The Elephant In AppSec Conference Schedule

We were promised that DevSecOps and “shifting left” would help us catch security issues early, fix them faster, and reduce risk at scale. But what we got instead was... backlog overload. Teams are drowning in security findings—tens of thousands of alerts, many of them meaningless. Tools have multiplied, context has disappeared, and developers have started ignoring the warnings altogether. We're automating vulnerability detection faster than we can address even 1% of it. In this talk, we’ll examine what went wrong: why DevSecOps created more noise than clarity, how “security at scale” turned into “overwhelm at scale,” and why prioritizing based on raw CVSS or tool output is setting us up to fail. Then we’ll look at several ways to do better. You'll learn how to:
- Reduce your backlog to vulnerabilities that actually matter
- Align security signals with real business risk
- Avoid the DevSecOps trap of "more automation = more security"
- Evaluate which tools deserve to stay—and which need to go
- Design a smarter, smaller, risk-based AppSec pipeline
Because a nation-state doesn’t care about your t-shirt company’s TLS version—and neither should you.

When security champions started to transition into security culture? And are "champions" even the right word to describe this role? This panel will dive into the messy reality of how security champions began to shift from isolated efforts to organizational transformation. We’ll challenge conventional thinking on execution, scaling, and incentivizing security culture, exploring what approaches are actually working and how they vary across organizations.

Automated penetration testing is all the hype these days...But when can we expect manual pentesting to be actually dead? Are we really ready to trust machines with our most critical vulnerabilities, or is there still an irreplaceable value in the human touch? Let’s dig into the truth behind the hype and decide if manual pentesting is truly on its way out or if it’s just getting started.

We don't buy software; we buy our vendors' mistakes. It's time to stop confusing compliance with security. Most vendor security reviews are theater. We trade SOC2 reports, spreadsheets, and pen test reports for the illusion of security while the real risk go unnoticed. This talk exposes why current third party reviews fail and how to rebuild them into something that works. The elephant in the room: compliance is only a part of security, not the full picture.

Every organization wants a "mature" Secure Software Development Lifecycle, but what does that actually mean? As a consultant, I've seen dozens of companies at every stage of their journey, from chaotic to cutting-edge. This talk is a candid, behind-the-scenes look at what Secure SDLC maturity really looks like. I'll deconstruct the buzzwords and provide a pragmatic, phased approach that any organization can use to assess where they are and build a realistic roadmap for improvement, focusing on impactful changes over performative security.

AI has quickly become the shiny answer to every security challenge. Vendors promise it will find every bug and stop every attack — all while continuing to ignore the “human problem.”

But here’s the reality: both sides have access to AI, along with the same tools and tech. It’s all table stakes. Attackers use AI to automate the same ol’ SQLi, phishing, and credential stuffing, while defenders tune their AI to automate detection and patching. The bases are covered.  

In this talk, longtime developer and AppSec leader Dustin Lehr will explain why breaches will still happen in the AI era — because attackers are people: creative, adaptive humans who won’t stop when their automated exploits fail. He’ll show why defenders must also lean into creativity, awareness, and responsibility, and why believing AI can replace the human factor in security is a dangerous illusion.  Attendees will learn why developers must review and take responsibility for AI-generated code, why champions are critical for influencing peers, and why security leaders must design for culture change, not just compliance. AI may uplevel both attackers and defenders, but it won’t change the fact that security succeeds or fails through human behavior. Join this session to learn how to prepare for the future of AppSec — where AI is table stakes, and people are still the variables.