OWASP New Zealand Day 2022

With artificial intelligence (AI) and Large Language Models (LLMs) taking the world by storm, promising to revolutionize everything from customer service to code generation, you better hold onto your keyboards—because when your AI starts hallucinating, it's no laughing matter! Join us as we dive into the OWASP Top 10 AI & ML security risks, and some of the hilarious and not so funny things you need to be wary of when leveraging these tools for your engineering organizations. We'll cover everything from prompt injection attacks to model hallucination (think AI on a bad trip), and more. We'll share real-world code examples that highlight these risks in a way that may make you laugh, and possibly cry, but we will definitely keep it entertaining. Discover how to leverage the power of AI, while still keeping in mind its quirks and security risks, as the use of AI in our systems will only grow, and security is best integrated from as early as possible. Whether you're a developer, business leader, or just an AI enthusiast, join this talk to gain some insights into the evolving threats.

Traditional AppSec toolchains often feel like a patchwork of tools—each with its own setup, maintenance, and integration challenges. They can slow down development, overwhelm teams with alerts, and still leave gaps in security coverage. In this talk, we’ll explore how to set up a comprehensive DevSecOps chain using GitHub Actions integrated with best-in-class open-source tools for SAST, secrets detection, SCA, and DAST. Then, we’ll show how you can rethink this workflow using an AI agent powered by AWS Bedrock and Claude to review code, streamline processes, and deliver actionable insights. Through a live demo, you’ll see both approaches in action and learn how to overcome common pitfalls in building secure pipelines. By the end, you’ll gain practical knowledge to enhance your security practices, reduce friction in your workflows, and adopt modern tools with confidence. Whether you're a developer, security professional, or DevOps enthusiast, this talk will help you take your DevSecOps to the next level.

Traditional AppSec toolchains often feel like a patchwork of tools—each with its own setup, maintenance, and integration challenges. They can slow down development, overwhelm teams with alerts, and still leave gaps in security coverage. In this talk, we’ll explore how to set up a comprehensive DevSecOps chain using GitHub Actions integrated with best-in-class open-source tools for SAST, secrets detection, SCA, and DAST. Then, we’ll show how you can rethink this workflow using an AI agent powered by AWS Bedrock and Claude to review code, streamline processes, and deliver actionable insights. Through a live demo, you’ll see both approaches in action and learn how to overcome common pitfalls in building secure pipelines. By the end, you’ll gain practical knowledge to enhance your security practices, reduce friction in your workflows, and adopt modern tools with confidence. Whether you're a developer, security professional, or DevOps enthusiast, this talk will help you take your DevSecOps to the next level.

You cannot detach engineering processes and culture from the infrastructure.In this talk we will share from our experience of supporting and managing serverless production environments. We will discuss the not-so-obvious way it differs from managing other more common modern infrastructures and the impact it has on the operations methodology. we will discuss how it influences the developers day to day work and lessons learned.

Let's face it - now that we're a few years past the whole "shift left" trend, we can honestly say it has largely failed when considering security debt. Instead of solving issues earlier in the cycle, which was at the premise of the “shift left” promise, we mostly shifted the problem left. To date, security has largely been a source of friction between development and security teams––and fostering a proactive security culture among developers is still the holy grail a lot of companies are dreaming about without really managing to reach it. That's because this mindset needs a hard reset. We need to look at security completely differently. Security should not and cannot be decoupled from product quality - notably because developers are measured on code quality and velocity and not on how secure their code is. In the same way that our product's usability is a first-order engineering concern, security should be regarded in the exact same way. In this talk, I'll share some lessons learned and the way to bridge the gap between security and engineering, by changing the way it is viewed and implemented in current processes.

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna