9:00am

Arrival & Registration

9:10am

Welcome & Ice-Breaker Exercise

9:30am

Opening Keynote:
"10 Lessons from 10 Years in AppSec"

In this keynote, we dive into Cole's decade of AppSec experiences, highlighting the pivotal lessons learned and strategies developed to counter evolving cyber threats. The session will explore the transformation of AppSec practices in response to changing technologies and threat landscapes, emphasizing the importance of an integrated, proactive security approach.

We will uncover the journey of AppSec evolution, from early reactive measures to today's sophisticated DevSecOps methodologies. This exploration will provide attendees with a comprehensive understanding of how to build resilient and adaptive security frameworks within their organizations. Key takeaways will focus on actionable insights, innovative trends, and practical strategies for enhancing application security.

Items to be covered include:

• Understanding how application security has transformed over the last decade, including shifts in threats and technology advancements.
• Key strategies for embedding security within the development lifecycle, highlighting collaboration between security and development teams.
• Developing forward-thinking AppSec measures, focusing on risk assessment, continuous monitoring, and incident response to build a robust security environment.

Speaker:
Cole Cornford, Founder & CEO - Galah Cyber

9:55am

Keynote:
Platform Engineering & DevSecOps

The evolution of industry has seen the rise of platform engineering. Explore how Platform Engineering co-exists with DevSecOps bringing it all together to enable and empower modern engineering with a focus on what is being delivered over the how.

Key items to be covered include:

• Tracing the evolution of platform engineering and its growing impact on the tech industry.
• How platform engineering integrates with DevSecOps to streamline and secure the software development lifecycle.
• Strategies for leveraging platform engineering to prioritise outcome-focused delivery and foster continuous innovation.

Speaker:
Glen Whitaker, E2E Platform Automation Group Owner (GM) - Telstra

10:20am

Morning Tea & Networking

10:50am

Keynote:
Policy at the Core: Infusing DevOps with Security

Policy as Code in DevSecOps is about treating security and compliance policies with the same level of automation, integration, and version control as application code. This approach helps organizations ensure that security and compliance requirements are consistently met throughout the software development and deployment lifecycle, reducing the risk of security misconfigurations and compliance violations for your applications.

Topics that will be covered include:

• Exploring how security and compliance policies can be integrated into DevOps practices using automation, to ensure consistent application across the software development lifecycle.
• Discussing methods and tools for automating security and compliance checks within the CI/CD pipeline, minimising the risk of misconfigurations and violations.
• Highlighting the importance of using version control for policy as code to facilitate collaboration among development, security, and operations teams, ensuring up-to-date and consistent enforcement of security standards.

Speaker:
Pas Apicella - Principal Solutions Engineer - Snyk 

11:20am

Panel:
Securing the Software Supply Chain: Navigating Challenges and Solutions

The evolution of software supply chains, increasingly reliant on third-party and open-source components, has brought about significant security challenges. This discussion will navigate through the complexities of securing these supply chains, highlighting the critical need for robust strategies to mitigate risks, ensure compliance, and maintain trust. 

Attendees will be exposed to the latest approaches in addressing the vulnerabilities inherent in software supply chains, with a focus on implementing effective governance and risk management practices. The aim is to equip participants with the knowledge to develop a resilient and secure software supply chain, capable of withstanding the dynamic threats in today’s digital landscape.

Key areas discussed will include:

• Strategies for identifying, assessing, and mitigating supply chain risks to prevent disruptions and breaches.
• Insights into securing the software supply chain, from vendor selection and management to continuous security monitoring and incident response.
• Exploring innovative approaches and technologies to enhance the resilience and integrity of the software supply chain against evolving cyber threats.

Speakers:
Edwin Kwan - AppSec Executive & Advisor
Kasvi Luthra - Product Security Engineer - SafetyCulture
Sara Gray - Cloud Security Enablement Principal - Telstra

11:50pm

Roundtable Discussions:

1. Securing Cloud Architecture
2. Optimising DevSecOps Integration
3. AI in DevSecOps + AppSec
4. DevOps Incident Response
5. Managing Supply Chain Risks
6. API Security and Management
7. Security in CI/CD
8. Serverless Security

12:50pm

Lunch & Networking

1:50pm

Panel:
Developer Training and Engagement: Cultivating Secure Coding Practices
This panel focuses on the crucial role of developer training and engagement in embedding secure coding practices within software development teams. As cybersecurity threats become more sophisticated, it is essential to equip developers with the skills and awareness needed to build secure applications from the ground up. The discussion will explore how targeted training programs and ongoing engagement initiatives can foster a culture of security, enhancing the overall defence mechanisms of organisations.

Through interactive dialogue, experts will share insights on developing and implementing effective training strategies that not only educate but also actively involve developers in security processes. This approach ensures that secure coding principles are not just learned but integrated into daily development practices.

Key points to be covered include:

• Methods for increasing developers' understanding of security risks and the importance of secure coding.
• Designing and implementing training initiatives that engage developers and promote the adoption of security best practices.
• Strategies for fostering an environment where security is a shared responsibility and integral to the development lifecycle.
• Embedding secure coding training into the CI/CD pipeline for continuous developer education.

Speakers:
Jaap Singh - Director of Customer Strategy & Co-Founder - Secure Code Warrior
Pedram Hayati  - Founder & CEO - SecDim
Abhijeth Dugginapeddi - Head of AppSec - BigCommerce

2:20pm

Keynote:
Threat Modelling Process - Architecting Cybersecurity's Backbone

In this keynote, we will explore the critical role of the threat modelling process in shaping the cybersecurity strategies of organisations. As the digital landscape becomes increasingly complex and interconnected, the ability to proactively identify, assess, and mitigate potential threats has never been more crucial. This session will delve into the fundamentals of threat modelling, illustrating how it serves as the backbone of effective cybersecurity architecture, particularly within the realms of AppSec and DevSecOps.

The discussion will cover the systematic approach to threat modelling, highlighting its importance in early detection and prevention of security vulnerabilities. Attendees will gain insights into the latest methodologies and tools that enhance the threat modelling process, enabling organizations to better understand their security posture and make informed decisions to protect their assets.

Key points to be covered include:

• Understanding the core components and stages of the threat modelling process.
• Strategies for embedding threat modelling into development and operational practices to enhance security.
• Adapting threat modelling practices to counter emerging security threats and challenges in a dynamic digital environment.

Speaker:
Alistair de B Clarkson - Head of DevSecOps - ServiceNSW

2:45pm

Panel:
Cloud and Container Security in AppSec and DevSecOps: Strategies and Challenges

This panel will delve into the critical aspects of cloud and container security within the AppSec and DevSecOps frameworks. As cloud and container technologies become central to modern application development, their security implications have grown increasingly complex. The session will explore the unique challenges these technologies pose and the strategies needed to secure them effectively, aligning with AppSec and DevSecOps principles.

Through discussions with leading experts, the panel will address how to navigate the security landscape of cloud-based and containerised environments, ensuring that security is integrated throughout the development and deployment pipeline. Attendees will learn about the latest trends, tools, and methodologies for securing cloud and container infrastructures in a way that supports rapid development and maintains strong security postures.

Key points to be covered include:

• Identifying common vulnerabilities and developing effective mitigation strategies.
• Best practices for embedding security into the continuous integration and delivery pipeline.
• Anticipating and preparing for emerging security challenges in cloud and containerised environments.

Speakers:
Chris "Stof" Langton, Founder / Application Security Specialist - Trivial Security
Timothy Stokes, Chief Architect Modernisation & DevSecOps Chapter Lead - Boeing
Gerald Bachlmayr, Principal Cloud Architect - Cuscal

3:15pm

Afternoon Tea & Networking

3:35pm

Keynote:
Communicating AppSec Risk to Internal Stakeholders: Strategies for Effective Engagement

This keynote addresses the critical challenge of communicating AppSec risks to internal stakeholders, focusing on the need for clear, impactful, and actionable dialogue. In the complex ecosystem of cybersecurity, effectively conveying the significance of AppSec risks and the necessary mitigation strategies to non-security personnel is essential for fostering an organisation-wide culture of security awareness and proactive defense.

The session will explore the best practices for translating technical AppSec concepts into business-centric language that resonates with executives, product managers, and other non-technical stakeholders. Attendees will learn how to articulate the potential impacts of AppSec risks on the organization's objectives and operations, facilitating informed decision-making and strategic investment in cybersecurity measures.

Key points to be covered include:

• Developing approaches to present AppSec risks and priorities in a way that aligns with the interests and responsibilities of various internal stakeholders.
• Techniques for demonstrating the value and necessity of AppSec initiatives in terms of risk management, regulatory compliance, and business continuity.
• Strategies for engaging and educating internal stakeholders to ensure a unified and effective approach to managing AppSec risks.

Speaker:
Nina Juliadotter, Application Security Lead Specialist - Westpac

4:00pm

Keynote:
The Real Shadow IT Problem: Navigating the Risks of Vendor Software

This session will unravel the often-underestimated realm of shadow IT, specifically focusing on the high-level risks associated with vendor software. Shadow IT, particularly through third-party and vendor-supplied applications, presents a significant and complex challenge for organisations, as it can introduce unaccounted vulnerabilities and compliance issues. The discussion will start with a high-level overview of the shadow IT problem, highlighting how vendor software can become a weak link in the cybersecurity chain.

Following the initial overview, the session will transition into technical deep dives, examining specific vulnerabilities that have been discovered in vendor software. These case studies will shed light on the nature of these vulnerabilities, their impact on organisational security, and how they were identified and mitigated. Attendees will gain a comprehensive understanding of the risks associated with vendor software and the importance of rigorous vetting, continuous monitoring, and effective management of these external components within their IT ecosystems.

Key points to be covered include:

• Defining the high-level risks of vendor software within the shadow IT landscape.
• Detailed examination of real-world vulnerabilities found in vendor software and the implications for organisational security.
• Strategies and best practices for identifying, assessing, and managing the security risks associated with vendor-supplied IT products and services.

Speakers:
Shubham Shah, Co-Founder & CTO, Assetnote
Michael Gianarakis, CEO, Assetnote

4:30pm

Event Closed