SecAppDev 2025 lecture details
Break things, but not security: CI/CD done right
Learn how to secure your CI/CD pipeline without slowing down. We cover risks, best practices, essential tools, real-world attacks, and how to justify your security investments.
Tuesday June 3rd, 11:00 - 12:30
Room Lemaire
Abstract
This session explores how to build fast, secure CI/CD pipelines without compromising on velocity. We dive into the dangers of over-automation, like supply chain attacks and secret leaks, and show how embedding security early mitigates these risks. Supported by real-world attack examples, we learn which tools are must-haves and which can wait. We will also examine the economics of security tooling: comparing built-in, open-source, and vendor solutions, so you can make smart, secure choices at scale.
Key takeaway
Secure CI/CD is achievable without sacrificing speed: start with key tools, embed best practices, and scale smart.
Content level
Deep-dive
Target audience
DevOps engineers, security engineers, and engineering leads
Prerequisites
Familiarity with CI/CD concepts, pipelines (GitHub/GitLab), and basic DevOps knowledge
Join us for SecAppDev. You will not regret it!
Grab your seat now
Gijs Van Laer
CTO, XFA
Expertise: Information security strategies, application security, and (applied) cryptography
Related lectures
Reviewing 3rd party libraries security using Scorecards
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 14:00 - 15:30
We rely on 3rd party libraries which results in security risks. OpenSSF’s Scorecard helps assess package security. This session explores its checks and additional insights to strengthen supply-chain security.
Key takeaway: Understanding how to leverage the OpenSSF Scorecard to review used 3rd party libraries more easily.
Using WebAssembly to run, extend, and secure your app
Introductory lecture by Niels Tanis in room West Wing
Tuesday June 3rd, 09:00 - 10:30
In this session we'll dig into WASM, how it works, its security features, and how we can use it to host, extend and secure our applications by running it in the WebAssembly System Interface (WASI).
Key takeaway: Understanding WASM, its security features, and how to leverage those by integrating it into your application/software.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process, and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.