
  • AppSec & DevSecOps Sydney

  • 08:20

    Register; grab a coffee. Mix, mingle and say hello to peers old and new.

  • 09:00

    Welcome from Corinium and the Chairperson

    Shikha Chandna - Product Security Transformation Lead - Growing Tech Companies

  • 09:10
    Speed Networking

    Speed Networking – Making new connections!


    In this 10-minute networking session, the goal is to connect with three new people. Let the questions on the screen spark your conversation. Enjoy the opportunity to expand your network!  

  • 09:20
    Panel Discussion

    Panel: From SDLC to SSDLC: Making Security Part of the Definition of Done


    Too often security is still a final gate. Shifting to SSDLC means embedding security into every sprint and backlog item. This panel explores how organisations are approaching the shift and what it takes to make it stick.

    • What does embedding security into agile delivery look like at different maturity levels?
    • How can friction between security and development be reduced?
    • What cultural or organisational shifts are most critical to sustain SSDLC?

    Moderator: Tim Pollock - Head of Cyber Security Operations - Beyond Bank Australia

    Panellists:

    Akella Divyatej - Senior Application Security Engineer - Endeavour Group

    Nina Juliadotter - Application Security Practice Lead - Westpac

    Amith Raj - Head of Information Security - Fluent Commerce

  • 09:55

    Securing APIs as the New Perimeter in DevSecOps Pipeline

    Srinivas Karthik - Principal Product Security Engineer - CBA


    As applications become increasingly API-driven, the traditional notion of a network perimeter has dissolved. APIs now serve as the entry points to critical data and services, and attackers are quick to exploit them. Securing this new perimeter requires a shift in mindset, where API security is woven into the DevSecOps pipeline from design through deployment. This session explores how leading teams are tackling API threats, embedding security controls into CI/CD workflows, and ensuring that innovation does not outpace protection. 

  • 10:20
    Sponsor presentation

    From Blind Spots to Shared Context: Turning Observability into DevSecOps Signals


    DevSecOps thrives on shared context, but modern security needs more than traditional observability. In this session, we’ll show how combining APM, real-user monitoring, traces, code-level vulnerability detection, and cloud configuration checks offers both sides of the house what they need. Alongside this, we’ll hear real-world experience from Benjamin Norris, General Manager of Product & Technology at Fone Dynamics, on how unifying observability and security has helped accelerate security compliance while maintaining clear visibility across their threat landscape. DevSecOps ensures secure design, while SecOps detects threats in production. We’ll connect these worlds—from preventing misconfigurations to spotting suspicious activity—showing how shared telemetry enables security operations and DevSecOps teams to collaborate seamlessly.

    Speakers:

    Matthew Moore - Principal Observability Strategist APJ - Datadog

    Benjamin Norris - General Manager of Product & Technology - Fone Dynamics


  • 10:45

    Transition Journeys: How Organisations Matured their DevSecOps Practice

    Claude Wittebron - Lead Security Engineer - Hipages Group


    Shifting from DevOps to DevSecOps is rarely straightforward. Organisations often encounter cultural resistance, tool sprawl, and uncertainty about what maturity really looks like. This session explores how teams navigated these challenges, what slowed them down, and the turning points that helped security become part of their development DNA.

  • 11:10
    Break

    Morning Coffee and Connect

  • 11:40

    Frog-proof security: How to Confidently Ignore 88% of Your Critical Vulnerabilities

    Mike Holland - Senior Solutions Engineer - JFrog


    What does the future hold for software supply chain security in 2026? As the types and volume of software entering organisations continue to evolve, DevSecOps teams face increasingly complex challenges, including:

    • How can organisations effectively manage what enters their systems?
    • How can remediation be accelerated without sacrificing accuracy?
    • How will the rise of AI reshape our threat landscape, and can DevOps and security unite without adding friction?

    In this session, we will explore key insights into the looming challenges of software supply chain security and how they will transform operational practices. By analysing recent high-profile supply chain attacks in npm, we will expose malicious threats and offer practical, actionable solutions to mitigate both current and emerging risks. As our attack surfaces shift alongside evolving technologies, join us to discover innovative strategies and capabilities that seamlessly reintegrate security into DevSecOps. 

  • 12:05
    Panel Discussion

    Panel: Move Beyond Compliance – How to Measure ROI and Communicate Security’s Business Impact


    Compliance alone doesn’t prove security’s value. Executives want clear measures of risk reduction, business enablement and resilience. This panel explores how to link DevSecOps to business impact and communicate it in terms that matter to decision-makers.

    • Which metrics and frameworks resonate with senior management the most?
    • How can security leaders frame their impact in business terms rather than cost?
    • What reporting practices have worked in helping organisations secure greater buy-in and investment?

    Moderator: Neha Boora - DevOps Manager - Class

    Panellists:

    Didar Chy - Information Technology Security Architect - Reserve Bank of Australia

    Richard Hawkes - Senior Manager, DevSecOps & Platform Engineering - ASX

    Grace Aulakh - Cyber Security Manager - LEAP Dev

  • 12:35

    Shai-Hulud & the Nx Campaign: When Your Dependencies Turn on You

    Cameron Townshend - Principal Solutions Architect APJ - Sonatype

    Modern JavaScript applications live and die by their dependencies—but what happens when those dependencies turn hostile? In this session, hear from Cameron as he unpacks the Shai-Hulud npm worm and its connection to the Nx ecosystem, tracing how a single compromised package can ripple through the supply chain. You’ll learn how the attack worked, why it was effective, and—most importantly—practical steps to avoid getting owned by your own package.json.
  • 13:00

    Lunch

  • 14:00
    Sponsor Presentation

    Secure Application Lifecycle Management in Regulated Industries


    Join this session as Abdullah and Malik share insights on aligning Software Engineering and Application Security to secure the full application lifecycle, powered by DevOps1. Drawing on real-world experience from highly regulated environments, this session explores how organisations are shifting security left through practical threat modelling, automated risk detection, and policy-driven exemption handling embedded directly into delivery pipelines. The discussion also covers the use of smart guardrails to protect sensitive and regulated data while enabling teams to deliver critical services at pace, without compromising compliance or operational outcomes.

    Abdullah Muhammad - Application Defence Manager, Technology Security - Bupa

    Malik Ayub - Principal Consultant - DevOps1

  • 14:25

    Giving Your AI Agent a Security Conscience

    Suganthi Krishnavathi - Staff Solutions Engineer - Snyk


    Vibecoding is the ultimate productivity rush, but it often leaves security as an afterthought. This talk demonstrates how to give your AI agent a "security conscience" by leveraging MCP servers and rules to inject real-time vulnerability intelligence directly into the LLM’s reasoning loop. You’ll walk away with a practical framework for automated remediation rules that force AI to scan, identify and fix its own bugs before the code ever leaves the chat.

  • 14:50
    Panel Discussion

    Panel: Plugins and Extensions in the Dev Toolchain - New Vectors for Supply Chain Attacks


    Plugins and extensions accelerate development and connect the modern toolchain, but they’re also unvetted third-party code that can introduce hidden risks. Attackers are increasingly targeting them as weak links in the software supply chain.

    • Should plugins and extensions be treated as part of the software supply chain, and if so, who owns their security?
    • How do we balance developer freedom to install tools with the need for governance and risk control?
    • What practical steps can teams take to detect, manage, and update vulnerable or malicious plugins/extensions before attackers exploit them?

    Panellists:

    Anmol Atkin - Infrastructure Security Engineer - Culture Amp

    Tim Pettersen - Head of Developer Experience - Atlassian

    James Green - Manager DevSecOps - NSW Education Standards Authority


  • 15:25

    Group Discussion: Shadow AI in the Enterprise - How Do We Manage What We Can’t See?

    Anmol Atkin - Infrastructure Security Engineer - Culture Amp


    As generative AI tools slip into daily workflows, much of their use happens outside formal security or governance controls. Unapproved, unmonitored, but widely adopted “shadow AI” raises critical questions about risk, compliance, and productivity. This is an open discussion for everyone to share experiences and strategies for balancing innovation with oversight.

    • How can organisations discover and track AI usage happening outside official channels?
    • What risks does shadow AI introduce and where might it actually drive positive outcomes?
    • What policies, training, or guardrails are realistic without stifling adoption?

  • 15:50

    Chair’s Closing Remarks

    Shikha Chandna - Product Security Transformation Lead - Growing Tech Companies

  • 16:00

    Afternoon tea and close of AppSec & DevSecOps Sydney 2026. Join us to reflect, connect and network over afternoon tea.