Kevin Johnson

About Me


Kevin Johnson: Advocate for Open Source & Security Education

I’m Kevin Johnson, the CEO of Secure Ideas, and my journey in the open source community began in earnest in 2004 when I took on the role of a project lead for an open source initiative. My conviction for open source and security has been the driving force behind my contributions and endeavors throughout my career in information security.

My Dedication to OWASP & Open Source:

  • I’ve proudly served as the Vice Chair of the Projects Committee since 2020, demonstrating my commitment to enhancing open-source security through leadership and actionable initiatives.
  • As a lifetime member of OWASP, I’ve always championed its core values and overarching mission.
  • I founded and spearheaded multiple open source projects, such as SamuraiWTF, BASE, and MobiSec, among others, showcasing my belief in fostering a transparent and cooperative security community.
  • I initiated and managed the BASE project for Snort, before passing the torch to another capable developer, ensuring that our open-source projects have a bright future.

Education and knowledge-sharing have always been at the core of my passion. I’ve penned three courses for the SANS Institute and facilitated countless trainings, briefings, and presentations around the world. Over the years, I’ve been honored to share insights at major conventions like OWASP’s conferences, RSA, DEF CON, DerbyCon, ShmooCon, and Blackhat.

On a personal note, my family is my sanctuary. Also, as an avid Star Wars aficionado, I had the privilege of being a member of the 501st Legion, a global Star Wars costuming charity led by passionate fans like me.

Throughout my career, I’ve been fueled by a dedication to open source, education, and community. In this journey, I remain ever-committed to the realm of cybersecurity.


Kevin Johnson - OWASP Candidate

Questions


How do you envision OWASP to become more reachable to individual developers and institutions?


Ah, “reachability!” It’s not just about being on the other end of a phone call or email thread; it’s about being present and relevant. If OWASP were a person, I’d want it to be that geeky-yet-cool friend every developer wishes they had. Someone you can reach out to at 2 AM when you’re neck-deep in code or during happy hour when you just want to discuss the latest in security.

1. Communication is Key (Literally and Figuratively): Before we can be everyone’s favorite security aficionado, we have to shout our purpose from the digital rooftops. Not just that we exist, but why we matter. I envision a robust communication pathway that breaks down what OWASP stands for, minus the jargon. Because let’s be real, while OWASP is well known in the security community, we are not as known to many developers and developer groups.

2. Shake Hands, Make Friends: While our passion is ever-burning, funds can sometimes be a different story. To keep our fire alive and crackling, I see us joining hands with companies and organizations. We’re not just asking them to open their wallets but also to truly understand and embrace the OWASP mission. Their support can amplify our cause, transforming a whisper into a rally cry.

3. Bringing Security to the Developer Party: Developer groups are like the nerve centers of the tech world. By collaborating with them, we can craft educational materials that resonate. Think of it as a “security recipe” tailored for each developer’s palate. This way, they not only implement security but champion it, helping to spread the good word of OWASP.

4. Making OWASP the Shining Star: My ultimate vision? To make OWASP the crown jewel of the Open Source community. The entity everyone knows, trusts, and yes, shows off at tech meetups. A source of pride, knowledge, and a community people WANT to be a part of.

In conclusion, with clearer communication and a robust community, OWASP can be more than just a name on a screen or something people think about in passing.


What do you plan to do to increase funding for OWASP projects?


When posed with the question of increasing funding for OWASP projects, I’m reminded of a broader perspective. Why limit our scope to just the projects? As much as I acknowledge the sentiments behind the open letter – and agree with many of its points – I believe our focus needs a little adjustment.

OWASP, in essence, isn’t just an organization. It’s a vibrant community constituted of three core pillars: our projects, our chapters, and most importantly, our members. It’s this trinity that shapes OWASP’s identity and potential.

A significant observation that strikes me is the discrepancy between the vast number of individuals who utilize and contribute to our projects and chapters daily and the relatively small fraction that officially holds OWASP membership. This gap isn’t just a number; it’s an opportunity.

By emphasizing and enhancing the benefits of OWASP membership, we can tap into this latent potential. More members translate to a more substantial community voice, greater collaboration, and, by extension, more funding. This isn’t just about money; it’s about value. Increasing the perceived and actual value of an OWASP membership can motivate more individuals and institutions to join our ranks.

The revenue generated from an expanded membership base won’t solely fortify our projects. It will also strengthen our chapters, ensuring that every facet of OWASP gets the nourishment it deserves. In a nutshell, my vision revolves around a holistic growth strategy. It’s about fortifying each pillar of OWASP to ensure the entire edifice stands tall and proud.

Let’s reimagine OWASP, not as a fragmented entity but as a cohesive community where projects, chapters, and members seamlessly synergize to propel us to greater heights.


What are your plans for Foundation outreach in both government/policy and industry?


When considering outreach strategies for the Foundation within government, policy circles, and the broader industry, my vision takes a cascading approach. It begins with the very essence of our community: memberships.

At the heart of any successful outreach initiative lies a robust and engaged community. By placing an emphasis on growing both individual and corporate memberships within OWASP, we not only expand our resources but also amplify our voice. A stronger community representation will naturally position OWASP as an even more authoritative figure in application security conversations, both in the private sector and government.

But memberships are just the starting point.

Engaging Government & Policy Stakeholders: With a bolstered member base, our next move should be to actively collaborate with government bodies. By sharing insights from our projects, research, and community feedback, we can contribute constructively to policy-making. In turn, this provides an avenue for OWASP to shape the narrative around application security standards, ensuring they are both robust and practical.

Fortifying Industry Relations: On the industry front, the expanded membership will undoubtedly open doors to greater partnerships and collaborative ventures. But it’s crucial for OWASP to be proactive. By organizing industry-specific events, roundtables, and collaborative research projects, we can strengthen ties with key industry players. This not only bolsters our industry relevance but also ensures that the private sector benefits from our expertise and insights.

In essence, my plan revolves around a feedback loop. Increased memberships bolster our industry and government outreach, and successful outreach in turn attracts more members. By fostering this cyclical growth, OWASP can ensure it remains at the forefront of application security, influencing both policy and practice for the better.


Do you believe all OWASP Board discussions should happen in the open (excluding HR, Compliance, etc.)?

Yes! While I would love to create an in-depth answer to this, yes is the right one. It makes no sense to me that a board for an OPEN organization would not have its discussions in public in every way it legally can.

What are your plans to have the board and staff be more involved in project marketing/cheerleading?


While the idea of the board and staff leading the cheerleading charge may seem natural, we must ask: Isn’t the essence of OWASP found within its vibrant community? The strength of our community, including our members, chapters, and contributors, is our most significant asset. Thus, my vision prioritizes empowering this community to become the primary cheerleaders for OWASP’s initiatives, not just projects but projects AND chapters.

However, acknowledging the importance of board and staff involvement, they too should align with the larger community in this cheering brigade, not as sole torchbearers, but as members of a larger, cohesive team.

Here’s how I see us achieving this:

1. Clear Pathways for Benefit Leverage: We should establish defined channels that allow chapters and projects to access and leverage the wide-ranging benefits that come with the OWASP banner. Whether it’s tools, platforms, resources, or sponsorships, we need to ensure that individual chapters and projects can seamlessly harness the collective power of OWASP.

2. Comprehensive Marketing Guidance: While enthusiasm and passion are crucial, they’re magnified when backed by a solid strategy. By offering professional guidance in crafting marketing plans tailored to projects and chapters, we can amplify their outreach. This doesn’t just help individual projects or chapters; it reinforces the OWASP brand globally.

3. Streamlined Policies & Procedures: The wheels of any organization move smoothly when there’s clarity. We should focus on refining, documenting, and disseminating clear policies and procedures. By doing so, we not only simplify the process for projects and chapters to tap into OWASP’s resources but also create an environment of transparency and trust.

In conclusion, it’s not just about having a few cheerleaders; it’s about turning the entire stadium – our community – into a cheering arena. And for that, every voice, whether from the board, staff, or community, counts. Let’s amplify each one and make OWASP resonate louder and prouder.


Are you able to devote the time to your OWASP Board duties (can feel like a second full time job)?


As with the openness question, yes! I have long considered whether I had the time and ability to serve as a Global Board member. My family and coworkers are supporting me in this effort. As such, I have the time and ability to focus on OWASP and helping move us in the right direction based on member feedback.


Additional Question from GitHub issue 9

Shape the future of OWASP, how?

  • How do you envision the future of OWASP?
  • What’s your stance with respect to the open letter?
  • Any ideas to get any of the points on track? If so, in a sustainable way?

Context: As you might know, we lost a flagship project (ZAP) to the Linux Foundation. One board member who founded OWASP and returned stepped down in 2023. He also felt a need for change but didn’t get the support needed.

https://github.com/OWASP-Foundation/Board-Election-Call-for-Questions/issues/9


The future of OWASP, in my eyes, isn’t in some high-rise boardroom decision; it’s in the chat rooms, forums, and gatherings of our community. Picture OWASP as a grand ship. While it’s crucial to have experienced hands on deck, the true direction should be determined by the collective wind of our membership. And right now, it feels like some of these winds are being muffled.

Dual Focus on Shaping: My approach is akin to the two sides of a coin, and no, I’m not just trying to put my face on some fictional OWASP currency!

Side One: Increasing Membership

  • My mantra? More the merrier! By broadening our membership base, especially focusing on roping in corporate entities and government agencies, we not only bolster our financial standing but also diversify our voice and perspectives.

Side Two: Boosting OWASP’s Visibility

  • While we’re doing great things, it’s imperative we ensure everyone knows it! By refining and rolling out clear policies and procedures, we can amplify the awareness of OWASP’s offerings. These already exist, we just need to make the membership aware of what is available.

The Open Letter and Funding: Ah, the open letter! An essential piece of correspondence that’s harder to ignore than a neon sign in a dark alley. And it’s right; funding is an issue. But where some see a problem, I see a solution waiting in the wings – membership. By zeroing in on corporate and government members, we’re not just opening the doors to potential funds but also creating avenues for long-term partnerships and sponsorships.

Unmasking the Hidden Treasures of OWASP: It’s not just about adding more to the OWASP treasure chest; we’ve already got some pretty glittering gems! OWASP is like that multi-tool you forgot had all those cool functions. From member benefits to project support and chapter advantages, there’s a lot on the platter. My aim? To clear the fog and ensure everyone knows just how to use these tools for maximum benefit.

In essence, OWASP’s future, as I see it, is one shaped by its members, fortified by its partnerships, and driven by its sheer passion and purpose. Let’s navigate this journey together, and maybe have a few laughs along the way!