Topics include Supply Chain Security, Vulnerability Management, Neat Tricks, and Contributor insights.
Cybersecurity in software development is often treated as an afterthought, left to developers who must self-educate and experiment in their spare time. The #NoHobbyists movement challenges this status quo, advocating for a fundamental shift where cybersecurity is not a side project but a core discipline, fully integrated throughout the Software Development Lifecycle (SDLC). This presentation outlines a holistic approach to embedding security across people, process, technology, and culture. Instead of merely shifting security “left” in the SDLC, the proposal argues for shifting security everywhere, making it an inherent responsibility for all stakeholders, from developers to executives. Key strategies include the adoption of the Secure Software Development Framework (SSDF), threat modeling as a collaborative practice, and leveraging industry best practices such as OWASP, NIST SP 800-218, and secure coding standards. @tracylbannon
As software development ecosystems grow increasingly complex, the need for intelligent DevOps automation in script analysis and dependency management becomes critical. Join Jon Willis as he explores cutting-edge tools and techniques that leverage AI-driven code parsing and semantic analysis to enhance DevOps workflows. He will discuss the application of Large Language Models (LLMs) such as GPT-4, CodeBERT, and OpenAI Codex in parsing infrastructure and automation scripts, including Jenkinsfile, Dockerfile, Makefile, GitHub Actions, and Terraform. These models facilitate the identification of dependency installations (e.g., apt-get install, pip install, npm install) and pinpoint update points within scripts. @Botchagalupe
All times in Mountain Time
8:30 Beer and Donuts - Recognition Awards presented by Steve Taylor
9:00 - 9:30 Keynote with Tracy Bannon
9:30 - 10:00 Keynote with John Willis
10:15 - 10:45 Shifting Security Left—And Up, Down, and Across the Organization,
Jude Wellington and Kate Scarcella Panel Discussion
Security doesn’t start and end in the development environment. While secure coding practices are essential, true organizational security is built on a culture that extends beyond the IDE—into business decisions, leadership priorities, and everyday behaviors across all teams. In this panel session, we will share strategies and real-world examples of how organizations can move beyond a “security as an afterthought” mindset and instead embed security principles into their business process.
10:45-11:15 Hidden in the Code: Malicious Code Scanning for Open Source Packages,
Abhisek Datta, Co-Founder, SafeDep
Open Source package distributed with typosquatting and starjacking. Project X is compromised to deliver malware to its 100k+ user base. Sounds familiar? This talk will present our approach of using static code analysis, emulation & LLM inference to protect developers against malicious open source packages. We will share lessons learned while monitoring npm and PyPI registries for malicious packages and practical trade-offs made to balance performance, false positives & proactive guardrails in CI/CD.
11:15-11:45 Security Chaos Engineering to Avoid Payments Ransom Gangs,
Yury Niño Roa, Cloud Application Modernization Engineer, Google
Data breaches are growing in size and frequency, affecting even well-secured infrastructures. Cyberattacks are inevitable, and in some cases, victims must pay to recover their data. Experts say many organizations fail not because of weak security, but because they never test how long data recovery takes. That’s why tabletop exercises, red/blue team drills, and security gamedays are critical. Security Chaos Engineering is a discipline that deliberately injects false positives into production to test how systems respond to security failures. This talk will cover why Security Chaos Engineering is essential today, how it differs from penetration testing, and how organizations can use it to drill breach response plans through regular gamedays.
11:45 - 12:15 Unlocking Insights from SBOMs: Beyond Generation to Actionable Analytics,
Daniel Nebenzahl, Co-founder & CTO Scribe Security
Generating Software Bills of Materials (SBOMs) has gained widespread attention—but generating is just the beginning. These seemingly mundane, machine-readable documents hold valuable insights waiting to be unlocked. In this talk, we’ll explore practical and impactful use cases of SBOM analytics, from strategic decision-making tools for CISOs to actionable, hands-on utilities for practitioners. Join us to discover how to turn SBOMs into strategic assets that strengthen your organization’s software security posture.
12:15 - 12:30 Closing Comments Tracy Ragan DeployHub and Ortelius Community Organizer
Shift Left Security: Understand the importance of integrating security practices early in the software development lifecycle (SDLC) to identify and remediate vulnerabilities at the source code level.
Automation is Key: Learn the role of automation in DevSecOps, from automated security assurance and vulnerability scanning to automated compliance checks and policy enforcement, to improve efficiency and consistency.
Culture of Collaboration : Recognize the need to foster collaboration and shared responsibility among development, operations, and security teams to effectively implement DevSecOps practices.
Threat Intelligence and Risk Management: Explore the importance of leveraging threat intelligence and risk management frameworks to prioritize security efforts, allocate resources effectively, and mitigate emerging threats.
Compliance and Governance: Address the challenges of maintaining compliance with regulatory requirements, such as aggregated SBOMs, and industry standards in DevSecOps environments.