Melbourne AppSec & DevSecOps Summit 2025
Join us in August to strengthen your development process with cutting-edge security practices. Connect with experts, explore automation, secure containers, and gain practical insights through interactive sessions and real-world case studies.

Join us at the AppSec and DevSecOps Summit to fortify your software development lifecycle.
We're bringing together developers, security experts, and industry leaders to seamlessly integrate security into every step of your development process.
Discover best practices for shifting left, automating security, and managing open-source risks. Explore how to improve DevSecOps adoption, secure containers and microservices, and weigh in on the debate: automation vs. manual testing. Engage in interactive sessions, real-world case studies, panel discussions, and debates to stay ahead of the latest trends in application security.
Key Themes:
- Integrating Security into the Software Development Lifecycle
- Shift Left Strategies
- Application Breach Response
- Automating Security Processes
- Managing Open Source Risks
- Improving DevSecOps Adoption
- Container and Microservices Security
- Automation vs. Manual Testing: What Works Best
Who Should Attend?
Developers, DevOps engineers, security professionals, IT leaders, and anyone eager to enhance their understanding of application security and DevSecOps practices.
Don't miss this chance for a day of learning, innovation, and collaboration at the AppSec and DevSecOps Summit.
Agenda
Examine best practices for establishing a robust production security program that minimises risk and accelerates incident response. Attendees will learn how to align security operations with DevOps practices and implement proactive monitoring across live environments.
- Defining roles and responsibilities to ensure clear ownership and accountability in ProdSec teams
- Integrating security monitoring and response into CI/CD pipelines for continuous protection
- Leveraging threat modeling and automated controls to detect and mitigate runtime vulnerabilities
Despite ongoing advancements in tools and processes, application security still encounters persistent gaps that leave organisations exposed. This keynote will highlight broad challenges and discuss avenues for future improvement.
- Ongoing visibility issues in complex architectures, where many vulnerabilities remain undetected by existing scanning and testing approaches
- Persistent risks from third-party and open-source components, including gaps in tracking and verifying all dependencies
- Difficulties in measuring and communicating true security impact, as simple vulnerability counts often fail to inform strategic decisions
This panel brings together security leaders to explore how adversaries compromise software supply chains and how organisations can defend against such threats. Attendees will learn from both attacker-focused tactics and practical defensive measures to strengthen their development pipelines.
- What are the most common entry points attackers exploit in modern software supply chains, and how can teams proactively identify these weaknesses?
- How can red teaming and adversary simulation be used to validate the effectiveness of existing supply chain security controls?
- Which defensive techniques provide the greatest impact with minimal disruption to development velocity?
- How should organisations balance rapid software delivery with rigorous supply chain security, and what governance models ensure accountability across Dev, Sec, and Ops teams?
Join Cole Cornford as he explores the successes and missteps that defined application security in 2025, highlighting real-world case studies and emerging industry best practices. Attendees will gain actionable insights on how to anticipate evolving threats, avoid common pitfalls, and build more resilient AppSec programs moving forward.
- How AI-driven attacks outpaced traditional defenses and adaptive mitigation strategies that proved effective
- A deep dive into a major breach “fail,” examining the root causes and the rapid course corrections that minimised impact
- Success stories: teams that mastered shift-left security at scale and the cultural changes that enabled their wins
- Building continuous assurance: practical approaches to integrating runtime monitoring and automated remediation into CI/CD pipelines
An interactive session where attendees collaborate to handle a simulated security breach in a live application, focusing on rapid response and mitigation.
Explore how application security challenges often stem from developer experience issues and how improving DevX can lead to stronger security outcomes. Attendees will learn practical strategies to integrate security seamlessly into development workflows without compromising productivity.
- How friction in the developer experience leads to security workarounds and vulnerabilities
- Techniques for embedding security tools and checks into IDEs and CI/CD pipelines to streamline DevX
- Measuring success: key metrics and feedback loops that align security goals with developer productivity
Even the most capable developers can fall prey to hidden pitfalls when integrating cryptography into applications. This demo session shines a spotlight on common missteps—from poorly implemented encryption libraries to dangerous key management shortcuts—and illustrates how to prevent these errors in your own code.
- Identifying classic cryptographic mistakes that put data at risk
- Pinpointing faulty assumptions in encryption key management and usage
- Demonstrating real-world consequences of cryptographic misconfigurations
- Sharing proven best practices to embed robust encryption throughout the development cycle
This panel convenes security leaders to discuss how software assurance has evolved from periodic testing to continuous, integrated validation throughout the development lifecycle. Participants will explore emerging tools, standards, and cultural shifts that redefine how organisations ensure software trustworthiness today.
- How has the adoption of DevOps and CI/CD pipelines transformed traditional software assurance practices, and what new skills do teams need?
- In what ways are automation and shift-left testing changing when and how assurance activities are performed?
- How are emerging frameworks impacting software assurance strategies and investments?
- What role do runtime monitoring and continuous verification play in complementing pre-release security checks, and how can teams balance speed with thoroughness?
Select a topic of discussion and engage in an interactive roundtable discussion with a group of your like-minded peers.
Learn how AI and machine learning are transforming application security by automating threat detection, vulnerability assessment, and remediation. Attendees will gain insights into real-world use cases and practical considerations for integrating AI-driven tools into existing AppSec workflows.
- How AI-powered scanning and fuzzing are uncovering complex vulnerabilities faster than traditional methods
- The role of machine learning in prioritising findings and reducing false positives for security teams
- Ethical and practical challenges when relying on AI models—data quality, model drift, and explainability considerations
A lively debate on the effectiveness of automated security tools versus manual testing methods in ensuring application security.
Who Attends?
Chief Technology Officer
Chief Information Security Officer
Head of Application Security
Head of DevSecOps
Head of Cybersecurity
VP Engineering
Product Security Director
DevOps Director
Developer Experience Manager
Release and Environment Manager
Platform Engineering Director
Software Engineering Manager
Cybersecurity Engineering Director
API Security Manager
Testing Manager
Event Location
Collins Square Events Centre

Get In Touch
Contact our event team for any enquiry

Danny Perry
For sponsorship opportunities.

Lili Munar
For guest and attendee enquiries.

Ben Turner
For speaking opportunities & content enquiries.

Taylor Stanyon
For event-related enquiries.