Melbourne AppSec & DevSecOps Summit 2025
Join us in August to strengthen your development process with cutting-edge security practices. Connect with experts, explore automation, secure containers, and gain practical insights through interactive sessions and real-world case studies.

Join us at the AppSec and DevSecOps Summit to fortify your software development lifecycle.
We're bringing together developers, security experts, and industry leaders to seamlessly integrate security into every step of your development process.
Discover best practices for shifting left, automating security, and managing open-source risks. Explore how to improve DevSecOps adoption, secure containers and microservices, and weigh in on the debate: automation vs. manual testing. Engage in interactive sessions, real-world case studies, panel discussions, and debates to stay ahead of the latest trends in application security.
Key Themes:
- Integrating Security into the Software Development Lifecycle
- Shift Left Strategies
- Application Breach Response
- Automating Security Processes
- Managing Open Source Risks
- Improving DevSecOps Adoption
- Container and Microservices Security
- Automation vs. Manual Testing: What Works Best
Who Should Attend?
Developers, DevOps engineers, security professionals, IT leaders, and anyone eager to enhance their understanding of application security and DevSecOps practices.
Don't miss this chance for a day of learning, innovation, and collaboration at the AppSec and DevSecOps Summit.
Agenda
Examine best practices for establishing a robust production security program that minimises risk and accelerates incident response. Attendees will learn how to align security operations with DevOps practices and implement proactive monitoring across live environments.
- Defining roles and responsibilities to ensure clear ownership and accountability in ProdSec teams
- Integrating security monitoring and response into CI/CD pipelines for continuous protection
- Leveraging threat modeling and automated controls to detect and mitigate runtime vulnerabilities
Despite the abundance of tools in application security, many core challenges remain unresolved—especially around developer engagement and program effectiveness.
- Persistent AppSec challenges include misaligned priorities, tool sprawl, and limited developer involvement
- A comparison of two financial institutions reveals how shifting from traditional to dev-first security approaches led to improved outcomes
- Securing developer buy-in is often the missing link in solving some of AppSec’s toughest, most persistent problems
This debate challenges two schools of thought: "Control-first defenders" vs "Exploit-first breakers"—exploring how far each philosophy should go, what trade-offs they create, and where real-world teams should focus their limited resources.
- What creates more security ROI: building airtight controls or breaking things to expose flaws?
- Should red teaming be embedded into the SDLC—or remain separate for objectivity?
- Are tools like SBOMs and SLSA frameworks meaningful or just compliance theatre?
- Can DevSecOps teams be trusted to police their own supply chains—or do we need centralised oversight?
- Is it ever acceptable to ship insecure components in the name of velocity?
In the world of software updates, we often find ourselves overwhelmed by constant patching of code we don’t even use. Imagine cutting down that needless effort by removing 80% of unused code. This session dives into how purpose-built, minimal container images and modern supply chain security practices can drastically reduce vulnerability management headaches. Drawing on years of experience with containers, Kubernetes, and CNAPP tools, you will learn how to shrink your container attack surface, reduce CVEs by 80%, and ease the burden on engineering teams.
- Reduce Vulnerabilities by Design: Learn how purpose-built minimalist container images can cut your container OS packages by 80%, drastically reducing the attack surface and CVEs upfront
- Simplify Vulnerability Management: See how fewer packages and fewer vulnerabilities lead to a manageable volume of security alerts, enabling your teams to focus on what matters instead of being overwhelmed
- Build with Supply Chain Security: Understand the importance of hardened build environments and signing with short-lived keys to trust the container images you deploy—bringing real supply chain security to your cloud-native apps
An interactive session where attendees collaborate to handle a simulated security breach in a live application, focusing on rapid response and mitigation.
Explore how application security challenges often stem from developer experience issues in security services and how improving DevX can lead to stronger security outcomes. Attendees will learn practical strategies to integrate security more smoothly into development workflows without compromising productivity.
- How friction in the developer experience leads to security workarounds and vulnerabilities
- Techniques for bringing security insights into IDEs and CI/CD pipelines to streamline DevX
- Measuring success: key metrics and feedback loops that align security goals with developer productivity
Transform compliance from a development bottleneck into an acceleration engine. This session provides actionable strategies for implementing unified compliance within your DevSecOps pipeline.
You'll learn how to:
- Shift compliance left - Integrate policy checks into development workflows from day one
- Automate policy enforcement - Build compliance gates that catch issues before production
- Create audit-ready evidence - Generate compliance documentation automatically through your pipeline
- Establish cross-team alignment - Get security, development, and compliance teams working together effectively
This panel convenes security leaders to discuss how software assurance has evolved from periodic testing to continuous, integrated validation throughout the development lifecycle. Participants will explore emerging tools, standards, and cultural shifts that redefine how organisations ensure software trustworthiness today.
- How has the adoption of DevOps and CI/CD pipelines transformed traditional software assurance practices, and what new skills do teams need?
- In what ways are automation and shift-left testing changing when and how assurance activities are performed?
- How are emerging frameworks impacting software assurance strategies and investments?
- What role do runtime monitoring and continuous verification play in complementing pre-release security checks, and how can teams balance speed with thoroughness?
Select a topic of discussion and engage in an interactive roundtable discussion with a group of your like-minded peers.
Put your cloud security knowledge to the test in this fast-paced quiz covering real-world threats, key concepts, and emerging trends. Compete for bragging rights—and a travel voucher—as the top scorer takes the crown.
Enterprise application security programs are traditionally measured on their capability to address specific aspects of the technology stack, and then the coverage for rolling that out across the enterprise. While this sounds effective, it's anything but, as can be seen by the proliferation of ASPM and AI-AST based products and their subsequent wringing in the markets.
So what should modern product security functions aim for? In this talk I'll outline a different Five I's that defines the baseline for an effective ProdSec function and how you can take quick steps as either a scale-up business or enterprise to align and move forward.
This interactive session brings security, engineering, and product professionals together to unpack the big issues shaping the future of AppSec and DevSecOps. We’ll explore emerging threats, evolving team models, and the growing role of AI—highlighting both the risks and the opportunities. Expect honest takes, practical insights, and a healthy dose of forward-thinking debate.
- What’s the most pressing challenge we’ll face by 2026?
- Is AI accelerating our work—or introducing new risks?
- How can we keep AI training data secure and trustworthy?
- Are our teams prepared to defend against deepfake-style threats?
Who Attends?
Chief Technology Officer
Chief Information Security Officer
Head of Application Security
Head of DevSecOps
Head of Cybersecurity
VP Engineering
Product Security Director
DevOps Director
Developer Experience Manager
Release and Environment Manager
Platform Engineering Director
Software Engineering Manager
Cybersecurity Engineering Director
API Security Manager
Testing Manager
Event Location
Collins Square Events Centre

Get In Touch
Contact our event team for any enquiry

Danny Perry
For sponsorship opportunities.

Lili Munar
For guest and attendee enquiries.

Ben Turner
For speaking opportunities & content enquiries.

Taylor Stanyon
For event-related enquiries.