Foojay.io | Friends of OpenJDK and Java Programming

Foojay.io | Java and Programming Community

Foojay.io is your go-to programming community podcast, connecting developers with the latest in Java, OpenJDK, JVM, and open source tools. We bring together Java professionals worldwide to share insights, tools, and news in the vibrant Java programming ecosystem.

Recent Episodes

Testing the Untestable: LLM Security for Java Developers with Tiberius (#99)
JUN 20, 2026
Your Java AI application is live in production. But have you tested whether it can be jailbroken, manipulated into revealing its system prompt, or tricked into printing content it should never output?

In this episode, Iryna Dohndorf, Software Engineer at Karakun Group and creator of Tiberius, explains how to bring security testing to LLM-powered Java applications. We cover why traditional unit tests break down with non-deterministic systems, how the Scan-Fixture-Validate workflow works, what buff mutation testing is, and why even well-trained models can be cracked with something as simple as the grandmother attack.

Topics include:
Why LLM non-determinism breaks the classic input/output test model
The Scan-Fixture-Validate principle and sharing test artifacts across teams
Prompt injection, jailbreaks, and emotional manipulation attacks
Buff mutation: testing linguistic surface coverage
Probabilistic security contracts and multi-trial scans
Fingerprinting and why your model choice should not be detectable
LLM as a judge: using a second model as a guardrail
Getting started with Tiberius in Spring Boot and LangChain4j

Guest
Iryna Dohndorf - Software Engineer at Karakun Group
LinkedIn

Links
Article on Foojay
Tiberius on GitHub
Security Testing Guide

Timestamps
00:00 Introduction of topic and guest
01:05 The problem Tiberius wants to solve
06:39 How "traditional" unit tests don't work for LLM integrations
10:23 Scan-Fixture-Validate principle and sharing artifacts
15:15 Using different skills, for example, the grandmother skill
17:33 Testing for required versus forbidden bias
19:35 The probes across nine attack categories used by Tiberius
20:44 Buff mutation testing
26:55 Using Tiberius in your pipelines and when to fail
29:35 Using multi-trial scans
31:14 Fingerprinting: which model you use, should not be detectable
32:55 Combining multiple models, model as a judge
34:41 Sharing JSON models to improve tests
36:05 How to get started with Tiberius in Spring and with LangChain4j
36:41 Quarkus not supported yet, plans for the future
39:07 Conclusions and a call out to everyone to become a Foojay author
41 MIN
The End of JNI Pain: How WebAssembly Is Quietly Replacing Native Libraries in Java (#98)
JUN 13, 2026
WebAssembly is already running inside Java applications, but most developers just don't know it yet.

In this episode, Andrea Peruffo walks us through how WebAssembly is becoming the modern, safe alternative to JNI. Run Rust, C, and other native libraries directly on the JVM, without the crash risks, per-platform packaging headaches, or the observability blackhole that JNI creates.

From JRuby's Prism parser to SQLite and full Postgres running as pure Java bytecode, the use cases are real. And the project making it possible, Endive, under the Bytecode Alliance, is open and ready to explore.

Guest
Andrea Peruffo
GitHub: https://github.com/andreaTP/
LinkedIn: https://www.linkedin.com/in/andrea-peruffo-32269178/
Bluesky: https://bsky.app/profile/andreatp.bsky.social

Links
A New Generation of Java Libraries: Wasm Becomes the Implementation Detail
Chicory on GitHub
Endive on GitHub
Endive documentation
Bytecode Alliance
OpenJDK Project Detroit

Timestamps
00:00 Introduction of topic and guests
00:56 What is WebAssembly?
03:35 Comparing the performance with JavaScript
05:45 JRuby already uses WebAssembly
09:04 JNI versus FFM API versus WebAssembly
13:58 Other Java-related tools that use WebAssembly
17:56 History of the Chicory and Endive projects to bring WebAssembly to Java
21:03 Projects of the Bytecode Alliance
22:02 The Endive project as the glue to bring WebAssembly tools to Java
23:30 Integration of the Redline compiler
28:59 Why this is the perfect solution to modernize existing Java applications
31:18 Is this approach performant?
32:24 What future changes in Java and the JVM will make this even better
35:04 How Endive can be used in AI development
37:28 What to expect in Endive
41:29 Conclusions
44 MIN
From Scripting Language to AI Powerhouse: How BoxLang Is Redefining JVM Development (#97)
MAY 30, 2026
BoxLang is a modern dynamic JVM language built for rapid application development. It's 100% Java-interoperable, compiles to JVM bytecode, and deployable anywhere from OS to AWS Lambda to Spring Boot. In this episode, we sit down with Luis Majano (CEO of Ortus Solutions and creator of BoxLang) and Cristobal Escobar (BoxLang community manager) to dig into the wave of innovation that has hit the platform over the past few months.

We cover the BoxLang AI v3 release, a major overhaul that ships multi-agent orchestration with parent-child hierarchies, an AI Skills system based on Anthropic's open standard, MCP server integration (both consuming and serving), a composable middleware layer with six built-in classes including a FlightRecorder for deterministic CI testing, and a unified API spanning 17 AI providers. Luis and Cristobal walk us through the highlights of a 7-part BoxLang AI deep dive series, covering tools, memory systems & RAG, streaming, middleware, and MCP. We also touch on the BoxLang Spring Boot Starter, BoxLings (an interactive TDD/BDD learning platform), and TestBox 7's real-time streaming test runner.

Whether you're a Java developer curious about dynamic JVM languages, an AI engineer looking for a productive alternative to Python-based agent frameworks, or just want to see what the JVM ecosystem can do in 2026, this episode is for you.

Guests
Luis Majano
Foojay author page
LinkedIn
Cristobal Escobar
Foojay author page
LinkedIn

Links
On the BoxLang website:
BoxLang docs
BoxLang AI docs
BoxLang Academy
BoxLang for desktop applications
BoxLang Spring Boot Starter
BoxLings
Announcing MatchBox Open Beta: BoxLang, Now Running in New Places
Try BoxLang
On Foojay:
Overview of all recent BoxLang AI articles: Complete Guide to Building AI Agents
BoxLang AI v3 Has Landed
BoxLang AI Deep Dive series, Parts 1–7
How to Develop AI Agents Using BoxLang AI: A Practical Guide
Introducing the BoxLang Spring Boot Starter
Introducing BoxLings!
Introducing skills.boxlang.io — The Open Agent Skills Ecosystem for BoxLang & the Ortus World

Content
00:00 Introduction of topic and guests
01:17 What is BoxLang and how to use it
05:25 Multi-runtime (WASM) with MatchBox, based on Rust
07:00 Combining BoxLang with Spring Boot
10:40 The abstraction approach in BoxLang AI, compared with LangChain4j and others
14:18 Markdown skill files similar to Claude are also used in BoxLang AI
15:21 About the 7-part Foojay BoxLang Deep Dive posts series, agents, event-driven,...
19:28 BoxLang can be used for MCP server and client
23:01 Premium features in BoxLang and building a company on an open-source project
27:52 BoxLings, an interactive learning tool for BoxLang that teaches TDD and BDD
30:25 TestBox 7, real-time streaming test execution and a browser-based IDE
32:58 How to get started with BoxLang?
34:14 How the evolutions in the JVM and Java language influence BoxLang development
39:33 Which article to read first on Foojay about BoxLang?
43:27 More learning resources and ideas for the future and desktop development
48:05 Conclusions
49 MIN
Run 35 AWS Services Locally FREE: Floci, Quarkus and GraalVM-Powered, LocalStack Alternative (#96)
MAY 23, 2026
What if you could run 35 AWS services locally in under 25 milliseconds, using just 13 megabytes of memory, with a single Docker command and no cloud bill? That's exactly what Floci does.

In this episode, Frank Delporte talks with Hector Ventura, the creator of Floci, a free and open-source cloud emulator built with Quarkus and GraalVM native compilation. Hector walks us through why he built it when LocalStack dropped its open-source community edition, how AI tooling helped him accelerate development of new service integrations, the challenges of keeping GraalVM happy with third-party libraries, and the road ahead for Azure and GCP support.

If you're a developer who wants fast local testing, a DevOps engineer writing Terraform, or a student learning cloud without the cost, Floci is worth a look!

Guest: Hector Ventura
Foojay Author page
LinkedIn

Links
On Foojay: Introducing Floci: A High-Performance, GraalVM-Powered AWS Emulator
Floci project site
Floci on GitHub
Migrate from LocalStack

Content
00:00 Introduction of topic and guest
01:48 What is Floci?
02:15 How Floci compares to LocalStack
03:01 Why Hector started Floci
04:02 Floci emulates the cloud APIs
05:02 How additional services got integrated with AI assistance
06:31 Meaning of the name Floci
07:07 Why Quarkus and GraalVM as the starting point for Floci
09:35 How Floci starts up very fast and only uses a low amount of memory
12:18 GraalVM can be hard with some libraries or frameworks
14:02 What is needed to use Floci
14:56 The challenges to support AWS, Azure, GCP and finding contributors
20:24 Funding Floci
21:04 How data is persisted in Floci
22:37 Verifying Floci versus the "real" APIs with compatibility tests
23:56 In the future: UI for Floci
25:04 Biggest challenges while creating Floci
25:32 Functionality compared between Floci and LocalStack and migrating
28:15 Feedback from the Floci users
28:58 Long-term plans for Floci
29:59 Biggest surprises during the development of Floci
31:00 Best use-cases for Floci
32:12 In the next releases...
33:31 How to get started with Floci
35:00 Conclusion
36 MIN
Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)
MAY 9, 2026
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond.

Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall.

Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.

A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.

Steve Poole
LinkedIn
Foojay Author profile
Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
Why Java Developers Over-Trust AI Suggestions

David Welch
LinkedIn

Content
00:00 Introduction of topics and guests
04:00 What are Zombie dependencies?
05:36 What are CVEs?
11:39 How Mythos and other AI tools are influencing the CVE reporting process
16:53 How CVEs in the Java runtime are handled
21:30 How the industry is looking at the increased security threats
30:17 Developers need to make better decisions "the first time" and use the right tools
31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...
44:48 How "safe" is Maven Central compared to other repository systems
50:48 What you can do as a Java developer to make your apps safer
59:01 Should we be scared for the following years and be careful with vibe coding?
01:04:27 Conclusion
65 MIN