
  • AppSec & DevSecOps Sydney

  • 08:20

    Register; grab a coffee. Mix, mingle and say hello to peers old and new.

  • 09:00

    Welcome from Corinium and the Chairperson

    Shikha Chandna - Senior Security Specialist - PCCW GLOBAL

  • 09:10
    Speed Networking

    Speed Networking – Making new connections!


    In this 10-minute networking session, the goal is to connect with three new people. Let the questions on the screen spark your conversation. Enjoy the opportunity to expand your network!  

  • 09:20
    Speaker

    The Next Evolution of DevSecOps: Automation, Value, and the Human Factor


    DevSecOps has moved beyond its early focus on culture change and tool adoption. The next stage is about making security intrinsic to software delivery: embedding it into agile workflows, automating compliance, and demonstrating measurable business outcomes. This keynote explores where DevSecOps is headed, tracing its evolution from culture shift to embedded practice, to automation, and ultimately to measurable outcomes. Explore how security by design is becoming central to innovation, trust, and resilience.

  • 09:45
    Panel Discussion

    Panel: From SDLC to SSDLC: Making Security Part of the Definition of Done


    Too often security is still a final gate. Shifting to SSDLC means embedding security into every sprint and backlog item. This panel explores how organisations are approaching the shift and what it takes to make it stick.

    • What does embedding security into agile delivery look like at different maturity levels?
    • How can friction between security and development be reduced?
    • What cultural or organisational shifts are most critical to sustain SSDLC?

    Panellists:

    Akella Divyatej - Senior Application Security Engineer - Endeavour Group

    Nina Juliadotter - Application Security Practice Lead - Westpac

    Dhiraj Matlani - Director Enterprise Architecture - National Disability Insurance Agency

  • 10:15
    Sponsor Presentation

    Automating Compliance at Cloud Speed: Lessons for CI/CD and DevSecOps

    As software delivery accelerates, compliance can’t be an afterthought. This session explores how leading teams embed automated controls into CI/CD pipelines, translating governance into code. Learn practical approaches to scaling compliance across DevSecOps workflows—without slowing innovation or compromising security. 
  • 10:40

    Transition Journeys: How Organisations Matured their DevSecOps Practice

    Claude Wittebron - Lead Security Engineer - Hipages Group


    Shifting from DevOps to DevSecOps is rarely straightforward. Organisations often encounter cultural resistance, tool sprawl, and uncertainty about what maturity really looks like. This session explores how teams navigated these challenges, what slowed them down, and the turning points that helped security become part of their development DNA.

  • 11:05
    Break

    Morning Coffee and Connect

  • 11:35
    Sponsor Presentation

    Automating Governance in Application Security


    This session examines how automation and policy-as-code frameworks enable continuous assurance, from code to production. Discover how teams are replacing manual reviews with self-enforcing security guardrails that bring consistency, visibility, and speed to application security governance.

  • 12:00

    Securing APIs as the New Perimeter in DevSecOps Pipeline

    Srinivas Karthick - Senior Product Security Engineer - CBA


    As applications become increasingly API-driven, the traditional notion of a network perimeter has dissolved. APIs now serve as the entry points to critical data and services, and attackers are quick to exploit them. Securing this new perimeter requires a shift in mindset, where API security is woven into the DevSecOps pipeline from design through deployment. This session explores how leading teams are tackling API threats, embedding security controls into CI/CD workflows, and ensuring that innovation does not outpace protection.

  • 12:25
    Speaker

    Red Teaming with AI: Simulating Adversaries in Real Time


    AI is transforming the way organisations approach offensive security. Rather than relying solely on periodic, human-led exercises, AI can simulate adversaries at scale and in real time, continuously probing for weaknesses that traditional methods may miss. This session will explore how AI is being applied to red teaming, the opportunities it creates for faster feedback within DevSecOps pipelines, and the safeguards required to ensure these simulations remain accurate, ethical, and effective.

  • 12:50

    Lunch

  • 13:50
    Panel Discussion

    Panel: Move Beyond Compliance – How to Measure ROI and Communicate Security’s Business Impact


    Compliance alone doesn’t prove security’s value. Executives want clear measures of risk reduction, business enablement and resilience. This panel explores how to link DevSecOps to business impact and communicate it in terms that matter to decision-makers.

    • Which metrics and frameworks resonate with senior management the most?
    • How can security leaders frame their impact in business terms rather than cost?
    • What reporting practices have worked in helping organisations secure greater buy-in and investment?

    Panellists:

    Didar Chy - Information Technology Security Architect - Reserve Bank of Australia

    Richard Hawkes - Senior Manager, DevSecOps & Platform Engineering - ASX

  • 14:25
    Sponsor Presentation

    AI in Secure Coding: Using Developer Tools for Smarter Code Reviews

    This session highlights how AI-powered code assistants enhance secure coding practices, reduce review fatigue, and surface high-risk issues earlier in development. Explore use cases and lessons on integrating intelligent tooling into developer workflows for more proactive, efficient security assurance.
  • 14:50
    Panel Discussion

    Panel: Plugins and Extensions in the Dev Toolchain - New Vectors for Supply Chain Attacks


    Plugins and extensions accelerate development and connect the modern toolchain, but they’re also unvetted third-party code that can introduce hidden risks. Attackers are increasingly targeting them as weak links in the software supply chain.

    • Should plugins and extensions be treated as part of the software supply chain and, if so, who owns their security?
    • How do we balance developer freedom to install tools with the need for governance and risk control?
    • What practical steps can teams take to detect, manage, and update vulnerable or malicious plugins/extensions before attackers exploit them?

    Panellists:

    Anmolpreet Kaur - Infrastructure Security Engineer - Culture Amp

  • 15:25

    Group Discussion: Shadow AI in the Enterprise - How Do We Manage What We Can’t See?

    Anmolpreet Kaur - Infrastructure Security Engineer - Culture Amp


    As generative AI tools slip into daily workflows, much of their use happens outside formal security or governance controls. Unapproved, unmonitored, but widely adopted “shadow AI” raises critical questions about risk, compliance, and productivity. This is an open discussion for everyone to share experiences and strategies for balancing innovation with oversight.

    • How can organisations discover and track AI usage happening outside official channels?
    • What risks does shadow AI introduce, and where might it actually drive positive outcomes?
    • What policies, training, or guardrails are realistic without stifling adoption?
  • 15:50

    Chair’s Closing Remarks

    Shikha Chandna - Senior Security Specialist - PCCW GLOBAL

  • 16:00

    Close of AppSec & DevSecOps Sydney 2026