Speaker

Micah Silverman

Director, Security Advocacy @ Snyk

Virginia Beach, Virginia, United States

Micah Silverman leads Security Advocacy for Snyk. With 29 years of Java experience (yup, that's from the beginning), he's authored numerous articles, co-authored a Java EE book and spoken at many conferences. He's a maker who has built full-size MAME arcade cabinets and repaired old electronic games (http://afitnerd.com/2011/10/16/weekend-project-fix-dark-tower/). He brings his love of all things security and Java to a conference near you!

Area of Expertise

  • Information & Communications Technology

Topics

  • api security
  • Application Security
  • OAuth2
  • OpenID Connect
  • java
  • JavaScript
  • Vuejs
  • React

Live exploiting your open source dependencies

Today, almost all software heavily relies on third-party dependencies. While open source modules are undoubtedly awesome, they also represent an undeniable and massive risk. You're introducing someone else's code into your system, often with little or no scrutiny. Including the wrong package can introduce severe vulnerabilities, exposing your application and your users' data.

We’ll look at examples in the wild that have been exposed, some more famously than others, before showing you how to guard against these important security issues.

Capture the Flag 101

Capture the Flag events are exciting and competitive. But, they can be scary to developers who have never participated in them.

In this session, I introduce CTFs, discuss the benefits to developers and do a deep dive into a medium difficulty CTF challenge.

I'll walk through the thought process of the wily developer and how to pick up on clues from the programming language, the protocols involved, googling what little information the challenge provides, and local testing.

While the examples are in Python and JavaScript, no prior knowledge of either is required.

Developer Security Essentials

In this workshop, we'll dive into how developers can improve security without becoming a security professional.

We start with an overview of the security problem space, including custom code and open source dependencies.

We'll examine how to catch security issues in your code early and how to choose the best (most secure) libraries for your application.

The session ends with a fun, interactive game where you find and fix vulnerabilities in public open source projects. You get points on the leaderboard for everything you fix, and there are prizes at the end for the top sorcerers.

Beautiful SDK Design in Java for APIs

Oftentimes Java SDKs for APIs look more like the API they represent than idiomatic Java.

This talk examines how great SDKs are built using design patterns.

It covers: enforced separation of the Java API and its implementation, use of generics, a caching layer and hiding network traffic.

---

The (now defunct) Stormpath SDK had a great design approach from its original author, Les Hazlewood.

It has an enforced separation of API and implementation. It does this by using the API module as a compile-time dependency and the implementation module as a runtime dependency.

It has a DataStore interface that makes heavy use of generics to support CRUD operations for all objects represented in the API. The implementation hides the actual network traffic and includes rich support for retry with backoff and error handling. Developers only ever have to deal with the DataStore, POJOs and method calls to “interact” with the API.

It also has a rich, interface-based caching layer. The default implementation is robust and suitable for single-JVM environments. It’s easy to drop in a distributed caching layer, such as Redis or Hazelcast.

All of this combined makes this one of the best designed SDKs in Java. In this talk, all these secrets are revealed against a completely different API: DigitalOcean's Droplet API. There are a few slides and lots of code, including some live-coding.

Hacking OAuth: Pitfalls and Remedies

Elevator Pitch
OAuth 2.0 is the most widely used standard for secure authorization on the Internet for modern Web and Mobile apps. There are a lot of pitfalls that can lead to an insecure app.

Description
In this talk Micah gives a brief overview of OAuth and its mechanics. Then he leads you through a number of risks and remedies to best secure your applications. This isn’t just theory, but the practical application of certain risks and how to configure OAuth and write your code to mitigate those risks.

Load Testing the Hard Way with JMeter and DigitalOcean

Sure, Dockerizing JMeter in server mode for use in Digital Ocean’s cloud service would be super easy. But, that’s no way to learn a DevOps API!

In this talk, I walk through an application written using Spring Boot that executes 99,000,000 requests in about 40 minutes across 100 machines.

---

A friend and colleague runs a very popular API service called ipify.org. At times, it’s handled 2.5 million requests per second. It simply returns your IP address as the Internet sees it. This friend is moving his API service from Heroku to Digital Ocean (often referred to as DO). I thought it’d be a fun exercise to load test his new infrastructure and learn the Digital Ocean API in the process.

At under $0.01 / hour / small virtual machine, DO itself seemed like the perfect place to do this load testing. How much traffic could I generate across, say, 100 of these small instances? This thought naturally led to JMeter. Not only does JMeter allow you to run complex HTTP interaction scripts, it’s built for distributed processing. You fire up a bunch of server machines to do the heavy lifting. A single client machine distributes the same test script to each of the server machines. As each server machine executes the test script, the client gathers up the test results into a single raw results file. Spoiler alert: I was able to run a distributed test with 19,800 concurrent requests in under an hour that generated a total of 99,000,000 requests to ipify.org.

I’m a big fan of Zed Shaw’s The Hard Way series of courses. The idea is that there’s value in deep, slow learning of a given topic. Early on in working with the DO API it became clear that the easiest way to accomplish my goal would be to use Docker containers for my JMeter servers. That would not give me a lot of experience with the DO API, though. Too easy! So, instead, I wrote a program using Spring Boot that interacts directly with the API.

Impractical Solutions: Build a 2FA token from an ArduBoy

ArduBoy is a hobby platform for running monochrome games. It's made to look like a classic Nintendo GameBoy, but is the size of a credit card.

There are much better ways to make a TOTP (Time-Based One-Time Password) token in software. You're probably using one on your mobile phone.

In this talk, I delve into the TOTP standard, talk about some pitfalls and demo the ArduBoy in action!

Optional: Buy yourself an ArduBoy and load the code onto it yourself!

https://arduboy.com/

OAuth 2.0 and OpenID Connect (In Plain English)

There's no shortage of information out there on OAuth and OpenID Connect. Much of it is not helpful for people not already familiar with the standard. This talk takes you through it all - in plain English, including a “Live Action OAuth Theater” segment (https://www.youtube.com/watch?v=NYzf2JBdUM8) in which volunteers act out a common OAuth interaction.

If you’ve ever tried to search for information on OAuth and/or OpenID Connect, you’ve probably encountered deep dive code examples or references to the specifications. The specifications are great if you’re building OAuth from scratch or suffer from insomnia. Many examples focus on just code, rather than concepts. These types of resources are not useful for understanding the concepts and historical backdrop for why OAuth and OIDC exist.

In this talk we start with the foundations of federated and delegated authentication and authorization, work our way through concepts and foundations for OAuth and OIDC and end with some practical demonstrations of the standards in action.

Breaking AI

Is your organisation ready to revolutionize your coding experience with generative AI tools like Copilot, ChatGPT, or CodeWhisperer? Do you know how to code safely with generative AI tools, increasing your delivery speed without compromising security?

In this session, we'll discuss some of the dangers of generative AI, including hallucinations and security risks. We'll live code a Spring coffee shop application using Copilot and ChatGPT, and live hack the results, showing how the generated code can be exploited in a running app. We'll uncover generated SQL injection, cross-site scripting, directory traversal and more.

Don't miss this electrifying opportunity to explore the cutting edge of coding technology. Join us and embark on a journey where velocity meets security, and innovation knows no bounds.
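The three bug classes named above, each shown as the naive form an assistant tends to emit beside a hardened form. This is an added example in Python as a stand-in for the talk's Spring application, not the speaker's code; the coffee-shop tables, the injection payload and the MENU_DIR location are constructed for the demo.

```python
"""SQL injection, directory traversal and XSS: naive version beside hardened version.

Added example; a Python stand-in for the Spring coffee-shop app in the talk.
Schema, payloads and MENU_DIR are constructed for this demo.
"""
import html
import os
import sqlite3

MENU_DIR = "/srv/coffee/menus"   # assumed location of the menu files


def make_db() -> sqlite3.Connection:
    """In-memory coffee-shop schema, plus a users table an attacker would want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE drinks (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
    """)
    conn.executemany("INSERT INTO drinks (name, price_cents) VALUES (?, ?)",
                     [("espresso", 250), ("latte", 400), ("mocha", 450)])
    conn.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                 ("owner@coffee.example", "$2b$12$constructed-hash"))
    return conn


# --- SQL injection ----------------------------------------------------------
SQLI_PAYLOAD = "' UNION SELECT email, password_hash FROM users --"   # constructed


def find_drink_generated(conn: sqlite3.Connection, name: str):
    """String-built query: whatever the user types becomes SQL."""
    return conn.execute(
        f"SELECT name, price_cents FROM drinks WHERE name = '{name}'").fetchall()


def find_drink_hardened(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver never parses `name` as SQL text."""
    return conn.execute(
        "SELECT name, price_cents FROM drinks WHERE name = ?", (name,)).fetchall()


# --- Directory traversal ----------------------------------------------------
def menu_path_generated(filename: str) -> str:
    """os.path.join alone: '../../etc/passwd' or an absolute path leaves MENU_DIR."""
    return os.path.join(MENU_DIR, filename)


def menu_path_hardened(filename: str) -> str:
    """Resolve the path (symlinks included) and require it to stay under MENU_DIR."""
    base = os.path.realpath(MENU_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside menu directory: {filename!r}")
    return candidate


def menu_path_allowed(filename: str) -> bool:
    """True when the hardened resolver accepts `filename`."""
    try:
        menu_path_hardened(filename)
        return True
    except ValueError:
        return False


# --- Cross-site scripting ---------------------------------------------------
def greeting_generated(display_name: str) -> str:
    """Raw interpolation into HTML: a name containing markup becomes markup."""
    return f"<p>Welcome back, {display_name}!</p>"


def greeting_hardened(display_name: str) -> str:
    """Escape at the point of output, for an HTML text context."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_drink_generated(db, SQLI_PAYLOAD))    # leaks the users row
    print(find_drink_hardened(db, SQLI_PAYLOAD))     # []
    print(menu_path_generated("../../etc/passwd"))   # escapes MENU_DIR
    print(greeting_hardened("<script>alert(1)</script>"))
```

The traversal check resolves symlinks before comparing, which a plain `startswith` on the joined string would not, and the XSS fix escapes for an HTML text context only; an attribute or JavaScript context needs its own encoder.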

KCDC 2022 Sessionize Event

August 2022 Kansas City, Missouri, United States

Devintersection & AngleBrackets Fall 2021 Sessionize Event

December 2021 Las Vegas, Nevada, United States

TechBash 2021 Sessionize Event

October 2021 Mount Pocono, Pennsylvania, United States

KCDC 2021 Sessionize Event

September 2021 Kansas City, Missouri, United States

Destination: Zero-Trust Sessionize Event

January 2021

DevFestAB 2020 Sessionize Event

November 2020 Calgary, Canada

DevSecOps Days Rockies - Virtual Sessionize Event

October 2020

Camp Cloud Native Sessionize Event

June 2020

DeveloperWeek 2020 Sessionize Event

February 2020 Oakland, California, United States

Little Rock Tech Fest 2019 Sessionize Event

October 2019 Little Rock, Arkansas, United States

Music City Tech 2019 Sessionize Event

September 2019 Nashville, Tennessee, United States

KCDC 2019 Sessionize Event

July 2019 Kansas City, Missouri, United States

KCDC 2018 Sessionize Event

July 2018
