Ken Johnson

8.7K posts

@cktricky

Co-Founder & CTO @DryRunSecurity. AppSec. BJJ Black Belt. Podcast: https://t.co/lNWxkUndEZ. - '85 Champion Chubby Winner.

Northern VA · Joined June 2009
2.3K Following · 4K Followers

Ken Johnson retweeted
Bailey Pumfleet @pumfleet
Open source is dead. That’s not a statement we ever thought we’d make. @calcom was built on open source. It shaped our product, our community, and our growth. But the world has changed faster than our principles could keep up. AI has fundamentally altered the security landscape. What once required time, expertise, and intent can now be automated at scale. Code is no longer just read. It is scanned, mapped, and exploited. Near zero cost. In that world, transparency becomes exposure. Especially at scale. After a lot of deliberation, we’ve made the decision to close the core @calcom codebase. This is not a rejection of what open source gave us. It’s a response to what risks AI is making possible. We’re still supporting builders, releasing the core code under a new MIT-licensed open source project called cal. diy for hobbyists and tinkerers, but our priority now is simple: Protecting our customers and community at all costs. This may not be the most popular call. But we believe many companies will come to the same conclusion. My full explanation below ↓
Ken Johnson retweeted
DryRun Security @dryrunsec
PR FEEDBACK IS LIVE IN DRYRUN SECURITY 🔥🔥🔥 When a security finding shows up in a pull request, it shouldn’t turn into a side quest. PR Feedback closes that loop. Now when DryRun Security flags something, developers can reply directly in the thread to mark a false positive or nitpick. DryRun updates the findings instantly, regenerates the PR summary, and logs the action for a clean audit trail. No tickets to file. No separate workflow to manage. No chasing someone down to clear it. Read how it works → dryrun.security/blog/security-…
Ken Johnson retweeted
DryRun Security @dryrunsec
Next week, @jcran and @cktricky are doing Security Reviews, IRL: a live GitHub PR walkthrough with real agent-generated changes (Claude, Cursor, Devin) and the logic flaws that almost shipped. 🗓️ Join us: Feb 25, 1 PM EST Register at dryrun.security/webinar/securi…
Ken Johnson retweeted
DryRun Security @dryrunsec
Developers are already using AI in production, but most AppSec programs were not designed to see or control what happens inside LLM workflows, causing blind spots across prompts, generated code, and tool calls. Join this live fireside chat "Code Velocity in an AI-era: How AppSec Teams Can Stay Ahead" with Adam Dyche, @wickett, @cktricky, and Zac F. They will explore how real teams are applying existing AppSec fundamentals to secure AI powered applications without rebuilding their entire stack. 🗓️ Feb 4 | 1:00 PM ET Save your spot and join the conversation 👉 lnkd.in/gpxEBNA9
Ken Johnson retweeted
DryRun Security @dryrunsec
AI did not create entirely new AppSec problems. It changed where they show up. Prompts. Generated code. Tool calls. Model integrations. The risks are familiar. The workflows are not. Join our live fireside chat, Code Velocity in an AI-era: How AppSec Teams Can Stay Ahead, with Adam Dyche with @poweredbyCMRC, @wickett, @cktricky, and Zac Fowler with DryRun Security. They'll unpack how real teams are securing LLM-powered applications without rebuilding their entire AppSec stack. 🗓️ Feb 4 | 1PM ET Register 👉 na2.hubs.ly/H037Qhw0
Ken Johnson @cktricky
I posted this last Friday on LinkedIn, do you disagree? Let me hear you if so 😄
Ken Johnson retweeted
Ed Newton-Rex @ednewtonrex
Absolutely brilliant detail from the new Reddit AI copyright lawsuit vs. Perplexity. They set a trap for Perplexity - a test post only crawlable by Google, existing nowhere else on the internet. Within hours, it was on Perplexity 😳 nytimes.com/2025/10/22/tec…
Ken Johnson @cktricky
Nearly spit out my coffee this morning when I read: "The World’s First Agentic Security Orchestration System" 🤣
Ken Johnson retweeted
DryRun Security @dryrunsec
From alert to assurance in minutes. CTO and Co-founder @cktricky walks through how DryRun Security Code Insights MCP helps teams investigate NPM supply chain threats without manual toil, saving hours of effort. Teams use Code Insights MCP to move faster during incidents and reduce noisy, repetitive work from audits to alerts. 👀 Watch the rundown and see how to apply it in your environment.
Ken Johnson retweeted
DryRun Security @dryrunsec
CodeRabbit RCE wasn’t prompt injection—it was tool execution + isolation drift + secrets exposure. We’ve stumbled too (IDOR in closed beta), which is why our sandboxed approach avoids this class of risk. 🔗Read more: na2.hubs.ly/y0S7hz0