Devoxx UK 2013 was my first Devoxx experience and my first trip to London.  Alright, I have been to London before, but I don’t count the inside of Heathrow airport as a London experience.

The weather was super cold compared to California.  I thought to check the weather before departing, but it’s tough to appreciate how cold 34 degrees Fahrenheit really is until you experience it.  Lesson to me: bring some gloves and a hat.  My ears wanted to fold inside themselves, brr!  Enough about my ears.

The conference was great!  There was a lot of ground covered.  I enjoyed “Accelerated Lambda Expressions” by Stuart Marks.  I was thinking the discussion might be a little deep for me, since I was really interested in an introduction, but it was very informative.  If you’re experienced with Java but perhaps not with lambdas, don’t be intimidated.  Incidentally, Devoxx posts their conference sessions free on Parleys.  Even if you attended Devoxx, the videos are great, because there is often some overlap between sessions, so it’s difficult to choose which to attend.

The Devoxx media team was busy interviewing presenters throughout the conference.  I notice my security presentation is not up on Parleys yet, but the interviews have been posted to YouTube by the media team (my interview shown right).  It’s a short interview in which I touch on some key points around Java security and discuss my presentation.

The most valuable experience of all was speaking with all the leaders.  I have been programming for many years, but I never feel too old to learn something new.  There are a lot of people, experts in their areas, and it’s great to have access to them and to share knowledge.  I had some really great discussions with Martijn Verburg (Twitter: @karianna) from JClarity.  Martijn gave a presentation, “Java and the Machine”.  The room was standing room only and I arrived late, as usual.  Also, big apology Martijn: I was the jackass whose phone rang in your presentation and excused myself fast (duty calls ;o)).  I did get to listen to the better part of your presentation and it was great.  Thanks for the invite to present and attend!  I also had an opportunity to speak with Markus Eisele (Twitter: @myfear).  Thanks for your time, the good conversation, and your thoughtful advice!  And thanks to everyone at Devoxx.

Finally, some parting travel advice.  Don’t travel with your lock picks.  Interestingly enough, lock picks are not on the Banned Items list in the UK, but they still raise questions passing through airport security checkpoints.  I was detained for a while and my bag was searched carefully, every item removed.  Even my box of Altoids (breath mints) was opened.  Airport security really does not have a sense of humor these days.  I guess we can’t blame them.

When asked why I was traveling with lock picks, I responded, “Are lock picks on the Banned Items list?”  The agent replied, “No.”  I said, “Any concerns?”  The agent said, “No.”  And with that I was on my way.  I’m surprised that worked, actually.  Anyway, better off leaving the lock picks at home next time.

JavaOne has a new track this year, “Securing Java”.  The Call for Proposals is open.  Get your security session submissions in now!
The number of sessions at JavaOne 2012 San Francisco demonstrated the level of community interest around Java security.  Check out the new Securing Java track and its description.  Whether you’re a software programmer, architect, security practitioner, or have data center responsibilities, you’ll find something interesting to learn.  Security is a big challenge and touches everyone.  Take a break from the Internet baddies and come hang out with some good security guys who also love Java.
I look forward to meeting everyone at JavaOne this year!

[Updated Post Friday November 30, 2012]

Conference videos posted,

[Original Post Follows]

This year’s Open Web Application Security Project (OWASP) AppSecUSA 2012 was in downtown Austin, Texas at the Hyatt.  There were many sessions and speakers from across the industry.  Whether you’re just starting out or a seasoned computer security professional, OWASP conferences provide good value across all levels of experience.  In addition to security training, OWASP events are a great place to gather as a community and exchange ideas around security.

James Wickett (left), Milton Smith (right)

AppSecUSA was organized by the local OWASP chapter.  In the photo to the right is James Wickett (Twitter, @wickett), Austin OWASP Chapter Leader.  Josh Sokol (Twitter, @joshsokol), OWASP Chapters Committee Chair, is not shown.  Matt Tesauro (Twitter, @matt_tesauro), the OWASP LiveCD Lead, is also not shown.  I know I’m understating their credentials.  Amazing what these individuals have done in Austin.  Good job on the conference.  You rock, and it’s great to see you again!

Jim Manico (right)

There were a number of interesting presentations this year; I will cover a few.

Top 10 Web Defenses – Jim Manico (Twitter, @manicode), VP Security, WhiteHat Security.  The surprise for me was Jim’s point that SQL Injection is still the largest attack vector.  I keep hearing the same rant from others, so maybe I should start believing it.  We’ve known about SQL Injection attacks for years, so it surprises me and it’s disappointing.  The most pervasive attack I’ve seen to date is Cross-Site Scripting (XSS).  In fact, I contemplated interrupting or raising my hand during Jim’s presentation, but the next sentence out of his mouth was, “XSS is the cockroach of the Internet”.  Bravo!  Jim’s a resident of Hawaii.  No, the hand signal in the photo is not a Hawaiian gang sign; it’s a friendly greeting.

Jim provided a number of useful resources throughout his session, like OWASP’s cheat sheets covering a variety of topics[1].  The cheat sheet mentioned in the session is the Password Storage Cheat Sheet[2].  Another cheat sheet mentioned is the Forgot Password Cheat Sheet, which you can find on the main cheat sheet page[1].  I notice there is no cheat sheet specifically for storage of application or service passwords, or at least not one I could find.  Some of the cheat sheets are works in progress while others are more mature.  In any case, the cheat sheets are a good emerging resource for common challenges.

Discussion around Content Security Policy (CSP)[3] kept surfacing in different sessions.  CSP is new to me, but one of the interesting features is that it helps prevent your content from being embedded, or framed, by other sites.  From a practical perspective, you can use it to stop attackers from iframing your protected page content.  The protection is delivered as an HTTP response header that the server adds and the browser enforces: the Content-Security-Policy header with a frame-ancestors directive lists who may embed the page (frame-ancestors is not in the CSP 1.0 spec cited below; it was added in CSP Level 2), while the older X-Frame-Options header is a separate, pre-CSP header that does the same job with only DENY and SAMEORIGIN.  Without even looking at the spec, my intuition tells me there are ways around CSP, like using old browsers where CSP is not supported, MITM proxies to strip out the header, etc.  CSP is likely in the same camp as HttpOnly: not bullet proof, but a good defense-in-depth measure, especially when combined with HTTPS and other measures.

Why Web Security Is Fundamentally Broken – Jeremiah Grossman, CTO, WhiteHat Security (Twitter, @jeremiahg).  Most noteworthy, Jeremiah demonstrated some social media hacking.  The demo uses clicks provided by the user to authorize calls to social media sites like Twitter and Facebook.  In the demo, the Twitter Tweet box or Facebook Like button, usually provided on news pages or blog articles, is made to follow, or tail, the user’s cursor around the page.  Wherever the user clicks on the page, the social media button is what actually gets clicked, a type of clickjacking.  The user’s data is then gathered from their social media site and populated into a redacted demo page.  In a real implementation, these same buttons can be made invisible, so the linkage between the redacted demo page and the social media sites is not obvious.  The redacted form demo is clever: when users see their personal data populated into the redacted form, one field at a time before their eyes, it’s compelling and shocking.  When Jeremiah gets the real redacted demo page live, it’s guaranteed to grab some press headlines.

Real World Cloud Application Security – Jason Chan, Cloud Security Architect, Netflix (no Twitter).  Jason’s presentation was interesting, since Netflix is laying a lot of new ground with operational and engineering practices.  It’s safe to say almost nothing in their operational or engineering practices is standard.  For instance, Netflix combined development and operations into a single unit.  Netflix is largely operating on Amazon’s cloud infrastructure.  An interesting fact is that 1/3 of all US Internet traffic is Netflix streams.  To harden their production infrastructure, Netflix crashes their servers and applications on a regular basis.  Yup, you heard me right: they crash their systems regularly and purposefully.  To crash their systems they employ a framework of Monkeys; stay with me for a moment.  One of the monkeys, Chaos Monkey, periodically kills a process, a service, or an entire virtual machine at random.  The idea of killing various cloud components at runtime is that it builds more resilient applications.  Programmers and operations staff who enjoy sleep quickly learn how to build fault-resilient applications tolerant of environmental changes.  Phew, that must have been a prickly implementation, assuming they started with traditional processes.

Armadillo Races

The photo on the right was from the Armadillo races.  Armadillos move really fast.  I don’t think they ever stopped moving, and they almost never travel in straight lines.  I have seen many dead armadillos on the side of the road, so to finally see a live one is refreshing.  Live armadillo, check.  Now I only need to see a UFO and our national debt disappear.  We also had a mechanical bull on site.  Anyone wanting to ride the lightning could give it a try.  Also, so everyone knows, I do have photos of Jim Manico (Twitter, @manicode) riding the mechanical bull.  No, I’m not going to post them.  There are some things you need to attend in person to see for yourself.

Lock Pick Village

Of course, no security event is complete without a Lock Pick Village.  Several years back I was attending a security conference with a lock pick village.  Interestingly enough, I learned how to pick locks with Johnny Long (Twitter, @ihackstuff), author of Google Hacking[4].  I bought my first set of lock picks at that conference (hope they are legal in California).  Actually, mine got rusty, so I threw them out years ago.  You learn lots of life skills at security conferences.  Johnny’s charity organization was at the conference, but he was overseas helping his team.  He’s pretty active about making the world a better place, admirable.  Yes, I did buy a t-shirt.  There’s just something wrong about that URL I like.

[1] “Cheat Sheets.” OWASP, 28 July 2012. Web. 27 Oct. 2012.

[2] Manico, Jim. “Password Storage Cheat Sheet.” OWASP, 26 Aug. 2011. Web. 27 Oct. 2012.

[3] Sterne, Brandon, and Adam Barth. “Content Security Policy 1.0.” W3C, n.d. Web. 27 Oct. 2012.

[4] Long, Johnny. Google Hacking for Penetration Testers, Volume 2.

I am presenting on security at JavaOne this year, whoot!  My session is entitled “CON12803 – Making the Future Secure with Java”.  Full session details are at the end of my post.
The energy for the conference is phenomenal.  Everyone is working super hard on their presentations and doing lots of multitasking to keep things going.  Most presenters are also spectators, myself included.  It’s great fun to see all the projects, share knowledge, see what’s new in the vendor space, and more.  I’m really looking forward to the event.
As the Java security guy, I receive many questions around Java platform security, anything ranging from details about vulnerabilities, which I don’t discuss, to details about future plans for Java security.  I’m still pretty new on the job, but due to the tidal wave of questions around security, a presentation on the topic is very appropriate, and what better venue to present than JavaOne.  The session is intended to provide attendees some background on our security programs as well as the future direction for Java platform security.  See you at JavaOne!
Presentation Details
“CON12803 – Making the Future Secure with Java”

Monday, Oct 1, 8:30am – 9:30am
Hilton San Francisco – Continental Ballroom 7/8/9
(JavaOne media: