SheHacksPurple: July 2025
I'm off to hot, hot Vegas
The SheHacksPurple Nerd-a-licious Newsletter
💜 Hit ‘reply’ to send me a message or give me feedback! I read every response and love hearing from you. 💜
Hello my friends! As you may know, I am travelling to hot, hot Las Vegas for ‘Hacker Summer Camp’ the first week of August. I have published my complete schedule here, as well as several of the events below. If you will be around, I would love to meet up with you at one of the events I will be at! Also, Semgrep is planning a scavenger hunt and several more events, and the details for the hunt will be up here shortly.
More news: I have created a petition to ask the Canadian Public Service (Canada’s government) to adopt my secure coding policy for all governmental custom software. I believe that the software that runs our country is critical infrastructure, and that we are not currently adequately protecting it. If you are a Canadian Citizen, please consider signing and/or sharing it with others. Once I have enough signatures, I am hoping that I can get an MP to support another petition to the House of Commons. If I receive 500 signatures on that, then I will be able to address the government directly with my concerns and proposed solutions. Wish me luck, I certainly need it!
I was asked for some content on threat modelling last month. I haven’t had time to make something yet, but I want you to know I’m on it and I’m going to write a blog or something for the next newsletter. Please keep the ideas coming!
Thank you so much for subscribing, I really appreciate you!
Tanya
Automate the Champion program your devs actually want to be part of.
Managing a Champion program shouldn't feel like a second job. Katilyst automates the hard parts: reward devs in JIRA when they fix vulns, celebrate milestones in Slack and Teams, and track everything with real-time metrics. Want Ninja Belts? Leaderboards? Custom badges? Go wild! Need help designing the whole thing? We’ve got that too. Our services team can co-run your rollout, host live events, and tune your program to fit your culture.
New Content!
I interviewed Kim Wuyts for a Semgrep fireside chat called Privacy by Design: Making Threat Modeling Work for Data Protection, and it was super fun!
I interviewed my friend Yabing Wang, the VP, CISO and CIO of JustWorks, about Real-World AppSec: What Actually Works in Practice, for a Semgrep fireside chat.
A video of my presentation, Artificial Risks: AI, Games, and Threats
Is my new petition considered content? You be the judge.
Events!
July 30th, 8:00 am PST, 30 Tips for Secure JavaScript with Wild West Hackin’ Fest Community, free! Virtual
August 4, 2025, Diana Initiative, Vegas, NV, USA, in person, my talk is at 10:30 in track 1
August 5, Black Hat Financial Services Summit, my panel is at 9:55 am, “Inside Risk: Managing the Growing Threat from Within”
August 5, 6-9 pm: Omega Mart event with Semgrep! Come hang out with us and see Meow Wolf and more! This event is free!
Aug 6, 8:00 am to 10:00 am, Coffee meetup with me, and I’m paying for the coffee! Show up at the Starbucks in Mandalay Bay, next to the food court (map here), and I will be in line or chatting, and will happily buy you a fancy coffee!
August 6, 12-1:00 pm, Book Signing with Semgrep! Free books! Booth 5221
August 6, 2-3 pm: Book Signing at ReversingLabs booth at Black Hat, in person, Booth 3261
Thursday August 7, 8:00 - 10:00 am, Black Hat Women In Security Breakfast with The Forte Group! In person, free, meet lots of other women!
August 7, 2:30-3:30 pm, Book Signing #2 with Semgrep! Free books! Booth 5221
Friday Aug 8, 1:40 pm, My talk at the Def Con AppSec Village: The AppSec Poverty Line: Minimal Viable Security
Aug 8, 3:40 pm, My talk for the Policy Village, on the Creator’s stage, “Secure Code Is Critical Infrastructure- Hacking Policy for the Public Good”
Saturday August 9, 10:00 am to 12:00 pm, inside Def Con, at the OWASP Community Room: Building Better Security Champions Workshop with Stanley Harris of Katilyst. You need a Def Con ticket to get into the workshop, and you need to register for the workshop in advance.
August 9, 3:40 pm: AppSec Village, I will be on a panel, ‘State of (Absolute) AppSec’ with Jason Haddix, Seth Law, and Ken Johnson!
***** Even more events in Vegas that I will be at in this official schedule.
Sept 10 and 11 2025, GoSec in Montreal, Quebec, Canada
Sept 19th, half day, live, virtual, Antisyphon Training Workshop: The OWASP API Security Top Ten 2023 with Tanya Janca, $25-$150 sliding scale
Sept 30-Oct 2 - SecTor Conference in Toronto, Canada! In person!
October 9-10, Wild West Hackin’ Fest - Deadwood, virtual talk!
November 5, 2025 OWASP 2025 Global AppSec USA (Washington, DC), My training is $850, 1-Day Training: API Security: Hands-On Secure API Design & Hardening
Nov 6-7, 2025 OWASP 2025 Global AppSec USA DC, waiting to see if one of my talks is accepted, but either way I will be there as I get a free ticket for being a trainer.
December 1-2, Training Session at NDC Manchester, AI & Security Secure Coding & API Hardening: Hands-On Secure Design, Development, and Threat Modelling
December 3-4, NDC Manchester, AI & Security, Manchester, UK, I will be giving TWO talks!
Feb 10-13, 2026 - Wild West Hackin’ Fest - Mile High, I will be giving training and also a talk! In person!
Random Topics Go Here
October is just around the corner, and with it comes Security Awareness Month. I’m curious—do you do anything for it? Is it something you look forward to, or do you try your best to ignore it? Do you find it helpful, fun, a good reminder—or is it just noise?
Whether you’re planning games, phishing simulations, training, or nothing at all, I’d love to hear what’s on your radar. Hit reply and share your thoughts!
We end with a meme.

At least it’s not Waterfail!