Summary:

In this episode of Exploring Information Security, host Timothy De Block welcomes Kevin Johnson, founder of Secure Ideas, to discuss web application penetration testing, API security, and hands-on security training. Kevin shares insights on why pentesters need to understand business risk, how API security is often misunderstood, and what participants can expect from his Breaking Bad Code workshop at ShowMeCon. He also reflects on the state of security talks at conferences, the importance of interactive learning, and Secure Ideas’ 15-year journey in the industry.

Topics Discussed:

Web Application Security Challenges – Why automated tools alone aren’t enough, and how attackers think differently.

API Security & Misconceptions – How APIs change attack surfaces and why developers often overlook key security flaws.

Breaking Bad Code Training at ShowMeCon – What attendees will learn and why hands-on hacking beats passive lectures.

Security Talks vs. Vendor Pitches – The problem with sales-driven conference talks and why real education matters.

The Evolution of Secure Ideas – Celebrating 15 years in business, plus challenge coins and community growth.

Fun Side Tangents – Muppets, hacking culture, and why Wacka Hack is the talk you don’t want to miss at ShowMeCon.

Key Takeaways:

Effective pentesting goes beyond tools—it’s about understanding the purpose and risk of an application.

API security isn’t a separate discipline—it requires a shift in attacker mindset.

Hands-on training is the best way to learn—expect to actively hack at the Breaking Bad Code workshop.

Security conference talks should educate, not sell—vendor-heavy presentations fail to engage the audience.

ShowMeCon is an invaluable event for anyone interested in offensive security and application security.

Guest Info:

Kevin Johnson – Founder & CEO of Secure Ideas, security consultant, trainer, and conference speaker.

Links and Resources:

Follow Kevin on Twitter: @SecureIdeas

Secure Ideas: secureideas.com

Samurai WTF – Web Testing Framework: samuraiwtf.org

Penetration Testing Execution Standard (PTES): pentest-standard.org