Today’s interview is with appsec wizard Ken Johnson. Ken specializes in application security and is a Senior Application Security Consultant with Fishnet Security performing code reviews, pen-tests, and mobile security assessments.
We would like to give a big shout-out to Andrew “@andrewsmhay” Hay, who started this whole Information Security D-List Interview idea. Similar to how we created the NovaInfosec Twits concept based on the popular Security Twits lists, we decided to bring this interview format to our blog but just focused on people that live, work, or play in NoVA, DC, and MD. The whole idea is to help the local infosec community get to know one another a little bit better. Finally, if you’d like to nominate someone for a NovaInfosec D-List Interview, please Contact Us and let us know why they should be featured.
And without further ado, here’s the interview…
Q1: How did you get started in infosec and end up in the metro-DC area?
A: I didn’t really know “Infosec” existed at the time. Long story short, a friend (Jack Mannino) knew about my “hobby” and told me there was actually a professional career in it. At the time I was doing my 9-5 Network Engineering job at a local ISP and THEN getting to do the fun stuff at night from home. It seemed simpler to get paid to do it all day long. So I packed everything in my truck, drove across country and have lived in the area ever since.
Q2: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
A: I’ve had a wide variety of certifications from Fiber Optics to Cisco and the CEH. In terms of added value, the short answer is “not really”. My career in infosec consists of consulting. Multiple choice answers do not prepare you for the challenges you face as a consultant.
For example, in the last year mobile application security assessments have really picked up. Nobody had any courses/certs available during the time that demand for the service started trickling in. Actually, to my knowledge there still isn’t much training available at the moment. So in this case, to formulate possible attacks, test, and provide remediation advice is dependent upon the persistence, research and creativity of the consultant. Not a certificate.
Q3: What advice would you give to people who want to start an infosec career in the local area?
A: Join the NoVA Hackers. This is a great group and especially fantastic for local networking. My current position is a direct result of participation on the mailing/meet-ups. Beyond that, if you’re into AppSec join the OWASP NoVA or OWASP DC mailing lists and attend meetings if possible.
Q4: What was your favorite local infosec assignment (and why)?
A: Originally I came here to do work with the government but after about 2 years I discovered it isn’t really the right environment for me. So the private sector work is really what I’ve enjoyed most. I think that is a big decision which you need to figure out when coming to a government-centric area such as the DC-Metro/NoVA. It will save you a lot of stress in the long run to understand what works and what best fits your personality.
Q5: There are a lot of metro-DC infosec meetups and conferences. Which ones do you recommend attending (and why)?
A: There are the standard ISSA and 2006 meetings. Honestly the only meetings I’ve really been able to make it out to are NoVA Hackers and occasionally the OWASP NoVA chapter meetings. I’ve heard that CapSecDC is pretty awesome as well.
Q6: What are your favorite locally based infosec resources (e.g., blogs, podcasts, email lists, IRC channels, forums, and social network lists/groups/fan pages) (and why)?
A: Well as we’ve discussed, I’m a big fan of your site:
I enjoy novainfosecportal because it truly is “one-stop shopping”. Everything from public and private sector news to the blogs of local researchers can be found on one site.
Regarding the NoVA Hackers site, I enjoy it mainly, and this is sad, because my reading time is limited these days. The videos shot by Georgia Weidman of local hacker monthly talks are extremely helpful. Generally I can keep those videos on one side of the monitor while writing code in the other.
Lastly, this is not really a local podcast but I always enjoy Jim Manico’s OWASP Podcasts. Beyond security, Ted Talks are a must.
Q7: If you had advice to give to the federal government and their contractors to improve “cybersecurity,” what would it be (and why)?
A: That is a really loaded question, lol. One which I’m not really qualified to answer. However, in my opinion I think the simplest way to answer that is as follows. The federal government should pay attention to the way successful private sector organizations of similar sizes operate. I don’t mean in terms of similar size to the entire DoD or to an entire Agency, I mean more so in terms of the local command/base/HQ/etc. This all goes back to deploying standards, which are enforced across the entire body of the organization. Honestly, this factor alone keeps the government less agile and flexible than it needs to be.
Q8: What projects (if any) are you working on right now?
A: 1) Web Exploitation Framework (“wXf”) is my primary focus at the moment. This has been a year-long effort that originally was really slow going but has really picked up lately. The primary reason behind this is we (Seth Law and I) were not sure where it was going. Also, we were fairly new to the intricacies of advanced Ruby techniques such as metaprogramming.
The original idea of wXf, which we’ve stuck to, is to glue testing scripts, practical exploitation and the like into a familiar interface and address newer web technologies. Basically we want to create an interface, make the framework easy to add to, provide the right libraries and let people decide what they want to get out of it. For now, it’s just an experiment and a way to share various ideas and techniques that AppSec folks use in their daily jobs.
2) Ben Null, Rob Fuller and I ran the AppSec DC 2010 CTF Contest and plan on doing that again in 2011. Honestly, it was a blast and I was really impressed by the folks that participated.
3) Mobile stuff. That is all I can really say for now.
Q9: Is there anything else you would like to let your fellow infosec pros know?
A: Get involved. There are always projects that need help and there are always conferences that need volunteers. Also, don’t limit yourself to only attending security-related conferences. There are a ton of technology conferences out there and it will expand not only your horizon but possibly help bring your expertise and advice to developers or engineers who really need it.
Q10: How can people get a hold of you (e.g. blog, twitter, etc.)?