Beat the rush and join us early for complimentary barista-made coffee and breakfast.

AI-assisted development is reshaping how software is built but it’s also introducing new risks across the SDLC, from generated code to autonomous workflows. This session explores how organisations are embedding Secure by Design principles and modern defensible architecture to maintain control, visibility, and trust as AI becomes part of everyday engineering.

You’ll learn how leading teams are evolving their security models to support speed without compromising resilience in an increasingly AI-driven environment.

• How to embed Secure by Design principles into AI-assisted development workflows
• What defensible architecture looks like when code is increasingly AI-generated
• Practical approaches to maintaining control, visibility, and trust as AI scales across the SDLC

‍

‍

While teams focus on improving model performance and speed, new AI-specific security risks are quietly entering production.

In this session Suganthi will cover:

• Where traditional security practices fall short in AI-driven development.
• Why existing approaches to application security need to evolve.
• How developers can identify and fix these issues early without slowing innovation down.

‍

Modern applications run on layered platforms, third-party extensions, and AI assisted development and tooling, each introducing dependencies that traditional supply chain controls struggle to track. Even with SBOMs and automated scanning, teams are seeing supply chain risk surface in production through transitive packages, platform abstractions, and components that weren’t visible at build time.

‍

This panel explores how supply chain risks are actually surfacing in real environments and what effective control looks like when dependency sprawl is structural, not accidental.

‍

We'll Cover

• Where SBOMs help in practice and where they still fall short
• How layered platforms, third-party extensions, and AI era tooling introduce new blind spots
• What transitive dependencies, dormant packages, and platform abstractions mean for real-world risk
• Practical approaches for regaining control without killing development velocity

In this innovative session, attendees will be faced with a series of scenarios that they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action.

‍

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

‍

Will we collectively choose the right course of action?

AI is changing how software gets written. Code is no longer produced line by line by a single developer. It is generated, refactored, and stitched together by AI tools at a speed traditional review processes were never designed to handle. Yet many AppSec programs are still relying on the same manual reviews, static rules, and approval gates built for a pre-AI era.

This keynote explores why secure code review is breaking down as AI becomes a core part of development, where existing practices create false confidence, and what needs to change to keep risk under control without slowing teams to a crawl.

‍

The speaker will cover:

• Why AI-generated code shifts risk from individual lines to system-level behaviour
• Where traditional code review and SAST fail in high-velocity, AI-assisted pipelines
• How leading teams are redesigning review around intent, context, and ownership
• Practical ways to evolve secure code review for AI-native development in the next 12 months

‍

Last year, our team faced a critical problem: every AI agent deployed required weeks of custom identity work before it could reach production. Authentication, authorisation, audit trails, compliance, all built from scratch.

In this hands-on session, I’ll show how we solved it by embedding identity directly into AI code generation from the start, not bolting it on later.

You’ll see the before and after: a slow, risky workflow replaced by identity-first generation with built-in governance. Through a live demo, I’ll show how we moved to production-ready agents in days, reclaimed 20% of dev capacity, and redirected it into higher-value work.

‍

Key Takeaways:

• Why custom identity code kills AI velocity and how to remove it
• How to reclaim dev capacity without sacrificing security or compliance
• A path to production-ready AI that doesn’t slow teams down

‍

Modern engineering teams move fast, and AppSec teams are constantly negotiating when to block, when to slow down, and when to accept risk to keep delivery on track. As exceptions, waivers, and temporary approvals become part of everyday workflows, many organisations struggle to understand what risks they’ve accepted, why they accepted them, and whether those decisions are still defensible months later. 

‍

This panel explores how high-performing teams balance speed with security, how they document and monitor accepted risk, and the frameworks that keep fast-moving environments accountable.

‍

The panel will cover:

• How teams decide when risk acceptance is justified and when it isn’t
• Practical approaches to tracking exceptions, waivers, and approvals over time
• Techniques for documenting context so decisions remain defensible later
• How AppSec and engineering collaborate to keep velocity without losing control

‍

Select a topic of discussion and engage in an interactive roundtable discussion with a group of your like-minded peers.

Put your knowledge to the test in this fast-paced quiz covering real-world trivia, key concepts, and emerging trends. Compete for bragging rights - and a travel voucher - as the top scorer takes the crown.

‍

Most security programs have matured around AI-generated code risks, but a critical gap remains: the injection surface introduced by autonomous AI agents. Gaurav Vikash, Head of Security and Risk, Apac at Axon presents hands-on testing across Claude Desktop with MCP tooling, browser-based agents, and document processing pipelines, with demos highlighting where trust models fail and where they still hold.  

Key Takeaways:

• Understand how second-order prompt injection emerges when agents retrieve and process external content.  
• See concrete examples of where trust boundaries break across common AI agent deployments.  
• Learn how to evaluate and strengthen trust models to mitigate these emerging risks.  

‍

APIs power every modern product, yet organisations continue to face the same breach patterns year after year: over-permissioned data exposure, zombie endpoints left running long after teams move on, and orphaned microservices no one remembers owning. As architectures become more distributed and engineering velocity accelerates, the real challenge isn’t building APIs, it’s controlling their sprawl. 

‍

This session explores why API security has fallen behind, why traditional controls haven’t kept pace, and what needs to change for teams to finally get ahead of the problem.

‍

The speaker will cover:

• Why API sprawl creates persistent security blind spots
• How over-permissioned data, zombie endpoints, and orphaned services become breach paths
• What leading teams are doing to regain visibility and ownership
• Practical steps to modernize API security in the next year

AppSec teams sit at the center of fast-moving engineering organisations, yet there’s still no consensus on how they should be structured, what they should own, or how much authority they should have to slow things down. 

‍

This interactive session puts those debates on the screen literally. The audience votes live on five core questions covering team design, ownership boundaries, blocking power, developer experience, and how AI is reshaping the AppSec operating model. We explore the results, debate the trade-offs, then vote again to see if perspectives shift in real time.

‍

This session will cover:

• How structure and ownership shape AppSec’s influence
• When blocking authority helps or harms engineering velocity
• How AI is forcing teams to rethink traditional operating models
• What leading organisations are learning about building developer-first AppSec

‍

Unwind with your peers for a couple of drinks on us!