32 Ken Johnson

“Hire the right people—especially if they’re your first security person. Don’t skimp; if you’re going to do it, do it right.”


Twitter: @cktricky • Website: cktricky.com

Ken Johnson has been hacking web apps for 10 years. He started in networking, taught himself programming, and eventually built an application security consulting company before finally leaving to work at GitHub. Ken has spoken at RSA, You Sh0t the Sheriff, Insomni’hack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about AppSec, DevOps security, and AWS security. Ken’s projects include the Absolute AppSec podcast, WeirdAAL, OWASP’s RailsGoat, and the Web Exploitation Framework (wXf).

If there is one myth that you could debunk in cybersecurity, what would it be?

Self-aggrandizing. We sometimes have to accept that we’re actually not that important. I feel that we do a lot to hype our unique/special culture, our silver-bullet products, the latest threats with a sexy logo and name, etc. But in the end, we’re one small aspect of most businesses. Sure, some businesses specifically have to take security up a notch. For most, though, we’re just one component of many in the typical business unit. I say this because, if you’re a newcomer, realize this early in your career, as it pertains to your approach. If you’re ...
