials, explains why this is a workflow problem instead of a developer failure, and shares practical steps you can take immediately to reduce risk in your own projects.

    One practical action from this episode: Require new dependencies to go through pull request review, and add lightweight checks that help your team verify package names and sources before installation.

    DevSec Station is a podcast by Tanya Janca, focused on short, practical lessons that help software developers build more secure software.

    Follow Tanya:
    • https://shehackspurple.ca
    • https://newsletter.shehackspurple.ca
    • https://linkedin.com/in/tanya-janca
    • https://www.youtube.com/shehackspurple
    • https://TanyaJanca.com

    This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze https://mazehq.com/devsec

    8 min
