Subject: OWASP Certified
Wednesday, February 12
 

1:00pm PST

OWASP Security Summit: AI and the Gaming Industry: Risks, Rewards, and the Future
Wednesday February 12, 2025 1:00pm - 1:25pm PST
Tanya "SheHacksPurple" Janca, SheHacksPurple, Secure Coding Trainer
OWASP Certified 
Speakers
Tanya "SheHacksPurple" Janca

Secure Coding Trainer, SheHacksPurple
Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security' and 'Cards Against AppSec'. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and...
Wednesday February 12, 2025 1:00pm - 1:25pm PST
Dev Security World Stage

3:00pm PST

OWASP Security Summit: 30 Tips for Secure JavaScript
Wednesday February 12, 2025 3:00pm - 3:25pm PST
Tanya "SheHacksPurple" Janca, SheHacksPurple, Secure Coding Trainer
OWASP Certified 

In this talk, we will cover 30 tips for writing more secure JavaScript, emphasizing what to do, what NOT to do, and utilizing open-source tooling to enhance security. JavaScript is not only the most popular web programming language, but it also faces security threats like XSS and code injection, meaning we need to ensure our JavaScript is tough, rugged, and secure. We’ll touch only upon items that are specific to JavaScript, as opposed to agnostic topics that apply to all languages, such as encryption or authentication. By the end, you’ll gain insights into selecting the best framework, adopting secure coding practices, and leveraging tools for web application security, catering to both seasoned developers and beginners seeking practical guidance. 
Speakers
Tanya "SheHacksPurple" Janca

Secure Coding Trainer, SheHacksPurple
Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security' and 'Cards Against AppSec'. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and...
Wednesday February 12, 2025 3:00pm - 3:25pm PST
Dev Security World Stage

3:30pm PST

OWASP Security Summit: Beyond Bounty - How Breaking Helps Building
Wednesday February 12, 2025 3:30pm - 3:55pm PST
Kevin Hemmingsen, BugCrowd, Director of Trust & Security
OWASP Certified  

Statistics and real-world examples of the benefit of collaboration between developers and security researchers
Speakers
Kevin Hemmingsen

Director of Trust & Security, BugCrowd
Wednesday February 12, 2025 3:30pm - 3:55pm PST
Dev Security World Stage
  Dev Security World
 
Thursday, February 13
 

9:30am PST

OWASP Security Summit: OWASP Top 10 Risks to LLM Applications - A Developer’s View
Thursday February 13, 2025 9:30am - 9:55am PST
Krishna Sankar, U.S. Bank, SVP/Distinguished Engineer
OWASP Certified 

Speakers
Krishna Sankar

SVP/Distinguished Engineer, U.S. Bank
SVP/Distinguished Engineer − Generative AI Red Teaming, Guardrails & Explainability @ U.S. Bank. Krishna is a Technologist with broader experience in AI, Data Science, Security and Networks. Working on building intelligence - maybe even a JARVIS! Love to write, teach and develop...
Thursday February 13, 2025 9:30am - 9:55am PST
Dev Security World Stage
  Dev Security World

10:00am PST

OWASP Security Summit: Breaking Down Silos: Enhancing Security in AppSec Programs
Thursday February 13, 2025 10:00am - 10:25am PST
Aruneesh Salhotra, Seasoned Technologist
OWASP Certified 

In today’s interconnected world, organizational silos pose a significant challenge to effective application security (AppSec). These silos—rooted in specialization, control structures, and cultural divides—impede communication and collaboration, weakening overall security efforts.
This presentation will explore the causes and impacts of organizational silos on security programs and demonstrate how breaking these barriers can strengthen coordination and foster a unified security culture. Attendees will gain insights into why silos form, their detrimental effects on security initiatives, and actionable strategies to overcome them.
A Few Key Takeaways:
• Understanding Silos: How specialization and cultural divides create barriers.
• Impact on Security: The risks silos introduce to AppSec programs.
• Practical Strategies: Approaches such as cross-functional training, creating shared security visions, and initiating collaborative initiatives to dismantle silos.
• Building a Unified Culture: Empowering every team member, not just the security team, to contribute to application security.

Speakers
Aruneesh Salhotra

Seasoned Technologist
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Thursday February 13, 2025 10:00am - 10:25am PST
Dev Security World Stage

10:30am PST

OWASP Security Summit: The Security-Developer Love Story: Moving from ‘No’ to ‘Let’s Go'
Thursday February 13, 2025 10:30am - 10:55am PST
Wendy Segura, Sage, Security Engineer
Andra Lezza, Sage, Principal Application Security Specialist

OWASP Certified 
Speakers
Andra Lezza

Principal Application Security Specialist, Sage
Andra is a Principal Application Security Specialist at Sage, with over seven years of experience in the field of application security. She is responsible for implementing DevSecOps practices, conducting security assessments, and developing secure coding guidelines for software engineering...

Wendy Segura

Security Engineer, Sage
Wendy Segura is a Security Engineer at Sage who specializes in building secure, scalable technology solutions. With over a decade of experience in cybersecurity, process optimization, and security client advisor, she focuses on developing robust security frameworks, conducting comprehensive...
Thursday February 13, 2025 10:30am - 10:55am PST
Dev Security World Stage

11:00am PST

OWASP Security Summit: F*** Security: We’ll do it Live
Thursday February 13, 2025 11:00am - 11:50am PST
Jason Haddix, Arcanum Information Security, CEO, CISO, and “Hacker in Charge” 
OWASP Certified 

Security at the speed of dev, making secure choices in design, and making security invisible and easy for developers for any size org 
Speakers
Jason Haddix

CEO, CISO, and “Hacker in Charge”, Arcanum Information Security
Jason Haddix AKA jhaddix is the CEO, CISO, and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world-class assessment and training company. Jason also holds the title of Field CISO for Flare.io, a world-class threat intelligence platform. Jason has had a distinguished...
Thursday February 13, 2025 11:00am - 11:50am PST
Dev Security World Stage

1:00pm PST

OWASP Security Summit: OWASP SamuraiWTF for All the Developer Ninjas
Thursday February 13, 2025 1:00pm - 1:25pm PST
Kevin Johnson, Secure Ideas, Chief Executive Officer
Jason Gillam, Secure Ideas,  CIO
OWASP Certified 

The best security training environment for Developers and AppSec Professionals
Speakers
Jason Gillam

CIO, Secure Ideas
Jason Gillam is Chief Information Officer (CIO) at Secure Ideas and an IANS faculty member. He has over 20 years of industry experience in enterprise software development, system architecture, and application security. Jason has spent most of his career in technical leadership roles...

Kevin Johnson

Chief Executive Officer, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...
Thursday February 13, 2025 1:00pm - 1:25pm PST
Dev Security World Stage

1:30pm PST

OWASP Security Summit: Securing Python Lab
Thursday February 13, 2025 1:30pm - 1:55pm PST
Guled Abdilahi, Staff Engineer
OWASP Certified

In this lightning talk, we’ll explore some of the most frequent pitfalls Python developers encounter that can lead to security vulnerabilities. You'll learn how to quickly identify these issues and implement practical solutions to address them.
We'll also showcase a selection of open-source tools and resources designed to streamline your development workflow and enhance the security of your projects. Whether you're a beginner or a seasoned developer, this talk will provide actionable insights to help you write better, safer Python code.

Speakers
Guled Abdilahi

Staff Engineer
Guled Abdilahi has spent the past decade building and defending software systems across diverse industries, including fintech, telecommunications, media, and entertainment. From working hands-on with developers to secure petabyte-scale data pipelines to directly securing millions...
Thursday February 13, 2025 1:30pm - 1:55pm PST
Dev Security World Stage

2:00pm PST

OWASP Security Summit: 15 Ways to Break Microsoft Copilot
Thursday February 13, 2025 2:00pm - 2:25pm PST
Tamir Ishay Sharbat, Zenity, Software Engineer
OWASP Certified 

Microsoft Copilot Studio is the technology that powers Microsoft's copilots, and the platform behind custom copilots built in the enterprise. The promise is that everyone can build a secure copilot, under the assumption that every bot will be secure by default. Does it hold under scrutiny?

In this talk, we will show how Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data, circumventing existing controls like DLP. We will show how a combination of insecure defaults, over-permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to a material impact on integrity and confidentiality.

Next, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.

Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft's platform, and generalized insights on how to build secure and reliable Copilots.
Security at the speed of dev, making secure choices in design, and making security invisible and easy for developers for any size org
 

Speakers
Tamir Ishay Sharbat

Software Engineer, Zenity
Tamir Ishay Sharbat is a Software Engineer focused on AI with Zenity
Thursday February 13, 2025 2:00pm - 2:25pm PST
Dev Security World Stage

2:30pm PST

OWASP Security Summit: How to be a Security Champion
Thursday February 13, 2025 2:30pm - 2:55pm PST
Marisa Fagan, Katilyst, Head of Product
OWASP Certified 
Speakers
Marisa Fagan

Head of Product, Katilyst
Thursday February 13, 2025 2:30pm - 2:55pm PST
Dev Security World Stage
 
Wednesday, February 19
 

12:30pm PST

[Virtual] OWASP Security Summit: Security At Your Service (SAUS)
Wednesday February 19, 2025 12:30pm - 12:55pm PST
Cam Johnson, The Cyber Crew & Entertainment Technology Leader, Founder
OWASP Certified 

Cybersecurity organizations exist because of the technical innovations driven by the businesses they protect. For security to truly serve its purpose, engineers must understand their critical role in shaping the growth and effectiveness of these organizations.


As an engineer, you are uniquely positioned to be a catalyst for meaningful change. By embracing security as part of your process, you empower your organization to grow stronger and more resilient. Security is not just a requirement—it’s an opportunity to set higher standards. Challenge the status quo and demand excellence.


Key Points:
1. You Are the Change Agent
• Cybersecurity supports the innovations you create. Own your role in leading the charge.
2. Own Security as Part of Your Job
• Embrace it as an essential element, not an external responsibility.
3. Challenge Inefficiencies
• Push for smarter, more effective ways to integrate security into workflows.
4. Inform and Engage Leadership
• Your leaders own the risk. Make them aware of the challenges and opportunities.
5. Push Back with Purpose
• Advocate for solutions that benefit both security and productivity.
6. Build Alliances
• Find allies across teams who share your vision for a stronger, more secure organization.
 

Speakers
Cam Johnson

Founder, The Cyber Crew & Entertainment Technology Leader
Wednesday February 19, 2025 12:30pm - 12:55pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

1:00pm PST

[Virtual] OWASP Security Summit: AI and the Gaming Industry: Risks, Rewards, and the Future
Wednesday February 19, 2025 1:00pm - 1:25pm PST
Tanya "SheHacksPurple" Janca, SheHacksPurple, Secure Coding Trainer
OWASP Certified 
Speakers
Tanya "SheHacksPurple" Janca

Secure Coding Trainer, SheHacksPurple
Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security' and 'Cards Against AppSec'. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and...
Wednesday February 19, 2025 1:00pm - 1:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

2:00pm PST

[Virtual Exclusive] OWASP Security Summit: Building a Network Telemetry Platform to minimize Security Threats
Wednesday February 19, 2025 2:00pm - 2:25pm PST
Siri Varma Vegiraju, Microsoft, Senior Software Engineer

Maintaining robust network security in the cloud environment is more crucial than ever. This talk explores the design and implementation of a proactive network telemetry platform that strengthens infrastructure security. The platform collects and analyzes telemetry data from virtual machines to identify and scrutinize traffic patterns deviating from industry-standard baselines. By generating actionable insights and promptly notifying relevant teams of potential issues, it enables swift problem resolution. This proactive approach significantly reduces the attack surface, minimizes exposure to network attacks, and enhances overall cloud security. 
Speakers
Siri Varma Vegiraju

Senior Software Engineer, Microsoft
Siri Varma Vegiraju is a seasoned professional in healthcare, cloud computing, and security. Currently, he focuses on securing Azure Cloud workloads, leveraging his extensive experience in distributed systems and real-time streaming solutions. Prior to his current role, Siri contributed...
Wednesday February 19, 2025 2:00pm - 2:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

2:30pm PST

[Virtual] OWASP Security Summit: API Security 101: How to Not Be Featured in a Top Ten Breaches List
Wednesday February 19, 2025 2:30pm - 2:55pm PST
Dan Barahona, APISec, Co-Founder

This talk will dive into the fundamentals and best practices for API Security. By understanding the 3 Pillars of API Security, encompassing governance, testing and monitoring, attendees will gain a comprehensive understanding of the essential elements required to safeguard APIs. The session will conclude with practical insights, offering best practices and valuable do's and don'ts for implementing and maintaining secure APIs.

Why are APIs under attack?
- 83% of internet traffic is APIs
- APIs are under-secured

How do APIs get attacked?
Attackers look for APIs that are over-permissioned, return too much information, access unauthorized functions, and expose logic flaws. Attackers are able to bypass a web or mobile app and hit the API directly.

OWASP Top 10!!
#1-#4 are the biggest issues

More compliance regulations are including testing APIs.
- PCI
- HIPAA
- GDPR
- FedRAMP
Speakers
Dan Barahona

Co-Founder, APIsec University
Dan is a 20+ year cybersecurity veteran, having held exec positions at companies including Qualys, ArcSight, Anomali and APIsec. He founded APIsec University in 2022 to offer free, non-vendor training on API security. The site has grown to over 50,000 students in its first 6 months...
Wednesday February 19, 2025 2:30pm - 2:55pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

3:00pm PST

[Virtual] OWASP Security Summit: 30 Tips for Secure JavaScript
Wednesday February 19, 2025 3:00pm - 3:25pm PST
Tanya "SheHacksPurple" Janca, SheHacksPurple, Secure Coding Trainer
OWASP Certified 

In this talk, we will cover 30 tips for writing more secure JavaScript, emphasizing what to do, what NOT to do, and utilizing open-source tooling to enhance security. JavaScript is not only the most popular web programming language, but it also faces security threats like XSS and code injection, meaning we need to ensure our JavaScript is tough, rugged, and secure. We’ll touch only upon items that are specific to JavaScript, as opposed to agnostic topics that apply to all languages, such as encryption or authentication. By the end, you’ll gain insights into selecting the best framework, adopting secure coding practices, and leveraging tools for web application security, catering to both seasoned developers and beginners seeking practical guidance. 
Speakers
Tanya "SheHacksPurple" Janca

Secure Coding Trainer, SheHacksPurple
Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security' and 'Cards Against AppSec'. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and...
Wednesday February 19, 2025 3:00pm - 3:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

3:30pm PST

[Virtual] OWASP Security Summit: Beyond Bounty - How Breaking Helps Building
Wednesday February 19, 2025 3:30pm - 3:55pm PST
Kevin Hemmingsen, BugCrowd, Director of Trust & Security
OWASP Certified  

Statistics and real-world examples of the benefit of collaboration between developers and security researchers
Speakers
Kevin Hemmingsen

Director of Trust & Security, BugCrowd
Wednesday February 19, 2025 3:30pm - 3:55pm PST
VIRTUAL AI DevWorld Main Stage https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception
 
Thursday, February 20
 

9:30am PST

[Virtual] OWASP Security Summit: OWASP Top 10 Risks to LLM Applications - A Developer’s View
Thursday February 20, 2025 9:30am - 9:55am PST
Krishna Sankar, U.S. Bank, SVP/Distinguished Engineer
OWASP Certified 

Speakers
Krishna Sankar

SVP/Distinguished Engineer, U.S. Bank
SVP/Distinguished Engineer − Generative AI Red Teaming, Guardrails & Explainability @ U.S. Bank. Krishna is a Technologist with broader experience in AI, Data Science, Security and Networks. Working on building intelligence - maybe even a JARVIS! Love to write, teach and develop...
Thursday February 20, 2025 9:30am - 9:55am PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception
  Dev Security World

10:00am PST

[Virtual] OWASP Security Summit: Breaking Down Silos: Enhancing Security in AppSec Programs
Thursday February 20, 2025 10:00am - 10:25am PST
Aruneesh Salhotra, Seasoned Technologist
OWASP Certified 

In today’s interconnected world, organizational silos pose a significant challenge to effective application security (AppSec). These silos—rooted in specialization, control structures, and cultural divides—impede communication and collaboration, weakening overall security efforts.
This presentation will explore the causes and impacts of organizational silos on security programs and demonstrate how breaking these barriers can strengthen coordination and foster a unified security culture. Attendees will gain insights into why silos form, their detrimental effects on security initiatives, and actionable strategies to overcome them.
A Few Key Takeaways:
• Understanding Silos: How specialization and cultural divides create barriers.
• Impact on Security: The risks silos introduce to AppSec programs.
• Practical Strategies: Approaches such as cross-functional training, creating shared security visions, and initiating collaborative initiatives to dismantle silos.
• Building a Unified Culture: Empowering every team member, not just the security team, to contribute to application security.

Speakers
Aruneesh Salhotra

Seasoned Technologist
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Thursday February 20, 2025 10:00am - 10:25am PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

10:30am PST

[Virtual] OWASP Security Summit: The Security-Developer Love Story: Moving from ‘No’ to ‘Let’s Go'
Thursday February 20, 2025 10:30am - 10:55am PST
Wendy Segura, Sage, Security Engineer
Andra Lezza, Sage, Principal Application Security Specialist

OWASP Certified 
Speakers
Andra Lezza

Principal Application Security Specialist, Sage
Andra is a Principal Application Security Specialist at Sage, with over seven years of experience in the field of application security. She is responsible for implementing DevSecOps practices, conducting security assessments, and developing secure coding guidelines for software engineering...

Wendy Segura

Security Engineer, Sage
Wendy Segura is a Security Engineer at Sage who specializes in building secure, scalable technology solutions. With over a decade of experience in cybersecurity, process optimization, and security client advisor, she focuses on developing robust security frameworks, conducting comprehensive...
Thursday February 20, 2025 10:30am - 10:55am PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

11:00am PST

CANCELLED -- [Virtual] OWASP Security Summit: F*** Security: We’ll do it Live
Thursday February 20, 2025 11:00am - 11:50am PST
Jason Haddix, Arcanum Information Security, CEO, CISO, and “Hacker in Charge” 
OWASP Certified 

Security at the speed of dev, making secure choices in design, and making security invisible and easy for developers for any size org 
Speakers
Jason Haddix

CEO, CISO, and “Hacker in Charge”, Arcanum Information Security
Jason Haddix AKA jhaddix is the CEO, CISO, and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world-class assessment and training company. Jason also holds the title of Field CISO for Flare.io, a world-class threat intelligence platform. Jason has had a distinguished...
Thursday February 20, 2025 11:00am - 11:50am PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

1:00pm PST

[Virtual] OWASP Security Summit: OWASP SamuraiWTF for All the Developer Ninjas
Thursday February 20, 2025 1:00pm - 1:25pm PST
Kevin Johnson, Secure Ideas, Chief Executive Officer
Jason Gillam, Secure Ideas,  CIO
OWASP Certified 

The best security training environment for Developers and AppSec Professionals
Speakers
Jason Gillam

CIO, Secure Ideas
Jason Gillam is Chief Information Officer (CIO) at Secure Ideas and an IANS faculty member. He has over 20 years of industry experience in enterprise software development, system architecture, and application security. Jason has spent most of his career in technical leadership roles...

Kevin Johnson

Chief Executive Officer, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...
Thursday February 20, 2025 1:00pm - 1:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

1:30pm PST

[Virtual] OWASP Security Summit: Securing Python Lab
Thursday February 20, 2025 1:30pm - 1:55pm PST
Guled Abdilahi, Staff Engineer
OWASP Certified

In this lightning talk, we’ll explore some of the most frequent pitfalls Python developers encounter that can lead to security vulnerabilities. You'll learn how to quickly identify these issues and implement practical solutions to address them.
We'll also showcase a selection of open-source tools and resources designed to streamline your development workflow and enhance the security of your projects. Whether you're a beginner or a seasoned developer, this talk will provide actionable insights to help you write better, safer Python code.

Speakers
Guled Abdilahi

Staff Engineer
Guled Abdilahi has spent the past decade building and defending software systems across diverse industries, including fintech, telecommunications, media, and entertainment. From working hands-on with developers to secure petabyte-scale data pipelines to directly securing millions...
Thursday February 20, 2025 1:30pm - 1:55pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

2:00pm PST

[Virtual] OWASP Security Summit: 15 Ways to Break Microsoft Copilot
Thursday February 20, 2025 2:00pm - 2:25pm PST
Tamir Ishay Sharbat, Zenity, Software Engineer
OWASP Certified 

Microsoft Copilot Studio is the technology that powers Microsoft's copilots, and the platform behind custom copilots built in the enterprise. The promise is that everyone can build a secure copilot, under the assumption that every bot will be secure by default. Does it hold under scrutiny?

In this talk, we will show how Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data, circumventing existing controls like DLP. We will show how a combination of insecure defaults, over-permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to a material impact on integrity and confidentiality.

Next, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.

Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft's platform, and generalized insights on how to build secure and reliable Copilots.
Security at the speed of dev, making secure choices in design, and making security invisible and easy for developers for any size org
 

Speakers
Tamir Ishay Sharbat

Software Engineer, Zenity
Tamir Ishay Sharbat is a Software Engineer focused on AI with Zenity
Thursday February 20, 2025 2:00pm - 2:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception

3:00pm PST

[Virtual] OWASP Security Summit: How to be a Security Champion
Thursday February 20, 2025 3:00pm - 3:25pm PST
Marisa Fagan, Katilyst, Head of Product
OWASP Certified 
Speakers
Marisa Fagan

Head of Product, Katilyst
Thursday February 20, 2025 3:00pm - 3:25pm PST
VIRTUAL Dev Security World https://app.events.ringcentral.com/events/developerweek-productworld-ai-devworld-2025/reception
 
