CHAOTIC GOOD
INFORMATION SECURITY
Protecting you from hackers by being your hackers
Infosec Good/Fast/Cheap
In an effort to address decades of friction between security and developers, Tromzo recently decided to hold an event to bridge the gap and focus on practical security work that overlaps with what developers actually build. This was the first Developers and Security are Friends Day event in Austin, Texas, and I truly hope more are to follow. I'm an avid conference-goer, and this is one of the few, if not the only, events I've seen with a near 50/50 split of builders and breakers alike. Likewise, I offered my time and gave a free training on managing good/fast/cheap infosec resources, sharing the respective stages alongside some good friends, new and old:
Jim Manico - Manicode Secure Coding Education
Matt Johansen - Vulnerable U / Reddit
James Wickett - DryRun Security
Esha Kanekar - Netflix
Colleen Dai - Semgrep
Johnathan Kuskos - Chaotic Good Information Security (it would be weird to not include myself, right?)
Harshil Parikh, CEO and Co-Founder of Tromzo, recently shared an editorial on the event in his Future of Application Security Newsletter, and you can read his synopsis here: https://www.linkedin.com/pulse/good-fast-cheap-security-pros-reveal-how-have-all-without-parikh-eyoic
Additionally, I sat down with Eric Sheridan, pioneer of static code analysis, co-founder of Infrared Security, and current Chief Innovation Officer for Tromzo, to talk shop, share some war stories, and discuss the realities of where security programs miss the mark on being good partners to their development counterparts. You can find our discussion here: https://tromzo.com/podcasts/ep-48-chaotic-good-s-johnathan-kuskos-on-testing-for-functionality-priorities-and-better-incident-response
Cheers, and happy hacking everyone.
Unmasking the Art of Hacking
Recently I was humbled to run a 3 hour gauntlet with one of the original legends of the infosec industry, Robert Hansen, who now runs his own podcast, The RSnake Show. This is Episode 1 of Season 6 for them, and I'm thrilled to kick off the new season by giving my perspectives on all kinds of nuances in the pentesting world, with topics ranging from how I grew WhiteHat Security's hacker army, to how the stakes rise for LLMs and prompt injection, all the way to the economics of remediating vulnerabilities.
The full 3 hour interview can be found here, enjoy!
To new beginnings
It all begins with an idea.
Hello friends! It's been an absolutely wild and exciting last few months. For those seeing this for the first time, I'm Johnathan Kuskos, and I stepped away from 12 years of leading and building world class information security teams in top F100 and fintech companies to start Chaotic Good Information Security. The goal is admittedly selfish but simple: hacking has always been my favorite part of the job, and as my career escalated the days became less and less about hacking. I'm absolutely bursting with fun focus areas here and am excited to grow this consultancy in an extremely grassroots way. Here's a little transparency and honesty on where we're at and where I see us going:
We have a website! That means we're real, right? Thank you to Sarah Lawrence for advising on logos and various branding thoughts. Although branding and marketing isn't my sole focus, some effort had to be spent here.
Around September of this year we'll be officially open for business, so Q4 will be the first real business push. We're in more of a soft launch / friends and family mode at the moment while I iron out the repeatable processes and get automations in place for intake, response, secure data storage, blog focuses, content creation, newsletters, etc. In the meantime I'm happy to start building relationships with prospective clients; send me a message if you'd like to get in while we're early (and very cost effective).
Back in the day, around 2012-2013, before Bugcrowd/HackerOne/Intigriti and all of the other responsible disclosure platforms popped up, I paid off six figures of student loan debt through moonlighting bug bounties (big thanks to Google and Mozilla mostly for that). During the downtime between client assessments, I intend to spend most of my time getting back into that space. Since these platforms have had the better part of a decade to mature, I have a bit of catching up to do.
This company will be 100% hacker driven and operated. No ifs, ands, or buts. As we grow, whether that's slow or fast, everyone on this team will understand how to perform a basic penetration test. This includes sales, marketing, accounting, any and all of the above if we ever get to that point. At the end of the day I want us to be known for our deep connection to the problems faced on the front lines of application and product security. No one is allowed to say "just shift left" without having actually attempted to transition an enterprise from spontaneous, compliance-driven pentests to automated remediation through CI/CD integrations. As much as the enterprise sales folks love to pitch that, I promise you it's 100x harder to execute on than it sounds.
I'm looking forward to getting back into public speaking, as its momentum admittedly derailed when I began joining fintech companies, and the first training is already booked. If you're in the Austin area in September, a few other leaders in the field and I are putting on a free workshop aimed at developers with a security focus; you can find more details here: https://tromzo.com/developers-and-security-are-friends-day
Next up on the roadmap is a chance to take a second, breathe, reflect on what's been done and what still needs to be accomplished, enjoy an upcoming 2 week vacation to Europe with the family, and then come home to BlackHat/Defcon/BSidesLV in Vegas. Thank you to everyone following this journey; your support means the world to me, and I'm excited to see where this goes!
Happy Hacking ~ Kuskos