We Hack Purple, Acquired by Bright!

Big things are happening! Tanya’s friends over at Bright recently bought We Hack Purple, and we could not be more thrilled. Bright makes a developer-friendly DAST (dynamic application security testing) tool. Tanya has worked on their advisory board for a few years and has gotten to know the team. Additionally, they just released a brand new tool for the Lucky framework (Crystal programming language), which creates security-focused unit tests, automagically! Plus, they have more on the way!

Bright Security!

As part of the deal, all We Hack Purple courses are now FREE to We Hack Purple community members! The community has no hidden fees, so you can learn with no strings attached!

In the coming years, Tanya plans on working with Bright to create more content (which means more free courses!), running the community, speaking at conferences, and helping make Bright’s products even more amazing!

Additionally, Tanya will start writing her next book, Alice and Bob Learn Secure Coding! Stay tuned for more updates; thank you all for your continued support!

The future is Bright!

Teaching Security Champions

In the previous article, we talked about how to engage your champions. We want them interested, revved up and ready to go.

You are in a room full of brand-new security champions and they are itching to learn all about ‘cyber’. What do you do? What do you teach them? How do you impress them?

Only teach them what they need to know. Nothing more.

As someone who creates security training professionally, I have to say, I’ve seen a LOT of filler. Extra content that just does not need to be there. Software developers do not need to know the history of Diffie-Hellman, or the difference between symmetric and asymmetric encryption, unless they are building encryption software. So don’t try to teach it to them unless they have a keen interest and have asked about it.

What they really DO need to know is:

What you need, expect and want from them, as champions.

You should define the goals of your program and share them with your champions. Share your plans for them, as much as you can. Give them timelines, training information or anything else you have. You need to make clear what you are expecting, or you may not get it.


Technical topics for teaching your security champions:

  • Formal training on secure coding, with labs!
  • Threat modelling
  • Secure architecture (whiteboarding)
  • Code Review
  • How to fix the bugs they find
  • Repeat yearly as a minimum


Topics specific to your organization:

  • Which policies, standards and guidelines apply to them
  • Help them create missing guidelines
  • Teach them how to be compliant, help them get there
  • Their role during an incident
  • Job shadowing

Hold consultations to let them provide input on the policies that will affect them. Trust me, their feedback will be priceless AND it will make them feel heard.


The last topic you need to ensure they learn is tooling. If you expect them to use a tool, you need to show them how to install and configure it, how to use it, what the output means, and how to validate the results. It is also your job to either help them pick excellent tools or involve them when you are choosing tools for them.


In the next article we are going to discuss how to Recognize Your Champions.