Actively Considering Opportunities
Roles like… Technical Team Leader, Security Researcher, Security Architect
Targeting areas like… Security tool development, AI/ML security, Java Virtual Machine runtime monitoring/analysis, Java application observability, TLS protocol analysis, industry facing contributions/projects, open source development
Work locations like… Remote, Hybrid
Milton Smith
Java security researcher & architect. Black Hat speaker, JavaOne Security Track founder, formerly Oracle Java Platform Security.
Executive Summit — Oracle On Java
Invited by Black Hat leadership to present candidly on Java security at the Black Hat USA Executive Summit — one of three featured presenters, sharing the stage with the world’s foremost security leaders, under NDA, before an audience of top global technology executives.
In addition to the Executive Summit, I presented three other times at Black Hat, on monitoring JVM applications and on TLS analysis, in both Las Vegas and London. Also in 2013, I launched the JavaOne Conference Security Track as track committee chair, establishing the first full security track at a major software engineering conference, a role I held for several years. As Java Platform security leader at Oracle, I contributed to platform remediation, its priorities, and the public perception of our improvement efforts.
I inherited one of the industry's most prickly security incidents only 14 days after joining Oracle from Yahoo. It was rough for the team and an experience I don't necessarily wish to repeat. On the positive side, as a security professional the incident built character, permitted me to do many things I would not otherwise have had the opportunity to do, and introduced me to some of the brightest minds in the industry. Few will ever make more impact in their career.
What I’m Building Now
Active open-source security tools and contributions.
Charis is an AI harness I'm developing, comparable in spirit to Claude Desktop or the Claude Code CLI, but built natively in HTML/CSS with support for rich inline visualization through libraries like D3. What sets it apart is a layer of tooling purpose-built for software security: the nvd_search tool queries the U.S. National Vulnerability Database, and a dedicated tool surfaces zero-day research from Google's Project Zero, alongside other code and security tools. Charis currently ships 22 tool types; it is capable of general-purpose work but especially strong on security.
I’m actively exploring further tooling around risk identification and classification, compliance, and guardrails for setting model boundaries. More updates to come — follow my blog to keep up.
JVMXRay monitors Java applications in real time via bytecode injection, detecting vulnerabilities and suspicious activity without code changes. 19 modular sensors track file access, network connections, SQL queries, cryptographic operations, authentication, process execution, and more, generating structured, machine-readable security events with automatic cross-sensor correlation.
JVMXRay addresses a gap that SAST and DAST tools cannot fill: runtime behavioral visibility into production Java systems. As AI-accelerated development compresses the distance between code generation and deployment, runtime assurance becomes a critical layer.
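To make the cross-sensor correlation idea concrete, here is an added example (not JVMXRay code, and not its event format) that runs detection rules over a constructed batch of runtime events. The event schema (sensor, op, thread, ts_ms plus a few per-sensor fields), the SENSITIVE_PATHS list, the tautology regex and the rule names R1 to R3 are all assumptions made for this illustration. The point it demonstrates is that no single sensor sees anything wrong (one exec, one file read, one query), while the sequence on a request thread does.

```python
"""Cross-sensor correlation over constructed runtime security events.

Added illustration, not JVMXRay code. The event schema (sensor, op, thread,
ts_ms plus per-sensor fields) is an assumption made for this example; the
project's real event format is not reproduced here.
"""
import re
from collections import defaultdict

# Constructed sample events, as a runtime monitor that tags each event with
# the emitting JVM thread might produce them. Each dict is one event.
SAMPLE_EVENTS = [
    {"ts_ms": 1000, "thread": "http-1", "sensor": "net", "op": "accept", "peer": "203.0.113.7"},
    {"ts_ms": 1010, "thread": "http-1", "sensor": "file", "op": "read", "path": "/app/templates/index.html"},
    {"ts_ms": 2000, "thread": "http-2", "sensor": "net", "op": "accept", "peer": "198.51.100.9"},
    {"ts_ms": 2030, "thread": "http-2", "sensor": "sql", "op": "query",
     "sql": "SELECT * FROM users WHERE id = '1' OR '1'='1'"},
    {"ts_ms": 2045, "thread": "http-2", "sensor": "process", "op": "exec", "cmd": "/bin/sh -c id"},
    {"ts_ms": 5000, "thread": "scheduler-1", "sensor": "process", "op": "exec", "cmd": "/usr/sbin/logrotate"},
    {"ts_ms": 6000, "thread": "http-3", "sensor": "net", "op": "accept", "peer": "192.0.2.4"},
    {"ts_ms": 6020, "thread": "http-3", "sensor": "file", "op": "read", "path": "/etc/passwd"},
]

# Files a web request thread has no business reading (illustrative list).
SENSITIVE_PATHS = frozenset({"/etc/passwd", "/etc/shadow", "/proc/self/environ"})

# 'x'='x' or 1=1 style tautologies commonly seen in injection payloads.
TAUTOLOGY = re.compile(r"'([^']*)'\s*=\s*'\1'|\b(\d+)\s*=\s*\2\b")


def looks_like_tautology(sql):
    """Return True when the statement contains an always-true comparison."""
    return TAUTOLOGY.search(sql) is not None


def _finding(rule, title, cause, trigger):
    return {
        "rule": rule,
        "title": title,
        "thread": trigger["thread"],
        "ts_ms": trigger["ts_ms"],
        "cause": cause,      # the inbound connection that started the request
        "trigger": trigger,  # the later event from another sensor
    }


def correlate(events, window_ms=500):
    """Correlate events across sensors on the same thread.

    Within window_ms of an inbound network accept on the same thread:
      R1  process exec                      -> possible remote command execution
      R2  read of a sensitive file          -> possible file disclosure / traversal
      R3  SQL query containing a tautology  -> possible SQL injection
    Events on threads with no inbound connection (batch jobs) are not flagged.
    Returns findings ordered by timestamp.
    """
    by_thread = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts_ms"]):
        by_thread[ev["thread"]].append(ev)

    findings = []
    for evs in by_thread.values():
        last_accept = None
        for ev in evs:
            if ev["sensor"] == "net" and ev["op"] == "accept":
                last_accept = ev
                continue
            # Only correlate against a recent inbound connection on this thread.
            if last_accept is None or ev["ts_ms"] - last_accept["ts_ms"] > window_ms:
                continue
            if ev["sensor"] == "process" and ev["op"] == "exec":
                findings.append(_finding("R1", "possible remote command execution", last_accept, ev))
            elif ev["sensor"] == "file" and ev.get("path") in SENSITIVE_PATHS:
                findings.append(_finding("R2", "sensitive file read during request", last_accept, ev))
            elif ev["sensor"] == "sql" and looks_like_tautology(ev.get("sql", "")):
                findings.append(_finding("R3", "possible SQL injection", last_accept, ev))
    return sorted(findings, key=lambda f: f["ts_ms"])


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['ts_ms']:>6} {f['rule']} {f['thread']:<8} {f['title']}: {f['trigger']}")
```

Run as a script it prints three findings, all on request threads: the tautology query and the shell exec on http-2, and the /etc/passwd read on http-3. The logrotate exec on scheduler-1 is left alone because no inbound connection preceded it, which is the kind of distinction a single exec sensor cannot make on its own. The thread is used as the correlation key here because it is what a JVM agent has cheaply available; a production design would carry a request or trace id instead.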
DeepViolet is a TLS/SSL analysis API for building Java-based security tools. It powers TLS analysis within ZAP, one of the largest open-source security scanners on the internet, and was selected by the ZAP project as the foundation for its TLS analysis capability.
~9.5 million ZAP runs / month
Companion tooling built on the DeepViolet API: a CLI for scripting and scheduling, and a TLS Workbench for desktop-based scanning. Both serve as reference implementations and production-ready tools for security practitioners.
Manning Publications — Currently serving as Technical Editor on an innovative book project. More on that in the future.
Selected Press
You'll notice the press wasn't always kind (as is to be expected). Key to addressing user concerns was communicating the Java Platform engineering team's significant security progress in a way acceptable broadly across Oracle constituencies such as Legal, PR, and Oracle executives. The plan was broad, but most noteworthy, I proposed creating a security track at JavaOne and used it as a platform to communicate key security metrics to the public, such as remediation over time and vulnerabilities by category. The combination of remediation and communication reduced public concern and improved confidence in the Java platform.
My work and public statements have been covered by InfoWorld, The Register, ComputerWorld, PC Magazine, San Jose Mercury News, IT News, and others, most notably following a 2014 Java User Group Leaders Call that triggered widespread industry press at a pivotal moment in platform security. It wasn't easy on me or the team, but Java emerged stronger and community trust was restored.
Conferences & Presentations
| Year | Event | Role |
|---|---|---|
| 2013 | Black Hat USA — Executive Summit (featured) | Presenter |
| 2013 | OWASP AppSec USA, New York | Presenter |
| 2015 | OWASP AppSec USA | Committee / Organizer |
| 2016 | Black Hat Europe — Arsenal | Presenter · DeepViolet |
| 2016 | OWASP AppSec EU, Rome | Presenter · Security Logging |
| 2018 | Black Hat USA — Arsenal | Presenter · DeepViolet |
| 2020 | Black Hat USA — Arsenal | Presenter · JVMXRay |
JavaOne Security Track Lead — 2013, 2014, 2015, 2017 · Founded and led the first full security track at a major software development conference.
OWASP AppSec EU, Hamburg — Presenter · All Day DevOps — DevSecOps Track Leader · ISC2 East Bay Chapter, 2017 — Presenter
Publications & Media
Past Projects
The Security Logging project extended popular SLF4J-compliant loggers like Log4j and Logback with security and auditing features. Many of the ideas originated while helping Jim Manico and August Detlefsen with their book, Iron-Clad Java. The security logging team later presented the project at OWASP AppSec EU, Rome, in 2016.