The Application Security Podcast
Chris Romeo and Robert Hurlbut dig into the tips, tricks, projects, and tactics that make various application security professionals successful. They cover all facets of application security, from threat modeling and OWASP to DevOps+security and security champions. They approach these stories in an educational light, explaining the details in a way those new to the discipline can understand. Chris Romeo is the CEO of Devici and a General Partner at Kerr Ventures, and Robert Hurlbut is a Principal Application Security Architect focused on Threat Modeling at Aquia.
The Application Security Podcast
Kevin Johnson -- Samurai Swords and Zap's Departure
Kevin Johnson is the CEO of Secure Ideas. He began his career as a developer but turned toward security when he discovered that the interface for an intrusion detection system, Snort, was out of date. This led him to create BASE (Basic Analysis and Security Engine), a testament to Kevin's proactive approach.
Kevin has a deep-rooted passion for open-source projects. He highlights the challenges and joys of initiating and sustaining such ventures, emphasizing the pivotal role of community contributions. Kevin also details how to install and start with SamuraiWTF, a tool tailored for those keen on mastering application security. He outlines two paths for developers: one focused on learning application security intricacies and another on actively contributing to the project's growth.
Kevin also discusses the notable departure of ZAP from OWASP. Kevin expresses his concerns and reflects on the broader implications of this decision on the cybersecurity community. The episode wraps up with a touch of nostalgia, as Kevin and Chris reminisce about their early tech adventures, showcasing Kevin's unwavering commitment to knowledge-sharing and community collaboration.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast
Thanks for Listening!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Johnson is the CEO of Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time, he contributes to many open source security projects. Kevin joins us to explain OWASP SamuraiWTF and how developers can successfully learn about AppSec and use AppSec web app pentest tools. Kevin also shares his thoughts on the recent departure of ZAP from OWASP as it makes its way to the Secure Software Foundation. We hope you enjoy this conversation with Kevin Johnson.
Robert Hurlbut:Hey folks. Welcome to another episode of the Application Security Podcast. I'm Robert Hurlbut, uh, principal Application Security architect at Acquia, and I'm joined by my co-host Chris Romeo. Hey, Chris.
Chris Romeo:Hey, Robert, Chris Romeo, CEO of Kerr Ventures. Super excited, uh, to hear and talk with Kevin Johnson today because I got a chance to, to meet Kevin and, and hear him give a talk at InfoSec World last year, right before a hurricane almost swept us all into the Atlantic Ocean, um, which was a fun experience all to itself. But, uh, I'm, I'm excited to dive in with him. I know he is, got a lot of, uh, a lot of good stuff to share. He's got a lot of experience in AppSec as well and has been around for a while. So,
Kevin Johnson:That's a, that's a nice way of saying I'm old.
Chris Romeo:well, I mean, if you, if you may, on the video, you may notice that, uh, I, I, I am sporting quite a gray look. I'm realizing as I look at myself in the camera here, like what happened. I was
Kevin Johnson:Yeah,
Chris Romeo:just recently.
Kevin Johnson:about the, uh, hurricane pushing us into the Atlantic because as somebody who was born and raised in Florida, that hurricane was like, yeah, whatever. And I, and I, I wanna be very clear people who don't know it, it, you know, it's bad for the people that got hit by it, but as somebody who's lived here, it was like, yeah, yeah, yeah, it's hurricane, whatever. But, but the people that were visiting InfoSec world, right? That, that had flown in and everything, the, oh my gosh, we're all gonna die. We're like, No, we're not gonna die.
Chris Romeo:So I did learn an interesting disaster recovery principle though while at InfoSec world, the best place to be in the continental United States in the event of a hurricane is Disney World. Because they have their own power grid, they have their own water facilities. They have, they also have this motto that it's the happiest place on earth. And so they don't want, even in the midst of a hurricane, they don't want you to have a bad time. And there will be food and supplies and, and if the power goes out, they'll get it back up like immediately.'cause ah, someone's gonna be unhappy. So, um, that was a,
Kevin Johnson:They are. Absolutely. If you're gonna be somewhere, if you have to shelter in place, shelter in place at the mouse. And so,
Chris Romeo:All right. We should probably talk about, uh, Kevin's security origin story. So Kevin, we always start these things off by what's your security origin story? You can go as far back into your history as you want to. Um, but we'll just, we'll let you kind of tell us where you're came, where you're coming from here,
Kevin Johnson:Well there there was this time when a man and woman had a special relationship, and then,
Chris Romeo:we probably jump a little bit past that perhaps.
Kevin Johnson:so yeah. Okay, okay. Okay. Notice I didn't say loving relationship, I said special. And so there's a reason I changed my name when I turned 18, but, um, I, I'm actually a nerd. I've been a nerd for a very long time. Um, and anybody who knows me can say, yeah, yeah, he's a nerd. And, um, I graduated high school, barely. And, um, I got a job writing code and running a bulletin board system. Um, yeah, I I'm not gonna comment on how old you guys are, but I will point out that you both started nodding when I said BBS. And so I, I ran a LAN-tastic network, which I'm embarrassed to say I ran a LAN-tastic network for this company and I wrote code and, uh, the code I was writing was for a, was for a company that had hired the. What we would call a startup now, but in 1991 was just a new company and, um, they got hired to write this code to control the power grid, and I was assigned to the project. I'm an 18 year old stupid kid. I'm now a 50 year old stupid man. But that's, you know, not much has changed. And, uh, I was asked to write code and what should really worry you is that some of that code still runs in the power grid today. Um, uh, which worries me, but, um, so I, I got started in it and then I did, uh, development and administration and noticed, I didn't say I did any of them well, but, um, I bounced, you know, my role was nerd and companies would hire me and, and whatever. And then a number of years went by and I started working at Blue Cross of Florida. And when I was at Blue Cross, I, uh, I was one of their web. Administrator. So I ran, you know, the infrastructure that ran all the applications and stuff like that. And I worked quite a bit with the networking team. And, uh, I, I was interested in security. I had, I will acknowledge that when I was a kid I might've done stupid stuff with, uh, freaking and wares and whatever, right? Um, and so I was involved, was interested, and we were rolling out intrusion detection systems. Um, at Blue Cross, um, and I bought an O'Reilly book. Is O'Reilly even still around as a publisher? Yeah. Okay. And I bought an O'Reilly book on, it was called Snort and Other Idea Systems. And I'm reading the book'cause that's what I do and I found an error in it, uh, because it, it talked about this project called ACID that was, um, the web interface for Snort. And the book, the, the introduction to that chapter said something along the lines, it's been a long time, but something along the lines of, even though it hasn't been updated in five years or whatever it is, still considered the best interface, blah, blah, blah, blah, blah. And I, I remember it clearly. I don't know why I remember this clearly, but I remember it clearly. I'm, I'm, I'm sitting on the couch in my house, or, and I, and I, I went, oh my God. I found an error in an O'Reilly book. And, and here was that the error was, there was no way I was running software on my network that had not been updated for five years. There's no way. I'm not that person. Right? Um, I found out I am that person, uh, that ACID had not been updated in five years. And, uh, so I, I got a bug in my ear and decided that I would help fix that and so I reached out to, I'm blanking on the guy, Roman Dan Lau.
Chris Romeo:Hmm.
Kevin Johnson:And I said, Hey man, can I help? It's an open source project. Can I, can I help you? And he ignored me. Maybe he didn't get the email right. I don't know. Like I say, he ignored me. That's how I felt. And I wrote a few times, I even wrote and said, look, you don't have to gimme credit. I don't need anybody to know I'm doing this, but I just, I've got some updates. I want to fix this, you know, help me out. And, uh, and I was an idiot. I didn't know how to do it any other way. And, uh, he ignored me. And so I forked the project and. Done. I can do this. That was a mistake. Here's my recommendation. Don't ever start an open source project. Um, like just don't do it. And, um, I love open source. And so I started BASE, uh, which was the Basic Analysis and Security Engine. I actually came up with what it meant after I came up the acronym. And contrary to what Mike Poor thought, uh, I was doing acid-based chemistry. Mike thought it was a drug reference'cause acid and freebase and so I, whatever you want to think. And, uh, that's how I, how I got started and I started doing this and it was the perfect thing because we actually ran base at Blue Cross, so I had a production network to test things on. Yep."Test" things on and, uh, I started running it and that led to me getting more involved in security. I actually went out to a SANS event and took a class from Mike Poor. Um, in the class. He taught my software, which was weird. Uh, he actually had me stand up and present that section, which meant he got paid for the day, but I got to do the work. And, um, so, and I've given him crap since then. Uh, and he took, uh, me and some other students out to dinner. Uh, at dinner he said, Hey, what do you wanna be when you grow up? And, uh, I said, uh, gushing, I'd like to be you. Um, I'd like to be a consultant. I'd like to be teaching people. I, I, I believe very firmly that I am where I am today because I was taught by people being willing to share their information and that it would be disgusting of me not to do the same. And so I said, I wanna be you. And he and I talked a little bit, uh, hung out in the hotel afterwards, you know, in the lobby discussing what that meant. And I got hired by InGuardians, uh, within the year. And became a consultant, worked there for a while, and then started my own thing, which will be 13 years. Uh, this month, uh, 13 years ago, I started my own thing and, uh, just for the record base, I have not updated base in years. I actually transitioned it to another. Developer years ago. Uh,'cause I hit a point where I was doing more web app security than intrusion detection and stuff like that. And I felt like I wasn't capable of maintaining the right feature set because it was out, it was not my day-to-day job anymore. Right. And so I transitioned to another guy, and again, I'm blanking on his name. Uh, he's awesome. He's maintaining the product now. He is a project now. Uh, he did move it off of, um, Uh, SourceForge. So he has a, a repo the repository on SourceForge as an announcement that says it's a dead project and to points you over to the new one.
Chris Romeo:So
Kevin Johnson:that's it. I think that's a babble of what I did.
Chris Romeo:you, so you just took me on a, a nostalgic trip down memory lane.
Kevin Johnson:Good.
Chris Romeo:I used ACID and BASE with Snort. No, but I, I, but I, but but like, but like, worlds are colliding here.
Kevin Johnson:Yeah. Yeah,
Chris Romeo:I'm like, this is the guy who, like we were, we were doing commercial, um, managed security services at Exodus Communications like in 97, eh, 98, 99. And we were using ISS Real Secure. We were using, um,
Kevin Johnson:Yo,
Chris Romeo:what was the other one? Um, I can't remember what the other one was, but we were looking at Snort as a potential way to. Get rid of the commercial products and put an open source product in. But then we were looking at how to manage it and so we were testing ACID and BASE like, wow. So this, this is just like, I'm telling you, worlds, worlds are colliding here. Like me in 1998, just like got a visit from me in 2023 and say, you're gonna meet the guy who made this Like, it was a back to the future moment here.
Robert Hurlbut:Right.
Kevin Johnson:Nice, nice. And the funny part about it is like sometime when I was at InGuardians, uh, SANS asked InGuardians to write a web pen testing course. And, and I'd like to say that I was chosen to do it as an InGuardians consultant because I was the best I. Web app, pen tester they had ever. And they asked me to write this, this class. And the reality was I was the consultant that wasn't on billable work that week. So I got assigned writing the course. And, and so most people who have dealt with me in the last 20 years, uh, not that long, uh, 15, uh, eight, somewhere between 15 and 18 years, uh, they know me as a web app pen tester. Because SANS 542 and then the advanced course, I, I was the author of that as well. I was also the author of the original mobile security course for them. I'm no longer a SANS instructor, but I, but I was for a number of years. And so most people think of me as a web app person and they don't know about the 10 years before that that I was part of NAG and intrusion detection and network backbones and stuff like that. And uh, and so it's funny when. Like, like you said, like, oh, hey, wait a minute. So yeah, I'm a nerd.
Robert Hurlbut:Very cool. So you mentioned, uh, about, uh, open source projects. Uh, so there's a, uh, a project I think you've been a lead for, for a number of years, the OWASP project, SamuraiWTF. So, um, take us through that. You know, what is it, how did you come up with the idea for that project? Uh,
Kevin Johnson:Oh, you don't wanna know how I came up with it. I, the way I came up with it was I didn't make it to DEF CON one year and I was bored. And so when you're bored, what do you do? You build Linux Operating Systems. And, um, so, uh, which sadly is a true story. Um. SamuraiWTF, which stands for now, stands for Web Training Framework, uh, when it was originally released. Oh, geez. I think this might be the 15th or 16th anniversary of Samurai this year. Um, I should have done something on the first anniversary. I shipped swords to all the project people, everybody involved in the project got a sword in the mail. Uh, which by the way, uh, I did learn that if you're gonna ship swords to people, let them know they're coming. Um,'cause at least one of the people who got a sword, uh, they were not home. They were traveling and their wife was home. They were on the phone and the wife said, uh, you know, hey, you got this odd shaped box. And he said, uh, well open it. Like, I don't know, I wasn't expecting anything odd shaped. And so she opened it, pulled the sword out, and she said, is this like a death threat? Like a dual? Like I challenge you, it can only be one. Um, so yeah, so don't send swords unsolicited
Chris Romeo:I mean, I went.
Kevin Johnson:it's my house.
Chris Romeo:I went. exactly where you were thinking though, like I'm thinking a Highlander thing going on here. Like maybe I'm a Highlander after all and maybe
Kevin Johnson:Woohoo.
Chris Romeo:yeah.
Kevin Johnson:Yeah. So, so SamuraiWTF, uh, which yes, we came up with the acronym first. Um, uh, Justin SSL and I were also gonna be write, uh, two other versions, which were SamuraiRTFM, and SamuraiSTFU. Um, but, uh, the idea behind it was just to give people, at that time a bootable CD. Yes. A bootable CD that gave them a Linux environment that had web pen testing tools pre-installed. Similar to Kali, right? How Kali has, and, and one of the things that I've, I've, and I've got lots of things to say about Kali, but um, one of the things I've always felt. About Kali, that Kali is missing is the target environments, right? Like you give a, you overwhelm people with tools, with, with Kali, and then you, okay. Uh, go forth and hack. Um, so with Samurai, we, we focused on web apps, APIs, mobile apps, whatever. And then we, um, we included, target environments. And then over the years we've realized that the training aspect is probably more important than the testing aspect. And so we've rebranded still SamuraiWTF, but we've rebranded it as the Web Training Framework. And, uh, it, it is that, uh, right now it's a virtual machine. So we moved from a Bootable CD to a Bootable DVD, and then we got to a point where, uh, We installed too many things for SquashFS to work. And so we became a virtual machine that you could use. Um, and then we're actually working right now and we're hoping, hoping, uh, to have the release sometime, uh, this month of what we will refer to as 6.0.'cause we're at 5.3 now and we're converting the entire thing to just be a set of containers that you can spin up in any container management system. So you can stand it up in Azure, in AWS local Docker installs on your local machine. And we're doing that, uh, mainly because Macs suck. Um, you know, apple made the genius idea of, uh, switching back to a non-Intel based chip and we're running into support issues where, The M1 or M2 system can't run the Intel-based operating system.'cause VMware is not an emulator, it's a virtualization system. And so we're, we're splitting it up so that we have the, and uh, we have a new project, you know, sub-project that's coming out called Shogun, which will be, um, that. The, the overarching Samurai project has a number of different parts to it. You have the base SamuraiWTF, which is the, the Linux environment. It's a vagrant. Uh, it's, you use Vagrant to build it. And then you have Katana, which is a control system. Uh, and Katana lets you pick and choose which tools you install, which targets you install. It also allows you to stop and start. The targets so that you, because you don't, you don't wanna have everything running at one time. And bluntly, a lot of people that use Samurai if they're trying to learn, so controlling Linux daemons, or containers is not what they know how to do. And so Katana is that. Uh, and then you have the Dojo collection of, uh, vulnerable apps, which is Dojo Basic, dojo Scavenger. We have Dojo Basic 2 coming out. Uh, the Wayfarer project is another vulnerable app that's part of Samurai. Uh, Wayfarer is an entire intranet. Um, one of the problems we've seen is that most vulnerable apps are not difficult to test. Like you get to a page called SQLi.php, what's it vulnerable to? Right. Uh, and so what we wanna do with Wayfarer and, and have is we've built ticketing systems and we're expanding all the d and intranet and all this so that it, it actually acts like the internal network of an organization. And then you have the, the labs, okay, now go find the problem with these pages and, and stuff like that.
Chris Romeo:So those, those vulnerable apps, are those, are you repurposing other people's vulnerable apps or, okay, so they're not, you haven't, they're not creating all these from scratch. You're kind of collecting them or so, or both.
Kevin Johnson:Both. So Wayfarer is Wayfarer and Dojo Scavenger and Dojo Basic 2 are from scratch. Dojo Basic is a port of an old version of uh, DVWA. And then we also have, so if you go into Katana, you have things like damn vulnerable web app, damn vulnerable web service, Mutillidae, sorry, Mutillidae. Wrong secrets, which is another OWASP project, things like that, that you can pull in, um, that, that get installed. Um, you also have all the different tools, right? So we have like Dan Weiser's and Jason Haddock's sec lists. We have, uh, Burp and ZAP. We have, um, just a whole bunch of different things like that, right? So, um, and, and so it's funny. We regularly get alerts from GitHub that our project has a lot of vulnerabilities in it, and we've not figured out how to tell GitHub, like, like, don't get me wrong. I like the idea of them telling me there's vulnerabilities in the pieces that I, I don't want vulnerabilities in. The problem is it's telling me about the ones I do want vulnerabilities in, and, and there's no way for me to say, Hey, uh, that one's okay. Uh, we, we just ran into this problem. We just submitted Samurai. So Samurai is considered a lab level project at OWASP, and we submitted through the process to be approved as a production level product project, uh, what we'd like to be is flagship. But, um, but so we submitted to be production. And one of the questions, one of the questions that was asked, which is a good question, right, is, uh, are you fixing all vulnerabilities that are in the system? And, and I had to write, no. Like I, I, I mean, I could have said yes and then argued semantics of we're we're fixing all of the, you know, but, but, the reality is no, we're not fixing all the vulnerabilities because we want
Robert Hurlbut:We want them there.
Chris Romeo:There's already, I mean, I mean, Bjorn's, Bjorn, Kimminich's Juice Shop, there's already a precedent for that answer to be okay to you. I mean, I think, I don't know if he's, I don't know if they're flag, if he's, flagship. If they're
Kevin Johnson:He's flag, uh, Juiceshop is a flagship project. So the, the difference between, and, and I wanna be clear, uh, full disclosure, I am a project committee member. I'm actually the vice chair of the OWASP projects committee. Um, which is funny'cause I submitted my project to be promoted. Um, I've recused myself
Chris Romeo:on, rubbers. Just stamp it. Stamp it. Pass.
Kevin Johnson:yes, it's good. Um, so the difference between flagship and production. Is nothing from quality perspective from that. The difference is is that the OWASP board has determined that that project has a significant impact on the brand OWASP. And yes, it is as vague as that, right? So as a matter of fact, there is actually no process to take something from production to flagship.
Chris Romeo:Hmm.
Kevin Johnson:Um, all of the current flagship projects have been grandfathered in. They were made flagship at some point in the past through some process, uh. Since Andrew Vanderstock took over as the executive director, he's been trying to, uh, build more formal, which is good. I, I actually think that's a good thing. I, I've got some other complaints there, but that's, I, I have to whine. Um,
Chris Romeo:Let's, talk a little bit about, uh, SamuraiWTF a little bit more in detail before we switch gears. And so, one of the things that the, the, the frames of reference we like to think about here at the Application Security Podcast is if there's a developer out there, they're listening and they're like, okay, uh, this project that Kevin built sounds cool. SamuraiWTF. What would the pathway look like for them to get the most value out of SamuraiWTF? Like walk us through what you would, what you would tell if you were sitting across from a developer and they asked you that question.
Kevin Johnson:So there's two paths I would take them through and I would actually recommend that they do both. Okay. So the first, the first path is I want to use SamuraiWTF as a way for me to learn application security. Right? Um, so very simple. Uh, you have a, you would install SamuraiWTF, and uh, you can do it one of two ways. You can either download an existing virtual machine that we have built or you can pull the code, and if you're running Vagrant already, you can do a"vagrant up." It will actually do a fresh build of the latest version of everything at that point. Uh, and then you would log in once you log in and it's a very, very secure password. Uh, the username is"samurai" and the password is"samurai". Um, and I, I joke that it's secure, but it really is'cause most people can't spell"samurai" correctly, including me. Um, I regularly typo that one as I'm trying to log in. Oh, excuse me. Once you log in, um, I would open a terminal and run Katana, the Katana command. And the easiest thing to do is say"katana[space] list". And it will list everything that it can install.'cause by default, it's a bare bones system. Right. And then, most people, I would tell them to do"katana install katana", which is a stupid command that installs the web interface for Katana.'cause that's typically easier for, for people just getting started to use. You don't have to. Uh, and then you do"katana start katana" and you hit the website. It gives you a URL that you can go to and, and open it up. Uh, and then I would pick the vulnerable apps that I was interested in. If you've never done this before, I would start with something like, uh, Mutillidae or DVWA. They are both environments to let you test while giving you tutorials on how to test it. Uh, the other thing I would do is, this is not a Samurai project, but it is, uh, is the Professionally Evil Web App Pen Testing 101 course. It is a completely free and open source six day web pen testing course. Um, that may or may not be 542 from Sam's. Um, so, um, completely open source, completely free. You're able to download that and then that would teach you how to use some tools. Uh, it is an older course, and that's what I would do. I would start practicing the techniques, understanding the technology, stuff like that. That's the first path. The, the second path I would say is I'm a really big believer that one of the best ways to get involved in learning security is to actually contribute back to the project. Right. You don't have to be a developer to do that. A lot of people are like, oh, I don't know how to code. I don't care. Um, there's lots you can do. Uh, we are constantly looking for people to help write code. We're constantly looking for people to help write documentation. Uh, if you've got a tool that you like building a YAML file so that Katana can install that tool, if it's something we don't use already, um, is a great contribution. Um, we are also about to release, uh, a new version of Katana that is internationalized. I don't know if that's the right phrasing there. Um, and so we're gonna look for, uh, people who can help translate things, uh, because I barely speak English, so I'm not the person to have translate stuff. Um, and then that way, by contributing, you're leveraging whatever skillset you have, whatever thing you're already experienced with, but you are immersing yourself in. To the security stuff and everything else like that. And I find time and time again that the best security people I know are the people that also understand how the system runs, how it was built, how it functions, right? Uh, it's not enough to just say, Hey man, I hacked that thing. It's, I hacked the thing and here's why. And this is what it did and here. So that's why I say the two paths I'd recommend. Uh, I don't believe they're mutually exclusive. I actually recommend doing both. But it's, it's, your choice is. Play with it, install it, learn, but also contribute, help be part of the project.
Robert Hurlbut:Hm. So you mentioned, uh, OWASP and we're, we're definitely, uh, fans of OWASP. and I, we've been involved for many years. I know, uh, like you have as well. Uh, so there's, uh, an interesting announcement. Uh, we just heard about, uh, ZAP leaving OWASP. Um,
Kevin Johnson:It's good of you not to say OWASP ZAP, uh, which is a habit I have
Chris Romeo:already using the new branding. Look at that. That was
Kevin Johnson:Yeah, it's awesome, man. That was good, Simon would be happy. Yeah. Uh, so ZAP joined, uh, SSP? SS... SSF.
Chris Romeo:SSF: Software Security Foundation.
Robert Hurlbut:Yeah.
Kevin Johnson:Which is part of the Linux Foundation. part of the OSSF. Um, so. I am thrilled. Simon has got a full-time job running ZAP. I am bothered that ZAP left OWASP, but I am bothered not because Simon and his team made the choice. I'm bothered because Simon and his team felt that was the only choice they could make. That I, I, I'm going to preface this with I am a lifetime member of OWASP, I paid for a lifetime membership. I am a project lead on multiple projects that we have pushed in through the OWASP Foundation. I am the vice chair of the project committee and used to run the Jacksonville chapter. I also speak at lots of OWASP events and the company I work for is a corporate member. We pay for membership for every single one of our employees. I am saying that not to brag about what I have done at OWASP, but to say that OWASP is fundamentally broken and I don't know why. Here's how I know it's a fundamentally broken. Let me ask you a question. I'm gonna put you on the spot and it's your podcast, so you can either edit this out or tell me to shut up and you won't answer the question totally up to you. Right? You said that both of you are involved in OWASP. Are you paid members?
Chris Romeo:Lifetime.
Robert Hurlbut:Lifetime.
Kevin Johnson:Good. Good. Okay. Now let me ask you a question. OWASP. You know the creation of the OWASP Top 10, which is referenced in things like PCI and federal regulation has tens of thousands of people involved in projects. Hundreds of thousands of people download their projects and use our projects every day. How many paid members do you think they have?
Chris Romeo:How many paid members? The, for OWASP in general? Or are
Kevin Johnson:How many, how many people do you believe have paid for
Chris Romeo:Um,
Kevin Johnson:at OWASP
Chris Romeo:this actually, I've heard, I've seen this number fly by, I wanna say 4,000 or 6,000 or something like that. Is that right?
Kevin Johnson:Robert, do you have a different guess?
Robert Hurlbut:Was around 5,000, something like that I thought I've heard.
Kevin Johnson:it's somewhere between five and 6,000, if I remember correctly. It, it changes obviously why?
Chris Romeo:I mean, there's, there's no ins, there just hasn't been an incentive unless you're a super fan like we are. And I'd say you're probably more of a super fan than we are even, but, you know, Robert and I, have both contributed to
Kevin Johnson:I I don't know that I'm more of a super fan, but, I I'll go with it. Right.
Chris Romeo:you, you know, you, yeah. I mean you, you're leading multi, you're, you're leading different projects and stuff. But the point is like all of us are super fans of, like, we believe in it, like we talk about it.
Kevin Johnson:I we should be giving back. I think we should be doing this stuff. I, so my question is this, we know that Simon left because of funding. He said that like, uh, uh, and this has been a topic going on for a while now. It's actually one of the ones that I have publicly spoken about. Uh, there was a letter put forward, Mark Curphey and, and Simon were two of the people that pushed it. Um, Simon is one of my favorite people. I wanna be very clear. I do not want anybody to take away from this, that I don't like Simon or that I'm unhappy with the choice he made. I'm not, I'm thrilled for him. I wish we could have done that for him. Right. Um, but there has been a push for the last, I don't know, year that OWASP has to figure out how to help fund chapters and projects and promote itself to the community. And I believe that push is wrong. It's not because I think the push to get funding for things is wrong. I think it's focused on the wrong problem. There is zero capability of OWASP to fund. Two of the ZAP Project leads now have full-time jobs building ZAP. That is beautiful. That is awesome. That is so wonderful in my opinion. But they had to leave OWASP to have that happen because OWASP can't afford that. OWASP can't do it. And the reason OWASP can't do it, in my opinion, again, Kevin's opinion is we're gonna have somewhere between four and 6,000 members that are paying$50 a year. That's it. And the three of us, we all paid$500. Ignoring the other memberships I paid for ignoring the corporate sponsorship, which means that if you and I have been members for 10 years, we're now not giving them enough money. Right. And I'm not right. And I have been a member long enough that I Right. So, so in my opinion, the thing we have to fix first, and I believe this will help fix the things like Simon leaving and, and stuff like that is we have to figure out why people don't pay for membership.
Chris Romeo:Hmm. I mean,
Kevin Johnson:have to figure out and,
Chris Romeo:There's no incentive. Right? Like, what?
Kevin Johnson:But, there is an
Chris Romeo:what, but what there, there's, there's not a clear value proposition though, to even the people that were in. Like, so I run the Raleigh Durham chapter here in Raleigh, and when we would, when we were still meeting in person, most of the people there weren't members because there really wasn't an incentive for them. I could, I, I could, doing a membership drive was like, Hey, you should become a member. Okay, what do I get? Um, you get to come here and eat pizza. Yeah. And you get to eat pizza at
Kevin Johnson:an email address? Yeah. You get an email address@os.org. cause yeah, I need another email address.
Chris Romeo:Exactly.
Kevin Johnson:I get the ability to vote in the elections. Okay. That's great. Right. I'm pro-democracy, but yeah, we don't have end, end. OWASP, and I'm not saying they're wrong to do this, but OWASP is very, very leery of how they deal with like member benefits, member discounts, things like that. Because they don't want to promote an individual company, which I, I understand. I'm not disagreeing with that. But yeah, I think that the biggest problem we have right now, and I, I predict, and this is not much of a prediction, I predict we are going to lose a significant number of other projects because, I, I've been working on Samurai for 15 plus years. I started base in 2002. I've been doing various open source projects since then. The only money I've ever gotten, other than the one guy that sent me like 20 bucks to the base project, which I had to refund because my accountant flipped out. Like, no, you can't take money for that. Um, right. Uh, Has been because jobs I worked at were willing to fund it. And of course, for the last 13 years, I own the company that's willing to fund my development. Uh, like my Twitter account says, my opinions are my employers. So I, until we fix that problem, OWASP is going to continue to fail.
Chris Romeo:Yeah, so I mean, I think it ultimately is gonna require the board to change the opinion of the amount of pushing that's gonna happen,
Kevin Johnson:I, I personally believe that the board should be let go. I, I think that I love Andrew van der Stock. He's a great guy. I think that what we have seen over the last couple years is OWASP and OWASP Corporate have been[fist slap] like that. And that is one of the key problems that we, until we fix that, we're not gonna be able to fix the other. But that's a Kevin being pissy.
Chris Romeo:That's, I mean, that's okay. We're lifetime members. We have a say in this, though. Like, this is... I'm
Kevin Johnson:allowed to be pissy.
Chris Romeo:we're we, but this is, you know, this is our, you know, this is our kind of thing. Like we should be able to have opinions about it. And, and yeah, I mean, in my opinion as well, like, I'm happy for Simon, I'm happy for the project. I'm happy the fact that they're gonna, same thing you said, I'm happy they're gonna get paid for doing this because they've spent tens of thousands, 50,000, I don't know, they've spent a lot of time on this thing.
Kevin Johnson:all their time.
Chris Romeo:all of it, Mo and most. And, and so now they're gonna get, you know, every week goes by, they will go up in 0.0001% of time they've been paid for, for doing, uh, for doing the project. But, but, but it, it does, it does point to the fact that what Curphey was pushing for, and he ran for the board, was trying to do, but he, but he, but his, his platform, he, he came on our podcast and he shared his platform, the fact that he wanted to, he wanted to fund, find a way to fund projects. And, but he quit because he couldn't, he didn't see a, he didn't see a way to get to that. And so now he started, I'll give you, I, I'll, I'll let you give, I want to hear your take as well. But like, and the way I see it is he went to SSF and, and, and they started this thing because they didn't see a way to do it in the OWASP universe right now. Which, which I wish they did. Like, I, I hate the fact we're gonna have two things, but we are, we have
Kevin Johnson:We're always gonna have two things. Yeah. I, I, uh, I'm gonna, I'm gonna give you my opinion and I wanna make it very clear. This is Kevin's opinion and Kevin is a jerk. I am disgusted with what Mark Curphey did by running for the board, because I believe the entire thing was a scam specifically to kickstart SSF. I believe that Mark ran on a platform that I happened to agree with. He joined the board long enough to say I gave it the good old college try, and then he quit to finish founding SSF. I believe that his ultimate goal was exactly what he did, and that was to become the founding member of SSF and have that kickstarted by the fact that he was fighting the man and fixing. I'm, I'm, I don't, I, I don't know that that is fair of me, but I do not believe that Mark had any intent of serving out his entire term as a board
Chris Romeo:member. But, I mean, what's the incentive though? Like what, what, what, what would be his, what does he get out of going into OWASP spending a year talking about it?
Kevin Johnson:He didn't spend a
Chris Romeo:and
Kevin Johnson:year,
Chris Romeo:six months or
Kevin Johnson:two months Right. So let me ask you a question. Before he ran for the board, when was the last time you talked about Mark Curphey?
Chris Romeo:Uh, when we had.
Kevin Johnson:He was one of the founding
Chris Romeo:I mean, he had, he had, I mean, when we did the interview with him, he admitted he had drifted away. Um, when I, I can tell you the time I, when I actually learned about him was when we had Jeff Williams do an episode and we asked him for the history lesson of OWASP.'cause I really wanted to know it. I wanted to know what happened in the early days. And so that's when he was talking about Mark. And I'm like, wait, there was a Mark that was part of this?'cause like, I only picked it up when Jeff and Dave from ASPECT were
Kevin Johnson:Yep.
Chris Romeo:appeared to be pushing it forward. Right. And
Kevin Johnson:Right, and and I'm not saying that's wrong, I'm just saying yes. In my opinion, Mark had drifted away from the industry. The AppSec, OWASP, everything else like that. And that by running for the board, and I don't know that I'm right, this is just Kevin's, I'm pissy, right? Um, is that Mark realized that for him to kickstart a thing that I hope is successful, I really do. I want open source to benefit. I like the idea of a while. I don't need funding for my projects, uh, because I've been lucky and blessed with being able to fund them myself and, and right like that. I want developers who are slaving over things, people who have project ideas to be able to come forward and say, I can't do this on my own. I need somebody to help me. I need somebody to respond to me. I need some, I want that for people. So I love what SSF is doing in theory. But I do believe that Mark ran for the board specifically because I don't believe that Mark I,... Mark is a very smart person,
Robert Hurlbut:Mm.
Kevin Johnson:and I don't believe he was malicious. I'm not saying, oh, that jerk, right? I believe that he realized very soon when he started getting back into it that there was no way OWASP was going to shift at any level of the speed that he needed it or wanted it to happen. And so what he did was he leveraged running for the board. To be able to kickstart the other, and that's why I, I think he,'cause like I said, he's smart. He looked at OWASP and said, yes, we can't fix this as fast as I want to, so let me start something new. And the way to kickstart it is to say, I give up. I can't do this. You guys are, you know, stuck in the mud. Let me go do this. I don't know that I'm right. That's Kevin's opinion.
Chris Romeo:I mean, I think it's, it's, it's something that we should, we should definitely try to understand better. And I can say like, when you think about OWASP now and SSF. There's nothing better for innovation than competition. Like, you know, there's a reason we have monopoly laws in the United States of America. Yeah. You can't just, I can't just go take a company, buy all the other companies in the market, in the same market, and then 10 x my price because I have the full. So competition is a good thing back and forth, and maybe, maybe this will spur OWASP to move quicker because they're saying, Hey, now we've got, if we lose, you know, if we start losing more projects, then maybe that 4,000 to 6,000 members start to go, well, maybe I should go to the other side of this where all the cool projects appear to be moving. And so that's so that I think it, it could help, it could be a benefit here.
Kevin Johnson:yeah, and if you look at it as a member, if you were renewing your membership every year and you could only afford one membership, Would you rather your membership go to a foundation That is not then taking that money to... that You can see... I'm not, I wanna be very clear. OWASP spends their money on lots of good things. I Right. But, but if you have a choice between an a foundation that your money goes directly to the developers of the projects somehow, or to a foundation that has this amorphous idea of what they, they do. Which would you do? And, and I don't know. I, I'm not saying they pick one or the other. I'm saying that yes, people will be making that decision and that will be a key divider for many people.
Chris Romeo:Yeah, because I mean, the, the worst thing that could happen here is OWASP goes outta business like.
Kevin Johnson:I don't think that's gonna happen. I don't you, you, and the reason I don't think that's gonna happen anytime soon. One, I think OWASP is a great organization. I, you know, I've, I've had people say to me before, oh, you must hate OWASP. No, I love OWASP. It's why I do as much as I do with them. Um, but I think that there are too many things that reference OWASP, like PCI literally says in their standards,
Chris Romeo:Yeah.
Kevin Johnson:"Teach your developers the OWASP Top 10. Right? I, so I don't think that's gonna happen anytime soon. But yeah, that's, I think that's the biggest, you know, I don't know. We'll see.
Chris Romeo:Mean, I could see a world where if other projects started to migrate, OWASP is very good at the conference side, at community, and bringing people together from that perspective. But I would hate to see OWASP become the conference event group and SSF...
Kevin Johnson:so saying OWASP would become ISS squared.
Chris Romeo:Um, yeah. Yeah. I'm saying I don't want, I, I'm, this is, I hope this, this is not a prediction that I want to come true. I'm just saying this is that I could see when you have two entities and the projects are migrating in one direction, I don't imagine that the SSF is going to, they couldn't catch up to the con to the conference steam that OWASP has. They're the, they're far, you know, they're the snowball that's almost at the bottom of the hill. They've been running for a long time. Like it would take SSF time to get up to speed on that. But yeah, I mean, this is an interesting problem. Like it's, you know, it's, it's,
Kevin Johnson:Like to see it fixed, but I don't know, a fix. Like I, this is, this is one of those cases where I'm one of those people you hate.'cause I point out what I think is wrong and then say, man, that sucks.
Chris Romeo:there's, there is gonna be a,
Kevin Johnson:Right. I don't, I don't, have a
Chris Romeo:There's gonna be a board election coming up here in, I don't know if it's this year or, or the next year, uh, if anybody's rolling in. So there's gonna be, there's gonna be, an opportunity for people to step
Kevin Johnson:We hope.
Chris Romeo:forward.
Kevin Johnson:Yeah, so, but I do think that what I just said also answers one of the questions you
Chris Romeo:I was gonna skip over that question of your most controversial take on application security check. That one's already
Kevin Johnson:I think my most controversial take is that Mark Curphey leveraged the board election to start his own foundation.
Chris Romeo:Yeah.
Kevin Johnson:And I like Mark, I think he's a great guy.
Chris Romeo:All right. Well, we can skip Robert, I think, right to that second one. Why don't you tee up that second one?
Robert Hurlbut:Sure. What would it say if you could put a single message on a billboard ad inside of the RSA or Black Hat Conference?
Kevin Johnson:Okay, so inside of RSA or Black Hat? Stop going to RSA, Black Hat, and SANS.
Chris Romeo:No, no. Kevin, you already used the controversial take. You cannot have two.
Kevin Johnson:That's not a con. No, I agree with You'cause that's not controversial.
Chris Romeo:You gotta explain. Normally we don't stop to explain, but you gotta give us a little bit of context on that.
Kevin Johnson:I personally believe that one of the things that is bad about our industry is the sheer number of$8,000 conferences that provide vendor benefit.
Chris Romeo:Hmm.
Kevin Johnson:And I'm a vendor. I, I think if we took, if, if you were new to the industry, And lots o the number of people I've talked to in the last month who are like, Hey man, I'm getting started because I get the call all the time, Kevin, help me. How do I get into the field? And uh, the number of them are like, oh yeah, I'm going to Black Hat. And I'm like, why? Right? Like, or, or I signed up for a SANS class. Ah, how did you afford it? But, um, right. And, and I don't get me wrong, there's really great things at Black Hat. There's great instructors at SANS. There's, well, there's RSA and, um, so there's good speakers at how's that? Um, but for the cost, for the sheer amount of spam you're gonna get afterwards, right? You could go to one B-sides. Engage in a glorious community. You could go to one, uh, local conference or even I, I, I. You know, Pitch of the day. I go and speak in keynote at events all the time, right? If, if, if, if, and that's, that's not a... I'm gonna sell you something. If, if you need a speaker, have me come up, right? I'm, I'm willing to do it. And people say I'm good at it. I don't think I'd, I'd hate, I hate the way I present, but other people disagree. And, um, I, I go to these conferences and the, the sheer joy and euphoria to be involved in the field. That you get at them is worth every bit of it. And that's so, yeah. My, my billboard would be, don't go to RSA Black Hat or SANS, and we can add other ones if you want. Those just, you
Chris Romeo:That's good. I get it. I get, I get what you're saying about the, the B-Sides community nature, the low cost, it's a better'cause. I mean, think about it, like what really defines our, where, where we go in this industry? It's the community we build. It's the people we meet. It's the met people that we ask to, to mentor us. It's the people we, we act as the mentor for. Like, that's, that's really what's important is those that level.
Kevin Johnson:It's one of the reasons, it's one of the reasons why every single time I see the absolute sheer misogyny that comes up in certain communities re related to InfoSec, the, the absolute bigoted language that we see, the, it's disgusting. And that is not InfoSec, except it is because we're not actively calling it out. Right. Um, I, I, I, I, It makes me so angry to see the badness, right. Um, that we, we should, uh, you know, I, I say all the time, you know, I'm a a fat straight white guy, um, that's 50 years old. So I have every bit of the privilege that we are supposed to have and that we call out. And if people like you and I aren't saying, Hey, stop being a dick to the people who are being that, then we're just as bad. And that's, that's why I love the, B-sides community. That's why I love,'cause you can get there and you can have every type of person involved in a room talking about stuff and hanging out and it's beautiful. I love it so
Chris Romeo:Well, let's, um, let's go, let's, let's give you a chance here for a key takeaway or a call to action. So, what do you want, what do you want our audience to do as a result of our conversation here?
Kevin Johnson:I want you to be the person you want to be. There's too many people that stick back, don't get involved because they're afraid to get involved, they are so focused on the day job that they hate. Whatever. Take the chance. Reach out and become involved. Don't let the jerks keep you down. Um, I know that's easy for me to say, like I said, but, um, and that's my key takeaway. Be who you wanna be. And, and, and if, and if you need something, call me, email me, I'm here. Tweet at me, blue sky at me. I don't know what the right word is anymore. Uh, I did see somebody that after Twi Twitter became X, that somebody posted that we should call them excretions. And I thought that was hilarious. Um,
Chris Romeo:That might be the best
Kevin Johnson:so.
Chris Romeo:yet. might be the best one
Kevin Johnson:Yeah. Be who you wanna be and, and reach out will help.
Chris Romeo:Very cool. So Kevin, thank you for sharing your perspectives on all these different things. It has truly been a blast just to interact with you and, and just talk about these things. I mean, you started by taking me down memory lane. So I mean, that was the beginning of this. Which always, uh, I always love a bit of nostalgia because I'm also about to turn 50. So you and I are about this probably came, grew up in the same, same realm of technology. Robert, we're all in the
Kevin Johnson:Oh, I, yeah. modem.
Chris Romeo:but, uh, it's been truly been
Kevin Johnson:2,400 Baud
Chris Romeo:Yeah, it's been a, joy.
Kevin Johnson:I appreciate it, man. I, I had a blast. Thank you.
Chris Romeo:do it again. We'll do it again. Uh, sometime, uh, in the next year or so, we'll bring you back just'cause I just wanna talk to you about interesting things.
Kevin Johnson:Cool.
Chris Romeo:Thank you.
Robert Hurlbut:Thank you.
