Steve Poole
Director Developer Advocacy, Sonatype
London, United Kingdom
Developer Advocate,Security Champion, DevOps practitioner (whatever that means) Long time Java developer, leader and evangelist. I’ve been working on Java SDKs and JVMs since Java was less than 1. Also had time to work on other things including various JSRs, being a committer on various open source projects including ones at Apache, Eclipse and OpenJDK. A seasoned speaker and regular presenter at international conferences on technical and software engineering topics.
Links
Area of Expertise
Topics
Future-Proofing Java: The Art of Crafting Resilient APIs
Designing APIs is an art, a creative exercise. Getting it right for the present is hard; getting it right for the future is even harder.
This talk explores designing resilient Java APIs for upward compatibility, consumability, and flexibility.
We’ll discuss the practicalities of ideas like encapsulation and inheritance, look at broader elements like consistency, effective communication of intent, and cover concepts like the Open-Closed Principle, Semantic Versioning, and other elements that are essential for seamless API evolution.
We’ll review real-world examples, Java gotchas, the latest Java API capabilities, API Check tools, and data and take a look at what Maven Central tells us about the challenge we all face (and just how good we collectively are).
Amazingly, good API design not only helps with evolving for the future, it makes the API more secure and reduces maintenance overheads - all while remaining flexible and consumable.
Time to break those bad design habits before they begin
More tales from the Dark Side: How AI is the bad guys new friend
The bad guys are clever, motivated, ruthless and armed with AI. What was scary before is now terrifying. So many new ways of tricking you: Learn about sneaky device attacks, amazing attacks-by-post , AI's imitating your coworkers, AI being corrupted, unbelievable physical choreography manipulations, open source taker overs and more!
In this talk learn a little about the scale of the challenge developers still face from assaults on our systems. Be prepared to be appalled and frightened. Fainting is not allowed.
Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to be come a Cyber Defender
Navigating the New Normal: Collaborative Strategies in a Regulated, Secure, and AI-Powered World
In today's evolving software world, rising legislation, increasing cyber threats, and swift AI advancements are reshaping developer and DevOps roles. We must innovate, comply, secure, and optimally use AI. Missteps can end the game.
It's daunting, but achievable.
The session's first part will overview these shifts and their implications. The second introduces a tested DevOps approach that actually can unify teams to a common goal - whether compliance, security, AI or just plain old productivity
Join us to explore how this approach fosters innovation, streamlines processes, and fortifies software ecosystems, allowing teams to focus on creating exceptional software in a world governed by evolving legislation and amazing technologies
Revolutionizing Java Development: AI, Cybersecurity, and the Modern Software Supply Chain
Java remains a cornerstone of enterprise applications, and with AI's ascent, there's a golden opportunity to elevate your Java projects. Dive into strategies for integrating AI into your Java applications, considering both cloud-based solutions and local model training. As we delve into Java-specific tools and frameworks, we'll also address the pressing cybersecurity challenges in the AI realm, ensuring your software supply chain remains robust and secure. Through code snippets and practical insights, grasp the nuances of AI integration, while navigating the legislative and security landscapes. By session's end, you'll be equipped with a comprehensive roadmap for AI-driven Java development, balancing innovation with security and compliance. Join us to lead in the next phase of Java's evolution, where AI meets cybersecurity in the modern software supply chain.
Safeguarding Java Dependencies: Upward Compatibility and Downstream Stability
How reliable is semantic versioning? How easy is it to assess if a new version of a dependency will break your application? In a world where upgrading dependencies is a regular and urgent activity it’s important to be able to assess the likelihood of things not going well. Semantic versioning is one tool to help but like all contracts it relies on an understanding between producer and consumer about what upward compatibility means.
In this session we’ll explore the technical aspects of upward compatibility: what can you tell by analysing java classes, what tools are there to help. How you can write code to minimise your exposure or help consumers have a better experience.
And, since theory is not enough, well explore at what the wisdom of the crowds tells us about upward compatibly in practise; we’ll look at data from Maven Central and other places to see just how good the code out there is in being upwardly compatible and honest about semantic versioning.
Secure Your Software Supply Chain: The Three Things Each Developer Should Know
The cost of cybercrime is increasing at a staggering rate, poised to almost equal US GDP by 2027. Cybercrime syndicates are becoming increasingly professional, with elaborate scams to get your data and money. These days, their tool of choice is software supply chain attacks:
- around 61% of US firms were affected by a supply chain attack
- supply chain attacks had 40% more victims than malware in 2022
- a supply chain attack will impact 45% of the global companies
During the current presentation, We will look at what we can do now to ensure we are not part of the above stats.
Initially, we will look at the threat landscape and understand why the traditional moat couldn't protect us from Log4Shell, Spring4Shell, or other similar threats. But also, how the invasion of Ukraine changed the current landscape.
In the second part, we will look at what we can do now to ensure we are not part of the above stats. We will learn what makes a security scanner tremendous and what to look into when building a DevSecOps toolchain.
In the last section, we will zoom in on the software supply chain regulations trends that will ensure the future is brighter, safer, and more transparent.
SBOM - for transparency for both our dependencies and dependents. Not only for software but also for the Gen AI models
Reproducible Builds - for having the mechanisms to double-check the builds we use, providing the certainty that what we want is what we get even if we download binaries
SigStore - the new development in terms of signing builds. Which will ensure more accountability for the code provided.
Everything will be made practical with real-world examples and demonstration of state-of-the-art tooling.
Superman or Ironman - can everyone be a 10x developer?
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it it we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge
In this talk we’re going to examine how to think more clearly about being a Java developer:, help you understand the tools and approaches that can offer practical insight into how you work now as well as providing guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
The 10X Developer mets Technical Debt
Wherever you are in your career it’s certain that you’ll have encountered the term ‘technical debt’
Whether the words instill smiles, fear or simply tired resignation depends on the battle scars you’ve taken, the nights lost and that cry of the damed: “why didn’t we fix this earlier?”
In this session we’re going to look at technical debt from three points of view - the impact to ourselves, the impact on others and some practical thoughts on how we might have avoided or reduced the situation. After all 10X Developers don't worry about technical debt do they?
Thriving in the Gen AI Era: Navigating Change in Tech
For all in IT—Developer, QA, DevOps, or SecOps—the future is driven by two game-changers: the ascent of Generative AI and heightened governmental scrutiny of software. Similar to the industrial revolution’s upheaval, their influence will revolutionise and reinvent the technology we use and our relationship with it. We’ll unpack how these factors redefine our tech practices today and tomorrow. Prepare for role evolution, new opportunities, and shifts, including the evolving dynamic with open source. Join this session to discern the real ramifications.
The Ultimate 4hr Java Workshop: Secure, High-Performance Deployment to Kubernetes and Serverless
This intensive workshop is tailored for developers and IT professionals who aim to excel in deploying Java applications in cloud environments, focusing on security and performance. Participants will engage in a comprehensive, hands-on exploration of Java application creation and deployment, emphasising secure, efficient practices using Google Cloud as the primary platform.
The secret life of Maven central
It’s just there. Just like the stars, just like electricity, just like Java.
In the Java world Maven central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving overt 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background of Maven central and what the philosophy is for dealing with problematic content.
We’ll also explore how the service works under the covers, the API’s you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
The Essential guide to Java Dependencies
Using Maven or Gradle or something else? However you manage dependencies it’s a critical element in application development. Most of us though use these tools without much thought and consume open source components with little regard to the consequences. Unfortunately our choices often come back to bite us when it’s time to upgrade those pesky vulnerable dependencies or move to the next version.
In this session we’ll explore the world of dependencies and help you understand how to select components more wisely, how to use the tools more effectively and how to make upgrading less of a scary chore.
We'll cover the data available (more than you might expect) compare the various sources of components (also more than you might expect) and show a few simple tools and configs that can help relieve the stress of upgrading: after all no one likes spending their vacation on emergency patching!
The three things you wouldn't wanted to know when 2023 started
Supply chain attacks are some of the fastest growing threats in the enterprise space, and not only. It is assumed that 40% of enterprises will suffer a breach in the next couple of years.
The biggest part of your application is written by strangers: 90% of the code in your app is open source.
That is the main reason why Open Source weaponisation is the biggest threat when it comes to open source.
Three initiatives that are not enough promoted can help in this direction:
- Software Bill Of Material for each piece of software
- Reproducible builds as a means of validating that the source you use is exactly what you think it is
- SigCode - as a means of ensuring that the author of the code is validated
During the presentation we will present statistics regarding the context of cybersecurity and open source. And present the state of the initiatives and how they will help in the supply chain hardening.
The secret life of Maven central
It’s just there. Just like the stars, just like electricity, just like Java.
In the the Java world Maven central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Maven central is sooo boring, sooo reliable that it’s understandable that we all take it for granted.
Recently though we’ve seen questions raised about the Java code that is hosted there. Other repositories have been experiencing unprecedented attempts to upload malware and even in the Java world there are significant vulnerabilities that some have called to be removed.
This talk is intended to give you the background into the history of Maven central, explain why Sonatype, who are the stewards of Maven Central, provide such a critical service and what our philosophy is for dealing with problematic content. We’ll also explore how the service works under the covers, the API’s you might not be aware of and what’s coming up next.
Maven Central is not going away - but it might just get more exciting!
The History of Hacking Through the Ages
The term hacking has been around in some form or another since 1200 BC. Its meaning in the Oxford dictionary is to “cut with rough or heavy blows” or more recently to “gain unauthorized access to data in a system or computer”. In Roman times stealing information, finding out where people live, and various forms of sabotage was happening without a computer. We also know of phreaking telephone lines from the 1950s, and our current myriad exploits in our modern age.
This talk will take you through the history of hacking from the times of ancient empires to the cyber security age. We will talk about some of the biggest hacks to have ever occurred, (remember et tu brute force, anyone?) how they happened and what could have been done to prevent them.
By the end of this talk you should be able to easily identify different types of hacking and make better judgments on your systems security posture to make sure you are not a target of the next big cyber attack.
The Anatomy of Java Vulnerabilities
Java is everywhere. According to Oracle, it’s on 4 billion devices and counting.
As we’ve seen with vulnerabilities like Log4Shell, keeping up to date with patches is critical, but each time you do, it’s an opportunity to break your code or let a new vulnerability in.
How do you decide what to patch and what to ignore?
In this talk, you’ll learn about Java vulnerabilities in general: what a ‘vulnerability’ actually is, how they are discovered, reported, managed, assessed and fixed as well as hearing a little about the specifics of attack vectors and bad actors.
Understanding how to choose your dependencies more wisely to reduce your exposure and keep your application working is a skill we all need to grow - start here to begin that journey.
Superman or Ironman - can everyone be a 10x developer?
It’s all about productivity or maybe it’s all about delivering value. Or creating secure applications, dealing with changing directions.
Whatever it it we often feel that we’re lacking - that it’s hard enough to be any sort of developer. That even 1x is often a challenge
In this talk we’re going to examine how to think more clearly about being a Java developer:, help you understand the tools and approaches that can offer practical insight into how you work now as well as providing guidance on alternatives that just might give you the powered armour you need.
A mix of tools, proven processes, new techniques and lessons learnt the hard way make up a session designed to help you understand that being a 10x developer isn’t about having super powers - it’s about using the powers you already have in wiser, more considered ways.
Peaceful Sleeping In the Age Of Shells: How Tooling Can Help You Protect Your Code Base
Log4Shell and SpringShell are just the vulnerabilities that managed to get everybody’s attention, but vulnerabilities that can be as harmful as them are also being discovered. This presentation will provide more information about the existing threats and where to stay informed about them and hint at a couple of tools that can help you keep your code base on products more secure.
In the first part extract of the data that gathered daily regarding threats and explain what are the top vulnerabilities you need to be aware of.
In the second part a couple of tools that will allow you to automate the securing of your source code and supply chain will be presented.
Even if there are two years since the two vulnerabilities were discovered they are still as present as ever.
New thoughts for dark tales. How Java Serialisation is moving on
Serialization is an important and vital part of Java but we’ve all heard the dark tales of how it can be misused and subverted. In this talk, we’ll explain the basics of how serialization works, how the inbuilt design is fatally flawed, and how it is exploited and used against us. We’ll cover why we still need serialization and what can be done today to help reduce the risks.
What does the future hold for Serialization? This talk will also cover some of the emerging ideas to evolve the Java language and runtime to make Serialization woes a thing of the past. Not all fairy tales have happy endings. This one just might.
Mother Nature vs Java - the security face off
Mother Nature has had millennia to build up its defences to the many potential hazards and attacks it may face. So, given its wisdom and expertise on this subject, what can we as software developers learn from it and bring back to the evolution of our own application’s security? In this session we’ll explore where software and biology overlap when it comes to security and lessons we can learn from nature to improve our own application security.
Maven Central++ What's happening at the core of the Java supply chain
In the Java world Maven Central is the most important single service. You can get Java SDKs and even container images from various vendors but Java code comes from only one place: Maven central.
Serving overt 10 billion requests a week, Maven Central is sooo boring, sooo reliable that it’s understandable that it’s mostly invisible. It’s just there.
Times are changing and so is Maven Central.
As cyberattacks grow the defences at Maven Central have grown too and now we're on the offence. Learn how Maven Central is working with the Linux Foundation and others to add features and services that will keep the Java community safer, more informed and better prepared.
Log4J, SpringShell and all that Jazz (or why bad things can happen to good software)
At the turn of the millennium IT organisations had about 60 days to fix software vulnerabilities. That meant from announcement to widespread exploitation took about two months. Fast forward to 2022 and, well, it’s not good. Zero day vulnerabilities have come and gone. The world now has to learn how to deal with widespread exploitation happening before a fix is available.
In this session we’ll look at Cybercrime and its bigger more dangerous cousin: Cyber-warfare. W’ll explore the drivers behind the radical shift, the software arsenal available and how and why developers are both target and unwitting helpers. Using Log4Shell as an example will help us understand the basics of how we make software vulnerable and what we can do to reduce the risks.
Governments are beginning to understand the threat and new ideas and directives are emerging. However these have consequences for developers too.
The last 20 years has been a long wake-up call. The next 20 may see software development change beyond recognition.
how to avoid the perilous pitfalls - 7 simple ways to write safer code
Developers and security: It’s a lot more than just turning on SSL. In this session we’re going to learn to think differently about designing and coding so that the application is less open to being attacked and (bonus) is often of higher quality. This talk will cover seven types of development issues that can get your application into trouble. With code examples (of course), we’ll explore a series of common code pitfalls and explain how to design and code differently. There is much to learn when creating a secure application - take your first steps here.
Hidden security features of the JVM - everything you didn’t know and more
Java 17 announced the depreciation of the Security Manager (which is ok since hardly anyone used it) but that doesn’t mean the JVM leaves you vulnerable. There are many design features in the JVM and the JDK that are there to help keep your application safe from harm.
In this session, we’ll walk through these points - from compiler, to bytecode to runtime and give you a refresher on how to get the best from these features. We’ll also look at new things in the works, compile-to-native consequences and even some off-the-wall “it’s just an idea” thoughts about how to make the JVM an even more secure environment.
Eliminate Java Deserialization Attacks
The world is increasingly threatened by cybercrime, regardless of whether it affects companies, organizations, governments, or facilities and infrastructure. Wer diese Bedrohung nicht ernst nimmt, riskiert hohe Schäden und handelt leichtfertig. In Java, serialization is the biggest security flaw. In Java, serialization is the biggest security flaw. More than 50% of all vulnerabilities are linked to serialization. In this session, you will see why we still need serialization, how the inbuilt design is fatally flawed, and how it is being exploited and used against us. Now, there is a way to protect your applications. In the second part of this talk, you will learn how you can eliminate deserialization attacks with MicroStream high-secure serialization.
Cybercrime and the Developer: Defending against the dark side
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviours you must change) to create a more secure cloud environment. The world of the cybercriminal is closer than you realise. The bad guys are clever, motivated and ruthless and have developed many ways of tricking you: Learn about sneaky device attacks, amazing attacks-by-post , unbelievable physical choreography manipulations and more! In this talk learn a little about the scale of the challenge developers face from assaults on our systems. Be prepared to be appalled and scared. Fainting is not allowed. Discover how to fight back and see how you can change your behaviour and your code to defend against these attacks.
Your destiny is clear - it’s time to be come a Cyber Defender
Case Studies of the damed. How sharing saves teams, how openness redefines you
How do you get groups of people to work together? Especially when they have little in common other than broad goals to deliver software faster and safer? In this session I’ll take you through one battle tested approach that can bring your teams closer together, focusing on the right things and, just as critically, in a way that improves communications and trust.
What is this magic pill? This talk examines how what you share will define you, how simple things like dashboards can be reimagined to bring trust and peace and how the right sort of talking can actually improve communications rather than fan the fires.
In small teams and large, co-located or remote, new or existing this approach can improve the morale and effectiveness of all the teams involved.
I’l take your through real example and case studies with various types of teams to highlight how you can apply this thinking to help make any group more effective without overloading them.
A radiography of a SBOM vulnerability scanner
Log4Shell and SpringShell were reminders that a big part of the code we use in our systems is not ours and that the maintainers we rely on have a significant responsibility.
The US President’s Executive order 140028 brought to the public the need for improving the nation’s cybersecurity. It was also the start of the SBOM frenzy, which was only accentuated by the congress bill on Securing Open Source Software Act of 2022.
Great! We have the silver bullet to all supply chain issues: the Software Bill Of Materials. Are we done? Sadly no. Using SBOMs effectively requires learning about:
What an SBOM can tell us, and how can it help us?
What tools to use?
How to use them?
How do they work?
What are the related formats?
This session will respond to each of these questions. We will also look behind the scenes and explain how an SBOM helps with vulnerability resolution more effectively than dependency scanning and why SBOMs offer more general protection.
The practical examples will be focused on the following:
Syft - for SBOM generation and transformations
Grype vs bomber - for vulnerability scanning and intelligence gathering
For the examples we will look at some of the most used libraries in the JVM world to generate their SBOM and then check for vulnerabilities.
Developer Productivity - clean | secure | fast
The old maxim of you can have it working or on time but not both is often applied to software development.
Somehow though we’ve reached the stage where we are expected to deliver functioning code on time - all the time. Isn’t that what Agile and DevOps etc are all about? Productivity is king after all.
Now though we’ve got to deal with an increased focus on security - can we add that in and still deliver as before or does something break?
In this session we’ll introduce you to several ways to deal with the challenge. From better understanding of the problem to new thoughts about how we work. We’ll help you think differently about productivity and show you how to take the first steps towards have your cake and eating it too
A new hope for 2023? - what developers must learn next
Over the last 10 years we’ve seen cybercrime accelerate beyond all comprehension, We’ve seen the growing and relentless impact it has on our society and our economies. It’s taken a long time for the world to act but finally we’re coming together to resist this uniquely 21st century evil.
At the heart of the resistance are developers. Whatever role you have, whatever programming language or software you use - the battle is at your door.
In this session we’ll brief you on the state of the situation and what you can do to be more prepared.: we’ll look at the bad guys and how they operate, we’ll examine recent legal and government responses and, most importantly, how the software industry is working together to create the tools, frameworks and education needed to help us all become the developers we need to be.
Log4Shell - Armageddon or Opportunity?
It’s said that everyone remembers where they were when a momentous event occurs. Where were you on the 10 December 2021 or did the most comprehensively dangerous Java vulnerability pass you by?
Don’t be fooled into thinking it’s all over. Even by mid year the number of vulnerable servers will still be high because organisations still fail assess their vulnerability state correctly.
In this session I’ll cover, in detail, the actual mechanics of the vulnerability and demo a simple attack. I’ll take you through why this vulnerability can be as bad as it gets and explain what the options are to protect you application and how to assess if you’re still at risk.
It’s not all bad news. The Log4Shell wake up call shows us that we’re not paying the right sort of attention to security across the board but we can learn to do better. I’ll end the talk with explaining why security really matters, what developers can do improve their understanding of security principles in general and cover some of the practical next steps that are available.
Log4Shell is changing our world - let’s make sure its for the right reasons. Opportunity is knocking on your door.
Steve Poole
Director Developer Advocacy, Sonatype
London, United Kingdom
Links
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top