Name: How DevSecOps Automates the Way for Secure Open Source Usage
Start: 2019-05-30T22:00:00Z
End: 2019-05-30T22:00:36.000Z
Location: BrightTALK
Rating: 4

Mend.io offers the first AI native application security platform, empowering organizations to build and run a proactive AppSec program tuned for AI powered development. The unified platform secures AI generated code and embedded AI components, drives risk reduction through AI powered remediation, automates compliance, and provides a holistic enterprise scale view of risks and clear actions for developers across your entire codebase.
Learn more at www.mend.io

Amit Chita, Field CTO at Mend.io, explores how the rise of AI agents in the Software Development Lifecycle (SDLC) creates both challenges and opportunities. As developers adopt AI agents and embed LLMs into applications, the attack surface expands in ways traditional security can’t address. The path forward: applying a Zero Trust approach to your own AI models.

Join Ashish Rajan and Amit Chita as they dive into the new threats introduced by AI and share how to build a resilient security program for this new era.

Why Security Can Be Stricter: A Zero Trust Approach to AppSec with AI

“Secure-by-default” is no longer optional - it’s the new baseline. With AI-generated code, embedded AI components, and lightning-fast development cycles, traditional security gates are falling short. The solution lies in proactive defenses and practical auto-remediation that meets developers where they work.

In this episode, you’ll learn how to:

See practical auto-remediation in action across IDEs, pipelines, and workflows

Understand how AI-generated code reshapes threat models—and how to defend against it

Build secure-by-default systems in real organizations

Move beyond “shift-left” toward continuous, autonomous security

Watch the full conversation now and explore how auto-remediation is transforming AppSec.

How Auto-Remediation is Reshaping AppSec?

AI is moving faster than security teams can keep up, and its blind spots are multiplying. Unlike traditional applications, today’s LLMs, RAG pipelines, and autonomous agents can respond in endlessly varied ways to even slightly different inputs - making them impossible to test exhaustively like traditional code. That means new attack surfaces prompt injection, context  manipulation, multi-turn exploits, and tool misuse that static scanners and pen tests will never catch. 

This session cuts through the noise with a practical, step-by-step playbook for AI red teaming: what it is, why it matters now, and how to implement it without slowing delivery. We’ll contrast behavioral security with code security, show why SAST/DAST and classic pen tests miss prompt injection, context manipulation, jailbreaking, multi-turn exploits, and tool misuse - and map these risks across LLM apps, RAG systems, and agentic workflows. You’ll learn how to assess your exposure, choose the proper scope and objectives, balance manual creativity with automation, and operationalize continuous testing using the S-Curve maturity model - from first test to Level 3 continuous coverage.

Join us to learn how platforms like Mend AI Premium - Red Teaming can reduce risk identification and remediation time by up to 80% while meeting the rising expectations of both regulators and customers.

Key Takeaways:
-Identify AI-specific attack surfaces across LLM, RAG, and agentic systems.
-Design objective-driven red team exercises that uncover behavioral risks.
-Balance manual testing with automation for scale and regression coverage.
-Apply the S-Curve maturity model to move from ad-hoc to continuous testing.
-Translate findings into fixes, KPIs, and compliance evidence (e.g., NIST, EU AI Act).

Stop the Unknown Unknowns -  A Maturity Model for AI Red Teaming

In this session, hosted by AWS, our expert Bar-El Tayouri, talks about Mend.io’s holistic approach to AI application security addressing both component-level vulnerabilities in AI frameworks and models and application-specific contextual threats. Through AI Framework/Model Detection and Red-Teaming solutions, Mend.io provides comprehensive visibility and proactive risk mitigation for AI-powered systems.

AI-Powered Application Security: A Holistic Approach to Mitigating Modern Risks

AI is the ultimate accelerant for application development – fueling innovation at breakneck speed and making the impossible look easy. But here’s the catch: fire is a tool until it’s out of control.
In this session, we’re not just talking about AI risks – we’re playing with fire and watching what happens, straight from the terminal. We’ll exploit vulnerabilities, uncover adversarial tricks, and walk through real-world case studies that show just how easy it is to take advantage of AI risks (and how attackers are already doing it).
Expect technical code examples and a behind-the-scenes look at how attackers manipulate AI – from jailbreaking LLMs to creating AI-driven zero-days. More importantly, we’ll cover how to fight fire with fire by strengthening prompts, setting up guardrails, spotting rogue agents, and running AI-specific red team exercises.
Learn how to adapt to ensure AI delivers on its promise of a brighter future – instead of its burning threat of unforeseen risks.

Hacking & Securing AI Systems: Playing with Fire and Controlling the Flare of AI

Head from Bar-El Tayouri, Head of Mend AI at Mend.io, on the urgent need for a new approach to securing AI-driven applications. From understanding novel AI components and their risks to implementing a comprehensive AppSec program, this episode delivers actionable insights for organizations building with AI.

Beyond Traditional AppSec: Navigating the New Frontier of AI Security with Mend AI

In this episode, Bar-El Tayouri, Head of AI Security at Mend.io, discusses the rapidly evolving landscape of application and AI security - especially as multi-agent systems and fuzzy interfaces redefine the attack surface.

Topics covered include:

• Modern AppSec Meets AI Agents
How traditional AppSec falls short when it comes to AI-era components like agents, MCP servers, system prompts, and model artifacts - and why security now depends on mapping, monitoring, and understanding this entire stack.

• Threat Discovery, Simulation, and Mitigation
How Mend’s AI security suite identifies unknown AI usage across an organization, simulates dynamic attacks (like prompt injection via PDFs), and provides developers with precise, in-code guidance to reduce risk without slowing innovation.

• Why We’re Rethinking Identity, Risk, and Governance
Why securing AI systems isn’t just about new threats - it’s about re-implementing old lessons: identity access, separation of duties, and system modeling. And why every CISO needs to integrate security into the dev workflow instead of relying on blunt-force blocking.

Rethinking AppSec for the AI Era: Agents, Threat Simulation, and Smarter Risk Governance

What does it take to secure AI-based applications in the cloud? In this episode, host Ashish Rajan sits down with Bar-El Tayouri, Head of Mend AI at Mend.io, to dive deep into the evolving world of AI security. From uncovering the hidden dangers of shadow AI to understanding the layers of an AI Bill of Materials (AIBOM), Bar-el breaks down the complexities of securing AI-driven systems. Learn about the risks of malicious models, the importance of red teaming, and how to balance innovation with security in a dynamic AI landscape.
- What is an AIBOM and why it matters
- The stages of AI adoption: experimentation to optimization
- Shadow AI: A factor of 10 more than you think
- Practical strategies for pre- and post-deployment security
- The future of AI security with agent swarms and beyond

Securing AI Applications in the Cloud

Building AI agents that truly work in practice is no small feat. In this session, we’ll explore both sides of the challenge: how to design and develop agents that are effective and reliable, and how to secure them from the very beginning of the development process.

We’ll break down the core difficulties of building agentic systems - compound errors, business context, and performance trade-offs - and present a framework for structuring, planning, and evaluating agents. At the same time, we’ll examine the unique risks that surface during design and development, from architectural vulnerabilities to manipulation strategies, and demonstrate how to weave security directly into the lifecycle of agent creation.

Together, we’ll show how to move beyond theory to practice - building AI agents that are powerful, dependable, and resilient by design.

Designing and Defending AI Agents: A Practical Guide

It’s no secret that AI is transforming how we build and secure software requiring organizations to face a new set of critical questions. Is a general-purpose AI sufficient for implementing reliable security fixes, or do we need specialized models designed from the ground up with security in mind? And how can we adjust our established review and testing methods to an era where code, and even the models that generate it, may require new forms of examination?

Join our experts, Bar-El Tayouri and Amit Chita, for a dynamic discussion to explore if AppSec traditional approaches remain viable in the age of AI or whether we must reimagine our strategies and toolchains altogether:
-Harnessing AI for AppSec success: Learn how AI-driven innovations can enhance productivity, reduce risk, and create business value.
-Evolving team dynamics: Understand how AI reshapes roles and promotes collaboration between security, development, and operations teams.
-Addressing new vulnerabilities: Discover how AI-powered coding tools can inadvertently introduce risks into your codebase—and how to mitigate them effectively.
-Gain actionable insights into how cutting-edge AI capabilities are reshaping the future of AppSec, and walk away with a deeper understanding of the next steps in securing AI-driven development.

AI in the Spotlight: Exploring the Future of AppSec Evolution

Struggling to optimize your web application security tools while keeping pace with rapid updates?
In this session, our experts will guide you through the critical aspects of building a resilient application security (AppSec) program. Discover how to navigate the complex landscape of security solutions, implement effective scanning strategies, and balance security integrity with the need for agility.
Gain actionable insights as we explore the practical steps to fortify your web application security posture and elevate your AppSec program to maturity.
Join us to uncover the tools, techniques, and strategies that will transform your approach to web application. Key topics include:

-Unlocking the power of a holistic scanning approach, including SAST, SCA, DAST, IAST, API Security, AI Security, and Container Security to strengthen your defense strategy.
-Understanding the foundational components of a robust application security program, with a focus on comprehensive coverage and end-to-end app and API security.
-Overcoming common security challenges, such as integrating seamless hot-fixes into your pipeline without compromising security.

The Road to AppSec Maturity: Scanning, Coverage, and Agility

Conversational AIs powered by LLMs are everywhere now and present new and unique security, safety, and efficacy challenges that companies and their existing AppSec tools are ill-equipped to handle. Fortunately, new solutions help companies address these emerging risks without having to reinvent existing AppSec processes and best practices completely.

In this webinar, you'll discover:

-Conversational AI Risks: Understand the unique risks LLM-powered Conversational AI present.
-Beyond Traditional Security: Learn why standard tools fail to protect against these new risks.
-The Power of AI Red Teaming: Master proactive, automated testing to identify and mitigate Conversational AI risks.
-Beyond AppSec: Implement robust strategies to safeguard your Chatbots and LLMs against misuse, undesired behavior, and safety.

AI Red Teaming and the Future of LLM Security

Vulnerability detection isn’t the main problem - remediation is.
In today’s fast-paced development world, security teams are overwhelmed with alerts, while developers struggle to keep up with security tasks that feel disconnected from their workflow.
The real risk? Vulnerabilities that sit unaddressed in a growing backlog.
Join Daniel Wyrzykowski, Product Manager at Mend.io and Saoirse Hinksmon, Senior Product Marketing Manager at Mend.io as they explore:

-Why alert fatigue is now one of the biggest blockers to AppSec success
-How AI-generated code and AI-based systems have made traditional detection less effective - and remediation more urgent
-New approaches to automate, prioritize, and scale remediation
-Real-world remediation workflows that accelerate time-to-fix and reduce noise

Whether you’re planning an AppSec transformation or looking for smarter remediation strategies, this session will give you a practical blueprint to move from detection to defense - and fix faster.

The AppSec Bottleneck: Why Fixing is the New Finding

AI native development tools like Cursor, Devin, and GitHub Padawan are no longer just assistants - they’re becoming co-authors, architects, and in some cases, autonomous engineers. As these tools redefine how software is written and shipped, they raise critical questions about how we manage and secure modern codebases.
In this thought-provoking session, Amit Chita, Field CTO, and Daniel Wyrzykowski, Product Manager from Mend.io, will explore the rapidly evolving intersection of AI first software development and application security. With deep expertise in both domains, they’ll examine emerging patterns, hidden risks, and what the future might demand of security teams and engineering leaders.
Join us as we explore:
-The AI IDE revolution - how intelligent dev agents are rewriting the rules of software creation and pushing the SDLC into uncharted territory
-Code you didn’t write, but must secure - why AI generated code is forcing us to rethink trust, testing, and traditional review processes
-Security workflows on the edge - what breaks, what bends, and what survives when AI enters the pipeline
-Human vs. machine oversight - navigating the new power dynamic between developers, automation, and integrated toolchains
If you're building, breaking, or securing modern software, this is a conversation you won’t want to miss.

AI Is Writing the Code - Can Security Keep Up?

AI tools are rapidly infiltrating software development and many are being adopted without formal approval or security oversight. Developers, engineers, and data scientists are integrating various AI components such as Models, Agents, MCP servers, and more into workflows at unprecedented speed - often without informing AppSec or compliance teams. 
This decentralized adoption is efficient and can drive innovation, but it opens the door to hidden risks, blind spots, and a growing security debt, creating ideal conditions for breaches, data exposure, and compliance failures that could go undetected until it’s too late.
In this session, Mend.io EVP Product Management Nir Stern examines the security implications of Shadow AI and offers practical guidance for spotting and stopping the risks introduced by unapproved tools. 
From identifying visibility gaps and reducing governance friction to actionable mitigation strategies, you’ll walk away with a sharper understanding of how to protect your development lifecycle from AI-driven threats.

How to Spot and Stop Security Risks From Unmanaged AI Tools

In this technical webinar, Invicti and Mend.io will explore how their solutions work together to create a stronger AppSec strategy. Invicti, specializing in Dynamic Application Security Testing (DAST), will demonstrate how its real-time, black-box testing detects vulnerabilities without all the false positives. Mend.io, which  brings a broader approach to Application Security, incorporates Static Application Security Testing (SAST) and will showcase how its tools help detect and resolve security flaws early in the development lifecycle—across both proprietary  and open-source code.
Together, Invicti and Mend.io provide a comprehensive approach, addressing vulnerabilities at both runtime and code levels. Join us to learn how combining these tools strengthens application security, reduces risks, and enhances the overall software development process.

A Unified Approach to AppSec: Enhancing Security with DAST and SAST

Artificial intelligence systems are increasingly targeted by sophisticated cyberattacks that exploit their vulnerabilities. In this session, Amit Chita, Principal Software Engineer, Mend.io and Bar-el Tayouri , Head of Mend AI, Mend.io will discuss real-world examples of compromised AI systems, including the Samsung data leak via ChatGPT and the use of AI chatbots in phishing scams. They will analyze the attack methods and their impact on security and privacy and suggest strategies for strengthening AI systems against these threats.

This session will dive deeper into:

Real-world case studies of AI system breaches, including known corporate incidents;
Analysis of attack vectors unique to AI and machine learning pipelines;
Exploration of how prompt injection, model poisoning, and output manipulation are used by threat actors;
Discussion of regulatory and ethical implications for securing AI systems.

Exposing the Shadows: Real-World Attacks on AI Systems

Gone are the days where open source components were only used by individual developers, start-ups or small corporations. Today, even the biggest corporate giants have realized the numerous benefits open source usage brings, thereby openly embracing this as part of their software to help them focus their efforts and push more code out of the door faster. 

Join Shiri Ivtsan, Product Manager at WhiteSource, as she interviews WhiteSource’s customer, Stefan Gustafsson from SAP, to discuss:

- How SAP perceives open source usage, thereby discussing its benefits and challenges;
- SAP’s process of managing open source components before having an open source management solution in place; and
- How SAP managed to successfully integrate automated license compliance and security into their DevOps pipeline.

How SAP Integrates License Compliance & Security Into Their DevOps Pipeline

Is your organization ready to embrace a DevOps mindset? Receive a pragmatic view from an agent of chaos, who’s promoting the goal for a single continuous integration and delivery pipeline, shifting testing, security, code reviews, and other opportunities to improve information sharing and quality to the left, shifting configuration to the right, and most importantly, aiming to delight users with constant value. 

Join Willy-Peter Schaub, Software Engineer & Director at AJATO Transformations Limited, as he shares:

-The learnings and epiphanies gathered during DevOps transformations
-How practices such as Shift Left, Shift Right and progressive mindset affects the union of people, process and products

Lessons Learned by an Agent of Chaos From DevOps Transformations

DevSecOps has taken the world by storm. Ever since the DevSecOps philosophy stepped into the limelight in the past few years, a growing number of organisations are trying to ensure their businesses are set up with the security in mind (and practice) from the get-go.

In theory, the concept is great. In practice? Less so, given that the objectives and mindset of developers and security teams completely differ. While Security’s objectives are focused on ensuring secure SDLC from start to finish, developers are focused on software development and meeting their deadlines. Despite both aspects being equally important, these teams are struggling to find a common ground.

So how can these teams be better aligned? Join Simone Curzi, Principal Consultant at Microsoft, and Tom Shapira, Developer Team Lead at WhiteSource, as they discuss:

- What causes the gap between Security and Development teams with respect to Security objectives
- How Developers can embrace Security (and DevSecOps practices as a whole) in a way that will ultimately satisfy both teams

Security vs Developers: How to Make DevSecOps Work Together

All static analysis tools produce false positives, and often require developer context to determine exploitability of a security risk. Automating a static scan is usually straightforward but building automation workflows around SAST findings require that your Pipelines become smarter over time.  

Optimizing the data provided by SAST tools is an often overlooked aspect to integrating SAST tooling into the CI / CD pipeline but it is required to be successful.

Come learn from Jimmy Rabon, Senior Product Manager at Micro Focus, about best practices for DevSecOps / SAST integration and about how machine learning can help us predict the future, based on our past.

Do Your Pipelines Remember?They Must If You Want to Go Fast With Static Analysis

Containers are becoming more popular, but how do you deal with the security challenges of using containers? You have to secure the application, the code, the web server and the host itself. And how do you do this at the speed of DevSecOps? Join Tim Chase, Director of Information Security at Healthstream, as he talks about containers, why they are complex to secure and provides actionable insights on how to start the process of securing them.

Container Security at the Speed of DevOps

DevSecOps is often associated with securing a development pipeline in traditional CI/CD frameworks. Join this session, held by Henrik Johansson, Principal - Office of the CISO at AWS, as he discusses and shows:

-        how public cloud technology enables you to fully embrace security automation in your infrastructure 
-        how to account security using managed security services to detect incidents and risks at scale; as well as 
-        techniques like automated incident response actions and automated instance isolation.

DevSecOps in the Cloud Is More Than Just CI/CD

Many security specialists, especially at large organizations, believe that better security comes from robust independent gating. On the other hand, DevOps has proven that you can safely deploy orders of magnitude faster than human gating can achieve.

Similarly, security groups believe that policy enforcement is their biggest (only?) lever... "If we can just update the policies to be more consumable/relevant/context aware/etc and get developers to pay attention, then magic will happen." But, policy enforcement rarely moves the needle and it creates a tense relationship between development and security that can do more harm than good. 

This talk is a step-by-step framework for going from wherever you are now to getting on the path of DevSecOps cultural transformation. It addresses the mindset shift concerns for all relevant audiences. It addresses the mechanics of getting started and tracking progress. It's adaptable to any environment regardless of industry, technology, or maturity. Most importantly it's been proven in a highly diverse environment at Comcast.

Transforming from DevOps to DevSecOps at Scale

The DevSecOps Virtual Summit

Open source software has become the building block in the applications we interact with nowadays. 

The good? Thanks to the time and cost efficiency it brings, organizations are able to facilitate productivity and innovation at a faster pace than ever. The bad (or rather, less good)? Many organizations are grappling with the security aspect when it comes to their open source usage. In order to solve this, organizations should turn to practices such as DevSecOps.

Join Jeff McAffer, Sr. Dir. Product, GitHub, Rami Sass, CEO at WhiteSource, and Rami Elron, Senior Director of Product Management at WhiteSource, as they discuss:

-The challenges surrounding the security of open source code;
-Which role DevSecOps practices play with respect to your open source usage; as well as 
-How technologies such as Software Composition Analysis can help automate and shift left your open source security.

How DevSecOps Automates the Way for Secure Open Source Usage

DevSecOps

DevOps

Application Security

Information Security

IT Security

Application Monitoring

Open Source

Application Development

Cyber Security

Digital Transformation

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

How DevSecOps Automates the Way for Secure Open Source Usage

Presented by

About this talk

Mend.io