Singapore AppSec & DevSecOps Summit 2025

Arrive before 9:15am to enter the draw to win a $500 Travel Voucher!

External libraries and frameworks fuel modern application development. Equally, dependencies are a known source of security risk and often leave organisations vulnerable to breaches and compliance issues. Existing software composition analysis tools are stuck in the past. They overwhelm developers with false positives, interrupt their workflows, and otherwise make it difficult to keep up with the codeashians. In this talk, Cole Cornford will cover the latest innovations to reduce this toil and get you and your organisation up to date. Or at least to n-1. Key Takeaways include:

• The existing state of SCA and why we need to change
• How reachability and cross-correlation can reduce toil
• Streamlining the patching process and escaping circular dependencies
• Managing transitive risk with virtual patching
• Risks with adopting innovative tech

The risks in open-source AI models mirror those in traditional open-source libraries, including vulnerabilities, malicious code and licensing issues, while also introducing unique challenges when consuming the models. This talk will delve into the complexities of these risks, examining the challenges they pose and the importance of understanding them in today’s AI-driven landscape.

DevSecOps requires harmonising rapid development cycles with stringent security protocols. This panel brings together leaders to discuss best practices and hard lessons learned in achieving that equilibrium.

• Aligning developer, security, and operations goals
• Implementing guardrails without bottlenecks
• Case studies of successful (and unsuccessful) integrations
• Measuring the ROI of secure development

‍

In this innovative session, attendees will be faced with a series of scenarios that they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action. 

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

Will we collectively choose the right course of action?

We hear a lot about signing and attesting for open-source projects, but what if you’re an enterprise keeping your code under wraps? This session cuts through the hype and digs into practical strategies for securing proprietary source code—even if you’re hosting it in a cloud-based version control system. will walkthrough strategies to secure your source code and secrets used in CICD workflows

• Rolling out code signing across your organisation to prevent leaks
• Shielding valuable code assets in cloud-based VCS environments
• Highlighting the reality check on current “granular” secrets management
• Using serverless magic to plug holes and secure your tokens once and for all

This demonstration will  highlight the primary areas for application security scanning and testing phases so as to achieve an end-to-end DevSecOps workflow with a 360° view over the entire SDLC.

• Testing anywhere/everywhere using comprehensive testing technologies support
• Deliver a better insight on application posture and risk management
• Escalate the security testing across the organisation to make easier the time to market, and also enhance the security posture to comply with regulations and standards

As threats evolve, so must our defenses—anticipating the next wave of attacks is key to staying secure. This panel looks ahead to emerging vulnerabilities and how the industry can prepare.

• Shifting from reactive to predictive security models
• AI-powered threats and defenses
• The impact of quantum computing on encryption
• Regulatory and compliance pressures shaping security policies

Choose 1 topic to join on the day!

1. Continuous Security Testing
2. Shifting Security Left
3. Starting and Growing Your AppSec Program
4. AI-Driven Threat Detection

Enter our quiz throughout the day to win a $500 Travel Voucher... winners will be drawn after lunch!

Generative AI, data analytics, and cloud-native technologies are revolutionizing secure application engineering. As enterprises modernise their software stacks and shift towards agile, cloud-first models, there's an urgent need to ‘embed security deeply and intelligently’ throughout the development lifecycle. This session demonstrates how AI can serve as a force multiplier in DevSecOps - reducing complexity, accelerating delivery, and enabling continuous compliance across evolving cloud architectures.

• Leverage AI in DevSecOps: How AI and Analytics can proactively identify vulnerabilities, automate security testing, and enhance decision-making across the CI/CD pipeline
• Evolve Engineering Practices: Approaches for designing modern, AI-augmented engineering workflows that support fast iterations while embedding security by design
• Modernise Secure Architectures: Techniques for optimising cloud-native architectures to reduce cost and complexity—without sacrificing security or scalability
• Shift to Product Thinking: Moving from project-based oversight to a product-centric model that drives continuous improvement and sustained security posture
• Accelerate Cloud Transformation Securely: Best practices for aligning AI-enhanced DevSecOps with cloud migration strategies to ensure resilience, compliance, and agility

This session brings together perspectives from engineering, security leadership, and talent acquisition to debate some of the most pressing challenges in delivering AppSec and DevSecOps programs today. From talent pipelines to real-world implementation and risk management, our panel explores what it really takes to secure modern applications in the Singapore context.

• Can Singapore’s security talent market meet the pace of demand—or do we need to rethink how we build and buy capability?
• Is embedding security into development teams actually working—or do we need to recentralise to gain traction and maturity?
• Are automation tools and platforms solving talent shortages—or just shifting the risk to configuration and oversight?
• How do we balance innovation and experimentation with growing expectations around compliance and secure-by-design practices?
• Is the future of AppSec about upskilling existing teams—or attracting a whole new breed of security professionals?