SECURED

An Agnostic Approach to AppSec: Ken Johnson on Navigating the Future with AI

Ken Johnson is co-founder of Dryrun Security and co-host of the Absolute AppSec podcast. Ken has many years' experience working in AppSec in a variety of roles, including CTO of nVisium and Application Security Engineer at GitHub.

Ken chats with Cole Cornford about taking an agnostic approach to AppSec, transitioning from being an employee to a founder, how AI might change cybersecurity, and plenty more.

9:10 – When Ken started running AppSec conferences.

12:00 – Ken: an “agnostic approach” to appsec really resonated with people.

14:30 – Ken: “by nature we are always behind the curve”.

15:40 – Ken: appsec is getting much harder.

17:00 – Cole also advocates for an agnostic approach to appsec.

18:50 – Ken’s favourite thing about GitHub: the culture.

20:30 – discussing GitHub.

25:00 – Appsec education.

26:30 – quality software is secure software.

27:30 – AI & Appsec.

33:50 – Brief overview of Ken’s professional life, transition to being a founder.

36:30 – Cole: people who plan to build a product alongside consulting.

38:20 – Cole’s experience starting a consulting business.

39:40 – Ken’s interests outside AppSec.

40:40 – How Ken got into Brazilian jiu-jitsu.

44:10 – Cole’s pandemic experience.

Ken Johnson:

Quality software is secure software. So if you’re a craftsman and you do care, you do want your code to be secure.

Cole Cornford:

Hi, I’m Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. In this episode, I speak with Ken Johnson, co-founder of Dryrun Security and the co-host of the Absolute AppSec podcast. I’ve been listening to Absolute AppSec for years. It’s really good to have Ken on. Ken has got many years’ experience working in AppSec, as you’ll probably gather from our conversation. He’s helped build application security progress at GitHub and LivingSocial, done a bunch of InfoSec consulting earlier in his career and more recently founded a company that really puts context as the most important thing for improving secure development. We chat about having an agnostic approach to AppSec, instead of one that’s a bit too bespoke, transitioning from being an employee to a founder, how artificial intelligence might change cybersecurity and plenty more. So let’s dive right in. Welcome Ken, how are you going mate?

Ken Johnson:

Great, and once again, thank you for having me on your podcast. I really appreciate it.

Cole Cornford:

That’s no worries at all, mate. So first question, as I say, for all the guests who jump onto Secured, what kind of bird are you and why?

Ken Johnson:

Yeah, I was going to tell you so yeah, I have a story about the bird I wanted to bring up, but I don’t relate to a pigeon at all, but I do have a story about a pigeon where I might’ve accidentally punched a pigeon at AppSec Cali years ago, I think, I don’t know, maybe 2016. I think. Here’s what happened. I’m sitting down at a couch. I’ve got some folks I worked with, Abdullah Munawar, really great guy, sitting right there, we’re trying to eat. This pigeon won’t leave us alone. Pecking at us trying to get to our food. I jokingly put my fist towards it and was nudging towards it and the bird and I collided as it started to move and basically I punched a pigeon. So that was the story I wanted to bring up about birds. No, say I’m probably more like a woodpecker. I just banged my head against my desk all day long. That’s probably the most realistic.

Cole Cornford:

That makes a lot of sense. I’ve had a couple of incidents with birds. None of them are, I don’t know, we’ll see how upset my viewers get. One time I was in Croatia, in Dubrovnik, and we got a kayak and I had a footlong Subway sandwich on the kayak and I just went around the island out off Dubrovnik’s coast and then came back to the shore and then, I noticed there was this seagull just pecking at my bag while I was trying to get … dragging my thing on. Yeah, yeah, and eventually it pulled out the entire sandwich, stuck it in its mouth like this, and then, I chased after it with my kayak at all, screaming at it being like, “Give me back my sandwich.” I have just kayaked around an island for two and a half hours while it flew off into the distance.

Ken Johnson:

Imagine what that looked like to everybody watching that, just this crazy scene of you chasing after a bird for a sandwich.

Cole Cornford:

It was amazing because there was like 40 other people in the kayaking group and they were all dying hysterically laughing at me being like, I can’t believe that this bloke had his sandwich stolen by a bloody seagull off the coast.

Ken Johnson:

You’re probably hungry for … did you get food after that? I mean were you hungry all day or-

Cole Cornford:

No, mate. I wasn’t one of those top deck cruisers. So what you do is you just go into the city and start drinking alcohol, right? So this was when I was a lot younger. Nice, nice. I know, I know. That’s awesome. A little bit … not feeling so great the next day, but it is what it is, right? That seagull ruined everything. It wasn’t my own bad decisions at night.

Ken Johnson:

Is that the bird that’s stuck in your mind since then? Is that the bird that comes to top of mind for you now?

Cole Cornford:

No, I’ve got plenty of other bloody bird stories as well. Even locally next to my own house. We get just kookaburras constantly, just … kookaburras are birds that just laugh all the time, yeah, for those who are not Australian.

Ken Johnson:

I’ve never heard of this.

Cole Cornford:

Yeah, they have a habit of diving in front of my car to go grab insects, because I live near swamplands and so I drive along my street like a granny now because I’m just afraid of hitting the kookaburras. There’s just too many of them. Yeah. Scary animals.

Ken Johnson:

So they make audible laughter.

Cole Cornford:

You haven’t heard a kookaburra laugh before?

Ken Johnson:

No, no, never. I’ve been twice, but yeah, I’ve never heard that.

Cole Cornford:

Mate, they’re also called the Bushman’s alarm clock for a reason because at about 6:00 in the morning there is just this hysterical laughter that screams around my neighborhood and you’re like, “Yep, they’re here.” I’ll send you a link to a kookaburra laughing afterwards. We have a bunch of stupid birds in Australia, so the lyrebird is another one that like-

Ken Johnson:

The wildlife in general down there is very, very different, very unique. It’s really wild wildlife.

Cole Cornford:

Growing up in Australia, I pretty much encounter an animal and I’m immediately fight or flight, what do I do? I have to think about it, very carefully. One time, I was at Menlo Park, you can hazard a guess as to what companies at Menlo Park. Anyway, I was there and a squirrel walked in front of me and everybody else was just jogging past a squirrel on their lunch breaks and so on, and I’m sitting there staring at this thing being like, “What do I do? Do I like-“

Ken Johnson:

Are we going to fight? This isn’t going to happen now, squirrel.

Cole Cornford:

It’s literally like a random encounter and no one else really … I was just kind of petrified being like, I just have no idea how to respond to this creature. So anyway, I just walked at it after five minutes of standing in fear while it’s staring at me and then it just ran away and I was like, “Great. All right, squirrels are okay.”

Ken Johnson:

They’re fine. Squirrels are safe, they’re fine. I don’t have to worry. That’s hilarious. I don’t know, there’s a lot of stuff I learned when I was out in Australia about wildlife that I was just … it amazed me and some of them are quite dangerous and yeah, definitely would keep you on your toes. So I understand that for sure.

Cole Cornford:

How often have you come to Australia?

Ken Johnson:

So, I think 2019 and I want to say 2018 maybe or something like that. I mean I think it was 2018, 2019 consecutively. And then, obviously, the pandemic hit and then that closed things down for a while. And I don’t know for you all, are things kind of getting back to normal with conferences and things like that?

Cole Cornford:

Yeah. I have a funny couple of weeks coming up. I’m going to be talking about artificial intelligence in the AppSec domain actually on Saturday, so a few days.

Ken Johnson:

That’s amazing.

Cole Cornford:

We have a few big conferences and a couple of smaller ones. So the big Australian conference is, besides Canberra, it’s about 3000 security professionals, which is quite a lot in a relatively small country, and most of the other ones attract about one, 200 to 300 people. So I’m going to the smaller ones to talk about AI and AppSec and then at a couple of the places I’m working at, I’m going to try practically running it out and then in a year’s time, submitting the practical results of how badly it goes or great.

Ken Johnson:

Yeah.

Cole Cornford:

Or great, it could be great, but I’m also a measured security professional who’s worked in this industry for a while and noticed that-

Ken Johnson:

We’re all cynical.

Cole Cornford:

Yeah, cynical. There is no silver bullet as much as people love saying it could be AI, I’m just careful about preaching that it’s going to change the world. Yeah, I’m doing that on Saturday, so that’s going to be an interesting talk. Hopefully, I get a bunch of nice reception from folk and a lot less people asking about the top 10 because AppSec is pretty nascent too.

Ken Johnson:

Man, well hey, that’s awesome to hear. You’re out there, conferences are happening, it’s nice to have this all back to normal and feeling like being able to connect in person with people again, so it’s super nice.

Cole Cornford:

So for our audience members, Ken likes to run a training course with his friend Seth. They travel around the world and attach to different conferences and they teach people the good word about application security and how to do code review effectively. You have excellent adventures in it. So where did it come from? Where did you guys meet and start running this? Because you’ve been running this podcast for quite a long time now and doing the course too.

Ken Johnson:

Yeah, so Seth and I first met when we worked at … well, he actually interviewed me for my first job outside DOD, so US military contracting, but in security. So my first professional security job was in the DOD or not … I was contracting for the DOD. In any case, for my first commercial private sector position, this was FishNet Security, and the person that interviewed me was Seth. He was the lead on the team. He was the principal engineer. To this day I still even look at him a bit as a mentor. He’s incredibly experienced. We got along well. I think just through the years. We had worked again together. I kind of recruited him over to be a partner at a security consulting firm that we were both at before we kind of chose to depart from there.

So he started his own business at that point, RedPoint Security, I moved over to GitHub and we’ve kept in contact. We’re like good friends and like I said, we’ve worked together for quite a few years so we know each other pretty well, and we were talking at, I think it was maybe CactusCon in Phoenix, Arizona. We were talking about how secure code review material out there was all very language specific, so it would be very heavy on Java and it would follow maybe the OWASP Top 10, and just in a practical sense for what you face on a day-to-day basis, either as a consultant or a practitioner internally at a company, it’s not the top 10 that always bites you. They certainly don’t manifest in … that list is great for awareness, but it doesn’t capture everything that actually manifests.

Your day-to-day challenges aren’t necessarily just vulnerabilities. The secure code material that was out there, it was just very language specific. The categories were just very limited and we felt like there needed to be something a little bit more applicable and something that’s repeatable. So when we started talking, we realized we have … about our methodologies anyways, about how we do secure code review, we started realizing, hey, there’s a lot of overlap in our methodology and I think we can build this into a system and share this with other people. And I think the first few times we did it was just completely free workshops, or at least the initial idea of it, not the full course, the full course. I think the first time we did it was at AppSec USA or something along those lines.

What we found was … what we were teaching really resonated with people, which is an agnostic approach. So what I mean by that is you as a consultant might today be working on a Golang app, but next week someone might hand you a Node.js app and say, “Hey, figure out how Next.js works.” And you’re like, “All right, well I’ve got two weeks to do an assessment and I also have to learn this new framework.” And that is a realistic scenario that people come across, and as we’ve shared in the course, there’s a lot of nuances in these frameworks and in the tech stacks you’re using. So we give people an approach on how to build all of, essentially context on using a bunch of different data points, getting to know the application.

Getting to understand its composition, its purpose and yeah, it’s just a repeatable system for taking an agnostic approach to saying, “Here’s something you’ve never seen before, let’s do a code review on it and be comprehensive, be timely, probably not catch all the low hanging fruit, just focus on take a risk-based kind of approach.” I know it’s a super long weighted answer, but that’s the full story.

Cole Cornford:

It’s a really good one though, and it echoes my experience within Australia. I started learning application security basically from reading Vulncat descriptions from the Fortify Taxonomy of security vulnerabilities, if you are aware of that. It’s a lot. I know, back then I fully understand you can’t scan everything with the static analysis tools, so you need to have approaches for dealing with technology because it’s changing a lot. Back when I was starting out, everything was MVC and Spring Boot was just starting to be a thing. And because of that, we had all these static analysis tools that were really, really geared for Java and .NET and all of the training material was by the vendors who built these tools, also geared for Java and .NET.

Of course, fast-forward a decade, now the world is a hodgepodge of all sorts of different things, microservice architectures, you’ve got infrastructure as code, software defined networks. You’ve got, who knows, mate, I come across all sorts of stuff. I am really happy when someone comes to me and they say, “I have six Spring Boot applications.” And I’m like, “Wow, all right, let’s do it.” I’m also not happy when they say, “I need something that can analyze protobuf.” And I’m like, “It doesn’t go into Burp.”

Ken Johnson:

Yeah, and that is the reality. Our tooling … by nature, we are always behind the curve, right? Because we are following the trend software developers are building. I came to this epiphany way too late in life or in my career, but that hey, we’re always going to be behind, we’re always adapting, but because we’re adapting, we’re always behind and they’re leading the charge on the specs, on the protocols they’re using, the languages they’re using, and just the tech stacks in general. So we just were reacting, but if we don’t have some good systems in place … and this is, I know we’re going to get into it because I want to talk about AI in AppSec with you because I am currently interested in AI in AppSec, in an AppSec context. Yeah. Anyways, I think things are evolving.

I think using more than just … really just a static scanner kind of result or even just dynamic scanner kind of result. There’s more to understand about changes that are occurring in code bases. There’s more things to just understand in general in terms of … and this is actually, I’m going to maybe briefly take a tangent or go off on a tangent here, but I think AppSec is actually getting much harder because before software was security … software security was basically what you said, right? You have a Spring Boot application or a classic ASP app or whatever and it’s like … or a PHP app and it’s like, hey, the file and the folder structure is mapped to a URL and everything is really simple and it’s like just an app. Now, you’re dealing with all these different networking protocols.

And you are dealing with … of course, on top of the software, you’re dealing with system level stuff like Kubernetes and Docker and you’re dealing with cloud services like … I mean, years ago, we started implementing serverless with Lambda and now the things that AWS or Azure offer in terms of services, it’s just like, man, you can basically build an application without ever building an app, not basically, you can build applications without building a traditional web application to your point. So you have to know … or you have to have essentially a lot of different skill set, but underpinning all of that is really, really understanding the fundamentals, really, really well. And that’s something I think is getting harder for AppSec people, but it’s more necessary. We really have to be good at the fundamentals is what I’m trying to say.

Cole Cornford:

So I run a training course for people who are looking to move into application security as opposed to product security or DevSecOps. I really don’t like either of those terms, but it is what it is, but when I say application security, I think about managing risk holistically for software engineering for an organization. And then, I think product security is you have a product, let’s manage a risk for that particular product, and for DevSecOps, I just think of let’s just put a bunch of tools in the DevOps pipeline and they’re probably security tools. So I think that it’s incredibly difficult as an AppSec person to have great interpersonal skills and the ability to empathize and have people want to work with you and listen to your ideas to win hearts and minds and to be a kind person.

As well as being technically brilliant across all disciplines and domains and having some idea about security. So the agnostic approach that you teach is something that I build into my courses as well. I don’t teach code review, but I do teach engineers that they should be thinking about risk, thinking about threat modeling and thinking about architecture, and then how does that all fit into whatever they’re trying to do in their day-to-day lives as far as delivering features or other non-functional requirements. It’s an evolving challenge. I don’t think we’ll ever quite solve it, but it’s been a fun journey.

Ken Johnson:

You’re teaching them sort of a methodology around the sort of fundamental understanding of risk and how that presents itself in their work, and that lends itself to flexibility. So whatever they’re faced with, at least they have a structural foundation with these fundamentals to build upon and adapt to whatever project they’re on, whatever they’re dealing with. You’re absolutely right. I would say that was probably one of my favorite things about GitHub was that everybody was so kind and empathetic and helpful and really, I think the culture while I was there, that was pretty much across the board. I never really experienced too much in the way of any negativity. And I think our teams, from engineering to operations to security, legal, HR, we all worked really well together just because everybody was, they carried those qualities within themselves.

Cole Cornford:

I’m actually good friends with a lot of the Hubbers out this way.

Ken Johnson:

Nice. That’s awesome.

Cole Cornford:

Yeah, you probably know my good mate, Shlomi actually.

Ken Johnson:

Yeah, yeah. Shlomi is awesome. Yeah, we had Shlomi on once. We have Shlomi coming up twice. He’s a coming on for a part two, because I was like … I don’t know man, I was fanboying out pretty heavy, because I really respect him. We didn’t get to nearly any of the topics we wanted to talk about, so he was immediately derailed by me just being like, “Oh my gosh, Shlomi is so cool.” Anyways, and thank you for the introduction because it’s funny, we worked in the same company for I don’t know how long, never talked, didn’t know each other and then, you made that connection. So I really appreciate that. He’s awesome.

Cole Cornford:

Yeah, it’s all good. That’s one of the things I’m finding that kind of sucks from the pandemic actually. Just the whole remote work aspect means that people aren’t really meeting each other accidentally in the elevator or at the coffee shop or at the bar or whatever. So I try to make sure I go to a bunch of events in person nowadays, just to see who I bump into. Mostly GitHub Galaxy and Universe but that’s all right.

Ken Johnson:

How are those? What do you think of them?

Cole Cornford:

So well, without being too rude to GitHub, obviously, it’s extremely sales focused.

Ken Johnson:

No honest review. I don’t work there now, so don’t worry about it.

Cole Cornford:

I know. It’s extremely sales focused, and I think I really like the pivot that they’re doing … because GitHub Advanced Security is unfortunately quite difficult to sell in the Australian market, not because it’s a bad product, but because people don’t even think of GitHub as anything except an SCM, and when it’s all people know of, it is just … that’s the place open source is, how are you going to sell all your other products with it? Now that’s shifted tremendously with artificial intelligence and Copilot, and I’m actually trying to drive conversations to … now that we have stakeholders who have a GitHub tenancy somewhere, and we think about them and say, “Well, how can we now leverage artificial intelligence to improve AppSec?”

Because what we’ve been doing in the past of just let’s teach developers about security and everything will be good. Wait, no, that’s not working because we have constant churn and the engineers who are really good move on to big tech companies like GitHub in the end anyway. So all that time you’ve invested in these people isn’t actually resulting in more secure software or you send them out into training platforms. I don’t want to mention names, but if they’re out of their daily context, what they’re doing in a day-to-day work, and then they come back, that context switching is going to be killer and they’re not going to retain it, the information that they learn elsewhere.

Then, I think about some of the big issues of security: it’s almost always a cost center. Everything you’re doing is creating friction and problems for the business at the end of the day. So as soon as you introduce artificial intelligence as a way to say, “Hey, let’s accelerate how fast you can do things” and reduce the cost of these activities and make friction slightly more Teflony, then they’re going to be open-minded about it at the very least because it’s better than getting a two-week pen test every single time you release an app, right?

Ken Johnson:

Yeah. Yeah. I mean I think you touched on a lot of different things there like yes, so training is a tough one actually, to your point, getting developers to do anything outside of what needs to be done for that sprint or for that ship or whatever, it’s just difficult in general. And also a lot of the training you kind of find that there’s some of your shining stars and most people kind of go through the training and they might retain some of it, but maybe there will be, I don’t know, eight to 10% of the people that took it that are really into it. And those are the people that tend to be what became security champions, right? And one of the things that’s interesting about that is now you’ve got folks who are … kind of what they’re given is maybe some SaaS tooling or some tooling of some kind or GitHub Advanced Security.

And that’s kind of what they’re given as a signal that there might be something going on some of the code that their team owns or something like that. Basically what I’m saying is security people kind of have to offload some of that responsibility to a person, and then that person has to use maybe a tool or something to maybe get some kind of warning that they need to maybe go look at it and help out, because they’re the security person for that team or the delegated security person for that team. I don’t think that alone, just the training aspect that you touched on and how that basically is supposed to work and that trickle-down effect, it hasn’t … I don’t know if it’s really hit the mark the way it should, you know what I mean?

I think when I look at it from a practical standpoint, when people who have been security champions in the past have found things, it’s been by a lucky coincidence or they knew of maybe a sizable ship, that’s kind of where you get some awareness. So that can be valuable, but offloading the review of security results or just being there to have some level of assurance that the code changing on a daily basis is secure, yeah, that’s kind of rough. And then we could talk about tooling and procedures and all that all day long. There’s flaws in all of it, but I won’t go off on another tangent.

Cole Cornford:

Let’s stay on education for a bit though. So I have a couple of views about it. I figured that if you are training engineers in facilitator led instructed learning, then that’s really good for their careers and they get some really helpful knowledge if it is agnostic because then they can apply it across whatever they’re doing on a day-to-day basis. You’re right, I think that if you have a classroom of 20 people, two to three people are really interested in security and other people are interested in front-end frameworks and CSS and cloud environments, and they’re obviously going to gravitate to managing the things that they find really good, whether it’s spaces and tabs or-

Ken Johnson:

And there’s nothing wrong with that, right? I mean, I think that that’s … yeah, no, and the spaces versus tabs and all, I do think that that’s okay. That’s totally fine. If that’s what you’re interested in and that’s what makes you happy and that’s why you chose this job and you’re not interested in security. I do think that … to the point, I think you’re kind of making with Copilot and AI helping out with maybe being some guardrails there, which I don’t know if that’s what you’re saying, I just assume that’s kind of where you’re going with that. If you are, I do agree. I think giving some guardrails is much more helpful than yeah, trying to infuse something someone’s not interested in on them. Sorry, I do want to say this though. So I’m going to throw out something that contradicts myself though because-

Cole Cornford:

We love that.

Ken Johnson:

Quality software is secure software. So if you’re a craftsman and you do care, you do want your code to be secure. It just may be that either the way you’re being trained or whatever, it’s just not resonating with you, and that’s totally fine. That’s something that we in security kind of have to figure out, but I would say yeah, quality software is secure software.

Cole Cornford:

Yeah, I do agree with that. I think that it’s the reason that we call it software engineering, is that you have a lot of things that you need to be building into place and really thinking about that you’re not just going to put up a bridge so you can cross the river straight away. Here’s a piece of wood, don’t worry if it gets slippery or wet or whatever, or rots. It’s only meant to cross for a day. Oftentimes we take that approach to software when, that system could be in use for decades.

Ken Johnson:

Yeah.

Cole Cornford:

And I have seen systems that are in use for decades.

Ken Johnson:

Hey, and they run some serious critical infrastructure too, so you can’t knock them. I guess what’s the saying like, “If it ain’t broke, don’t fix it.” That applies here.

Cole Cornford:

So with AI, now my idea for dev training with AI is that developers need stuff that is front of mind and relevant to what they’re doing at that point in time. And what I’ve seen in the past before they got acquired, that was a good step in this direction, was the company called Codebashing, which I think is now part of Checkmarx, where a developer would write something and then a spell check would say, “This looks like SQL injection.” And give you a little context in the IDE that you’ve made some mistakes. What I think is actually going to be a lot better is with Copilot Chat, which I think is in beta at the moment, but the general idea is that autocorrect or identify security vulnerabilities while you are just writing your software and then instead of just being given something that an expert has written, you would be using an LLM to generate content.

That’s probably mostly correct. I know that some security guys are going to get up and angry at me and say like, “Oh, large language models are just going to, say, hallucinate and produce all sorts of garbage about SQL injection.” Therefore you just should never rely on it, but I figured that that’s why we have defense in depth. And also, there’s people who are joking because static analysis tools and SCA and WAFs are false positives constantly anyway, right? So it’s not like it’s any different, but the reason I think it’s going to be a nail in the coffin for a lot of these Udemys and Courseras and so on, that teach how to write secure software or here’s the top 10, is in the language that you are using at that point in time with context of the code base that you are writing in and your business context here is a little bit of guidance.

And then, you can follow on from that guidance and say, “Sorry, I didn’t understand this because this part was too lengthy, or you use too much jargon, or I just need a different way of viewing that.” And that’s what AI is really good at producing, whereas, if I go back and think about my early days with a Vulncat, yeah, it was experts who wrote extremely good content, but that content wasn’t relevant to what I was reading.

Ken Johnson:

Yeah, well man, so I agree with you. I have so many thoughts, where to begin? With Dryrun, that’s kind of part of not fully what we’re doing, but that’s definitely a part of the idea, is having a bunch of different data points to build up and use this context to surface sort of risk and then have first level triage covered. So we have a security buddy kind of thing, it helps you figure out what you need to do next, and there’s some other stuff we’re doing that I won’t get into, but I will say is on the point of the cynicism that I’ve seen around LLMs, I get it, I totally understand past historical examples and whatnot. Having said that, lately I’ve been working with Langchain, I don’t know if you’ve heard of it.

Cole Cornford:

Yep.

Ken Johnson:

It’s a good way to yeah, create your own vectors, create your own chat prompt templates, essentially have a way to direct traffic to your own dataset and kind of give it some guidelines on what’s okay to … how to talk, how to speak to the person, what’s professional, what’s not. Things like that. My point here is that you can get pretty granular in where it looks for certain data … anyways, why I think that’s pretty incredible is a few reasons, right? Instead of just going up to OpenAI’s huge database and huge AI modeling, get results that are … you were talking about, I think SQL injection, right? Like poor SQL injection grammar or maybe a poor explanation or just didn’t make any sense.

Well, you can avoid all that through using something like a Langchain and the OpenAI library. By the way, anybody can do this. It’s open source, use Python, try it out. Maybe it’ll surprise you, because I think it gets pretty interesting when you have control over the parameters of what data is being used for what information is being requested. On top of that, everybody talks about the chat bit, but there’s a lot more underneath the hood. Again, going back to Langchain if you look at some of the documentation around agents and what’s possible there, I think there is a place to feed it quite a bit of very contextually specific information and produce very valuable quick results which … again, I don’t want to go too far into it given, I am building a company.

Anyways, it’s very interesting. Like I said, I know I understand the cynicism, but at the same time, I think if you start actually using AI, you might be surprised at what you can do.

Cole Cornford:

Yeah, I think there’s a tremendous amount of people out there who are just writing, here’s the top 10 ways you can solve AI, and it’s something like fill a glass of water or plan your day. Then, everyone is like, “Okay, cool. Look at all of these Yahoos online saying stupid stuff.” There are people out there who are actually really thinking about challenges that we can’t do without having something like this. I know Daniel Miessler, someone who’s been spending a tremendous amount of time saying that the way that we’re going to be producing software in five to 10 years, although he thinks it’s two to three, I’m going to go five to 10, right?

Ken Johnson:

That’s fair.

Cole Cornford:

It’s going to be fundamentally different, right? And I don’t want to give up any of your secret sauce for Dryrun, but hey guys, go have a look at Dryrun Security. Cool guys, got some interesting stuff happening in the future.

Ken Johnson:

Thanks. Thanks. No, I mean, honestly, I do think AI is a huge technological leap forward. Don’t sleep on it, play with it, try it. I think we’re hackers, right? Innovation is sort of a part of who we are, and I think if you start playing around with it and get to know the various libraries and services and just what’s available, how it all works, you’d be surprised.

Cole Cornford:

So how is it going, because your career has spanned consulting and then moved over to working as a permie at GitHub, and now, you’re running your own company, right? What’s it like transitioning into being a founder?

Ken Johnson:

I’ve done this role of being a CTO and technically not a founder on paper, but had worked kind of on the side building up a consultancy, so not quite a co-founder, but kind of, right? And that was a bootstrap business. So basically, we made our own income through doing services, through consulting service. So whether it’s training or assessments or whatever, that’s how we made our income. This is a VC backed venture. So yeah, venture capital firm plus angel investors. So it’s very different. I was building a product, right? So the goal was we paid the bills through the consulting services work, and the goal was to build a product at the end of the day with what time we had left. That was challenging.

How many hours can you actually work on the product? Whereas it’s very nice in this environment because this is all I do, is I just work on the product. It’s incredible. It’s huge fun. It’s a huge undertaking. It’s challenging and it’s super, super fun. I’ve got great investors, great team. My co-founder James Wickett is awesome. He really is. If anybody knows James he is … or if you don’t know him, he had founded LASCON, like DevSecOps Con or conference or something like that, and DevOpsDays Austin, which by the way, even he … the DevSecOps names, even he makes jokes about that. So anyways, privately though. DevOpsDays Austin. So he has just been heavily involved in the community, in OWASP, in AppSec, in DevOps, and he’s been a community builder.

So anyways, it’s great to work with him. It’s weird though, because my career has been all over the place, right? I’ve kind of just gone where I thought I would have fun, if I’m being honest. What was interesting at the time. That’s just honestly all I’ve ever done, except for one case where I had to pay bills, Charter Communications. Anyways, yeah, besides that, just interesting stuff. So it’s taken me everywhere. I’ve been a consultant. I’ve worked at LivingSocial back when LivingSocial and Groupon were a thing. I don’t know if you all remember that, but I built a company as a CTO, went to GitHub, worked there, had almost six years of the best, one of the best times in my career. That was super fun. Yeah, now I’m here doing this CTO role again and building something I really, really believe in.

Cole Cornford:

It’s funny, I’ve spoken to a number of founders in Australia or people who are intending to found a company, and a lot of them do fall into that trap where they say, I’m going to go do security architecture consulting and I’m going to earn bank three days a week, and in those last two days, I’m going to build my product. Then, what they find is actually they’re working 60 hours a week at consulting and they have no time.

Ken Johnson:

Yeah, and on top of the consulting, you’ve got the paperwork to handle, you’ve got people stuff to work through. You’re always doing some level of marketing, blogging. Well, I guess blogging is a part of marketing, but you’re always working on something. There’s always something that needs to be done. Also, with services, it’s very cyclical. It’s very difficult in that regard. I mean, I assume the economics are the same out where you’re at, where it’s like there is kind of a surge through Q4 where everybody has got to burn through their budget, and then that’s when services get hit really hard. Lots of people need lots of stuff, but then, it kind of just dries up for a couple quarters or not dries up completely, but definitely a steep decline in the new year, and it’s just a tough one. It’s such an up and down business.

So doing that and trying to build software is a very, very hard thing to do, and everybody tells you that. And me, I was hardheaded, I didn’t believe it until I lived it.

Cole Cornford:

It’s so easy to have to listen to other people, but oftentimes you won’t do that unless you go to school yourself. You’ve got to go to the school of hard knocks, and it sucks, but going to that school, those lessons stick with you. When you fail and make mistakes … I’ve done plenty of them. I started my consultancy business without actually ever having done consulting previously.

Ken Johnson:

That is a bold undertaking.

Cole Cornford:

How crazy am I, mate? I’m just like, you know what Australia needs? AppSec. Yes, my friends said, you are a brave man, and I didn’t realize that brave was a synonym for stupid at the time, so that’s hilarious. So anyway, what I did learn is a tremendous amount of things, like managing cash flow, and that consultancy salaries are not going to be the same as permanent staff members’. Contingent workforces are a thing. Christmas is a thing. You learn to hate Christmas.

Ken Johnson:

Yeah, it’s always a tough one, because you want to give … like a GitHub, for instance, we had I think the last two weeks of the … I mean it was more kind of the last three weeks, but it was definitely the last two weeks of December. We just had that off. People got to go just relax, and I was like, this is incredible. I haven’t felt this in years. This is amazing. Who does this? Because with consulting, yeah, it’s like you said … I mean, there were times, it’s pretty much Christmas Eve and I’m trying to get something done or someone has a question or something and it’s like, “Man, you can’t even enjoy the holidays.” So anyways, it’s a rough time. It’s a rough time.

Cole Cornford:

So outside of cybersecurity, what do you really like to do in your spare time? What’s cool and interesting?

Ken Johnson:

Well, I have a family, so I have a wife and a 10-year-old son, almost 11 now. He and I have spent … we spend a lot of time together. Lately, we’ve been doing 3D printing. I’ve kind of gotten into that with him trying to get him into some of the science and technology stuff. He had wanted to print out a Star Wars, some toys and a uniform and stuff like that, and I was like, “Yeah, we can totally do that. Let’s teach you about printing and painting and sanding and all these useful skills.” Beyond that, Brazilian jiu-jitsu takes up a lot of my time. Well, a lot of my free time, I should say, outside of what little free time I do have, BJJ takes up, is actually a more accurate way of saying it.

Cole Cornford:

Especially as a founder.

Ken Johnson:

Yeah, exactly. So any free time I have, but yeah, I do it competitively and well, I smoke meats and do a lot of barbecue. So beyond that, yeah, that’s it.

Cole Cornford:

Okay. What got you into BJJ? Because I’ve listened to a few Sam Harris podcasts where they’ve had a few instructors on who’ve talked about their journeys and that, but I’m not really someone who knows martial arts particularly well, so what got you into it?

Ken Johnson:

Well, my buddy who I was in the Navy with, actually, I was in the US Navy, I had visited him … actually for Alaska. Funny enough, he lived in San Antonio, he lives in San Antonio. So I went down from Austin, visited him, hung out with him, and his wife, just kind of caught up and he was talking about UFC and I, by the way, still never watched a UFC match.

Cole Cornford:

Me either, don’t worry.

Ken Johnson:

Yeah, I’m not really into it, but I get it, whatever. So he was watching that and he was talking about jiu-jitsu and how he had done jiu-jitsu and at first I was like, “Dude, why would I want to go to roll around on the ground with somebody? That seems ridiculous. It’s not how you fight,” right? I grew up in the 80s and 90s, right? So it’s like Jean Claude Van Damme and Arnold Schwarzenegger, so it’s punching. Yeah.

Cole Cornford:

Yep, yep.

Ken Johnson:

Anyways, so he was like, no, look at the percentage of … so I did, I looked at the percentage of, if you were to get into an altercation, what percentage goes to the ground? That was interesting to me, and it was like, “Okay, so obviously it happens a lot and that’s most cases, and yeah, this would be a fun thing to do.” So I was like, all right, well, I want to do this. Then, I went and did the bootstrapped company where I literally worked, I mean, insane hours. There were times I slept in the office. I mean, we’re talking for a few hours, and I was right back at it. So that was a pretty crazy endeavor at times. Just totally unable to do it. So then when I went to GitHub, I was like, you know what? That was really rough on my body and my psyche. I was definitely overweight. I was big, I was overweight, I was inflexible.

I was very immobile too from sitting in a chair for years and working in front of a computer and typing on a keyboard hour after hour, day after day. So I’m like, “Well, let me do this thing I always wanted to do anyways.” I went in and then I fell in love with all these other aspects of it. It’s very addictive. People call it human chess, and it’s very, very accurate. It is just very addictive. That’s how I started it, and now it’s just a full on addiction, it occupies a lot of time. Well, again, a lot of any free time I have.

Cole Cornford:

And you’re doing it competitively too?

Ken Johnson:

Yeah. Friday I’m flying out to Austin to just do an open, IBJJF open, and then, that’s a precursor … this is kind of funny, like DEF CON and Black Hat happened for me kind of mid-August just because I have to stay for the DEF CON training, which is after that. So that leads me to a situation where I have two weeks between DEF CON Black Hat and the big tournament I do every year, World Masters, it’s held in Vegas. And anyways, it’s like, “Man, I’m going to spend half the month in Vegas,” and anyone who’s been to Las Vegas knows you don’t want to spend half a month in Las Vegas, so it’s going to be pretty interesting.

Cole Cornford:

Yeah, should just get a car and drive off somewhere and just go enjoy, deal with countryside for like … I mean, it’s all desert as far as I know, but maybe you’ll find something.

Ken Johnson:

Yeah. Well, actually, I lived in Reno, Nevada for a while, which is like, I don’t know, it’s like a really worse version of Las Vegas. It’s just … anyways, but it’s the same kind of, yeah, just rocks for days and cactus and not much else.

Cole Cornford:

So when the pandemic hit, I kind of did everything at the same time because I was initially going to fly over to live in British Columbia, Vancouver Island, so a city called Victoria, to go work as director of security at a company called change.org. And that didn’t happen because of COVID. I basically quit my comfy banking job and then moved to … signed my visa, moved back … sold all my possessions, moved back into my dad’s house for about a day or two, and then, we were told that the world is locked down, and I was like, “Great. All right. I don’t have a job.” They kept me on, thankfully. I just said, “Well, I can’t really be a director remotely, so I’ll be a staff security engineer.” It’s all good. Who cares, right?

Ken Johnson:

Yeah. Yeah.

Cole Cornford:

Yeah, then, during the pandemic, I met my wife. I moved out with her. I had a dog, I bought a house, I started a business. I just did everything at the same time because man, remote work gives you a lot of flexibility to do everything, I guess.

Ken Johnson:

That’s the thing. Every time I’ve ever followed what I thought just seemed cool, interesting is what I wanted to do, maybe the thing I was doing wasn’t … same as you, it ends in an outcome that is just way more interesting, way more fun. Yeah, definitely hard, definitely challenging. Not easy by any stretch, but man, yeah, you’re excited to wake up. You’re excited to do what you do every day, and life is good, and if life is good, your family feels that. They know that you’re happy and it’s good for them too.

Cole Cornford:

I’m really happy to have a very supportive family. I know tomorrow has been intimidating for me actually because I have to give a speech at my local university for the graduation. It’s called an occasional address, and it kind of scares me to think it’s been exactly 10 years since I’ve graduated. One of the things that I have to do is try to inspire these people in some capacity, and I’m sitting there thinking to myself, well, what have I done that’s been really good for my career? And part of that was the courage to just go out and just try things and take risks, which is a bit kind of amusing for someone who works in cybersecurity trying to prevent risks, right?

Ken Johnson:

Well, it’s calculated risk.

Cole Cornford:

Calculated, right? Dear.

Ken Johnson:

No. Yeah. I think honestly, that’s what leads to the best outcomes, truly is taking that step and just being brave and doing what you think is going to be fun, even if it’s hard. I mean, especially if it’s hard, that’s probably the right thing to do in a lot of cases.

Cole Cornford:

That’s it. Well, do we only grow when we’re put into uncomfortable situations, right?

Ken Johnson:

Completely agree. It’s an opportunity.

Cole Cornford:

Cool. Hey, thank you so much for coming on the podcast, Ken. I’ve really enjoyed our conversation. I’ll have to get you back sometime like you do with Shlomi.

Ken Johnson:

Yeah, yeah, exactly.

Cole Cornford:

Any shout-outs or things you’d like to say to wrap up for our viewers?

Ken Johnson:

Well, thank you. Again, this has been awesome. I really appreciate it. If your listeners aren’t familiar, Absolute AppSec is a podcast that I run, like you mentioned, with Seth. Seth and I will be at DEF CON Las Vegas giving training. There’s still seats open. Let’s see. Yeah, we are moving into basically private beta soon with Dryrun. So be on the lookout for some notifications coming very soon about our product.

Cole Cornford:

Thank you for listening to this episode of Secured. We hope you enjoyed today’s conversation. Don’t forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyber.com.au/newsletter and get high quality AppSec content straight to your mailbox. Stay safe, stay secure. I’ll see you next episode.