I wanted to make up a cool t-shirt to wear to DEFCON 23 this year.  The graphic is on the front of the t-shirt with a small cutout of the back.  I know it’s hard to read but it says, “In a time of universal deceit, telling the truth is a revolutionary act”, a quote by George Orwell.  I loosely designed the t-shirt based upon a graphic for an Intercept story, “The Computers Are Listening”.  I am not selling these t-shirts.  I made a single t-shirt for my own use only.

You can easily make your own t-shirt at customink.com.  This link is not sponsored but instead provided as a service to readers.

JavaOne is a software developers conference held each fall in San Francisco, California.  The conference is held at the same time as Oracle’s larger product conference, OpenWorld.  Together both events bring in about 110,000 attendees to the city.  Many streets near the Moscone Center and O’Farrell are open only to foot traffic and serve snacks and beverages to attendees.  There’s something decadent about drinking a hot latte in a recliner on a blocked-off street in the middle of San Francisco.

I thought a post was in order since many are surprised to learn Oracle’s JavaOne conference has a security track.  This year is the third year for the security track at JavaOne.  I can’t share too much about this year’s track just yet, but I can share about last year’s track.  In previous years, the security track included around 40 sessions held over the course of the conference week.  Content covers various areas like open source projects, technologies, platform security, labs, and more.  Many industry verticals are covered, like finance, insurance, banking, government, and academia, as well as independent researchers.  A key differentiator for JavaOne is that the conference sessions are defensive in nature.  For example, we focus on defensive techniques developers use to strengthen software applications as opposed to offensive techniques to exploit software weaknesses.

JavaOne 2014 Security Sessions (Article)

The security track is not the focus of attention for JavaOne so we don’t have a keynote like other tracks but we provide an opening presentation that launches the track.  Following is the presentation I provided last year to give you some background.

One thing I will say about the JavaOne 2015 security track and opening session: you will love it!  To launch the event I invited a security hero of mine.  He’s an early luminary in the security industry, a company founder, has testified before Congress on security, has been interviewed on film, and more.  He will be doing most of the speaking this year and I’m looking forward to his presentation.
JavaOne 2014 USA, Security Track Amazeballs! (More information on JavaOne 2014 security track)
How interesting the security track at JavaOne is depends upon you!  JavaOne is community driven.  Got an interesting proposal on security for JavaOne?  We would love to hear about it.  The CFP is still open but closing soon.

Submit JavaOne 2015 Proposals (Oracle Speaker Registration)

See you at JavaOne!

Honored to be invited to the OWASP AppSecUSA 2015 San Francisco conference Call for Papers (CFP) review team.  If you have an interesting security talk, submit your proposal.  The CFP closes on March 14, 2015.  In the event you’re not aware, OWASP is an organization of application security professionals and has many free resources to keep your software applications safe.

The following URLs are security content from Oracle’s JavaOne 2014 software developers conference in San Francisco, California.  My list is not entirely comprehensive; as more sessions become available, I will update the list.

Security Testing for Developers using OWASP ZAP, Simon Bennetts

Put a “Firewall” in Your JVM: Securing Java Applications, Debbie Fuller

Understanding the New JDK 8 Security Features, Sean Mullan

Securing Against Cross-Site Request Forgery, Aaron Hurst

Security Solutions for Java Distributed Architectures: A Smart Grid Use Case, Frederic Vaute

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together, Dan Cornell

Java Secure Coding Guidelines, Andrew Gross

Building Secure Applications with Java EE, Patrycia Wegrzynowicz

Security Starts in the Head(er), Dominik Schadow

RESTing on Your Laurels Will Get You Pwned, Abraham Kang, Dinis Cruz, Alvaro Munoz Sanchez

Security with Java Deployment, Chris Bensen

Code-Level Security Games And Puzzles in Java, Brenton Phillips

Seven Security Tools and Libraries Every Developer Should Know About, Dominik Schadow

Applying Java’s Cryptography, Erik Costlow

High Security for the Internet of Things with Java and a Secure Element, Anne-Laure Sixou, Thierry Bousquet, Frederic Vaute

Retrofitting OAuth 2.0 Security into Existing REST Services, Irena Shaigorodsky

Anatomy of Another Java Zero-Day Exploit, David Svoboda, Yozo Toda

Securing JAX-RS Services with OAuth 2, Miroslav Fuksa

Securing RESTful Resources with OAuth2, Rodrigo Condido da Silva

Five Keys for Securing Java Web Apps, Frank Kim

Leveraging Open Source for Secure Java Website Construction, Jim Manico

The Anatomy of a Secure Web Application Using Java, John Field, Shawn McKinney

Securing Java: Track Opening Presentation, Milton Smith

JavaOne 2014 USA concluded October 2, 2014 in San Francisco, California.  The war on security sometimes takes its toll on all of us.  This year, whenever I feel depressed I pull out my Nerf Duke, give him a squeeze, and reflect upon what we all did at JavaOne 2014.  The JavaOne security track was, hands down, amazeballs!

“JavaOne is the first developer conference to dedicate an entire track to security.” Frank Kim SANS Institute

During the Call for Proposals (CFP) the submissions for the security track stalled until the very last week.  I was really wondering if I would have to give up on the security track.  Teammates told me not to worry since it’s normal for submissions to come in late.  The idea of throwing in the towel on the security track was depressing.  According to Frank Kim of SANS Institute, “JavaOne is the first developer conference to dedicate an entire track to security”.  In the last week of the CFP more than three quarters of the submissions for the security track rolled in.  The moral of the story?  Unless you want this track leader to have a heart attack, get your submissions in early ;o)

Photo: JavaOne 2014 keynote

Photo: Oracle Customer Appreciation Event

This year security was highlighted early at JavaOne.  In fact, security made it into the JavaOne keynote presentation given by Georges Saab (Twitter: @gsaab).  In his slides (photo on right) Georges is noting facts about the security track at JavaOne, in particular my security track opening presentation and the new web appsec book I finished with Manico (Twitter: @manicode) and Detlefsen (Twitter: @codemagi).  A little birdie told me Georges was surprised how many comments and retweets he received on all this security stuff, lol.  Well, it’s because me, all my friends, and many others live, breathe, and eat security day and night.  A slide or two on security at a developer keynote is a huge positive and just the right level of attention on web application security.  Sorry we Tweet slammed you Georges, but much appreciated!

On Wednesday Oracle held the Customer Appreciation Event.  How was it?  Fan-freaking-tastic is the word that comes immediately to mind.  Employees are not generally invited to the customer event.  I received two tickets in an odd quirk of fate.  A quick call to my wife and she arrived a few hours later and we were off to see the event.

Photo: book signing event at Oracle book store

The appreciation event was incredible.  Aerosmith was great.  I checked Wikipedia and it reported Steven Tyler’s age as 66.  Phew, I hope I can perform at such a level at age 66.  Likewise, Macklemore was great.  I recognized a few of their songs and enjoyed their music.

The appreciation event left me with about 3 hrs of sleep, and there was lots happening on Thursday.  I had to arrive at the conference early; lots to do.  No sleeping in for me.  I downed a Starbucks Venti Pike Place, a Red Bull, and another Starbucks coffee when I arrived at the hotel.  I would do it all over again; the event was great.

Photo: NEC biometrics at Open World

This month was the release of our new web application security book, Iron-Clad Java.  The Iron-Clad Java team, Manico, Detlefsen, and me, had a book signing over at the Moscone Center.  Unfortunately, it was a bit of a bust as a book signing.  The book signing was scheduled in the wrong venue, at Oracle Open World.  We signed a few books, but honestly everyone who would want our book was attending JavaOne, two blocks away.  Oracle reminds me of my Marine Corps days: requisition 1000 rolls of toilet paper and receive 1000 lightbulbs.  As long as you receive 1000 of something delivered on time, the Logistics organization never cared.  I wanted to rest on the couches and chat with friends anyway.

While over in the Open World vicinity, I later headed to the vendor floor to visit my friend Beau Broker at NEC.  Beau showed me some pretty interesting facial recognition software by his company.  In the photo (on left) you can see how it recognizes Beau’s face after he’s registered with the system.  It’s pretty interesting technology.  It’s also available on mobile and tablet devices.  The technology is multi-purpose and may be used to unlock a desktop or to recognize unauthorized individuals in a crowd.

Finally, I will finish up with a selfie photo of the crowd at my security track opening session.  This is my view from the podium.  It’s amazing how far the security track has come in a short time.  The first year I presented at JavaOne there was no security track; something like 47 people attended my session, and most found their way there purely by accident.  No credit to me; attendees are interested in learning security.  Now we are filling security sessions with developers across the security track.  All these bright minds eager to learn about Java security give me hope.  Message to me and Oracle: developers care about security.  Hat tip to Oracle for taking a chance on a security track in one of the most expensive conference venues in the world.  Bringing a security track directly to a developer conference is innovative, has a tremendous impact on developers, and I challenge more developer conferences to do the same.

–Milton