9:00am

Arrival & Registration

9:10am

Welcome & Ice-Breaker Exercise

9:30am

Opening Keynote:
10 Lessons from 10 Years in AppSec

In this keynote, we dive into Cole's decade of AppSec experiences, highlighting the pivotal lessons learned and strategies developed to counter evolving cyber threats. The session will explore the transformation of AppSec practices in response to changing technologies and threat landscapes, emphasising the importance of an integrated, proactive security approach.

We will uncover the journey of AppSec evolution, from early reactive measures to today's sophisticated DevSecOps methodologies. This exploration will provide attendees with a comprehensive understanding of how to build resilient and adaptive security frameworks within their organisations. Key takeaways will focus on actionable insights, innovative trends, and practical strategies for enhancing application security.

Items to be covered include:

• Understanding how application security has transformed over the last decade, including shifts in threats and technology advancements.
• Key strategies for embedding security within the development lifecycle, highlighting collaboration between security and development teams.
• Developing forward-thinking AppSec measures, focusing on risk assessment, continuous monitoring, and incident response to build a robust security environment.                                             

Speaker:
Cole Cornford, Founder & CEO - Galah Cyber

9:50am

Keynote:
Policy at the Core: Infusing DevOps with Security

Policy as Code in DevSecOps is about treating security and compliance policies with the same level of automation, integration, and version control as application code. This approach helps organisations ensure that security and compliance requirements are consistently met throughout the software development and deployment lifecycle, reducing the risk of security misconfigurations and compliance violations for your applications.

• Exploring how security and compliance policies can be integrated into DevOps practices using automation, to ensure consistent application across the software development lifecycle.
• Discussing methods and tools for automating security and compliance checks within the CI/CD pipeline, minimising the risk of misconfigurations and violations.
• Highlighting the importance of using version control for policy as code to facilitate collaboration among development, security, and operations teams, ensuring up-to-date and consistent enforcement of security standards

Speaker:
Pas Apicella, Principal Solutions Engineer - Snyk

10:20am

Panel:
Security Modernisation at Enterprise Scale

Panelists:
Steve Stojanovski, Head of Engineering - Belong
Neha Malik, Head of Application Security - REA Group

10:50am

Morning Tea & Networking

11:20am

Audience Activity:
The AppSec Scenario

In this innovative session, attendees will be faced with a series of scenarios that they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action. 

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

Will we collectively choose the right course of action?

11:40am

How I Solved.... 
Breaking Builds Without Breaking Hearts: the journey to building secure builds with SAST

Speaker:
Tara Whitehead, Security Engagement Manager - MYOB

11:55am

How I Solved.... 
Rethinking Input Validation

The concept of input validation as a security control is at least 20 years old, and it is time to reflect on how it is used, its limitations and whether it is still relevant to application security and secure software development anymore. Join me in reviewing input validation under a few different lenses to see if we should still be making this recommendation.

Speaker:
Eldar Marcussen, Head of Offensive Security - SEEK

12:15pm

How I Solved.... 

Speaker:
Peter Lees, Principal Solution Architect - SUSE

12:30pm

Roundtable Discussions:

1. Securing Cloud Architecture
2. Optimising DevSecOps Integration
3. AI in DevSecOps + AppSec
4. DevOps Incident Response
5. Managing Supply Chain Risks
6. API Security and Management
7. Security in CI/CD
8. Serverless Security

1:25pm

Lunch & Exhibition

2:20pm

International Keynote:
AppSec: Origins to Innovations

Join Seth Law & Ken (“cktricky”) Johnson on a journey through the evolution of Application Security (AppSec) and what this means for our future. In this engaging talk, the duo will explore  significant milestones in AppSec, starting from early research in the 1960s, the release of JavaScript in the mid-90s, the discovery of exploits such as SQL Injection, to the modern innovations that are reshaping the field today.

Key highlights include:

• Historical Timeline: A detailed overview of notable markers in Application Security history, including the introduction of Agile, DevOps, OWASP, and more.
• Tool Evolution: An examination of how security tools have evolved from basic DAST to sophisticated combinations of SAST, SCA, SBOM, and ASPM, including emerging trends in auto-threat modelling and auto-remediation.
• Process Evolution: Insights into the changing strategies in prevention, testing, threat modelling, and training, highlighting the shift from security expert-driven processes to developer-focused and AI-assisted approaches.
• Innovations in AI: A deep dive into the current capabilities and limitations of AI in AppSec, debunking common myths, and showcasing practical applications such as automated design reviews, threat modelling, and secure coding assistants.
• Future Opportunities: A look at how roles in security are transforming, the potential for AI to enhance security practices, and the importance of adapting to new methodologies like "Shift Smart."

By understanding the past and embracing the future, we can better prepare for the evolving landscape of application security. This talk is a must-attend for anyone interested in the intersection of security, development, and innovation.

Speaker:
Ken Johnson, Co-Founder & Podcast Host - DryRun Security
Seth Law, Founder, Principal Consultant - Redpoint Security

2:45pm

Keynote:
A Tale of Adaptive Code-Assisted Security Testing

When conducting code-assisted security tests there's a lot of things to consider, from understanding the unique requirements and circumstances of the project itself, through to being up to speed and across the relevant technology stacks, threats, and best practices.

This talk will look at how we've invested in research and engineering to develop our own tooling and automation to help us scale, adapt, and evolve to meet the demands of performing security assessments for a mix of customers.

This talk will then provide demos of tools we've built and also community projects we find helpful, then finish on how you could also adopt these tools and approaches for your own products and processes. 

Speaker:
Matt Jones, Partner - elttam

3:10pm

The Great Debate:
Is shift left dead?

Join industry experts to rigorously examine the relevance and effectiveness of the Shift Left approach in today’s cybersecurity and development environments.

• Debate the practicality and impact of integrating security early in the development lifecycle, evaluating whether this approach still holds value amidst rapidly evolving technology landscapes.
• Argue over the challenges and diminishing returns that may arise from early security integration, discussing if newer methodologies or paradigms could better serve modern development and security needs.
• Explore potential advancements or alternative strategies that could revitalise or replace the Shift Left concept, aiming to enhance security protocols without compromising development speed and innovation.

Debaters:
Paul McCarty, Founder - SourceCodeRED & GitHax
Toby Amodio, Director and Government Cyber Delivery Lead - MF & Associates
Cole Cornford, Founder & CEO - Galah Cyber

3:40pm

Event Closed