As the world marches forward into 2024, the ever-evolving realm of application and cloud security presents both pioneering prospects and intricate complexities. In September, the Melbourne AppSec and DevSecOps Summit stands as your indispensable gateway to navigate, negotiate, and nurture strategies in this ever-vital domain.

This paramount event brings together Australia’s top-tier software and security experts, offering profound insights into themes that shape the current application and cloud security panorama:

  • Software Supply Chain Risk: Delving into the risks associated with software sourcing and managing them proficiently.
  • Developer Training and Engagement: Cultivating an environment where developers are equipped, involved, and inspired.
  • Continuous Threat Modelling: Up-to-the-minute strategies for persistently evaluating and mitigating threats.
  • AI-Driven Software Assurance: Leveraging artificial intelligence for proactive software security.
  • Software Delivery Governance: Ensuring systematic and secure processes in software delivery pipelines.
  • App, Cloud, and Product Security: Comprehensive strategies for safeguarding today's digital assets.

Featuring a line-up of esteemed professionals and visionaries from the security sphere, the summit guarantees illuminating dialogues and unparalleled networking occasions. The insights and experiences shared will enable you to hone your security postures, fostering resilience and excellence in your establishment.

Unravel, unite, and uplift your security strategies at the Melbourne AppSec and DevSecOps Summit 2024. Boost your security prowess and be at the forefront of the application and cloud security revolution.

Fortify your security stance with precision. Register today!

Speakers

Bari Singh
General Manager - SE&IT, Strategy & Technology Transformation

Neha Malik
Head of Application Security

Steve Stojanovski
Head of Engineering

Tara Whitehead
Security Engagement Manager

Toby Amodio
Director and Government Cyber Delivery Lead

Seth Law
Founder, Principal Consultant

Cole Cornford
Founder & CEO

Matt Jones
Partner

Paul McCarty
Founder - SourceCodeRED & GitHax

Craig Dent
Senior Solutions Engineer

Vishal Ghariwala
Senior Director and CTO, Asia Pacific

Ken Johnson
Co-Founder & Podcast Host

9:00am

Arrival & Registration

9:10am

Welcome & Ice-Breaker Exercise

9:30am

Opening Keynote:
10 Lessons from 10 Years in AppSec

In this keynote, we dive into Cole's decade of AppSec experiences, highlighting the pivotal lessons learned and strategies developed to counter evolving cyber threats. The session will explore the transformation of AppSec practices in response to changing technologies and threat landscapes, emphasising the importance of an integrated, proactive security approach.

We will uncover the journey of AppSec evolution, from early reactive measures to today's sophisticated DevSecOps methodologies. This exploration will provide attendees with a comprehensive understanding of how to build resilient and adaptive security frameworks within their organisations. Key takeaways will focus on actionable insights, innovative trends, and practical strategies for enhancing application security.

Items to be covered include:

  • Understanding how application security has transformed over the last decade, including shifts in threats and technology advancements.
  • Key strategies for embedding security within the development lifecycle, highlighting collaboration between security and development teams.
  • Developing forward-thinking AppSec measures, focusing on risk assessment, continuous monitoring, and incident response to build a robust security environment.

Speaker:
Cole Cornford, Founder & CEO - Galah Cyber

9:50am

Keynote:
Policy at the Core: Infusing DevOps with Security

Policy as Code in DevSecOps is about treating security and compliance policies with the same level of automation, integration, and version control as application code. This approach helps organisations ensure that security and compliance requirements are consistently met throughout the software development and deployment lifecycle, reducing the risk of security misconfigurations and compliance violations for your applications.

  • Exploring how security and compliance policies can be integrated into DevOps practices using automation, to ensure consistent application across the software development lifecycle.
  • Discussing methods and tools for automating security and compliance checks within the CI/CD pipeline, minimising the risk of misconfigurations and violations.
  • Highlighting the importance of using version control for policy as code to facilitate collaboration among development, security, and operations teams, ensuring up-to-date and consistent enforcement of security standards.

Speaker:
Craig Dent, Senior Solutions Engineer - Snyk

10:20am

Panel:
Security Modernisation at Enterprise Scale

Building application security programs often starts with introducing new capabilities, training workforces, and introducing new ways of working. When working for a smaller institution, it's fairly easy to get traction when homogenous workloads and development infrastructure are the norm, and engineers are co-located in your offices. These assumptions break when working for large enterprises. Businesses need to manage a suite of disparate technologies, teams are distributed across regions and continents, and organisations aren't as nimble.

Our panel today discusses how to make lasting change and introduce modern security practices for these enterprise scales. You'll learn about delegated authority models, working across disparate feature sets and technologies, planning for legacy and heritage software uplifts, and more.

Panelists:
Steve Stojanovski, Head of Engineering - Belong
Neha Malik, Head of Application Security - REA Group
Bari Singh, General Manager - SE&IT, Strategy & Technology Transformation - Telstra

10:50am

Morning Tea & Networking

11:20am

Audience Activity:
The AppSec Scenario

In this innovative session, attendees will be presented with a series of scenarios they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action.

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

Will we collectively choose the right course of action?

11:40am

How I Solved...
Breaking Builds Without Breaking Hearts: the journey to building secure builds with SAST

Breaking builds with a quality gate in your SAST tool might sound like a terrible idea at first. We were skeptical too (except for one team member who thrives on a bit of chaos). AppSec continues to struggle with a bad reputation among product teams, who see us as blockers rather than enablers. Unfortunately, in some parts of the industry, this reputation is pretty well-deserved.

So, adding a significant technical block to our delivery teams would seem counterproductive, right? Wrong. Join us to learn about MYOB's journey to breaking builds without breaking hearts. Discover how we used change management techniques to drive cultural change within our organisation, and how you can do the same.

Speaker:
Tara Whitehead, Security Engagement Manager - MYOB

11:55am

How I Solved...
Secure by Design

Toby will talk through how to embed security by design into your development and delivery pipelines to make delivery cheaper, faster, and more secure.

Speaker:
Toby Amodio, Director and Government Cyber Delivery Lead - Fujitsu

12:15pm

How I Solved...
Securing Your K8S Workloads

Explore essential tactics and methodologies for enhancing security within Kubernetes environments, emphasising a strategy that integrates seamlessly with existing systems and workflows.

  • Highlight fundamental security practices tailored for Kubernetes, including efficient configuration management and robust access controls.
  • Discuss the integration of automated security measures that can promptly identify and mitigate risks without disrupting operations.
  • Cover basic principles of incident response in Kubernetes settings, focusing on rapid detection and streamlined response strategies to minimise impact.

Speaker:
Vishal Ghariwala, Senior Director & CTO, Asia Pacific - SUSE

12:30pm

Roundtable Discussions:

  1. Strategies for Integration of Security Practices in DevOps Workflows
  2. Advanced Strategies for API Security
  3. Strategies for Effective Container Security Frameworks
  4. Managing Software Supply Chain Risk
  5. Innovative Strategies for Securing Cloud Architecture
  6. Secure Code Training in the Age of AI Tools
  7. Starting and Growing your AppSec Program

1:25pm

Lunch & Exhibition

2:20pm

International Keynote:
AppSec: Origins to Innovations

Join Seth Law & Ken (“cktricky”) Johnson on a journey through the evolution of Application Security (AppSec) and what this means for our future. In this engaging talk, the duo will explore significant milestones in AppSec, starting from early research in the 1960s, the release of JavaScript in the mid-90s, the discovery of exploits such as SQL Injection, to the modern innovations that are reshaping the field today.

Key highlights include:

  • Historical Timeline: A detailed overview of notable markers in Application Security history, including the introduction of Agile, DevOps, OWASP, and more.
  • Tool Evolution: An examination of how security tools have evolved from basic DAST to sophisticated combinations of SAST, SCA, SBOM, and ASPM, including emerging trends in auto-threat modelling and auto-remediation.
  • Process Evolution: Insights into the changing strategies in prevention, testing, threat modelling, and training, highlighting the shift from security expert-driven processes to developer-focused and AI-assisted approaches.
  • Innovations in AI: A deep dive into the current capabilities and limitations of AI in AppSec, debunking common myths, and showcasing practical applications such as automated design reviews, threat modelling, and secure coding assistants.
  • Future Opportunities: A look at how roles in security are transforming, the potential for AI to enhance security practices, and the importance of adapting to new methodologies like "Shift Smart."

By understanding the past and embracing the future, we can better prepare for the evolving landscape of application security. This talk is a must-attend for anyone interested in the intersection of security, development, and innovation.

Speakers:
Ken Johnson, Co-Founder & Podcast Host - DryRun Security
Seth Law, Founder, Principal Consultant - Redpoint Security

2:45pm

Keynote:
A Tale of Adaptive Code-Assisted Security Testing

When conducting code-assisted security tests there are a lot of things to consider, from understanding the unique requirements and circumstances of the project itself, through to being up to speed and across the relevant technology stacks, threats, and best practices.

This talk will look at how we've invested in research and engineering to develop our own tooling and automation to help us scale, adapt, and evolve to meet the demands of performing security assessments for a mix of customers.

This talk will then provide demos of tools we've built and also community projects we find helpful, then finish on how you could also adopt these tools and approaches for your own products and processes.

Speaker:
Matt Jones, Partner - elttam

3:10pm

The Great Debate:
Is shift left dead?

Join industry experts to rigorously examine the relevance and effectiveness of the Shift Left approach in today’s cybersecurity and development environments.

  • Debate the practicality and impact of integrating security early in the development lifecycle, evaluating whether this approach still holds value amidst rapidly evolving technology landscapes.
  • Argue over the challenges and diminishing returns that may arise from early security integration, discussing if newer methodologies or paradigms could better serve modern development and security needs.
  • Explore potential advancements or alternative strategies that could revitalise or replace the Shift Left concept, aiming to enhance security protocols without compromising development speed and innovation.

Debaters:
Paul McCarty, Founder - SourceCodeRED & GitHax
Toby Amodio, Director and Government Cyber Delivery Lead - Fujitsu
Cole Cornford, Founder & CEO - Galah Cyber
Ken Johnson, Co-Founder & Podcast Host - DryRun Security

3:40pm

Event Closed

  • Chief Information Security Officer
  • Heads of Application Security
  • DevSecOps Leaders
  • Application Security and DevSecOps Architects and Engineers
  • Cybersecurity Engineering Leaders
  • Cloud Security Directors
  • Heads of DevOps and Engineering
  • Security Product Managers
  • Senior AppSec Manager
  • Senior DevSecOps Manager
  • Senior Cybersecurity Manager
  • Senior DevOps Manager
  • Senior Cloud Security Manager
  • Senior Engineering Manager
  • Senior Product Security Manager

Our line-up of Partners will be announced in early 2024!

Are you interested in sponsoring the AppSec & DevSecOps Summit Melbourne 2024?

Find out more here or get in touch with Danny Perry to secure your spot now, as each of our events is strictly limited to 8 sponsors.

Danny Perry
Director of Sales

E: danny@weareclutch.com.au

P: 0423 984 435