Lessons from a Real World Campaign Using Web Apps — Kade Morton

The tone shifted from AI to geopolitics with a case study that felt more like an intelligence briefing than a technical talk. The focus was on Iranian cyber operations and how they continue to blur the line between surveillance, profiling, and offensive activity.

The story centred on a campaign run by the Islamic Revolutionary Guard Corps. The infrastructure was unremarkable at first glance, just another domain registered in February. But the site itself was crafted to look like a German model agency, complete with fabricated profiles and staged images. To the casual visitor it seemed legitimate enough, yet behind the front page was a set of carefully designed scripts.

Obfuscated JavaScript code quietly fingerprinted browsers and packaged the results into JSON files for exfiltration. What made it noteworthy was the precision. The false positive rate was under one percent, allowing the operators to build highly accurate profiles of who was visiting. The data was not sent directly to suspicious servers, but routed through advertising trackers to mask its intent.

The purpose was not to compromise systems immediately but to identify and follow people of interest. Activists, journalists, opposition figures and anyone the regime considered worth monitoring. That is the part that resonates. The technical craft was interesting, but the strategy was chilling. The campaign was not about volume or noise. It was about patience, persistence, and building dossiers.

It is easy to forget that a web application does not have to deliver malware to be a threat. Sometimes the application itself is the weapon, collecting information silently in the background. Watching this case laid out was a reminder that application security is not just about patching flaws or fixing logic errors. It is also about recognising when a perfectly functional site is being used for purposes that have nothing to do with commerce or content delivery.

Credential Management API — Matt Cotterell (CyberCX)

The session shifted to something more experimental. The Credential Management API aims to simplify logins by moving credential handling into the browser itself, rather than leaving every site to reinvent the wheel. In theory, the browser prompts the user, retrieves the stored password, token, or key, and passes it on securely.

The demo did not run smoothly (as is tradition, no shade on the presenter), which was fitting for a technology still in development. Chrome shows the most promise, but cross-browser support is uneven. For now, it remains a work in progress. The potential is clear though. If the API matures, it could strip away entire categories of weak custom login forms and blunt some phishing attempts before they even begin.

For more information on how this API works, please see: https://developer.chrome.com/blog/credential-management-api/.

Making Security a Business Priority with Rapid Threat Modelling — Michael Matthee (CyberCX)

The session itself carried a different tone from some of the more technical talks. Rather than diving into exploits or proofs of concept, the focus was on bringing security conversations closer to where business decisions are actually made. The message was clear: threat modelling will only stick if it produces outputs that leaders care about, not just artefacts for security teams to file away.

It was also striking how practical the advice was. Instead of a heavyweight process or a toolkit that nobody has time to learn, the framework boiled things down to questions anyone can understand. Business stakeholders could walk away with a sense that they had contributed real insight, while technical teams still had space to map threats into familiar models like STRIDE. The simplicity of the approach made it feel usable, not aspirational.

The framework presented was designed to cut through the overhead that often makes threat modelling feel like an academic exercise. It distilled the process down to four guiding questions, each tied to business priorities.

1. What are we working on?

   The first step is clarity. Define the project, product, or process in terms that the business recognises. This avoids diving straight into technical abstractions and instead anchors the discussion in what the organisation is actually trying to deliver.

2. What can go wrong?

   This is where the imagination comes in. For business stakeholders, the exercise works best as an open brainstorming session that surfaces concerns in accessible language. For technical teams, more structured approaches such as STRIDE help classify risks with greater precision.

3. What are we going to do about it?

   The aim is not to generate an endless list of vulnerabilities but to make decisions. Which mitigations matter most? Which risks map to the organisation’s critical value streams? At this stage, Matthee emphasised value stream mapping as a way to show how threats intersect with suppliers, processes, and business outcomes.

4. Did we do a good job?

   The final question is about validation. Were the identified risks addressed in subsequent design and implementation? Did the process genuinely help improve outcomes, or did it just generate paperwork?

The lesson was that threat modelling need not be heavy, exclusive, or a box-ticking exercise. By keeping it tied to these four questions, teams can adapt the approach for both business and technical audiences, while ensuring the outputs are directly relevant to organisational priorities.

Insights from a Year of Security Testing — Ian Peters (CyberCX)

Some talks give you new tools, others remind you of what the data has been quietly saying for years. This one fell into the latter camp. With more than 2,500 penetration tests conducted across Australia and Aotearoa New Zealand in a year, the patterns are hard to ignore. Ninety percent of issues still trace back to the same familiar culprits: weak application security practices, identity flaws, and misconfigurations.

The message was not that attackers have suddenly become less inventive, but that defenders are still leaving the same doors open. Multi-factor authentication does not stop business email compromise at scale. Endpoint detection does not always stop extortion outcomes. And phishing remains the workhorse of intrusion, aided by kits-for-hire that anyone can buy.

What struck me was how maturity changes the shape of the work. The clients who have been around this cycle a few times are moving away from simply running tests and fixing issues. Instead, they are embedding security into the developer pipeline, building paved roads, and using threat modelling to decide where to spend effort. For them, pen testing becomes validation rather than discovery.

It was also a reminder that the data we get back from adversaries is incomplete. Stolen data does not always appear on the dark web. Espionage intrusions linger far longer before detection. And the infrastructure for command and control is shifting away from big telltale servers to living-off-the-land techniques that blend into ordinary traffic.

The overall impression was that progress is real, but slow. The industry knows what the root causes are. The question is whether organisations will stop treating penetration tests as an annual compliance ritual and start using the findings as fuel for structural change.

SecDim AI Mentor Demo

Disclaimer: I have no relationship with SecDim. These are simply my impressions of the demo and how it connects to common gaps I have seen in assessments.

Having assessed dozens of environments over the years, one theme shows up almost every time. Application security is a category where organisations might have policies and tools, but they rarely invest in role based cybersecurity training for their IT staff. I am not talking about annual CBT modules or phishing click tests. I mean structured secure code workshops and practical training that reinforces security in the actual day to day work.

First, SecDim mentioned some of their own findings:

The Good: AI lets developers work at a speed that was not possible before. Code changes are generated in seconds, and tools like Copilot can accelerate routine fixes or help explore new patterns. With the right oversight, this velocity can free up time for design, testing, and more strategic security work.

The Bad: SecDim observed that many developers are now pushing AI generated code straight into production without proper review. The result is speed at the cost of safety. They highlighted findings that around 40 percent of Copilot generated code contains flaws, meaning vulnerabilities and broken logic can be shipped just as quickly as working features.

Their platform takes a developer’s existing GitHub repos, maps them against the OWASP Top 10, and then builds tailored challenges to address specific weaknesses. The vendor stated that the goal is not to lecture developers about security for its own sake, but to improve the quality of their code in a way that feels relevant.

At the heart of the demo was their AI powered secure code mentor, Dr. SecDim. It aims to go beyond giving answers by providing real time feedback as developers work, explaining why a fix failed or how to apply defensive patterns. The intent, as SecDim described it, is to teach both secure coding and how to spot LLM mistakes, which they claim is becoming just as important as writing the code itself. They positioned this as encouraging analytical and creative thinking, rather than memorising static solutions.

More about their approach is published in their own post: https://discuss.secdim.com/t/why-we-ve-introduced-an-ai-powered-secure-code-learning-mentor/9222.

• Not just about code fixes. SecDim claims Dr. SecDim is designed to train developers in two parallel skills: secure coding and recognising LLM mistakes. That combination is important, because AI will happily generate insecure fixes if unchecked.

• Mentorship style. Instead of spoon-feeding a single “correct” answer, it aims to guide developers through exploration and context, helping them understand why a fix works and how to apply secure design patterns.

• Real-time feedback. It is said to analyse each code change as the developer works, giving immediate guidance on why a solution failed or how to improve it, mimicking how developers actually learn.

• Prompt engineering as a skill. SecDim emphasised that developers must not only learn secure coding but also become adept at crafting prompts that drive better AI outputs, because working with LLMs is part of the future workflow.

• Mindset shift. The tool aims to help move developers away from bug patching toward resilient design thinking, building habits that stick beyond any single lab or challenge.

That is important, because the reality is clear. Developers are already pushing AI generated code into production, and much of it contains vulnerabilities or is simply broken. SecDim highlighted their own findings that around 40 percent of Copilot generated code has flaws, and the frustration of repeated trial and error often leads teams to push unsafe code just to move forward. This is “Stack Overflow 2.0”, faster but with vulnerabilities baked in.

The vendor’s stance was refreshingly pragmatic. Rather than barking at developers to take secure coding training as a compliance checkbox, SecDim positioned its tool as a way to raise quality while meeting developers where they are. They also make a portion of their challenges freely available at https://play.secdim.com.

Not all the content is free, but a good chunk of it is, and they recommend cloning the repositories so you can take them with you. In my view, it would be even more powerful if it extended beyond developers into other IT roles, but starting with development does fill a very obvious gap.

As with any vendor platform, these claims need to be validated in practice. The demo showed promise, but the proof will be in how well it scales in real environments.

Securing the Future of AI: Introducing the OWASP GenAI Security Project and the LLM Top 10 — Kento Stewart (Gallagher Security)

They kept the focus tight and resisted the temptation to argue about whether AI is good or bad. The real point was that the security community already has a shared language for the risks. The OWASP Top 10 for LLM applications exists, it has evolved since the early drafts, and it now comes with concrete examples that line up with what teams are seeing in actual products. That framing landed well because it connected directly to the prompt injection concerns and agent overreach patterns raised in earlier sessions, making the conversation feel less like theory and more like a catalogue of lived problems.

Some of the examples shared during the session included:

• Hidden instructions embedded in résumés or documents.

• Untrusted outputs being placed directly into live code paths.

• Agents receiving more permission than the task at hand requires.

• Retrieval pipelines surfacing tampered or hostile content.

Each story carried the same lesson: treat LLM outputs as untrusted input, place guardrails outside the model, enforce tight permissions, and test your own systems with the same creativity that an adversary would bring. Here is a brief Summary of the Top 10 for LLM can be found below but for more information, check it out at: https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/

Epic Fails in AppSec: How Not to Set Up an AppSec Program — Iqbal Singh

The talk opened with a reminder that tooling does not equal maturity. Singh described environments where multiple vendors were piled on top of each other, each with its own dashboards, billing cycles, and promises of visibility. The result was not control but confusion. Alerts outpaced remediation, developers disengaged, and security teams felt buried in noise. Instead of reducing risk, the extra tools became friction-ware.

The “OnlyScans” trap

Singh described the organisations that believe security is solved by running scanners. Reports are dumped on developers without context, often filled with false positives or issues with no clear business impact. It alienates the very people who need to fix the problems. Penetration testing remains necessary to find logic flaws that scanners miss, and without that balance the programme devolves into box ticking.

When blocking becomes breaking

Another common failure is the push to enforce “block mode” in CI/CD. Builds are forced to fail if a vulnerability is detected, severity thresholds are set by management, and automated pull requests attempt upgrades. In practice, the builds break, the pull requests do not merge cleanly, and exceptions pile up until the team gives up. Instead of shifting left, the process shifts frustration.

Responding to zero-days with blind spots

Singh also pointed to the gap exposed during zero-day events. SCA tools might detect affected libraries in source repositories, but they cannot confirm if those libraries are in active production paths. Runtime tools can see affected containers, but the link between code and workload is missing. Teams scramble, debt builds, and the illusion of coverage is revealed.

The CVE doom cycle

Perhaps the most sobering trap is what Singh called the CVE doom cycle. Under pressure, organisations buy more tools, run more scans, chase more SLAs, and patch more libraries. Yet they never step back to change the system. Baseline vulnerabilities accumulate, exceptions become permanent, and the team ends up in a loop of debt that looks busy but achieves little.

Callout: Singh’s Maturity Ladder

To build resilience without falling into the traps, Singh suggested pacing the journey deliberately.

• Crawl. Start with the basics by building an accurate inventory of applications, libraries, and infrastructure. This stage is about visibility and knowing what exists, rather than chasing every vulnerability. Without this foundation, every later step is built on sand.

• Walk. Integrate secure defaults and early developer guardrails. This is where paved road approaches matter such as hardened container images, golden AMIs, service control policies, and tagging policies that keep teams on a safer path without slowing them down.

• Run. Begin automating the most repetitive checks and link results back into developer workflows. At this stage, consistency and coverage are more important than volume, and the focus should be on scaling without overwhelming teams with noise.

• Fly. Make secure design the expected standard, not the exception. Threat modelling, automated testing, and design reviews become embedded into delivery pipelines, so that risk decisions are made as part of the build rather than after it.

• Scale. Only once the earlier phases are embedded should organisations add advanced tooling and layered processes. At this point, metrics can drive investment decisions, and security can expand across multiple teams and business units without collapsing under its own weight.

  The session closed with a simple reminder. AppSec programmes fail when they become tool-driven instead of culture-driven. Maturity is not about stacking products, it is about pacing improvements, focusing on secure defaults, and creating guardrails that help rather than hinder development.