Wednesday Apr 27, 2016

JavaOne 2016 Call for Proposals

JavaOne 2016 has opened its Call for Proposals to speak at the conference. This year, security topics take place in the Core Java Platform track.

Speaker Proposals must be submitted by May 9th. The conference itself takes place from September 18-22 in San Francisco. Accepted speakers will receive a gratis pass to attend.

Before each JavaOne conference, we receive a number of great submissions from Java community members around the globe on different security topics. Our review committee also tries to call attention to topic areas in order to solicit interesting proposals and guide speakers. If you are familiar with running or coding Java and want to speak at JavaOne, consider applying your expertise to the following areas:

  • Architecture & Analysis – how should security architects and developers build/integrate applications to evaluate and verify security?
    • How does this change for green-field versus inherited applications?
    • How should you build and maintain a threat model of an application and its environment? (bonus for breaking a threat model down into JDK 9 Jigsaw modules)
    • What is the importance of library code, and how/when/why should it be updated? What are strategies to test compatibility?
    • When micro-services are connected, how does that impact trust boundaries?
  • Development – how can developers evaluate and test their own applications?
    • Code analysis (both for what you write and use)
    • Penetration testing or scanning of Java applications
    • There are many different secure development standards frameworks. What are they and how can they be used to test applications?
  • Operations – when running Java, what are the proper strategies for configuring, managing, and upgrading JVMs?
    • What are strategies between minor versions (e.g. 8uA to 8uB) and major versions (e.g. from JDK 8 to JDK 9)? How is the compatibility guide used?
    • What are monitoring strategies to analyze JVM security events? What are connections between current logging frameworks and/or the planned Unified Logging API for JDK 9?
    • How should a JVM or Java web server be tuned to achieve an A+ rating on SSL Labs? What about TLS for non-HTTPS uses, such as JDBC?
      For helpful tools, see Diagnosing TLS, SSL, and HTTPS as well as Deep Violet.
  • Other ideas – there are many great ideas in the Java ecosystem, so please submit yours!

Tuesday Mar 31, 2015

JavaOne 2015 Call For Proposals Is Open

The call for proposals is now open for JavaOne 2015. If you are interested in speaking, please submit your abstract to the site.

Key Information

  • JavaOne 2015 will run from October 25th to the 29th in San Francisco.
  • The call for proposals ends on April 29 at midnight PDT. Submit your talk by then.
  • Accepted speakers receive complimentary passes to attend the conference.

Choose the best track for your topic

JavaOne features several different tracks based on different roles and interests. These tracks include core platform, security, JVM languages, DevOps/Cloud, Internet of Things (embedded), Server-Side development, Clients, and Tools & Agile methodologies. The 2015 tracks page provides a complete listing and description of each track.

Videos and materials from the 2014 conference are available for on-demand replay and access through both ActiveEvents and Parleys.

Security Track

This is the third year for a dedicated Security track at JavaOne, and I am honored to be on the review committee. Last year’s security track featured many great presentations. Among them, Frank Kim's talk on "Five Keys for Securing Java Web Apps" was recognized as a JavaOne Rock Star presentation. Typical talks on this track were about methodologies, analysis techniques to find threats/vulnerabilities, and advanced tool usage.

For those submitting talks, a few good topics would be:

  • Explain the relation between new Java 8 features and security. For example, Java 8 introduced type annotations and their ability to annotate data such as local variables. By storing this information in bytecode, how can tool authors and library writers support each other to make it easier to write secure code? What opportunities are present for things like the checker-framework’s tainting checker?
  • Designing code for security analysis, or designing security analyzers. As developers write code and as users run applications, how can we detect or prevent security issues before code gets released? How does the Java platform facilitate this detection both for Java as well as other languages featured on the JVM Language track?
  • Tools, libraries, and techniques. How does your team or organization make security decisions? If you have mastered usage of certain techniques or tools, share guidance and experience with your peers.

Monday Apr 07, 2014

JavaOne 2014 Security Track Early Acceptance Sessions

JavaOne 2014 is Oracle's flagship software developers conference event for Java. Security has been a focus at the conference for many years, but last year Oracle brought security to the forefront by including it as a track. If you have ideas for interesting Java security sessions, we would be delighted to review them. The JavaOne CFP is open until April 14, 2014.

Back to the security track: each year the tracks highlight their early acceptance sessions to build momentum for the conference. This year I would like to highlight the following early acceptance sessions for the security track and show a little of what we are planning.

CON2120 Anatomy of Another Java Zero-Day Exploit

Presenter:  David Svoboda, Software Security Engineer, Carnegie Mellon

Abstract:  Java was recently hit by several major exploits. These exploits were written in pure Java and relied on several obscure components of the Java library. Understanding how exploits undermine Java security is a fundamental step in understanding and improving Java security and producing secure Java code. Consequently, this session demonstrates and examines a public exploit. It dissects the code of the exploit and illustrates how the exploit managed to attack an unpatched Java Virtual Machine, focusing on the techniques the exploit used, with references to relevant guidelines from the CERT Oracle Secure Coding Standard for Java. The session concludes with an explanation of how Java was patched to defeat the exploit.

CON1713 Leveraging Open Source for Secure Java Website Construction

Presenter:  Jim Manico, Secure Coding Instructor, Manicode Security (JavaOne Rock Star)

Abstract: The need to master the skills required to build secure Java web and webservice applications gets stronger every day. There is help for you in the world of open source! Do not build your own web application security controls from scratch! This presentation describes the use of several Oracle, OWASP, Apache and Google open source Java projects that are essential tools for constructing a secure web application.

In addition to community speakers, we will have Oracle experts from the Java security team to discuss new security features and improvements like the recent release of Java SE 8. See you at JavaOne!

Wednesday Mar 12, 2014

JavaOne 2014 Call for Proposals is open

The call for proposals to JavaOne 2014 is currently open. Those looking to speak may submit topics through the JavaOne website. This year’s conference takes place from September 28th through October 2nd in San Francisco.

There are several tracks for those wishing to speak. See the 2014 track listing for details.

  • Clients and UI
  • Core Java Platform
  • Internet of Things
  • Java Virtual Machine Languages
  • Java and Security
  • Tools and Techniques
  • Server-Side Java
  • Java in the Cloud
  • Agile Development

For inspiration, you may look at the list of sessions from JavaOne 2013 or sort the presentations by vote.

This blog contains topics related to Java SE, Java Security and Usability. The target audience is developers, sysadmins and architects that build, deploy and manage Java applications. Contributions come from the Java SE Product Management team.