These industry leaders bring a wealth of knowledge and experience in Application Security, and we are excited to have them share their insights and spicy opinions with us.
Tanya Janca
Author of Alice & Bob Learn Secure Coding & Application Security, Secure Coding Trainer @ She Hacks Purple
Marisa Fagan
Head of Product, Katilyst, OWASP 2026 Global Board Member
Izar Tarandach
Sr. Principal Security Architect, Co-author "Threat Modeling: A Practical Guide for Development Teams"
Tanya Janca, also known as SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Application Security’ and 'Alice and Bob Learn Secure Coding'. Tanya has been coding and working in IT for over twenty-seven years, won countless awards, and has been everywhere from public service to tech giants, writing software, leading communities, founding companies and ‘securing all the things’. She is an award-winning public speaker, active blogger & podcaster and has delivered hundreds of talks on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.
Marisa Fagan is Head of Product at Katilyst and has 16 years experience building security champion communities. She's dedicated her career to building security into the SDLC and empowering developers to own secure code. Marisa shares practical insights into what actually works when it comes to motivating developers, measuring program success, and avoiding common pitfalls. With an impressive background as a security culture expert at tech giants like Atlassian, Salesforce, Meta, and Bugcrowd, Marisa has been at the forefront of the security champions movement, helping transform how development and security teams collaborate.
Izar Tarandach is a seasoned security expert with deep experience in application and cloud security, threat modeling, and secure software development. He is a co-author of the book Threat Modeling: A Practical Guide for Development Teams and a frequent speaker on integrating security practices into modern software development lifecycles. He is also a co-creator of the Threat Modeling Manifesto and a founding contributor to the IEEE Center for Security Design. Tarandach has held leadership and senior-level security roles at companies like SiriusXM, Datadog, Squarespace, and Autodesk. He holds a master's degree in Computer Science/Security from Boston University and has served as an instructor in Digital Forensics and Secure Development. He likes long walks on the beach while playing devil's advocate to AppSec angels.
Kennedy Toomey
Application Security Researcher & Advocate at Datadog
Jackie Mak
Director, Cyber Threat Management, KPMG US
Dustin Lehr
Application Security Advocate @ Security Journey
Kennedy Toomey is an Application Security Researcher & Advocate at Datadog. Previously she was an Application Security Engineer where she spent her time working with developers to help fix vulnerabilities and write more secure code.
Jackie is a Director in KPMG’s Cyber Threat Management practice where he primarily specializes in DevSecOps, Application Security, and Security Operations. His core mission is to help clients navigate the complex landscape of software security and protect their most valuable enterprise assets from cyber threats. He works with teams to assist with cyber security strategy and governance, operational optimization and performance improvement, and the assessment and mitigation of cyber risk.
Dustin Lehr is the Application Security Advocate at Security Journey and Co-founder of Katilyst, where he helps organizations design developer-centric AppSec programs that motivate secure behavior at scale. A former software engineer turned security leader, he brings more than 20 years of experience architecting technology solutions and bridging the gap between developers and security teams. He is the author of The Security Champion Program Success Guide, co-founder of the Let’s Talk Software Security community, and a frequent conference speaker and podcast guest. Known for applying behavioral science to application security, Dustin shows how motivation, influence, and culture change are just as critical as technology, tools, and AI in building proactive security practices.
Alina Yakubenko
Staff Product Security Engineer, Tech Lead Manager @ Toast, Inc.
Mohamed AboElKheir
Sr. Staff Application Security Engineer, Ironclad
Ariel Shin
Senior Security Engineer, Stripe
Alina, Staff Product Security Engineer and Tech Lead Manager at Toast, Inc. and a former developer and QA Engineer, is dedicated to empowering developers by integrating security into everyday practices. Passionate about building a culture of security awareness, she works to ensure that security is a core component of development processes, helping teams build safer, more resilient applications.
I am currently an Application Security Engineer at Ironclad, where I am building a new Application Security Program. Before that, I was also an Application Security Engineer at Amazon for ~4 years, and during this period I reviewed and collaborated on 500+ AWS services/features/tools. You can check my blog at https://medium.com/@mohamed.osama.aboelkheir
Ariel is a Senior Security Engineer at Stripe and a former Product Security Manager at Twilio. She has been instrumental in shaping the Product Security program at Twilio and promoting a heightened sense of security awareness within the Engineering organization. Through her empowering approach to security, Ariel led the charge in democratizing vulnerability management—an initiative that yielded significant risk reduction across the entire company. Her dedicated efforts contribute significantly to fortifying Twilio's security posture, making her a respected voice in the Product Security field.
Sana Talwar
Product Security Engineer @ ServiceNow
Antoine Carossio
Co-Founder and CTO @ Escape
Enrique Larios Vargas
Security and Learning Specialist, Adyen
Sana Talwar is a Product Security Engineer at ServiceNow, where she helps build secure software and strengthen product resilience. Her journey in tech began in high school when she was featured in the CodeGirl documentary for creating an app that solved a community problem. She teaches cybersecurity at a local community college and speaks on topics that bridge security, education, and emerging technologies.
Antoine is co-founder & CTO of Escape. He is a former security engineer and penetration tester at the French National Secret Agency and Apple. He is one of the maintainers of Clairvoyance and the co-author of GraphQL Armor.
Enrique Larios Vargas is a Security and Learning Specialist with over 8 years of experience designing impactful learning and enablement programs across fintech, engineering, and security domains. With a background as a university lecturer in software engineering in Peru, the Netherlands, and Canada, he brings a unique blend of technical insight and behavioral science to his work. Enrique is the lead author of the research paper “DASP: A Framework for Driving the Adoption of Software Security Practices”, which explores how behavioral models like COM-B can drive secure development. He is passionate about helping developers move beyond compliance and build a meaningful, human-centered security culture.
Jyoti Raval
Director, Cyber Security Engineering with Baker Hughes
Nohé Hinniger-Foray
R&D Engineer @ Escape
Alekh Gadekar
Senior Application Security Manager, Backbase
Jyoti Raval works as Director, Cyber Security Engineering with Baker Hughes. She is the author of Phishing Simulation and MPT: Pentest in Action and has previously presented at InfosecGirls, Nullcon, Defcon27, Blackhat Asia, HITB Singapore, OWASP NZ, Shecurity, Defcon32, and Blackhat London. She also heads the OWASP Pune chapter. She is an application security enthusiast at heart and an avid badminton player by passion.
Nohé is a Full-Stack R&D Engineer @ Escape. As a computer science enthusiast, he loves to craft new technologies, tools & applications for the open-source community. He has also shared his expertise at various security and tech conferences like BSides Berlin, engaging with a broader audience.
With over 18 years of experience in application and product security, Alekh Gadekar is a seasoned cybersecurity leader currently serving as a Senior Application Security Manager. His expertise spans risk assessment, threat modeling, and secure SDLC, with a strong focus on the banking, finance, and fintech sectors. Throughout his career, he has driven the design and implementation of robust security strategies, led cross-functional teams, and ensured alignment with industry standards and regulatory requirements.
Maxwell Zhou
Founding partner at PolarStar Cybersecurity Group
Max Zhou is a founding partner at PolarStar Cybersecurity Group, where he helps product security leaders in highly regulated industries translate technical execution into measurable business value. PolarStar combines program management discipline with deep technical expertise to mature product security programs, strengthen control assurance, and frame security outcomes in terms the business can understand and measure: risk reduction, control effectiveness, and return on investment. Previously, Max served as a Senior Staff Security Engineer at Greenlight, where he built and led the Product Security practice, supporting over seven million active users. His background is rooted in offensive application security, having begun his career as a professional pentester at Visa before advising Fortune 100 enterprises and hyper-growth startups as a security consultant.
Day 1
Explore what’s broken in AppSec and how to fix it. This track is full of bold insights and spicy takes that challenge the status quo.
Tanya Janca
Keynote: Crushed by the Backlog: The DevSecOps Problem No One Wants to Admit
9:05 AM - 9:35 AM
Kim Wuyts
Compliance is overrated
9:40 AM - 10:10 AM
Cassie Crossley
Accountability in Application Development
10:15 AM - 10:45 AM
We were promised that DevSecOps and “shifting left” would help us catch security issues early, fix them faster, and reduce risk at scale. But what we got instead was... backlog overload.

Teams are drowning in security findings—tens of thousands of alerts, many of them meaningless. Tools have multiplied, context has disappeared, and developers have started ignoring the warnings altogether. We're automating vulnerability detection faster than we can address even 1% of it.

In this talk, we’ll examine what went wrong: why DevSecOps created more noise than clarity, how “security at scale” turned into “overwhelm at scale,” and why prioritizing based on raw CVSS or tool output is setting us up to fail. Then we’ll look at several ways to do better.

You'll learn how to:
- Reduce your backlog to vulnerabilities that actually matter
- Align security signals with real business risk
- Avoid the DevSecOps trap of "more automation = more security"
- Evaluate which tools deserve to stay—and which need to go
- Design a smarter, smaller, risk-based AppSec pipeline

Because a nation-state doesn’t care about your t-shirt company’s TLS version—and neither should you.
Privacy has been gaining more attention since the GDPR and other data protection legislations have been requiring organizations to invest in it. Where has that compliance run got us so far, and is it enough?
Developers are rarely given time to fix defects and vulnerabilities, thus the products they create are more susceptible to attacks as the code ages. Why isn't more time given to teams for maintenance and improvements? Whose fault is it when a product is not maintained? This presentation challenges the topic of "duty of care" for application owners and developers.
Akira Brand
Mycelium as the Path: How the Fungi Kingdom Guides us Toward Resilience in Our Cyber Programs
10:50 AM - 11:20 AM
Chris Romeo
Why the 'Secure by Design' pledge won't save us from AppSec failures
11:25 AM - 11:55 AM
Dustin Lehr
Building a Proactive Developer Security Culture - Can We Actually Make it Work?
12:00 PM - 12:25 PM
This talk is about cyber resilience in the face of emerging geo-political, climate, and economic threats. Drawing inspiration from the fungi kingdom, this short course examines how the fantastical mushroom world informs us on effective communication, symbiosis with different departments, elegantly responding to stress, and repairing breached environments. Come hear the lessons of the earth to inform our cyber strategy and tactics. Gain a fresh perspective on how to draw inspiration from the natural environment and integrate it into your cyber organization.
Since the dawn of software, a simple goal has existed: make software resilient against threats and protect the personal information it stores. CISA has been at the forefront of Secure by Design, producing guidance, alerts, and a pledge. The problem with the pledge is that it won’t move our industry forward.
Real meaning exists through implementing secure and private by design with real products and applications. Examine tactics for designing software that incorporates a secure, private-by-design mindset and how to implement these tactics at scale. Then, discover how they converge with threat modeling as the vehicle for discovering and mitigating threats.
Walk away with an understanding of tactics for applying these concepts, best practice tips for actionable threat modeling, and a roadmap for building a solid and successful threat modeling and secure and private by design program. Oh yeah, and why you can ignore the meaningless pledge.
No, it's not enough to simply satisfy minimal "check the box" compliance requirements, react to incidents, or fix security vulnerabilities after they're in production. Focusing only on the "right side" of the process is a recipe for eventual disaster, and is ultimately costly to pursue. You need to focus on shifting habits and behaviors to proactively address issues long before they reach production. You need to build a culture that is full of security best practices: training, threat modeling, architecture reviews, and so on.
But HOW? In this talk, we'll discuss techniques for shifting your culture and motivating your employees to make the right choices by incentivizing and rewarding their behaviors. We'll focus on the "people" side, and use proven techniques from the fields of behavioral science and psychology to bring your awareness and appsec game to the next level. Security takes more than just tech and this is the piece you've been missing to make a lasting difference in your company's security posture.
Jacob Salassi
Shift left sucks for SWEs: AppSec is a structured data problem
1:05 PM - 1:35 PM
Panel:
Mel Reyes, Ariel Shin, and Alina Yakubenko
The Challenge of Scaling AppSec: Why It's Harder Than You Think
1:40 PM - 2:10 PM
Aravind Sreenivasa
My mistakes in building an AppSec team
2:15 PM - 2:45 PM
If you think getting every single developer in your organization to threat model every single feature using a repeatable, easy, on-rails process could be a terrible idea: you're right. If you think appsec is fundamentally a structured data problem being approached as an unstructured train wreck: you're right. If you think these two problems might be related and there must be engineering solutions to them: you're right.
Scaling AppSec is often seen as the ultimate solution to secure growing organizations, but the reality is much more complex. In this panel, seasoned experts from leading companies will discuss the often-overlooked challenges that make scaling security harder than it seems. From limited resources to the cultural obstacles within leadership and engineering teams, our speakers will share their opinions on what might work best in your organization. Discover what it really takes to build a scalable AppSec program and whether the pursuit of perfect scalability can be realistic.
Most talks in security spaces are about best practices and cool new exploits. But most of the security journey is failing three times before succeeding once. Inspired by failure resumes, I’ll share the mistakes I made while building my first security team. These mistakes occurred despite following security best practices to a fault and taking cognisance of every threat vector. I will be sharing the lessons these mistakes taught me so you can avoid them. This talk is about how I fell short of building the most effective security team in pursuit of the “best security team”.
Track 2 - Focus on AppSec Tools
This track is perfect for those who want to hear speakers' specific takes on different AppSec tooling. You can expect roasts of tools’ features, examples of nonsensical marketing, and of course, several mentions of how XYZ is dead.
James Berthoty
A future of Security free from CNAPP
9:05 AM - 9:35 AM
Panel:
Sandesh Mysore Anand, Antoine Carossio, and Amit Bismut
Can we actually measure the effectiveness of AI in cybersecurity?
9:40 AM - 10:10 AM
Ran Ne'man
Is PAM Dead?! Long live Just-in-time Access!
10:15 AM - 10:45 AM
As cloud-native architectures grow more complex, the limitations of CNAPPs are becoming more obvious. Although CNAPPs promise comprehensive security through a unified platform, they often fall short, especially in delivering detailed protections needed for environments like Kubernetes. This talk will look at the future of security beyond CNAPPs, suggesting that specialized point solutions can be more effective than all-in-one platforms. I'll dive into the key shortcomings of CNAPPs, particularly in runtime protection and developer integration, and show how in some cases targeted solutions can provide stronger, more adaptable security.
Feeling uneasy about AI taking over cybersecurity, or are you already relying on it too much? AI's promises sound incredible, but how can we really tell if it's living up to the hype and measure its real impact? In this expert panel, you'll hear from security, technical, and product leaders, each bringing a unique viewpoint to the table. They’ll tackle the challenges of evaluating AI performance in cybersecurity tools, discuss the metrics that matter, and share real-world successes and failures. Join us for a lively discussion on whether AI is truly enhancing application security.
Let’s face it: PAM (AKA privileged access management) was built for servers from circa 20 years ago. The cloud-native ecosystem has evolved significantly since its early days, in tandem with the increased sophistication of modern threat actors and the exploit landscape. This begs the question: why are organizations still protecting their most sensitive assets and accounts with access control that is optimized for legacy systems? In this talk we’ll walk through the evolution from on-prem to the modern cloud, focusing on the four core elements that impact your security posture when it comes to privileged cloud resources: connectivity, authentication, fine-grained authorization (FGA), and visibility.
We’ll demonstrate through real examples where PAM breaks down and just-in-time access comes in to level up your cloud security. We’ll wrap up with better practices when it comes to access control for modern cloud environments. You’ll come away from this session with practical ways to de-escalate unnecessary privileges, lower costs, reduce man-in-the-middle (MITM) as well as single points of failure, and hopefully provide you with some peace of mind when it comes to your cloud security.
Swan Beaujard
DAST is dead, or is it?
10:50 AM - 11:20 AM
Tristan Kalos
We have been doing API security wrong
11:25 AM - 11:55 AM
Jeevan Singh
Most Security Tools are expensive paperweights: How to get your money’s worth
12:30 PM - 1:00 PM
"DAST is dead." It’s a phrase that’s been making the rounds on social media, but what if 2024 is the year it becomes reality? For the past decade, DAST has been a cornerstone of application security testing, but it’s time to step aside for the next generation—Business Logic Security Testing. As the industry evolves, so do the challenges, and today’s most critical security issues go beyond what traditional tools can detect. Many security engineers remain skeptical that any tool can truly understand the business logic of applications. But why is mastering business logic security more important than ever? In this talk, I’ll explore exactly why—and how it can reshape your approach to application security.
For the past decade, API security has centered around traffic monitoring, relying on deep integrations with applications, gateways, and reverse proxies. This approach overlooked a critical issue: API development within most enterprises is decentralized, leaving security teams unaware of how many APIs they need to secure, where those APIs are deployed, or their business criticality. As a result, adoption has been slow, coverage incomplete, and investments in API security difficult to gauge.
In this talk, I’ll explore why traditional approaches, such as API-centric DAST and runtime API protection, have failed to scale and deliver the expected results. And how shifting our overall AppSec strategy might improve the way enterprises secure their APIs.
Many organizations invest heavily in security tools that end up being costly and not useful. In this talk, we’ll explore why most security tools fail to deliver on their promises, focusing on issues like misalignment with real needs, poor integration, and ineffective utilization.
We’ll dissect common pitfalls that lead to wasted resources and reduced security effectiveness, using real-world examples to illustrate these failures. You’ll learn why your current tools might not be working as expected and how to address these challenges.
Finally, we’ll provide practical strategies to optimize your security tools, ensuring they integrate well into your existing systems and deliver tangible value. Discover how to turn these investments into powerful components of your security strategy.
Kyle Kelly
The Dumpster Fire of Software Supply Chain Security
1:05 PM - 1:35 PM
Munawar Hafiz
Our SAST Tools Have Failed Us
1:40 PM - 2:10 PM
Anmol Agarwal
AI in AppSec: Why We Need To Prioritize Security
2:15 PM - 2:45 PM
Buckle up for some hot takes as we dive into the frustratingly unclear world of software supply chain security. We’ll call out the tools that can’t properly identify components and spotlight ecosystems getting little to no love (looking at you, C/C++). Expect a deep dive into the glaring gaps in security disclosures for open-source software and the dismal rates of transparency across the board. We’ll also break down the confusing, overly complex, and completely unenforced vulnerability reporting processes that are leaving everyone exposed. If you thought supply chain security was under control, think again.
Our SAST tools cannot detect critical bugs. Instead they generate a lot of noise and waste our time. We have a gut feeling that the observations stated above are correct. But do we know exactly how bad the situation is? The SAST tools and the industry need to start talking about metrics that they have conveniently bypassed so far. Some suggested metrics are as follows: an account of false negatives and false positives against benchmark data, the percentage of false warnings on real applications, the percentage of reports that lead to an actionable security issue fix, the effectiveness of the remediation advice provided now, etc. In this talk, we will explore these metrics for leading SAST tools. We will identify the gaps that should be filled by SAST 2.0. SAST 1.0 is dead, long live SAST 2.0!
AI is now being used to enhance AppSec. It is a powerful tool that is used for data analytics. While innovators are quick to adopt AI for its benefits, many tend to overlook the security concerns that AI brings. Unfortunately, discussions around AI security are often too high level or complex for wider industry understanding. I’m here to explain why that is - and how we can change it.
In this presentation, you will learn about why more importance needs to be placed on securing AI in AppSec and strategies the audience can use to secure AI.