Micah Silverman
Director, Security Advocacy @ Snyk
Virginia Beach, Virginia, United States
Micah is Snyk's Director of Security Relations. With 30 years of Java experience (yup, that's from the beginning) and 23 years as a security professional, Micah has authored numerous articles, co-authored a Java EE book, and spoken at many conferences. He's a maker who's built full-size MAME arcade cabinets and repaired old electronic games (http://afitnerd.com/2011/10/16/weekend-project-fix-dark-tower/). He brings his love of all things security and Java to a conference near you!
Topics
Kicking JavaScript to the Curb with Vaadin
I've been using Spring Boot for a very long time. I learned Vue.js in order to build a modern web app that's been in use for about 7 years.
I recently learned Vaadin and refactored the application so that it's end-to-end Java.
In this talk, I share the experience and dive into the real-world challenges of going from a JavaScript frontend to Java all the way through.
I cover coding, security, testing, debugging, and migrating. The pace is quick, but you learn a lot!
Breaking AI: Live coding and hacking applications with Generative AI
Is your organization ready to revolutionize your coding experience with generative AI tools like Copilot, ChatGPT, or CodeWhisperer? Do you know how to code safely with generative AI tools, increasing your delivery speed without compromising security? In this session, we'll discuss some of the dangers of generative AI, including hallucinations and security risks. We'll live code a Spring coffee shop application using Copilot and ChatGPT, and live hack the results, showing how the generated code can be exploited in a running app. We'll uncover generated SQL injection, cross-site scripting, directory traversal and more. Don't miss this electrifying opportunity to explore the cutting edge of coding technology. Join us and embark on a journey where velocity meets security, and innovation knows no bounds. Secure your spot now and get ready to code like never before! In this session you'll learn how you can leverage the power of AI to increase your velocity while mitigating risks and staying secure.
Live exploiting your open source dependencies
Today, almost all software relies heavily on third-party dependencies. While open source modules are undoubtedly awesome, they also represent an undeniable and massive risk. You're introducing someone else's code into your system, often with little or no scrutiny. Including the wrong package can introduce severe vulnerabilities, exposing your application and your users' data.
We’ll look at examples in the wild that have been exposed, some more famously than others, before showing you how to guard against these important security issues.
Capture the Flag 101
Capture the Flag events are exciting and competitive. But, they can be scary to developers and security practitioners who have never participated in them.
In this session, I introduce CTFs, discuss their benefits to developers, and examine an easy and medium-difficulty CTF challenge in depth.
Together, we walk through the wily attacker's thought process and how to pick up clues based on the programming language and protocols involved. We google, form theories and test them against what little information is provided in the challenge.
You don't need any prior knowledge of a specific programming language. Rather, we focus on developing the skills needed to participate in a Capture the Flag event.
After an introduction to Capture the Flag events, we dig into two challenges. These are real challenges from past CTF events.
For each challenge, we follow a pattern of discovery:
1. Introduce the challenge
2. Review clues from the challenge text and challenge interface
3. Give participants time to take on the challenge
4. Pause and review progress and give a hint
5. Give participants more time to solve the challenge
6. Review the solution and lessons learned
Beautiful SDK Design in Java for APIs
Oftentimes, Java SDKs for APIs look more like the API they represent than idiomatic Java.
This talk examines how great SDKs are built using design patterns.
It covers: enforced separation of Java API and implementation, use of generics, a caching layer, and hiding network traffic.
---
The (now defunct) Stormpath SDK had a great design approach from its original author, Les Hazlewood.
It has an enforced separation of API and implementation. It does this by using the API module as a compile-time dependency and the implementation module as a runtime dependency.
It has a DataStore interface that makes heavy use of generics to support CRUD operations for all objects represented in the API. The implementation hides the actual network traffic and includes rich support for retry with backoff and error handling. Developers only ever have to deal with the DataStore, POJOs and method calls to “interact” with the API.
It also has a rich, interface-based caching layer. The default implementation is robust and suitable for single-JVM environments. It’s easy to drop in a distributed caching layer, such as Redis or Hazelcast.
All of this combined makes it one of the best-designed SDKs in Java. In this talk, all these secrets are revealed against a completely different API: DigitalOcean's Droplet API. There are a few slides and lots of code, including some live coding.
Hacking OAuth: Pitfalls and Remedies
Elevator Pitch
OAuth 2.0 is the most widely used standard for secure authorization on the Internet for modern Web and Mobile apps. There are a lot of pitfalls that can lead to an insecure app.
Description
In this talk Micah gives a brief overview of OAuth and its mechanics. Then he leads you through a number of risks and remedies to best secure your applications. This isn’t just theory, but the practical application of certain risks and how to configure OAuth and write your code to mitigate those risks.
Load Testing the Hard Way with JMeter and DigitalOcean
Sure, Dockerizing JMeter in server mode for use in DigitalOcean's cloud service would be super easy. But that's no way to learn a DevOps API!
In this talk, I walk through an application written using Spring Boot that executes 99,000,000 requests in about 40 minutes across 100 machines.
---
A friend and colleague runs a very popular API service called ipify.org. At times, it’s handled 2.5 million requests per second. It simply returns your IP address as the Internet sees it. This friend is moving his API service from Heroku to Digital Ocean (often referred to as DO). I thought it’d be a fun exercise to load test his new infrastructure and learn the Digital Ocean API in the process.
At under $0.01 / hour / small virtual machine, DO itself seemed like the perfect place to do this load testing. How much traffic could I generate across, say, 100 of these small instances? This thought naturally led to JMeter. Not only does JMeter allow you to run complex HTTP interaction scripts, it’s built for distributed processing. You fire up a bunch of server machines to do the heavy lifting. A single client machine distributes the same test script to each of the server machines. As each server machine executes the test script, the client gathers up the test results into a single raw results file. Spoiler alert: I was able to run a distributed test with 19,800 concurrent requests in under an hour that generated a total of 99,000,000 requests to ipify.org.
I’m a big fan of Zed Shaw’s The Hard Way series of courses. The idea is that there’s value in deep, slow learning of a given topic. Early on in working with the DO API it became clear that the easiest way to accomplish my goal would be to use Docker containers for my JMeter servers. That would not give me a lot of experience with the DO API, though. Too easy! So, instead, I wrote a program using Spring Boot that interacts directly with the API.
Impractical Solutions: Build a 2FA token from an ArduBoy
ArduBoy is a hobby platform for running monochrome games. It's made to look like a classic Nintendo GameBoy, but is the size of a credit card.
There are much better ways to make a TOTP (Time-Based One-Time Passcode) token in software. You're probably using one on your mobile phone.
In this talk, I delve into the TOTP standard, talk about some pitfalls and demo the ArduBoy in action!
Optional: buy yourself an ArduBoy and load the code onto it yourself!
https://arduboy.com/
OAuth 2.0 and OpenID Connect (In Plain English)
There's no shortage of information out there on OAuth and OpenID Connect. Much of it is not helpful for people not already familiar with the standard. This talk takes you through it all - in plain English, including a “Live Action OAuth Theater” segment (https://www.youtube.com/watch?v=NYzf2JBdUM8) in which volunteers act out a common OAuth interaction.
If you’ve ever tried to search for information on OAuth and/or OpenID Connect, you’ve probably encountered deep dive code examples or references to the specifications. The specifications are great if you’re building OAuth from scratch or suffer from insomnia. Many examples focus on just code, rather than concepts. These types of resources are not useful for understanding the concepts and historical backdrop for why OAuth and OIDC exist.
In this talk we start with the foundations of federated and delegated authentication and authorization, work our way through concepts and foundations for OAuth and OIDC and end with some practical demonstrations of the standards in action.
Events:
- KCDC 2022
- Devintersection & AngleBrackets Fall 2021
- TechBash 2021
- KCDC 2021
- Destination: Zero-Trust
- DevFestAB 2020
- DevSecOps Days Rockies - Virtual
- Camp Cloud Native
- DeveloperWeek 2020
- Little Rock Tech Fest 2019
- Music City Tech 2019
- KCDC 2019
- KCDC 2018