SecAppDev 2025 - Governance
SecAppDev 2025 offers three days of in-depth lectures and two days of hands-on workshops. Use the buttons below to navigate between the topics. The full schedule shows all sessions.
AI / ML security
Threat modeling
OWASP top 10
Authorization
Architecture
Secure Coding
Supply chain security
API security
Web security
Governance
Application Security
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk..Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
OpenAPI as a security tool, not just documentation
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 2rd, 16:00 - 17:30
OpenAPI specs are more than docs—they can drive API security. Learn how to use them in spec/code-first workflows to find vulnerabilities, guide audits, and power security tools for testing, attacks, and runtime protection.
Key takeaway: A well-crafted OpenAPI spec can uncover security issues, guide audits, and power tools for testing, making it a key asset in your API security strategy.
The Bug Bounty Effect: From DevSecOops to Success!
Deep-dive lecture by Emil Vaagland in room Lemaire
Tuesday June 3th, 09:00 - 10:30
Discover how bug bounty programs outperforms traditional AppSec tools by uncovering more vulnerabilities at lower cost. We share real-world examples, strategies, and challenging takes on conventional security practices.
Key takeaway: Bug bounty programs are essential and should be the key ingredient in modern AppSec programs.
The Engineer’s Guide to Data Privacy
Deep-dive lecture by Vera Rimmer in room Lemaire
Wednesday June 4th, 14:00 - 15:30
In this session we will walk through the engineer’s toolbox for protecting different types of data against common privacy threats. The talk is informed by existing practical tools as well as by modern research on data privacy.
Key takeaway: Privacy is an engineering responsibility, not only a legal or design issue. Privacy-preserving techniques are accessible and implementable today.
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3th, 14:00 - 15:30
We rely on 3rd party libraries which results in security risks. OpenSSF’s Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Value Driven Security - A Roadmap to Business Alignment
Introductory lecture by Avi Douglen in room West Wing
Wednesday June 4th, 14:00 - 15:30
Much of security today is generic best practices and checkbox olympics. Shame to waste resources on stuff noone really cares about! Better to map out the business' value streams, and invest efforts in protecting what is actually important.
Key takeaway: Strategic planning requires understanding your environment, your goals, and your challenges. Value-driven mapping techniques help you get there.