Devnexus: Bringing Java Into The Age Of AI
Atlanta, Georgia, is home to many records. The city itself is where the first Coca-Cola was served in 1886. The city is also home to the College Football Hall of Fame, giving a public home to the many records that hundreds of players and coaches earned over the years. It made the perfect backdrop for a community celebrating a record of its own, as it was here that the oldest and largest Java community conference on Earth marked its 21st edition at Devnexus 2025.
Java is celebrating 30 years since James Gosling's original release of the language this year, adding excitement and pride to an already momentous event. Over 1,200 developers, DevOps practitioners, and other professionals contributing to the open source enterprise ecosystem gathered for three days of workshops and talks from 135 presenters. While the core of almost all the talks was improving our organizations by embracing better tools and techniques for Java, as with almost all other conferences lately, there was a heavy focus on using AI to accelerate change.
The state of Java security is the state of enterprise security
Java remains one of the most widely deployed programming languages in enterprise environments, making its security challenges inseparable from the broader concerns of enterprise security. Roughly 90% of Fortune 500 companies rely on Java in some capacity, and it remains a foundational component of business-critical applications across all industries.
Java was key to microservices architecture's original conception and popularization as enterprise applications sought more scalable, modular solutions beyond monolithic designs. Many of today’s most pressing software security concerns, such as supply chain attacks, dependency management, API security, and workload isolation, have long been part of Java’s security story.
Before cloud-native architectures became the norm, Java developers faced challenges such as deserialization vulnerabilities, classpath manipulation attacks, and insecure reflection-based code execution. The infamous Log4Shell vulnerability underscored how critical Java security is to the enterprise, impacting cloud and on-premise systems alike.
Securing secrets in Java is mission critical
Just like with any other enterprise tool or service, secrets for Java-based applications are an attacker's favorite vector and need to be secured. For example, Neo4J, the extremely popular graph database, is written in Java and is extensively used for building knowledge graphs in LLM applications. Attackers who gain access to this layer can manipulate these systems in a wide variety of ways. Unfortunately, Neo4J credentials saw the highest year-over-year increase in leaks in public GitHub repos, as shown in our most recent State of Secrets Sprawl report.
Another popular Java-based tool where a secrets compromise could mean a disaster is Keycloak, the open source IAM platform. Many organizations rely on Keycloak to manage single sign-on (SSO) and user federation. Someone gaining access to a leaked admin API key can quickly escalate privileges or lock an entire organization out of its own application. Keeping these secrets safe is mission critical.
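The two habits that keep credentials like these out of public repositories are loading them from the environment (where a vault or the orchestrator injects them) and catching literal credentials before they are committed. The following is an added example written for this post, not code from the article, Neo4J, Keycloak or GitGuardian; the environment variable names, the regular expressions and the sample lines are all constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: two defensive habits for secrets in Java services.
 *  1. Resolve credentials from the environment and fail closed when missing.
 *  2. Scan source/config lines for credentials pasted in directly, so the
 *     leak is caught before it reaches a public repository.
 * Variable names, patterns and sample lines are constructed for the example.
 */
public final class SecretsHygiene {

    /** Reads one required secret; the variable name is assumed, not a product convention. */
    static String requireSecret(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.isBlank()) {
            // Fail closed: a missing secret must never fall back to a default password.
            throw new IllegalStateException("required secret not set: " + name);
        }
        return value;
    }

    /** Patterns that indicate a literal credential in code or config (constructed list). */
    private static final List<Pattern> LEAK_PATTERNS = List.of(
        // Neo4j/Bolt connection URI carrying user:password inline
        Pattern.compile("(?i)\\b(neo4j|bolt)(\\+s)?://[^:/\\s]+:([^@\\s]+)@"),
        // password/secret/key assignment with a quoted literal of 8+ characters
        Pattern.compile("(?i)\\b(password|secret|client_secret|api[_-]?key)\\s*[=:]\\s*[\"']([^\"']{8,})[\"']")
    );

    record Finding(int line, String kind, String excerpt) {}

    /** Returns one finding per line that looks like it carries a hardcoded credential. */
    static List<Finding> scan(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            // Values read from the environment or a placeholder are the desired pattern, not a leak.
            if (line.contains("System.getenv(") || line.contains("${")) continue;
            for (Pattern p : LEAK_PATTERNS) {
                Matcher m = p.matcher(line);
                if (m.find()) {
                    findings.add(new Finding(i + 1, m.group(1).toLowerCase(), redact(line)));
                    break;
                }
            }
        }
        return findings;
    }

    /** Masks everything after the first separator so findings can be logged safely. */
    private static String redact(String line) {
        int eq = line.indexOf('='), colon = line.indexOf(':');
        int cut = eq < 0 ? colon : (colon < 0 ? eq : Math.min(eq, colon));
        return cut < 0 ? line : line.substring(0, cut + 1) + " <redacted>";
    }

    public static void main(String[] args) {
        // Constructed environment; in production the orchestrator or a vault injector fills this.
        Map<String, String> env = Map.of(
            "NEO4J_PASSWORD", "example-only-value",
            "KEYCLOAK_CLIENT_SECRET", "example-only-value");
        System.out.println("neo4j secret loaded: " + !requireSecret(env, "NEO4J_PASSWORD").isEmpty());

        // Constructed sample lines mixing good and bad practice.
        List<String> sample = List.of(
            "neo4j.uri=bolt://neo4j:NotARealPassw0rd@graph.internal:7687",
            "keycloak.credentials.secret=\"0123456789abcdef\"",
            "String pw = System.getenv(\"NEO4J_PASSWORD\");",
            "spring.datasource.password=${DB_PASSWORD}");
        for (Finding f : scan(sample)) {
            System.out.printf("line %d: hardcoded %s -> %s%n", f.line(), f.kind(), f.excerpt());
        }
    }
}
```

Run with `java SecretsHygiene.java` (Java 17 or later). The first two sample lines are reported and the last two are not, because they defer the value to the environment. A scanner like this is only a pre-commit safety net; the real control is that the code path never contains a literal in the first place.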
Authentication and authorization for Java
A full five of the ten sessions in the security track at Devnexus dealt with authentication and/or authorization. Your author gave a talk on handling secrets security at scale. While not Java-specific, I was happy to have a number of conversations around the real challenges of vault sprawl in the enterprise and the issue of long-lived credentials permeating legacy applications and infrastructure. I hope to have inspired some conversations among teams on how they can best evolve their secrets security posture.
Some sessions focused on handling authorization in the application itself, such as "There's an Authz for that: Spring Security in 2025" from Josh Cummings, Staff Software Engineer at VMware Tanzu and lead Spring Security committer. This session was all code examples, walking through multiple, increasingly efficient approaches to leveraging authorization in the Spring framework.
Other sessions introduced concepts in a less code-heavy way, such as "Protect The Bat-Computer! Understanding OAuth2 (With The Help Of Some Super Friends)" from Kelly Morrison, Application Architect at Daugherty Business Solutions. In his talk, he used comic book heroes to explain how OAuth2 allows clients to obtain Identity Tokens and Access Tokens from Authorization Servers. While we looked at some examples of JWTs, this stayed at a high level and was an excellent introduction.
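Those two talks cover the two halves of the same picture: an authorization server issues access tokens, and the application validates them and decides what the caller may do. The following configuration is an added example written for this post, not code from either presenter. It assumes Spring Boot 3 with Spring Security 6 and the spring-boot-starter-oauth2-resource-server dependency, with the property spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the authorization server (Keycloak or any OpenID Connect provider). The paths, the role names and the flat "roles" claim are illustrative assumptions; Keycloak, for instance, nests realm roles under realm_access, so the claim mapping would need to be adjusted.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

/**
 * Added example (not from either Devnexus talk): a Spring Security 6 resource
 * server that accepts OAuth2 access tokens (JWTs) from an authorization server
 * and layers two kinds of authorization rules on top.
 * Assumes: Spring Boot 3, spring-boot-starter-oauth2-resource-server, and
 * spring.security.oauth2.resourceserver.jwt.issuer-uri set to the issuer.
 * Paths, role names and the "roles" claim name are illustrative.
 */
@Configuration
@EnableMethodSecurity // enables @PreAuthorize evaluation on Spring beans
public class ResourceServerConfig {

    /** Maps a custom "roles" claim (assumed) to ROLE_* authorities so hasRole() works. */
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter granted = new JwtGrantedAuthoritiesConverter();
        granted.setAuthoritiesClaimName("roles"); // assumption: flat array claim issued by the AS
        granted.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(granted);
        return converter;
    }

    /** Coarse-grained rules keyed on the request path. */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Validates the bearer token: signature against the issuer's JWKS,
            // expiry, and the issuer claim. No HTTP session is created for API calls.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }
}

/** Fine-grained rules on the operation, evaluated where the data is touched. */
@Service
class ReportService {

    // Only an ADMIN or the report's owner may read it. 'authentication.name' is the
    // JWT subject, so the check is bound to the validated token, not to a header.
    @PreAuthorize("hasRole('ADMIN') or #ownerId == authentication.name")
    public String report(String ownerId) {
        return "report for " + ownerId;
    }

    // Deleting is admin-only regardless of which URL reached the service layer.
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(String reportId) {
        // delete logic omitted in this illustration
    }
}
```

The path rules stop obviously unauthorized requests early; the method rules are the ones that hold up when a new controller or a batch job reaches the same service, which is why both layers are worth keeping.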
Writing AI into enterprise applications
The Java community, while well-established, is quick to adopt technologies that they see as beneficial to the enterprise. AI is no exception and is being employed rapidly where it makes sense. Throughout the event, there was a real sense of cautious optimism about the possibilities AI brings to the Java development ecosystem.
While almost all the sessions at Devnexus focused on Java, the topics of AI and LLMs were at the center of 16 talks and workshops this year. There were full-day, in-depth workshops such as "AI-Driven Development: Enhancing Java with the latest AI Innovations," sessions focused on a single aspect of leveraging AI, such as "AI Tools for Jakarta EE" from Gaurav Gupta, and even sessions on how to effectively build better AI using open source tools, as in "AI Ready Data with Apache Iceberg: Unifying, Controlling, and Optimizing Your Data for Effective AI" from Andrew Madson.
In the security track, there were AI sessions on the legal aspects and safety of AI at scale. Brian Vermeer, Staff Developer Advocate at Snyk, and Lize Raes, Developer Advocate and Product Manager at Naboo, presented the joint session "Securing LLM-Powered Applications: Overcoming Security and Privacy Challenges." They walked us through some of the most common and, unfortunately, extremely simple-to-execute attacks against AI chat agents. In one part of their talk, Lize got an AI bot to give her the application users' private data by asking very directly and repeatedly. Any secrets in the training data can potentially be obtained the same way.
They provided some excellent remediation advice alongside their showcasing of RAG injection, jailbreaking, and even SQL injection. The good news is that these precautions are fairly straightforward to implement; the other side is that implementing them takes dedication and time. As we use AI more and more to deliver faster and faster, their call to action was to get humans in the loop more often and much sooner. Just as with credentials, we need to tighten the scope of services AI agents can access to reduce the potential for abuse by a bad actor.
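The two controls the speakers called for, a tight scope per agent and a human in the loop, can be enforced in one place: a gateway that every tool call from the model has to pass through. The following is an added example written for this post, not code from the Snyk/Naboo session or any product. The tool names, the agent names, the risk tiers and the approval callback are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;

/**
 * Added example: a gateway between an LLM agent and the services it may call.
 * It enforces a per-agent allowlist of tools, keeps secrets out of reach of
 * the model entirely, and requires a human approval before any action that
 * changes data. Tool names, agents and the approver are constructed.
 */
public final class AgentToolGateway {

    enum Risk { READ_ONLY, WRITES_DATA, TOUCHES_SECRETS }

    /** A tool the agent may request, tagged with its blast radius. */
    record Tool(String name, Risk risk) {}

    /** One agent's scope: the tools it may use, nothing else. */
    record AgentScope(String agent, Set<String> allowedTools) {}

    record Decision(boolean allowed, String reason) {}

    private final Map<String, Tool> catalog;
    private final Map<String, AgentScope> scopes;
    private final Predicate<String> humanApproves; // asks an operator; true means approved

    AgentToolGateway(List<Tool> tools, List<AgentScope> scopes, Predicate<String> humanApproves) {
        this.catalog = tools.stream().collect(Collectors.toMap(Tool::name, t -> t));
        this.scopes = scopes.stream().collect(Collectors.toMap(AgentScope::agent, s -> s));
        this.humanApproves = humanApproves;
    }

    /** Decides whether an agent's requested call may proceed. The default is deny. */
    Decision authorize(String agent, String toolName) {
        AgentScope scope = scopes.get(agent);
        if (scope == null) return new Decision(false, "unknown agent");
        Tool tool = catalog.get(toolName);
        if (tool == null) return new Decision(false, "unknown tool");
        if (!scope.allowedTools().contains(toolName)) {
            return new Decision(false, "tool not in scope for " + agent);
        }
        // Secrets never reach the model, even if a scope was misconfigured to include them.
        if (tool.risk() == Risk.TOUCHES_SECRETS) {
            return new Decision(false, "secrets are off-limits to agents");
        }
        // Writes need a human in the loop; reads within scope proceed on their own.
        if (tool.risk() == Risk.WRITES_DATA && !humanApproves.test(agent + " -> " + toolName)) {
            return new Decision(false, "human approval denied");
        }
        return new Decision(true, "ok");
    }

    public static void main(String[] args) {
        AgentToolGateway gateway = new AgentToolGateway(
            List.of(new Tool("searchDocs", Risk.READ_ONLY),
                    new Tool("updateTicket", Risk.WRITES_DATA),
                    new Tool("readVault", Risk.TOUCHES_SECRETS)),
            // readVault is deliberately (mis)configured into scope to show the secrets rule still holds.
            List.of(new AgentScope("support-bot", Set.of("searchDocs", "updateTicket", "readVault"))),
            // Constructed approver: a real one would page an operator and wait for the answer.
            request -> request.endsWith("updateTicket"));

        for (String t : List.of("searchDocs", "updateTicket", "readVault", "dropTable")) {
            Decision d = gateway.authorize("support-bot", t);
            System.out.printf("%-12s allowed=%-5s %s%n", t, d.allowed(), d.reason());
        }
        System.out.println(gateway.authorize("marketing-bot", "searchDocs").reason());
    }
}
```

Run with `java AgentToolGateway.java`. Only searchDocs and the approved updateTicket come back allowed; readVault, dropTable and the unknown agent are all refused with a reason that can be logged and reviewed. Logging every refusal is what turns the gateway from a control into a detection signal: repeated out-of-scope requests from one agent are exactly the pattern the speakers demonstrated.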
A bright future of an established community
Many people, when first entering the world of application development, believe that JavaScript, Python, Go, and Rust are where the future is headed. However, Java is still the language of choice for enterprises that prize scalability and dependability above all other traits. Given Java's prevalence across some of the largest companies in the world, the future depends on developers continuing to learn new skills for writing and deploying Java applications.
Thankfully, the community is still very active and very welcoming, as Devnexus has proved for over 20 years now. But there is no need to wait until the next Devnexus to connect with a tech community near you. Over 300 Java User Groups (JUGs) exist around the globe, with members who would love to help you learn to build and secure your Java applications.
GitGuardian is proud to stand behind open source. This is why we offer free repository secrets scanning for any Java projects (or projects in any other language) you need to secure. Security is an ongoing journey, and we look forward to helping Java stay safe for the next 30 years of the project.