SheHacksPurple: June

I joined a non-profit board, go me!

The SheHacksPurple Nerd-a-licious Newsletter

💜 Hit ‘reply’ to send me a message or give me feedback! I read every response and love hearing from you. 💜 

Hello

I joined the board for The Forte Group, an advocacy and education non-profit organization that focuses on women in cyber. I’m a founding member, we started in 2020, and I decided it was time to step up and help more. I will be leading their community efforts. I suspect that my choice of how I will contribute to the board is not a surprise to anyone. :-D

I will be heading down to ‘Hacker Summer Camp’ in August, in Las Vegas, USA, to speak at The Diana Initiative, as well as the following villages at Def Con: AppSec Village, Policy Village, and the OWASP room. I plan to publish my schedule just like I did last year, and will also do at least 2 book signings at Black Hat (one with Reversing Labs and another with Semgrep).

Automate Like the AppSec wizard you are.

Still debugging the same glue scripts? Jenkins judging you silently? Smithy.security can help, SaaS or On-Prem. It lets you automate your AppSec workflows without reinventing the CI/CD wheel. Write once, reuse forever without copy-pasting bash pipelines. Use it to run tools exactly when and where you want. Chain actions like “scan --> find false positives --> fix --> open PR --> send polite Slack”. Build custom workflows with code you actually want to maintain. Plug into anything: GitHub, Jira, Jenkins, a haunted Perl script, we don’t judge. It’s like giving your AppSec team an extra pair of hands (that never take PTO).

New Content!

  • I interviewed the most charming security professional I know, Laura Bell Main, about secure coding, AppSec, teaching, and gardening on my latest Semgrep webinar. Oh my gosh she had me in a fit of giggles!

  • Semgrep Interviews (different ones than last newsletter) recorded at #RSAC:

Events!

Random Topics Go Here

Since COVID, I’ve become a part of a European community that was new to me, called NDC. It’s a series of 8 conferences per year, for developers and security professionals, across Europe. At NDC Oslo last month I had the pleasure of interviewing Kjersti Sandberg, founder of the legendary NDC Conferences, about something very exciting — a brand-new AI + security + application development conference coming to Manchester in December 2025! NDC Manchester, AI & Security

Instead of a survey, I am going to answer this question I received from last month’s newsletter from Lynn: Whose job is it to assess an organization’s data for sensitivity, to guide the right level of security? My answer would be “the CISO,” but what if it’s a small shop, or software only shop?

My answer: In a perfect world, the Chief Information Security Officer (CISO) (or their team, often called “InfoSec” or “IT Security”) leads data classification efforts. But in smaller or software-only orgs (where a CISO might not exist) the responsibility is less clear. I realize that is the classic cop-out “it depends” answer, so let’s look deeper.

Data sensitivity classification is a shared responsibility:

  • Product owners or business analysts/reps usually understand what data the application collects and processes.

  • Security champions (which you would not likely have in such a situation), devs with security responsibilities, or the lead dev/tech lead of a team can guide how to protect that data appropriately. They understand the data and, hopefully, its sensitivity. They also have the power to add a label and document it, which is very important.

  • Legal or compliance teams (if you have those) could help identify regulatory requirements like PIPEDA, GDPR, or HIPAA that your company needs to follow. Ideally they would create internal policy or other guidance to show everyone else what to do.

If there is no formal role or responsibility for data classification, someone has to step up. Ideally, it should be whoever has the best understanding of both the data and the risks. Even in very small teams, recognizing that “not all data is equally important or valuable” can be the first step toward protecting your sensitive data.

Do you have a question? Let me know! Also, how was my answer?

We end with a meme.

Skynet welcomes you.