SecTor 2025 | Hacking Policy for the Public Good
Why It Matters
A mandatory, enforceable secure‑coding policy would reduce systemic breaches, protect citizens' data, and safeguard the integrity of Canada’s digital government services.
Key Takeaways
- Canada lacks a mandatory, detailed secure coding policy for federal agencies.
- Existing guidance is vague, non‑mandatory, and fails to hold developers accountable.
- Over 600,000 Canadian developers receive little to no security training.
- Repeated data breaches (e.g., CRA) expose citizens and erode public trust.
- Advocacy and a petition aim to push the government toward concrete standards.
Summary
Tanya Jen, a former Canadian government security lead turned independent advocate, used her SecTor 2025 talk to spotlight the nation’s glaring absence of a mandatory, detailed secure‑coding policy for federal agencies. Drawing on her 13‑year tenure, including pentesting the prime minister’s website and overseeing the 2015 election’s security, she now leverages her freedom from NDAs to critique the status quo and propose concrete reforms.

She outlined how existing guidance, such as the Canadian Centre for Cyber Security’s “Software Security Code of Practice”, is high‑level, non‑mandatory, and devoid of actionable examples, leaving developers to interpret vague terms like “sanitize” versus “validate.” The speaker highlighted systemic gaps: no government‑wide vulnerability disclosure program, no bug bounty, and virtually no secure‑coding training for the estimated 600,000 Canadian developers, many of whom build the software that underpins critical public services.

Jen illustrated the stakes with personal anecdotes: she hacked the prime minister’s site with permission, witnessed the Canada Revenue Agency hide 42 material breaches, and saw her own parents fall victim to credential‑stuffing attacks. These incidents underscore how insecure code jeopardizes privacy, public safety, and democratic confidence, especially when basic web security headers and session handling are ignored.

The talk concluded with a call to action: presenting a draft secure‑coding policy, urging audience signatures on a petition, and demanding that the government adopt enforceable standards. Without such a policy, Canada risks continued breaches, eroding citizen trust and exposing the nation’s digital infrastructure to escalating threats.