These industry leaders bring a wealth of knowledge and experience in Application Security, and we are excited to have them share their insights and spicy opinions with us.
Tanya Janca
Head of Education & Community @ Semgrep
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’. She is also the Head of Education and Community at Semgrep, sharing content and training that revolve around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty-seven years, has won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger and podcaster, and has delivered hundreds of talks on six continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Kim Wuyts
Manager Cyber & Privacy @ PwC
Dr. Kim Wuyts is a leading privacy engineering expert with over 15 years of experience in security and privacy. Before joining PwC as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven, where she led the development and extension of LINDDUN, a popular privacy threat modeling framework. Her mission is to raise privacy awareness and get organizations to embrace privacy engineering best practices. She is a guest lecturer, experienced speaker, and invited keynote speaker at international privacy and security conferences such as OWASP Global AppSec, RSA, Troopers, CPDP, and IAPP DPC.
Kim is also a co-author of the Threat Modeling Manifesto, program co-chair of the International Workshop on Privacy Engineering (IWPE), and a member of ENISA’s working group on Data Protection Engineering.
Cassie Crossley
VP Supply Chain Security @ Schneider Electric
Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development. She has many years of business and technical leadership experience in supply chain security, cybersecurity, product/application security, software/firmware development, program management, and data privacy. Cassie has designed frameworks and operating models for end-to-end security in software development lifecycles, third-party risk management, cybersecurity governance, and cybersecurity initiatives.
Akira Brand
AppSec Engineer and DevRel consultant
Akira is an AppSec Engineer and DevRel consultant. She delights in the dance between security and software development and is on a mission to enable software developers to integrate security into their day-to-day practices. One of her favorite hobbies is introducing developers to the cybersecurity world in a way that relates to their lives, not the lives of the security team. For fun, she’s turning her lawn into a pollinator habitat and food forest.
Chris Romeo
CEO and Co-Founder @ Devici
Chris Romeo is a leading voice and thinker in application security and threat modeling, the CEO of Devici, and a General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer. Chris has been a startup founder multiple times and was Cisco's Chief Security Advocate. Chris has twenty-seven years of security industry experience spanning multiple disciplines, including application security, security engineering, incident response, and various executive roles.
Dustin Lehr
Co-founder @ Katilyst Security
Before shifting into cybersecurity leadership, Dustin Lehr spent 13 years as a software engineer and application architect in a variety of industries, including retail, the US DoD, and even video games. This background has helped him forge close partnerships with development teams, engineering leaders, and security professionals to design programs that maximize engagement. He is currently the Co-Founder and Chief Solutions Officer at Katilyst, which assists companies with culture change through security champion programs. He founded and co-leads the global virtual open discussion meetup "Let's Talk Software Security!" and authored the free Security Champion Program Success Guide.
Jacob Salassi
Co-Founder @ stealth-mode startup, former Director of Product Security @ Snowflake
Jacob Salassi is the co-founder of a stealth-mode startup and former Director of Product Security at Snowflake. At Snowflake, Jacob led the pre- and post-IPO transformation from a bottlenecked, security-engineer-centric process that slowed teams down to a developer-owned security process that ships features faster and more securely. His teams there handled security architecture, software security assurance, software engineering, threat detection, incident response, and vulnerability research for the Snowflake product. Jacob is an active member of the application security and threat modeling communities, and his team is known for its industry-leading approach to modeling threats.
Mel Reyes
Global CIO & CISO turned Executive Coach & Advisor, Creator @ The Fellowship of Digital Guardians
Mel is a seasoned technology executive with nearly 30 years of experience building high-performing teams that drive quantifiable results for global enterprises, startups, and non-profit organizations. As a CIO and CISO, Mel has navigated the IT drama, managing application development, eCommerce, backend data integration, and global compliance with a focus on security, infrastructure, and fraud management. As a "Chaos to Order" enterprise security and information technology leader, Mel has been through four startups, two IPOs, three M&As, two divestitures, three financial services institutions, three media agencies, and a five-year CPG contract with Pepsi, and has worked in the manufacturing sector as well as at T-Mobile, Lowe's, Priceline, Publicis Groupe, and Omnicom agencies.
Ariel Shin
Security Engineering Manager @ Datadog
Ariel is a Security Engineering Manager at Datadog and a former Product Security Manager at Twilio. She was instrumental in shaping the Product Security program at Twilio and promoting a heightened sense of security awareness within the engineering organization. Through her empowering approach to security, Ariel led the charge in democratizing vulnerability management, an initiative that yielded significant risk reduction across the entire company. Her efforts contributed significantly to fortifying Twilio's security posture, making her a respected voice in the product security field.
Alina Yakubenko
Senior Application Security Engineer @ Toast, Inc.
Alina, Senior Application Security Engineer at Toast, Inc. and a former developer and QA engineer, is dedicated to empowering developers by integrating security into everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications.
Aravind Sreenivasa
Manager, Application Security @ SeatGeek
Aravind Sreenivasa is Application Security Manager at SeatGeek and a former Application Security Engineer at DocuSign. He started his career as a software developer and transitioned to security after obtaining a graduate degree in computer science. Aravind is passionate about making security developer-friendly and integrating security with the software development process.
James Berthoty
Founder @ Latio Tech
James Berthoty has been in technology for over 10 years across engineering and security roles. An early advocate for DevSecOps, he has a passion for driving security teams as contributors to product, and he built Latio Tech to help connect people with the right products. He lives in Raleigh, NC with his wife and three children, and is pursuing a PhD in philosophy.
Sandesh Mysore Anand
Co-founder @ Seezo.io, former Head of Security @ Razorpay
As the co-founder of Seezo, Sandesh is trying to solve cybersecurity challenges using generative AI. Before this, Sandesh spent a decade in various cybersecurity roles, including as Head of Security at Razorpay.
Antoine Carossio
Co-Founder and CTO @ Escape
Antoine is co-founder and CTO of Escape. He is a former security engineer and penetration tester at the French National Secret Agency and at Apple. He is one of the maintainers of Clairvoyance and the co-author of GraphQL Armor.
Amit Bismut
Head of Product @ Backslash Security
Amit Bismut is the Head of Product Management at Backslash Security, leveraging extensive cybersecurity experience. Amit's focus is on cloud and application security, having held previous product management roles at Aqua Security and Radware. In his spare time, Amit enjoys playing the guitar, spending time with his family, and baking.
Ran Ne'man
VP Product Management @ BeyondTrust (Entitle)
Ran is an innovation-driven expert in cloud services for cybersecurity, fraud, and identity, with over 25 years of experience in start-up companies, NASDAQ-traded enterprises, and government agencies.
Swan Beaujard
Security Software Engineer @ Escape
Swan is a security software engineer at Escape, specializing in DAST and threat intelligence. He is a core contributor to open-source projects focused on GraphQL security and reverse engineering. Swan is also passionate about machine learning.
Tristan Kalos
CEO @ Escape
Tristan Kalos, co-founder and CEO at Escape, draws from a background as a software engineer and Machine Learning Researcher at UC Berkeley. Motivated by firsthand experience witnessing a client’s database stolen through an API in 2018, he has since become an expert in API security, helping security engineers and developers worldwide build secure applications. He is an experienced keynote and conference speaker, presenting at Forum InCyber, Platform Summit, APIdays, GraphQL conf, and other international software development and cybersecurity conferences.
Jeevan Singh
Director of Security Engineering @ Rippling
Jeevan Singh is the Director of Security Engineering at Rippling, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a wide variety of tasks, including architecting security solutions, working with development teams to resolve security vulnerabilities, and building out security features. Before life in the security space, Jeevan held a wide variety of development and leadership roles over the past 15 years.
Kyle Kelly
Tech Lead Supply Chain Security Research @ Semgrep
Kyle is the Tech Lead for Supply Chain Security Research at Semgrep and the founder of the CramHacks newsletter. With a background in consulting and research, he specializes in supply chain security, using his expertise to shape the insights he shares. Through CramHacks, Kyle is dedicated to empowering readers to actively engage in improving the cybersecurity landscape and deepening the analysis of software security within supply chains.
Munawar Hafiz
CEO @ OpenRefactory
Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that intends to improve the way developers write secure, reliable and compliant code. Munawar's body of work on automated bug fixing in academia laid the foundation for OpenRefactory. He is a champion of pushing SAST bug detection tools toward better precision and of introducing code rewriting capabilities to fix bugs automatically.
Anmol Agarwal
Senior Security Researcher @ Nokia
Dr. Anmol Agarwal is a senior security researcher who specializes in AI security. She works on using AI for security as well as securing AI. Dr. Agarwal is also an active speaker and has spoken at numerous events and conferences to educate the public about cybersecurity and data science concepts. She holds a doctoral degree in cybersecurity analytics, where her research focused on attacking machine learning models. In her free time, she enjoys mentoring others in the community and traveling.
Track 1 - General AppSec Topics
Explore what’s broken in AppSec and how to fix it. This track is full of bold insights and spicy takes that challenge the status quo.
Tanya Janca
Shifting Left Doesn’t Mean Anything Anymore
9:05 AM - 9:35 AM
Our job is to make the software more secure. It’s not to find all the bugs. It’s not to deploy tools. It’s not to spend money or write checks. It’s not to be frustrated with developers. It’s not to be “right”. It only matters if we reduce organizational risk. If we are not doing that, regularly and consistently, we are failing.
Kim Wuyts
Compliance is overrated
9:40 AM - 10:10 AM
Privacy has been gaining more attention since the GDPR and other data protection legislation started requiring organizations to invest in it. Where has that compliance run got us so far, and is it enough?
Cassie Crossley
Accountability in Application Development
10:15 AM - 10:45 AM
Developers are rarely given time to fix defects and vulnerabilities, so the products they create become more susceptible to attacks as the code ages. Why isn't more time given to teams for maintenance and improvements? Whose fault is it when a product is not maintained? This presentation challenges the topic of "duty of care" for application owners and developers.
Akira Brand
Mycelium as the Path: How the Fungi Kingdom Guides us Toward Resilience in Our Cyber Programs
10:50 AM - 11:20 AM
This talk is about cyber resilience in the face of emerging geopolitical, climate, and economic threats. Drawing inspiration from the fungi kingdom, this short course examines how the fantastical mushroom world informs us on effective communication, symbiosis with different departments, elegantly responding to stress, and repairing breached environments. Come hear the lessons of the earth to inform our cyber strategy and tactics. Gain a fresh perspective on how to draw inspiration from the natural environment and integrate it into your cyber organization.
Chris Romeo
Why the 'Secure by Design' pledge won't save us from AppSec failures
11:25 AM - 11:55 AM
Since the dawn of software, a simple goal has existed: make software resilient against threats and protect the personal information it stores. CISA has been at the forefront of Secure by Design, producing guidance, alerts, and a pledge. The problem with the pledge is that it won’t move our industry forward.
Real meaning exists through implementing secure and private by design with real products and applications. Examine tactics for designing software that incorporates a secure, private-by-design mindset and how to implement these tactics at scale. Then, discover how they converge with threat modeling as the vehicle for discovering and mitigating threats.
Walk away with an understanding of tactics for applying these concepts, best-practice tips for actionable threat modeling, and a roadmap for building a solid and successful threat modeling and secure and private by design program. Oh yeah, and why you can ignore the meaningless pledge.
Dustin Lehr
Building a Proactive Developer Security Culture - Can We Actually Make it Work?
12:00 PM - 12:25 PM
No, it's not enough to simply satisfy minimal "check the box" compliance requirements, react to incidents, or fix security vulnerabilities after they're in production. Focusing only on the "right side" of the process is a recipe for eventual disaster, and is ultimately costly to pursue. You need to focus on shifting habits and behaviors to proactively address issues long before they reach production. You need to build a culture that is full of security best practices: training, threat modeling, architecture reviews, and so on.
But HOW? In this talk, we'll discuss techniques for shifting your culture and motivating your employees to make the right choices by incentivizing and rewarding their behaviors. We'll focus on the "people" side, and use proven techniques from the fields of behavioral science and psychology to bring your awareness and appsec game to the next level. Security takes more than just tech, and this is the piece you've been missing to make a lasting difference in your company's security posture.
Jacob Salassi
Shift left sucks for SWEs: AppSec is a structured data problem
1:05 PM - 1:35 PM
If you think getting every single developer in your organization to threat model every single feature using a repeatable, easy, on-rails process could be a terrible idea: you're right. If you think appsec is fundamentally a structured data problem being approached as an unstructured train wreck: you're right. If you think these two problems might be related and there must be engineering solutions to them: you're right.
Panel:
Mel Reyes, Ariel Shin, and Alina Yakubenko
The Challenge of Scaling AppSec: Why It's Harder Than You Think
1:40 PM - 2:10 PM
Scaling AppSec is often seen as the ultimate solution to secure growing organizations, but the reality is much more complex. In this panel, seasoned experts from leading companies will discuss the often-overlooked challenges that make scaling security harder than it seems. From limited resources to the cultural obstacles within leadership and engineering teams, our speakers will share their opinions on what might work best in your organization. Discover what it really takes to build a scalable AppSec program and whether the pursuit of perfect scalability can be realistic.
Aravind Sreenivasa
My mistakes in building an AppSec team
2:15 PM - 2:45 PM
Most talks in security spaces are about best practices and cool new exploits. But most of the security journey is failing three times before succeeding once. Inspired by the failure resumes, I’ll share the mistakes I made while building my first security team. These mistakes occurred despite following security best practices to a fault and taking cognisance of every threat vector. I will be sharing the lessons these mistakes taught me so you can avoid them. This talk is about how I fell short of building the most effective security team in pursuit of the “best security team”.
Track 2 - Focus on AppSec Tools
This track is perfect for those who want to hear speakers' specific takes on different AppSec tooling. You can expect roasts of tools’ features, examples of nonsensical marketing, and of course, several mentions of how XYZ is dead.
James Berthoty
A future of Security free from CNAPP
9:05 AM - 9:35 AM
As cloud-native architectures grow more complex, the limitations of CNAPPs are becoming more obvious. Although CNAPPs promise comprehensive security through a unified platform, they often fall short, especially in delivering the detailed protections needed for environments like Kubernetes. This talk will look at the future of security beyond CNAPPs, suggesting that specialized point solutions can be more effective than all-in-one platforms. I'll dive into the key shortcomings of CNAPPs, particularly in runtime protection and developer integration, and show how in some cases targeted solutions can provide stronger, more adaptable security.
Panel:
Sandesh Mysore Anand, Antoine Carossio, and Amit Bismut
Can we actually measure the effectiveness of AI in cybersecurity?
9:40 AM - 10:10 AM
Feeling uneasy about AI taking over cybersecurity, or are you already relying on it too much? AI's promises sound incredible, but how can we really tell if it's living up to the hype and measure its real impact? In this expert panel, you'll hear from security, technical, and product leaders, each bringing a unique viewpoint to the table. They’ll tackle the challenges of evaluating AI performance in cybersecurity tools, discuss the metrics that matter, and share real-world successes and failures. Join us for a lively discussion on whether AI is truly enhancing application security.
Ran Ne'man
Is PAM Dead?! Long live Just-in-time Access!
10:15 AM - 10:45 AM
Let’s face it: PAM (AKA privileged access management) was built for the servers of circa 20 years ago. The cloud-native ecosystem has evolved significantly since its early days, in tandem with the increased sophistication of modern threat actors and the exploit landscape. This begs the question: why are organizations still protecting their most sensitive assets and accounts with access control that is optimized for legacy systems? In this talk we’ll walk through the evolution from on-prem to the modern cloud, focusing on the four core elements that impact your security posture when it comes to privileged cloud resources: connectivity, authentication, fine-grained authorization (FGA), and visibility.
We’ll demonstrate through real examples where PAM breaks down and just-in-time access comes in to level up your cloud security. We’ll wrap up with better practices when it comes to access control for modern cloud environments. You’ll come away from this session with practical ways to de-escalate unnecessary privileges, lower costs, reduce man-in-the-middle (MITM) exposure as well as single points of failure, and hopefully gain some peace of mind when it comes to your cloud security.
Swan Beaujard
DAST is dead, or is it?
10:50 AM - 11:20 AM
"DAST is dead." It’s a phrase that’s been making the rounds on social media, but what if 2024 is the year it becomes reality? For the past decade, DAST has been a cornerstone of application security testing, but it’s time to step aside for the next generation: Business Logic Security Testing. As the industry evolves, so do the challenges, and today’s most critical security issues go beyond what traditional tools can detect. Many security engineers remain skeptical that any tool can truly understand the business logic of applications. But why is mastering business logic security more important than ever? In this talk, I’ll explore exactly why, and how it can reshape your approach to application security.
Tristan Kalos
We have been doing API security wrong
11:25 AM - 11:55 AM
For the past decade, API security has centered around traffic monitoring, relying on deep integrations with applications, gateways, and reverse proxies. This approach overlooked a critical issue: API development within most enterprises is decentralized, leaving security teams unaware of how many APIs they need to secure, where those APIs are deployed, or their business criticality. As a result, adoption has been slow, coverage incomplete, and investments in API security difficult to gauge.
In this talk, I’ll explore why traditional approaches, such as API-centric DAST and runtime API protection, have failed to scale and deliver the expected results, and how shifting our overall AppSec strategy might improve the way enterprises secure their APIs.
Jeevan Singh
Most Security Tools are expensive paperweights: How to get your money’s worth
12:30 PM - 1:00 PM
Many organizations invest heavily in security tools that end up being costly and not useful. In this talk, we’ll explore why most security tools fail to deliver on their promises, focusing on issues like misalignment with real needs, poor integration, and ineffective utilization.
We’ll dissect common pitfalls that lead to wasted resources and reduced security effectiveness, using real-world examples to illustrate these failures. You’ll learn why your current tools might not be working as expected and how to address these challenges.
Finally, we’ll provide practical strategies to optimize your security tools, ensuring they integrate well into your existing systems and deliver tangible value. Discover how to turn these investments into powerful components of your security strategy.
Kyle Kelly
The Dumpster Fire of Software Supply Chain Security
1:05 PM - 1:35 PM
Buckle up for some hot takes as we dive into the frustratingly unclear world of software supply chain security. We’ll call out the tools that can’t properly identify components and spotlight ecosystems getting little to no love (looking at you, C/C++). Expect a deep dive into the glaring gaps in security disclosures for open-source software and the dismal rates of transparency across the board. We’ll also break down the confusing, overly complex, and completely unenforced vulnerability reporting processes that are leaving everyone exposed. If you thought supply chain security was under control, think again.
Munawar Hafiz
Our SAST Tools Have Failed Us
1:40 PM - 2:10 PM
Our SAST tools cannot detect critical bugs. Instead, they generate a lot of noise and waste our time. We have a gut feeling that the observations stated above are correct, but do we know exactly how bad the situation is? The SAST tools and the industry need to start talking about metrics that they have conveniently bypassed so far. Some suggested metrics are as follows: an account of false negatives and false positives against benchmark data, the percentage of false warnings on real applications, the percentage of reports that lead to an actionable security issue fix, the effectiveness of the remediation advice provided now, etc. In this talk, we will explore these metrics for leading SAST tools. We will identify the gaps that should be filled by SAST 2.0. SAST 1.0 is dead. Long live SAST 2.0!
Anmol Agarwal
AI in AppSec: Why We Need To Prioritize Security
2:15 PM - 2:45 PM
AI is now being used to enhance AppSec. It is a powerful tool for data analytics. While innovators are quick to adopt AI for its benefits, many tend to overlook the security concerns that AI brings. Unfortunately, discussions around AI security are often too high-level or complex for wider industry understanding. I’m here to explain why that is, and how we can change it.
In this presentation, you will learn why more importance needs to be placed on securing AI in AppSec, and strategies the audience can use to secure AI.
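The metrics Munawar Hafiz's abstract calls for (false negatives and false positives against benchmark data, the share of reports that lead to an actionable fix, and which critical bugs a tool missed) are cheap to compute once a benchmark carries labeled ground truth and the triage outcome of each report is recorded. The Python below is an added example written for this page; it is not code from the talk, from OpenRefactory, or from any SAST vendor. The benchmark cases, tool reports and triage outcomes are constructed for illustration, and `score_tool` and `compare_tools` are hypothetical names.

```python
"""Score SAST tools against a labeled benchmark and a triage log.

Each benchmark case is a code sample with known ground truth: either it
contains a real vulnerability (with a severity) or it is a clean look-alike
of a vulnerable pattern that a noisy tool tends to flag anyway.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Case:
    case_id: str
    vulnerable: bool                  # ground truth: is there a real bug?
    severity: Optional[str] = None    # "critical", "high", ... for real bugs


def _ratio(num: int, den: int) -> Optional[float]:
    """num/den, or None when the metric is undefined because den == 0."""
    return num / den if den else None


def score_tool(benchmark: Iterable[Case], reported: Set[str],
               triage: Dict[str, str]) -> dict:
    """Benchmark metrics plus the real-world 'did a report get fixed' rate.

    reported: case ids the tool flagged.
    triage:   case id -> "fixed" or "dismissed", per report, after review.
    """
    truth = {c.case_id: c for c in benchmark}
    unknown = set(reported) - truth.keys()
    if unknown:  # a report outside the benchmark cannot be scored
        raise ValueError(f"reports outside the benchmark: {sorted(unknown)}")

    tp = {cid for cid in reported if truth[cid].vulnerable}
    fp = set(reported) - tp
    fn = {cid for cid, c in truth.items() if c.vulnerable and cid not in reported}
    tn = sum(1 for cid, c in truth.items()
             if not c.vulnerable and cid not in reported)

    precision = _ratio(len(tp), len(tp) + len(fp))
    recall = _ratio(len(tp), len(tp) + len(fn))
    if precision is None or recall is None or precision + recall == 0:
        f1 = None
    else:
        f1 = 2 * precision * recall / (precision + recall)

    fixed = sum(1 for cid in reported if triage.get(cid) == "fixed")
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn), "tn": tn,
        "precision": precision, "recall": recall, "f1": f1,
        "false_positive_rate": _ratio(len(fp), len(fp) + tn),
        "actionable_rate": _ratio(fixed, len(reported)),
        "missed_critical": sorted(c for c in fn if truth[c].severity == "critical"),
    }


# Constructed benchmark (illustrative, not a real test suite): each vulnerable
# sample is paired with a sanitized twin that uses the same code pattern.
BENCHMARK = [
    Case("sqli-1", True, "critical"),
    Case("cmdi-1", True, "critical"),
    Case("xss-1", True, "high"),
    Case("path-1", True, "medium"),
    Case("sqli-1-sanitized", False),    # parameterized query, same shape
    Case("cmdi-1-allowlist", False),
    Case("xss-1-encoded", False),
    Case("path-1-canonical", False),
]

# Constructed tool output: ids each hypothetical tool reported.
REPORTS = {
    "tool_a": {"sqli-1", "cmdi-1", "xss-1", "sqli-1-sanitized", "cmdi-1-allowlist"},
    "tool_b": {"sqli-1", "sqli-1-sanitized", "cmdi-1-allowlist",
               "xss-1-encoded", "path-1-canonical"},
}

# Constructed triage log: what engineers did with each report.
TRIAGE = {
    "tool_a": {"sqli-1": "fixed", "cmdi-1": "fixed", "xss-1": "dismissed",
               "sqli-1-sanitized": "dismissed", "cmdi-1-allowlist": "dismissed"},
    "tool_b": {"sqli-1": "fixed", "sqli-1-sanitized": "dismissed",
               "cmdi-1-allowlist": "dismissed", "xss-1-encoded": "dismissed",
               "path-1-canonical": "dismissed"},
}


def compare_tools(benchmark=BENCHMARK, reports=REPORTS, triage=TRIAGE) -> dict:
    """Score every tool on the same benchmark so the numbers are comparable."""
    return {name: score_tool(benchmark, ids, triage.get(name, {}))
            for name, ids in reports.items()}


if __name__ == "__main__":
    for name, metrics in compare_tools().items():
        print(name, metrics)
```

Undefined metrics come back as `None` rather than as a misleading zero (a tool that reports nothing has no precision, only zero recall), and a report whose id is not in the benchmark raises instead of being silently dropped, so a tool cannot quietly improve its own score by emitting findings the benchmark does not cover.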