Singapore AppSec & DevSecOps Summit 2025

External libraries and frameworks fuel modern application development. Equally, dependencies are a known source of security risk and often leave organisations vulnerable to breaches and compliance issues. Existing software composition analysis tools are stuck in the past. They overwhelm developers with false positives, interrupt their workflows, and otherwise make it difficult to keep up with the codeashians. In this talk, Cole Cornford will cover the latest innovations to reduce this toil and get you and your organisation up to date. Or at least to n-1. Key Takeaways include:

• The existing state of SCA and why we need to change
• How reachability and cross-correlation can reduce toil
• Streamlining the patching process and escaping circular dependencies
• Managing transitive risk with virtual patching
• Risks with adopting innovative tech

‍

‍

The risks in open-source AI models mirror those in traditional open-source libraries, including vulnerabilities, malicious code and licensing issues, while also introducing unique challenges when consuming the models. This talk will delve into the complexities of these risks, examining the challenges they pose and the importance of understanding them in today’s AI-driven landscape.

As threats evolve, so must our defenses—anticipating the next wave of attacks is key to staying secure. This panel looks ahead to emerging vulnerabilities and how the industry can prepare.

• Shifting from reactive to predictive security models
• AI-powered threats and defenses
• The impact of quantum computing on encryption
• Regulatory and compliance pressures shaping security policies

‍

In this innovative session, attendees will be faced with a series of scenarios that they may face in their roles. Attendees will discuss the possible courses of action with their peers to consider the ramifications of each option before logging their own course of action. 

Results will be tallied and analysed by our session facilitator and results will impact the way the group moves through the activity.

Will we collectively choose the right course of action?

‍

We hear a lot about signing and attesting for open-source projects, but what if you’re an enterprise keeping your code under wraps? This session cuts through the hype and digs into practical strategies for securing proprietary source code—even if you’re hosting it in a cloud-based version control system. will walkthrough strategies to secure your source code and secrets used in CICD workflows

• Rolling out code signing across your organisation to prevent leaks
• Shielding valuable code assets in cloud-based VCS environments
• Highlighting the reality check on current “granular” secrets management
• Using serverless magic to plug holes and secure your tokens once and for all

This demonstration will  highlight the primary areas for application security scanning and testing phases so as to achieve an end-to-end DevSecOps workflow with a 360° view over the entire SDLC.

• Testing anywhere/everywhere using comprehensive testing technologies support
• Deliver a better insight on application posture and risk management
• Escalate the security testing across the organisation to make easier the time to market, and also enhance the security posture to comply with regulations and standards

‍

DevSecOps requires harmonising rapid development cycles with stringent security protocols. This panel brings together leaders to discuss best practices and hard lessons learned in achieving that equilibrium.

• Aligning developer, security, and operations goals
• Implementing guardrails without bottlenecks
• Case studies of successful (and unsuccessful) integrations
• Measuring the ROI of secure development

‍

Choose 1 topic to join on the day!

Topics will be made available closer to the event

‍

As applications scale faster than ever, building security in from the start is essential to prevent vulnerabilities. This session explores how teams can integrate security measures into every step of the software development lifecycle.

• Using Secure by Design principles in architecture and code
• Balancing rapid development with thorough security reviews
• Identifying critical security checkpoints in DevOps workflows

‍

As businesses in Singapore drive digital transformation, application security (AppSec) and DevSecOps have become critical. This interactive session sparks debate around five provocative questions that challenge traditional security mindsets and practices in a regulated yet rapidly evolving market.

• Is shift-left enough, or must security apply everywhere?
• Can automated testing replace manual reviews entirely?
• Do third-party dependencies empower us, or create hidden risks?
• Is Zero Trust ultimate, or do perimeters still matter?
• Do regulations hinder innovation or spur safer development?

‍