Episodes

  • Testing the Untestable: LLM Security for Java Developers with Tiberius (#99)
    Jun 20 2026

    Your Java AI application is live in production. But have you tested whether it can be jailbroken, manipulated into revealing its system prompt, or tricked into printing content it should never output?

    In this episode, Iryna Dohndorf, Software Engineer at Karakun Group and creator of Tiberius, explains how to bring security testing to LLM-powered Java applications. We cover why traditional unit tests break down with non-deterministic systems, how the Scan-Fixture-Validate workflow works, what buff mutation testing is, and why even well-trained models can be cracked with something as simple as the grandmother attack.

    Topics include:

    • Why LLM non-determinism breaks the classic input/output test model
    • The Scan-Fixture-Validate principle and sharing test artifacts across teams
    • Prompt injection, jailbreaks, and emotional manipulation attacks
    • Buff mutation: testing linguistic surface coverage
    • Probabilistic security contracts and multi-trial scans
    • Fingerprinting and why your model choice should not be detectable
    • LLM as a judge: using a second model as a guardrail
    • Getting started with Tiberius in Spring Boot and LangChain4j

    Guest
    Iryna Dohndorf - Software Engineer at Karakun Group
    LinkedIn

    Links
    Article on Foojay
    Tiberius on GitHub
    Security Testing Guide

    Timestamps
    00:00 Introduction of topic and guest
    01:05 The problem Tiberius wants to solve
    06:39 How "traditional" unit tests don't work for LLM integrations
    10:23 Scan-Fixture-Validate principle and sharing artifacts
    15:15 Using different skills, for example, the grandmother skill
    17:33 Testing for required versus forbidden bias
    19:35 The probes across nine attack categories used by Tiberius
    20:44 Buff mutation testing
    26:55 Using Tiberius in your pipelines and when to fail
    29:35 Using multi-trial scans
    31:14 Fingerprinting: which model you use, should not be detectable
    32:55 Combining multiple models, model as a judge
    34:41 Sharing JSON models to improve tests
    36:05 How to get started with Tiberius in Spring and with LangChain4j
    36:41 Quarkus not supported yet, plans for the future
    39:07 Conclusions and a call out to everyone to become a Foojay author

    Show More Show Less
    42 mins
  • The End of JNI Pain: How WebAssembly Is Quietly Replacing Native Libraries in Java (#98)
    Jun 13 2026

    WebAssembly is already running inside Java applications, but most developers just don't know it yet.

    In this episode, Andrea Peruffo walks us through how WebAssembly is becoming the modern, safe alternative to JNI. Run Rust, C, and other native libraries directly on the JVM, without the crash risks, per-platform packaging headaches, or the observability blackhole that JNI creates.

    From JRuby's Prism parser to SQLite and full Postgres running as pure Java bytecode, the use cases are real. And the project making it possible, Endive, under the Bytecode Alliance, is open and ready to explore.

    Guest

    Andrea Peruffo

    • GitHub: https://github.com/andreaTP/
    • LinkedIn: https://www.linkedin.com/in/andrea-peruffo-32269178/
    • Bluesky: https://bsky.app/profile/andreatp.bsky.social

    Links


    • A New Generation of Java Libraries: Wasm Becomes the Implementation Detail

    • Chicory on GitHub

    • Endive on GitHub

    • Endive documentation

    • Bytecode Alliance

    • OpenJDK Project Detroit

    Timestamps
    00:00 Introduction of topic and guests
    00:56 What is WebAssembly?
    03:35 Comparing the performance with JavaScript
    05:45 JRuby already uses WebAssembly
    09:04 JNI versus FFM API versus WebAssembly
    13:58 Other Java-related tools that use WebAssembly
    17:56 History of the Chicory and Endive projects to bring WebAssembly to Java
    21:03 Projects of the Bytecode Alliance
    22:02 The Endive project as the glue to bring WebAssembly tools to Java
    23:30 Integration of the Redline compiler
    28:59 Why this is the perfect solution to modernize existing Java applications
    31:18 Is this approach performant?
    32:24 What future changes in Java and the JVM will make this even better
    35:04 How Endive can be used in AI development
    37:28 What to expect in Endive
    41:29 Conclusions

    Show More Show Less
    44 mins
  • From Scripting Language to AI Powerhouse: How BoxLang Is Redefining JVM Development (#97)
    May 30 2026
    BoxLang is a modern dynamic JVM language built for rapid application development. It's 100% Java-interoperable, compiles to JVM bytecode, and deployable anywhere from OS to AWS Lambda to Spring Boot. In this episode, we sit down with Luis Majano (CEO of Ortus Solutions and creator of BoxLang) and Cristobal Escobar (BoxLang community manager) to dig into the wave of innovation that has hit the platform over the past few months.We cover the BoxLang AI v3 release, a major overhaul that ships multi-agent orchestration with parent-child hierarchies, an AI Skills system based on Anthropic's open standard, MCP server integration (both consuming and serving), a composable middleware layer with six built-in classes including a FlightRecorder for deterministic CI testing, and a unified API spanning 17 AI providers. Luis and Cristobal walk us through the highlights of a 7-part BoxLang AI deep dive series, covering tools, memory systems & RAG, streaming, middleware, and MCP. We also touch on the BoxLang Spring Boot Starter, BoxLings (an interactive TDD/BDD learning platform), and TestBox 7's real-time streaming test runner.Whether you're a Java developer curious about dynamic JVM languages, an AI engineer looking for a productive alternative to Python-based agent frameworks, or just want to see what the JVM ecosystem can do in 2026, this episode is for you.GuestsLuis MajanoFoojay author pageLinkedInCristobal EscobarFoojay author pageLinkedInLinksOn the BoxLang website:BoxLang docsBoxLang AI docsBoxLang AcademyBoxLang for desktop applicationsBoxLang Spring Boot StarterBoxLingsAnnouncing MatchBox Open Beta: BoxLang, Now Running in New PlacesTry BoxLangOn Foojay:Overview of all recent BoxLang AI articles: Complete Guide to Building AI AgentsBoxLang AI v3 Has LandedBoxLang AI Deep Dive series, Parts 1–7How to Develop AI Agents Using BoxLang AI: A Practical GuideIntroducing the BoxLang Spring Boot StarterIntroducing BoxLings!Introducing skills.boxlang.io — The Open Agent Skills Ecosystem for BoxLang & the Ortus WorldContent00:00 Introduction of topic and guests01:17 What is BoxLang and how to use it05:25 Multi-runtime (WASM) with MatchBox, based on Rust07:00 Combining BoxLang with Spring Boot10:40 The abstraction approach in BoxLang AI, compared with LangChain4j and others14:18 Markdown skill files similar to Claude are also used in BoxLang AI15:21 About the 7-part Foojay BoxLang Deep Dive posts series, agents, event-driven,...19:28 BoxLang can be used for MCP server and client23:01 Premium features in BoxLang and building a company on an open-source project27:52 BoxLings, an interactive learning tool for BoxLang that teaches TDD and BDD30:25 TestBox 7, real-time streaming test execution and a browser-based IDE32:58 How to get started with BoxLang?34:14 How the evolutions in the JVM and Java language influence BoxLang development39:33 Which article to read first on Foojay about BoxLang?43:27 More learning resources and ideas for the future and desktop development48:05 Conclusions
    Show More Show Less
    49 mins
  • Run 35 AWS Services Locally FREE: Floci, Quarkus and GraalVM-Powered, LocalStack Alternative (#96)
    May 23 2026

    What if you could run 35 AWS services locally in under 25 milliseconds, using just 13 megabytes of memory, with a single Docker command and no cloud bill? That's exactly what Floci does.


    In this episode, Frank Delporte talks with Hector Ventura, the creator of Floci, a free and open-source cloud emulator built with Quarkus and GraalVM native compilation. Hector walks us through why he built it when LocalStack dropped its open-source community edition, how AI tooling helped him accelerate development of new service integrations, the challenges of keeping GraalVM happy with third-party libraries, and the road ahead for Azure and GCP support.


    If you're a developer who wants fast local testing, a DevOps engineer writing Terraform, or a student learning cloud without the cost, Floci is worth a look!


    Guest: Hector Ventura

    Foojay Author page

    LinkedIn


    Links

    On Foojay: Introducing Floci: A High-Performance, GraalVM-Powered AWS Emulator

    Floci project site

    Floci on GitHub

    Migrate from LocalStack


    Content

    00:00 Introduction of topic and guest

    01:48 What is Floci?

    02:15 How Floci compares to LocalStack

    03:01 Why Hector started Floci

    04:02 Floci emulates the cloud APIs

    05:02 How additional services got integrated with AI assistance

    06:31 Meaning of the name Floci

    07:07 Why Quarkus and GraalVM as the starting point for Floci

    09:35 How Floci starts up very fast and only uses a low amount of memory

    12:18 GraalVM can be hard with some libraries or frameworks

    14:02 What is needed to use Floci

    14:56 The challenges to support AWS, Azure, GCP and finding contributors

    20:24 Funding Floci

    21:04 How data is persisted in Floci

    22:37 Verifying Floci versus the "real" APIs with compatibility tests

    23:56 In the future: UI for Floci

    25:04 Biggest challenges while creating Floci

    25:32 Functionality compared between Floci and LocalStack and migrating

    28:15 Feedback from the Floci users

    28:58 Long-term plans for Floci

    29:59 Biggest surprises during the development of Floci

    31:00 Best use-cases for Floci

    32:12 In the next releases...

    33:31 How to get started with Floci

    35:00 Conclusion

    Show More Show Less
    36 mins
  • Is Your Java App Actually Secure, Or Does It Just Look That Way? (#95)
    May 9 2026

    Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond.

    Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall.

    Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you.

    A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.


    Steve Poole

    • LinkedIn
    • Foojay Author profile
    • Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem
    • Why Java Developers Over-Trust AI Suggestions


    David Welch

    • LinkedIn


    Content

    00:00 Introduction of topics and guests
    04:00 What are Zombie dependencies?
    05:36 What are CVEs?
    11:39 How Mythos and other AI tools are influencing the CVE reporting process
    16:53 How CVEs in the Java runtime are handled
    21:30 How the industry is looking at the increased security threats
    30:17 Developers need to make better decisions "the first time" and use the right tools
    31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...
    44:48 How "safe" is Maven Central compared to other repository systems
    50:48 What you can do as a Java developer to make your apps safer
    59:01 Should we be scared for the following years and be careful with vibe coding?
    01:04:27 Conclusion

    Show More Show Less
    1 hr and 6 mins
  • More Than a Blog: How Foojay Connects, Sustains, and Evolves the Java Community (#94)
    May 2 2026
    Foojay.io, the website for the Friends of OpenJDK, is turning six years old. To celebrate, Frank Delporte headed to JCON in Cologne, Germany, and sat down with twelve members of the Java community to talk about what Foojay means to them, what they learn from each other, and how the community is evolving.Foojay is more than a blog. It is a Mastodon server, a Slack community, the Disco API, a book on sustainability, a podcast, and now an education catalog. Six years in, it is still growing, still community-driven, and still very much a place where anyone who works with Java is welcome.00:00 Introduction02:16 Sharat Chandarhttps://www.linkedin.com/in/sharatchander/Java community and historyWhat you can learn from conferences and articles05:37 Markus Westergrenhttps://www.linkedin.com/in/markuswestergren/https://foojay.io/sustainability-for-java-developers/https://foojay.io/today/join-slack-com-t-foojay-signup/Book "Sustainability for Java Developers"How to "sustain yourself" in this strange-AI-changing-world09:46 Iryna Dohndorfhttps://www.linkedin.com/in/iryna-dohndorf/https://foojay.io/today/author/iryna-dohndorf/Mentoring about sustainability as a developer + groundness + robustness skillsHigh performance without crushing your soul13:59 René Schwietzkehttps://www.linkedin.com/in/reneschwietzke/https://foojay.io/today/the-curious-case-of-different-runtimes-with-different-training-data-jit/Diving deep into the runtime, JITWatchAbout the broad mix of topics handled on Foojay18:28 Gerrit Grunwaldhttps://www.linkedin.com/in/gerritgrunwald/ https://foojay.io/today/author/gerrit-grunwald/https://foojay.io/today/disco-api-helping-you-to-find-any-openjdk-distribution/https://sdkman.io/The Disco API, the source with all the available OpenJDK distributions, is used by SDKMAN, Gradle, and many other toolsAbout the many distributions that are available, even ones that are mainly (and only) used in Asia27:45 Catherine Edelveishttps://foojay.io/today/author/catherine-edelveis/https://www.youtube.com/watch?v=Ytdo8OGEYFIhttps://foojay.io/today/which-java-runtime-should-you-use-in-production-comparing-openjdk-distributions/Reducing Docker sizes improves security and performanceMany distributors provide builds of OpenJDK31:16 Jago de Vreedehttps://foojay.io/today/author/jago-de-vreede/About the Java community and the place of Foojay in it. What is good, what are we missing?SDKMAN, creating an UI for it, and using the many OpenJDK distributions35:05 Annelore Eggerhttps://www.linkedin.com/in/anneloredev/https://foojay.io/?s=eggerJava community, conference volunteering, mentoringHow to become a conference speakerLearn by teaching38:03 Buhake Sindihttps://www.linkedin.com/in/buhake-sindi/https://foojay.io/today/author/buhake-sindi/https://github.com/langchain4j/langchain4j-cdiJakarta EE, LangChain4J CDI, Agent to AgentImpact of AI on developer life and sustainability44:03 François Martinhttps://www.linkedin.com/in/fran%C3%A7oismartin/https://foojay.io/today/author/francois-martin/https://foojay.io/today/eliminating-flaky-tests-to-end-world-hunger/https://foojay.io/today/five-ways-to-use-gradle-enterprise-to-identify-and-manage-flaky-tests/Learn from mentoring, for example, how to earn from opensourceFoojay author, just published an article about Flaky tests48:18 Dominika Tasarz-Sochackahttps://www.linkedin.com/in/dominikatasarz/https://foojay.io/today/author/dominika-tasarz/https://foojay.io/today/join-slack-com-t-foojay-signup/https://foojay.io/today/how-to-submit-your-next-article-on-foojay-io/The future of Foojay, how can we get the community even more involvedWhat you can learn from the community51:18 Geertjan Wielengahttps://www.linkedin.com/in/geertjanwielenga/https://education.foojay.social/Java communities are everywhereHow Foojay started and grewHow can contributing to the community influence your career58:15 Conclusion
    Show More Show Less
    1 hr
  • Update Your JDK, Read More Code, and Talk to Your Users: Interviews From VoxxedDays Amsterdam (#93)
    Apr 11 2026
    In this episode of the Foojay Podcast, we're bringing you something special: a full batch of hallway-track conversations recorded live at VoxxedDays Amsterdam.Fifteen guests, one conference, and one theme that kept coming back, whether we planned it or not: Java has grown up quietly, steadily, and in ways that still surprise people who haven't looked lately. We talked about migrating between versions, new features in the latest Java releases, authorization done right, AI-assisted coding, cryptography, containers, open-source contributions, GDPR data experiments, and, yes, the things people hate about Java but secretly love.I spoke with Ko Turk, who organized this very conference, Johannes Bechberger, Lutske de Leeuw, Aicha Laafia, Marit van Dijk, Adele Carpenter, Patrick Baumgartner, Sohan Maheshwar, Jeroen Egelmeers, Erwin Manders, Alexander Shopov, Maarten Verburg, Arjan Tijms, Joost Kaan, and Stephan Janssen.That's a lot of people. That's a lot of opinions. And somehow, they mostly agree: update your JDK, read your code, and please talk to your actual users.Content00:00 Introduction00:30 Ko Turkhttps://www.linkedin.com/in/ko-turk-b271b929/Organizer of VoxxedDays AmsterdamMigrating between Java versions02:25 Johannes Bechbergerhttps://www.linkedin.com/in/johannes-bechberger/Java is boring, and that's why it's brilliantJava 26 test it, but not in productionJFR improvements in the latest versions06:28 Lutske de Leeuwhttps://www.linkedin.com/in/lutske/Volunteer at the conferenceJava is boring, and that's why it's brilliantJava 5 till 26 evolutions10:35 Aicha Laafiahttps://www.linkedin.com/in/aicha-laafia-0266a6126/Lambda stream gatherers in Java 25Simpler and more fun codeUpdate your JDK!16:16 Marit van Dijkhttps://www.linkedin.com/in/maritvandijk/Fun in coding, write Java the playful wayJava evolutions and how writing code has evolvedImportance of code reading with AI-assisted coding22:04 Adele Carpenterhttps://www.linkedin.com/in/adele-carpenter-a988623a/The things I hate about Java, but actually love it27:37 Patrick Baumgartnerhttps://www.linkedin.com/in/patbaumgartner/Organizing VoxxedDays ZurichSpring Boot optimizationUsing Buildpacks to create better containers35:02 Sohan Maheshwarhttps://www.linkedin.com/in/sohanmaheshwar/Authorization, the good wayJWT is a bad idea38:34 Jeroen Egelmeershttps://www.linkedin.com/in/jegelmeers/https://craftingaiprompts.org/documentation/se-framework/craft-frameworkAI, prompt engineering, agentic programmingThe CRAFT Framework: Orchestrating Agentic FlowThe importance of interacting with your end-users43:32 Erwin Mandershttps://www.linkedin.com/in/erwinman/Cryptography, digital signatures, and securing data and messagesComparing Kotlin and Java45:12 Alexander Shopovhttps://www.linkedin.com/in/alshopov/Developer at UberComparing different languages: Java, Python, GoHow Java is modernizing by learning from other languages49:18 Maarten Verburghttps://www.linkedin.com/in/maartenverburg/Using your own GDPR data for fun experimentsComparing early Java with the current statusJava Streams the most important change52:35 Arjan Tijmshttps://www.linkedin.com/in/arjantijms/https://omnifish.ee/Jakarta Faces, Security, Authentication and Authorization, EE,...Jakarta specs are used in SpringHow Java evolved and is still evolvingHow can you contribute to opensource59:55 Joost Kaanhttps://www.linkedin.com/in/joost-kaan/What you can learn at a conference, besides the expected language-related talksAI influences on the developer workContributing to the Java community, AI user group01:03:52 Stephan Janssenhttps://www.linkedin.com/in/stephanjanssen/https://geniebuilder.ai/The importance of the "Hallway Track" where you can chat with like-minded peopleUsing AI-assisted spec-driven codingTalking to your end-user becomes more important than ever01:09:00 Conclusion
    Show More Show Less
    1 hr and 9 mins
  • Java 26 Is Here: What's New, What's Gone, and Why It Matters in 2026 (#92)
    Mar 14 2026
    Welcome to another episode of the Foojay Podcast! In this episode, we're talking about Java 26, released on March 17 in the year 26. Again, right on schedule with Java's six-month release cadence.Now, Java 26 is not a Long Term Support (LTS) release; that was Java 25. But don't let that fool you into thinking there's nothing interesting here. This release brings ten JDK Enhancement Proposals (JEPs). They cover everything from performance improvements to long-overdue cleanups. Of those ten JEPS, five are new features, and we also get five preview/incubator features.GuestsSimon Ritterhttps://www.linkedin.com/in/siritter/Loïc Mathieuhttps://www.linkedin.com/in/lo%C3%AFc-mathieu-475b144/Content00:00 Introduction of topic and guests01:35 Differences between Long and Short Term Support05:10 Which Java versions are used by companieshttps://foojay.io/today/foojay-podcast-90-highlights-of-the-java-features-between-lts-21-and-25/07:54 Internal changes and improvements in release 26, highlighting UUIDv7 supporthttps://foojay.io/today/java-26-whats-new/12:02 JEP 500: Prepare to Make Final Mean Final13:24 JEP 526: Lazy Constants (Second Preview)16:12 JEP 517: HTTP/3 for the HTTP Client APIhttps://en.wikipedia.org/wiki/HTTP/3https://en.wikipedia.org/wiki/QUIC18:48 JEP 504: Remove the Applet API20:52 JEP 524: PEM Encodings of Cryptographic Objects (Second Preview)21:59 JEP 516: Ahead-of-Time Object Caching with Any GChttps://openjdk.org/projects/leyden/https://docs.azul.com/prime/analyzing-tuning-warmuphttps://foojay.io/today/faster-java-warmup-crac-versus-readynow/25:30 JEP 522: G1 GC: Improve Throughput by Reducing SynchronizationTrash Talk - Exploring the JVM memory management by Gerrit Grunwald28:04 JEP 525: Structured Concurrency (Sixth Preview)https://openjdk.org/projects/loom/31:09 JEP 529: Vector API (Eleventh Incubator)https://openjdk.org/projects/panama/https://openjdk.org/projects/valhalla/34:59 When do JEPs get selected to be included in a releasehttps://openjdk.org/projects/jdk/26/https://openjdk.org/projects/jdk/27/38:03 JEP 530: Primitive Types in Patterns, instanceof, and switch (Fourth Preview)https://openjdk.org/projects/amber/Java Puzzlers talk by Simon42:14 Do we need "Carrier Classes"?Amber mailing list: Data Oriented Programming, Beyond RecordsJVM Weekly newsletter by Artur Skowroński44:38 What changes does Java need for the AI world?JEP DRAFT 8361105: Code reflection (Incubator)https://openjdk.org/projects/babylon/https://www.tornadovm.org/47:53 Remarkable numeric facts about releases48:30 Conclusion
    Show More Show Less
    50 mins