165: Tanya

November 4, 2025

47 min episode · 2 min read

Tanya Janka

Episode

47 min

Read time

2 min

AI-Generated Summary

Published Jan 1, 2026

Key Takeaways

✓SQL Injection Detection: Blind SQL injection attacks ask databases yes/no questions to extract data character-by-character without direct output, making them harder to detect. Attackers queried if field names existed and tested each letter individually to reconstruct sensitive information.
✓Security Policy Accessibility: Security policies buried in poorly-named SharePoint documents with cryptic titles like ISP_overview become useless when 9 out of 10 employees cannot locate them within 15 minutes of searching, defeating the purpose of compliance documentation and audit requirements.
✓Help Desk Incident Training: IT help desk staff need specific security incident training because their instinct to fix problems immediately can destroy evidence. One technician deleted child exploitation images and reformatted the drive, breaking chain of custody and preventing criminal prosecution.
✓Developer Security Buy-In: Showing development teams the actual cost of security incidents, including a $500,000 SQL injection breach requiring privacy commissioner reporting and weeks of overtime, transforms resistant managers into enthusiastic security champions who proactively scan and fix vulnerabilities.

What It Covers

Tanya Janka shares real-world application security incidents from her career in Canadian government and enterprise, demonstrating how SQL injection vulnerabilities, poor security policies, and inadequate incident response training create exploitable weaknesses in organizational systems.

Key Questions Answered

•SQL Injection Detection: Blind SQL injection attacks ask databases yes/no questions to extract data character-by-character without direct output, making them harder to detect. Attackers queried if field names existed and tested each letter individually to reconstruct sensitive information.
•Security Policy Accessibility: Security policies buried in poorly-named SharePoint documents with cryptic titles like ISP_overview become useless when 9 out of 10 employees cannot locate them within 15 minutes of searching, defeating the purpose of compliance documentation and audit requirements.
•Help Desk Incident Training: IT help desk staff need specific security incident training because their instinct to fix problems immediately can destroy evidence. One technician deleted child exploitation images and reformatted the drive, breaking chain of custody and preventing criminal prosecution.
•Developer Security Buy-In: Showing development teams the actual cost of security incidents, including a $500,000 SQL injection breach requiring privacy commissioner reporting and weeks of overtime, transforms resistant managers into enthusiastic security champions who proactively scan and fix vulnerabilities.

Notable Moment

An entire government office building appeared infected with malware during the Winter Olympics, triggering evacuation discussions and executive panic. Investigation revealed every employee was simultaneously streaming figure skating, creating a self-inflicted denial of service that clogged the network bandwidth completely.

Know someone who'd find this useful?