Secure360, May 2026
Application Security is supposed to decrease the risk from software, but it too often has the side effect of increasing developers' misery. With endless scans, vague automated backlog injections, and "critical" findings on dead code, AppSec can come across less like a partner and more like a Vogon: "Not actually evil, but bad-tempered, bureaucratic, officious and callous." (Adams, 1979). Meanwhile, threats evolve faster than ever, and if AppSec and Development are at odds, the real risk isn’t the next zero-day -- it’s our inability to react and adapt to it quickly enough.
This talk explores the real (and completely fixable) reasons behind that friction -- cultural, operational, and technical -- and how it cripples our response to modern threats. We’ll look at how AppSec programs unintentionally sabotage themselves through poor communication, tooling overload, and unrealistic policies. We’ll discuss practical ways to rebuild trust and agility: integrating feedback loops, mapping tools to developer workflows, measuring success in dev-friendly terms, and replacing gatekeeping with enablement. We'll also touch on how unresolved friction compounds actual business risk, not just security debt, and how to frame risk in terms that resonate with engineering leadership, not just practitioners.
Whether you’re a developer tired of security theater or an AppSec lead wondering why your risk assessments are rushed through at 3x speed, you’ll leave with strategies that make your AppSec program as adaptable as the threats it’s meant to defend against.
Adams, D. (1979). The Hitchhiker's Guide to the Galaxy. London: Pan Books.
Objectives:
- AppSec/Dev friction silently erodes an organization’s ability to adapt to risk
- Bad tools, poor communication, and misaligned incentives turn good intentions into resentment and operational drag
- Integrate security into dev workflows, improve trust, and work with Development to adapt quickly
Secure360, May 2025
Abstract: Working in the technology sector, especially in security, presents distinct and often overwhelming stresses. From the high stakes of defending against persistent threats to the mental strain of imposter syndrome and the relentless demands of working late nights and weekends, professionals in this field face challenges that go beyond technical expertise. These pressures are often exacerbated by arbitrary and shifting priorities, creating an environment of unpredictability and strain. This talk examines the root causes of stress in the field, including these unique challenges, and provides actionable strategies for both individuals and leaders to foster resilience and build a more balanced and productive team environment.
Secure360, May 2025
Abstract: The rise of large language models (LLMs) has enhanced software development, enabling developers to generate code quickly and efficiently. However, their integration into coding workflows presents significant risks. This talk explores the evolution of LLMs in software generation, focusing on their initial capabilities, the incorporation of security tools to improve code quality, and the development of guardrails to mitigate misuse, such as the creation of malware. Through real-world examples and a critical lens, this session highlights the ethical, technical, and security challenges inherent in using LLMs to write code, offering practical guidance for responsible adoption.
Secure360/Career360, May 2024
Abstract: A common refrain in the application security profession these days is to meet developers where they work by embedding security tools into the SDLC. But just how much effort does it take to do this? How confident can you be in recommending a course of action you have not tried? This talk details the path the speaker took in implementing and exercising free and open-source security tools, and will include a basic how-to as well as lessons learned so you can do the same (and yes, that means actual documentation). It will include what is sure to be an entertaining live demo.
This is a sequel to last year's talk, and focuses on the Continuous Delivery/Deployment side of the pipeline.
Secure360/Career360, May 2023
Abstract: A common refrain in the application security profession these days is to meet developers where they work by embedding security tools into the SDLC. But just how much effort does it take to do this? How confident can you be in recommending a course of action you have not tried? This talk details the path the speaker took in implementing and exercising free and open-source security tools, and will include a basic how-to as well as lessons learned so you can do the same (and yes, that means actual documentation). It will include what is sure to be an entertaining live demo.