Now on to my noteworthy contributions/collaborations within the security industry.
—
Active Projects
JVMXRay — JVMXRay monitors Java applications in real-time via bytecode injection, detecting vulnerabilities and suspicious activity without code changes. 19 modular sensors track file access, network connections, SQL queries, cryptographic operations, authentication, process execution, and more — generating structured, machine-readable security events with automatic cross-sensor correlation.
DeepViolet TLS/SSL API — A TLS/SSL analysis API for building Java-based security tools. As a practical example, DeepViolet powers TLS analysis within the ZAP web application scanner, one of the largest open source security scanning tools on the Internet. I am the project leader and original developer.
DeepVioletTools — A companion project delivering two security scanning tools: a CLI for scripting and scheduling, and a TLS Workbench for desktop-based scanning. Both are built on the DeepViolet API and serve as both reference implementations and fully functional tools for security practitioners. I am the project leader and original developer.
Undisclosed — Working with technical book publisher Manning Publications as Technical Editor on an innovative book project. More on that in the future.
Inactive Projects
OWASP Security Logging Project — A software project extending popular SLF4J-compliant loggers like Log4j and Logback with security and auditing features. I was a project leader and code contributor alongside two others. Many of the ideas originated while helping Jim and August with their book, Iron-Clad Java. After wrapping up the book, we set out to extend a popular logging framework with some of our ideas, and the security logging project was born. Later the security logging team presented the project at OWASP AppSec Rome 2016 (Presentation). The project is still available on the net, but it’s no longer maintained.
Media
ZAP Updates – March 2026 — The ZAP web application security scanner was run nearly 9.5 million times in March. The ZAP team credits the DeepViolet project in ‘DeepViolet: Strengthening TLS Analysis.’
ZAP: Introducing DeepViolet — I developed a blog post for the ZAP team around the DV API integration. ZAP implements a subset of the features provided by the DeepViolet API, and this post covers what Simon (Project Leader) and the ZAP team chose to ship as well as the advanced capabilities that didn’t make the initial cut. ZAP gets about 9.5 million starts per month, so rolling out a few of the more important features first and giving the broader ZAP community an opportunity to respond with their suggestions was a good call.
Iron-Clad Java: Building Secure Web Applications — A book on web application security I worked on with friends, available on Amazon. As Technical Editor, I helped influence and develop some of the content, most notably the Logging chapter, which helped launch the follow-on OWASP Security Logging Project. I also had the honor of writing the Foreword for their book. Jim and August did all the heavy lifting, but it was great to be on the team and help them develop a great book.
Enterprise Component Patterns — A services patterns book and precursor to modern Service-Oriented Architecture (SOA). I completed the 300-page manuscript over a two-year period and was compensated by O’Reilly. Unfortunately, O’Reilly never published the book, citing business reasons. The tech book business can be rough at times. In any case, the project was a great opportunity to work with some of the very best technical writers in the world. I am proud of the project, did my best, and significantly improved my technical writing skills. O’Reilly and their team were great to work with, even though the project did not turn out as I had hoped.
OWASP Board Election Interviews — 2017, 2016 (part 1 / part 2 / part 3 / part 4), 2015. Interviewed as a candidate for the OWASP board.
Oracle Podcast Java Spotlight, Episode 142 — Interview by Roger Brinkley on Java platform security improvements and upcoming JavaOne security plans. I introduced the first full security track at a major software development conference and shared hints about what attendees could expect.
DEVOXX Interview — Interview by Yolande on security improvements in Java.
Java User Group Leaders Call — And related viral press coverage: InfoWorld, ComputerWorld, San Jose Mercury News, Application Development Trends, PC Magazine, The Register, IT News, and more. The call itself contained no remarkable news, but it came at a time when the public was demanding a response from Oracle following a series of high-profile vulnerabilities. Navigating incidents like these takes real security chops.
JavaOne 2014 Security Track Early Acceptance Sessions — As security track chair for Oracle’s JavaOne conference in San Francisco, I previewed featured sessions to build excitement for the security track.
Conferences/Presentations
Black Hat 2013 Featured Presentation — Session entitled “Oracle: On Java Security,” invited by Black Hat leadership to present candidly on Java security under NDA to top world technology leaders. One of three featured presenters alongside Alex Stamos (Yahoo/Facebook CSO) and General Keith Alexander (16th Director of the NSA). An honor and an amazing opportunity to share the stage with these leaders.
Black Hat 2020 USA — Demonstrated JVMXRay at the Black Hat Arsenal. This was the old JVMXRay architecture, built on java.lang.SecurityManager, which was removed from Java.
Black Hat 2018 USA — DeepViolet TLS/SSL Scanner. The analysis engine is a Java API, and the DeepVioletTools project provides two reference implementations: a command-line tool and a desktop GUI.
Black Hat 2016 Europe — DeepViolet TLS/SSL Scanner, presented in London. Slides.
OWASP 2015 AppSec USA Conference Committee — Conference organizer; reviewed researcher submissions.
Java 8 Security Highlights — Presentation on new security features in the JRE.
JavaOne Conference Security Track/Content Lead — 2013, 2014, 2015, 2017. Founded and led the security track, and organized a team to help review researcher conference submissions. I made security a priority at JavaOne.
OWASP AppSec USA/EU Presenter — Presented at OWASP AppSec USA 2013 in New York City and AppSec EU in Hamburg, Germany. Also presented at AppSec EU 2016 in Rome on the OWASP Security Logging Project.
All Day DevOps Track Leader — Worldwide free virtual event hosted by Sonatype. I led the DevSecOps track.
ISC2 East Bay Chapter, 2017 — Presentation on security career survival.
* Credit: some ideas on colors/visuals provided by Maggie Appleton (site, blog, github).