About

Welcome and thanks for your interests!  This page communicates my contribution and collaboration on security industry projects.

PROJECTS

The following projects present some of my contributions to industry.

JVMXRay Project [github], JVMXRay is a technology for near-realtime monitoring of access to system resources within the Java Virtual Machine.  It’s designed with application security emphasis but is also beneficial for software quality processes and diagnostics.

OWASP Security Logging Project [github], software project that extends popular SLF4J compliant loggers like log4j and logback to include features helpful for security and auditing.  I am a project leader and code contributor with two others.  (OWASP AppSec Rome 2016 slides)

OWASP DeepViolet TLS/SSL Scanner [github], DeepViolet is a TLS/SSL DAST tool.  DeepViolet binaries come packaged for use on the command line, as a desktop application, or alternatively as an API to include within your own projects.  What can you do with DeepViolet?  Scan your web server for information regarding TLS/SSL connection characteristics like: weak cipher suites, weak signature algorithms, certificates about to expire, examine certificates and certificate chains, download certificates for offline review, and more.  DeepViolet is used within the ZAP DAST project to support TLS/SSL scanning.  ZAP is one of the largest open source web application security scanning tools and a OWASP flagship project.  I am a project leader for DeepViolet and developed the original code.  Site deprecated by me, see site for details.

OWASP DeepVioletTools [github], Proof of concept projects that implement the DeepViolet TLS/SSL API.  Two sample projects: a command line tool and a desktop application.  Shows how to build new security tools using DeepViolet.

Iron-Clad Java: Building Secure Web Applications [book], Book project on web application security I did with friends, available on Amazon.  I was the technical editor, contributed some to the Logging chapter, helped on follow-on logging project, and wrote the Foreword.  Interesting book blooper, Foreword was unintentionally omitted by the publisher but it was included on later print runs.

Enterprise Component Patterns [book], services patterns book and precursor to modern Services Oriented Architecture (SOA).  Author.

MEDIA

OWASP Board Election Interviews, 2017 [post w/audio], 2016( part 1/ part 2/ part 3/ part 4) [post w/audio], 2015 [audio],  interviewed as a candidate for the OWASP board.

Oracle Podcast: Java Spotlight, episode 142 [audio], interview by Roger Brinkley (about 4:30min mark) on Java platform security improvements and security work planned for JavaOne.  Introduced the first full security track at a large software development conference, JavaOne.   Provided some hints about the new track and sharing more about platform security for the public.

DEVOXX Interview [video],  Interview on Java Security by Yolande [video], interview regarding security improvements in Java.

Java User Group Leaders Call [audio], and related viral press InfoWorld, ComputerWorld, San Jose Mercury News,  Application Development Trends, PC Magazine, The Register, IT News, and more.  I didn’t provide any remarkable news on the call but the call came at a time when public desired a response from Oracle around a series of high profile vulnerabilities.  Navigating high profile incidents is tough and takes chops.

Java Advent [article], Java Data Protection Recommendations.  Erik Costlow and I briefly cover a few common Java cryptography challenges encountered by developers on their projects.

CONFERENCES/PRESENTATIONS

Black Hat 2013 Conference Featured Presentation [web], Oracle: On Java Security, invited to present by BH leadership candidly on Java security under Non-Disclosure Agreement to top world technology leaders.  Featured presenter of three which included, Alex Stamos [Yahoo/Facebook CSO], and General Alexander [16th Director of the National Security Agency].  An honor and amazing opportunity to share the same space as these guys.

Black Hat 2020 USA [web], JVMXRay, upcoming event, more on this soon.

Black Hat 2018 USA [web], DeepViolet TLS/SSL Scanner, TLS/SSL analysis API and tools.  Analysis engine is Java API and the DeepVioletTools project implements two reference cases, a command line executable and desktop GUI tool.

Black Hat 2016 Europe [web], DeepViolet TLS/SSL Scanner, presenting November 2016 in London.  My presentation [Slides].

OWASP 2015 AppSec USA Conference Committee [web], conference organizer, review researcher submissions.

Java 8 Security Highlights [video], presentation describing new security features for the JRE.  More of a marketing video than deep detail but it was fun to participate.

JavaOne Conference Security Track/Content Lead, 2013, 2014, 2015, 2017, security track founder/leader, conference organizer, review researcher submissions.  Made security a priority at JavaOne by adding it as a full track.  Track leader for a few years.  Presented several opening track sessions [video] describing progress on Java security for attendees.  Oracle cannibalizes their previous years conference web site to create the new site so I’m not sure where older content is located.

OWASP AppSec USA/EU Presenter, presented in the past at both OWASP AppSec USA [video] in New York City and AppSec EU in Hamburg Germany [Slides].  Also presented at AppSecEU 2016 in Rome on the OWASP Security Logging Project [slides]

All Day DevOps Track Leader, world-wide free virtual event [web] hosted by Sonatype.  I hosted the DevSecOps track

ISC^2 East Bay Chapter, 2017, presentation on security career survival.