Welcome and thanks for your interest! This page describes my contributions to and collaboration on security industry projects.
I don’t spend much time on social media. If you need to contact me, email is best.
The following projects present some of my contributions to industry.
JVMXRay Project [Project Github] JVMXRay is a technology for near-realtime monitoring of access to system resources within the Java Virtual Machine. It’s designed with application security emphasis but is also beneficial for software quality processes and diagnostics.
OWASP Security Logging Project, [Project Wiki] a software project that extends popular SLF4J-compliant loggers like log4j and logback to include features helpful for security and auditing. I am a project leader and code contributor along with two others. (OWASP AppSec Rome 2016 slides)
OWASP DeepViolet TLS/SSL Scanner, [DEPRECATED] [Project Wiki] DeepViolet is a TLS/SSL DAST tool. DeepViolet binaries come packaged for use on the command line, as a desktop application, or alternatively as an API to include within your own projects. What can you do with DeepViolet? Scan your web server for information regarding TLS/SSL connection characteristics like weak cipher suites, weak signature algorithms, and certificates about to expire; examine certificates and certificate chains; download certificates for offline review; and more. DeepViolet is used within the ZAP DAST project to support TLS/SSL scanning. ZAP is one of the largest open source web application security scanning tools and an OWASP flagship project. I am a project leader for DeepViolet and developed the original code. I deprecated the site; see the site for details.
Iron-Clad Java: Building Secure Web Applications, [Book] a book project on web application security that I did with friends, available on Amazon. I was the technical editor, wrote the Foreword, and contributed content to the Logging chapter. Interesting book blooper: the Foreword was unintentionally omitted by the publisher, but it was included in later print runs. The book is still in print and relevant.
Enterprise Component Patterns, [Book] a services patterns book and a precursor to modern Service-Oriented Architecture (SOA). Author.
Oracle Podcast: Java Spotlight Episode 142: Milton Smith on the JavaOne Security Track [Audio], advance to around 4:30. An interview by Roger Brinkley regarding security improvements in Java and work on JavaOne. I introduce the addition of the Security Track at JavaOne, discuss new security features, and offer insights on security remediation progress.
DEVOXX Interview: Interview on Java Security by Yolande [Video], an interview regarding security improvements in Java.
Java User Group Leaders Call [Audio], and related viral press coverage in InfoWorld, ComputerWorld, San Jose Mercury News, Application Development Trends, PC Magazine, The Register, IT News, and more. I didn’t provide any remarkable news on the call, but the call came at a time when the public desired a response from Oracle around a series of high profile vulnerabilities. Navigating high profile incidents is tough and takes chops.
Article for Java Advent 2018, Java Data Protection Recommendations. Erik Costlow and I briefly cover a few common Java cryptography challenges encountered by developers on their projects.
Black Hat 2013 Conference Featured Presentation, Oracle: On Java Security, [Web] invited by BH leadership to present candidly on Java security, under a Non-Disclosure Agreement, to top world technology leaders. One of three featured presenters, alongside Alex Stamos [Yahoo CSO] and General Alexander [16th Director of the National Security Agency]. An honor and an amazing opportunity to share the same space as these guys.
Black Hat 2020 USA, JVMXRay, [Web] an upcoming event; more on this soon.
Black Hat 2018 USA, DeepViolet TLS/SSL Scanner, [Web] TLS/SSL analysis API and tools. The analysis engine is a Java API, and the DeepVioletTools project implements two reference cases: a command line executable and a desktop GUI tool.
Java 8 Security Highlights [Video], a presentation describing new security features for the JRE. More of a marketing video than deep detail, but it was fun to participate.
JavaOne Conference Security Track/Content Lead, 2013, 2014, 2015, 2017, security track founder/leader, conference organizer, and reviewer of researcher submissions. Made security a priority at JavaOne by adding it as a full track. Track leader for a few years. Presented several opening track sessions [Video] describing progress on Java security for attendees. Oracle cannibalizes the previous year’s conference web site to create the new site, so I’m not sure where older content is located.
OWASP AppSec USA/EU Presenter, presented in the past at both OWASP AppSec USA [Video] in New York City and AppSec EU in Hamburg, Germany [Slides]. Also presented at AppSecEU 2016 in Rome on the OWASP Security Logging Project [Slides].
All Day DevOps Track Leader, a worldwide free virtual event hosted by Sonatype. I hosted the DevSecOps track.
ISC^2 East Bay Chapter, 2017, a presentation on security career survival.