LeanAppSec Live

On-Demand

This event aired Oct 15, 2025

Format: Virtual Conference
Date: October 15, 2025
Time: 9am-11am PT
Duration: 2 hours

Watch the October 2025 edition of LeanAppSec Live featuring speakers from Adobe, IDC, and Shostack & Associates.


The Agenda

Adam Shostack
President at Shostack & Associates
Session 1

The Four Question Framework for Threat Modeling

Whether you’re a security engineer, developer, or product manager, threat modeling is essential for identifying potential threats in whatever you're working on. We’re bringing in threat modeling expert Adam Shostack (author of Threats: What Every Engineer Should Learn from Star Wars) to share how his Four Question Framework promotes inclusive, collaborative security discussions. You’ll learn how to use each of the questions:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

Ammar Alim
Senior Manager, DevSecOps at Adobe
Session 2

4 Ways to Use AI for Security Engineering

In this session, you’ll get an inside look at how a DevSecOps team is using AI/ML to revolutionize their WAF rule management program. Ammar Alim (Senior Manager, DevSecOps @ Adobe) shares how they’re leveraging existing resources to dynamically create, deploy, and refine WAF rules without requiring new tools or increased budget.

  • Use ML and an LLM to analyze traffic and dynamically generate new WAF rules
  • Store rules and outcomes in a RAG to inform future analyses
  • Create MCP servers to bring in WAF and Terraform docs, and AppSec scanning
  • Where to keep a human in the loop

Katie Norton
Research Manager at IDC
Session 3

Mythbusters: Are Analysts Worth Listening To?

When you’re researching new tools, it can be hard to separate hype from reality. In this session, analyst Katie Norton (Research Manager @ IDC) talks about how you can use an analyst as part of your research strategy, and we’ll confirm or bust common myths about analysts, including:

  • Are they truly unbiased?
  • Do they just exist to coin new categories?
  • How do they know if a product actually works?

More Resources

Shifting Left, Done Right (Blog)

Explore how to successfully shift security left by implementing strategies that make secure coding practices easy for developers, automate non-core engineering tasks (the "outer loop"), and build trust by only prioritizing security findings that are truly important and relevant.

The Four Question Framework for Threat Modeling (Video)

Adam Shostack is one of the best-known thought leaders and instructors in threat modeling. At the October 2025 LeanAppSec Live, we invited him to deliver a lightning talk on the Four Question Framework.

Discover how to efficiently incorporate threat modeling into your security processes without extra budget or headcount.

Mythbusters: Are Tech Industry Analysts Worth Listening To? (Video)

Learn how a tech industry analyst could help you research new tools or practices.