Secure Software & DevSecOps Forum

Secure Software & DevSecOps Forum explores best practices in secure development and DevSecOps, covering code security, threat modeling, cloud security, and automated testing to enhance end-to-end cybersecurity.

TIME & LOCATION
  • 4/17 (Thu.) 09:30 - 17:00 | 701F Meeting Room
AGENDA
4/17 09:30 - 10:00 | 7F 701F
CHEN, CHIA-HSIEN / Project Manager, Financial-related industries

Integrating cybersecurity and project management can significantly enhance project efficiency, preventing security issues from becoming bottlenecks in project timelines. This presentation will demonstrate how to embed cybersecurity reviews throughout the Software Development Life Cycle (SDLC), especially by implementing preventive security measures during requirement definition, design, and development phases to ensure smooth project progression. For vulnerability remediation, we will discuss rapid risk assessment and priority-setting within project management frameworks, using tools such as Gantt charts and agile Kanban boards to allocate resources effectively, ensuring remediation processes align with timeline planning.

Additionally, practical experiences using project management tools such as JIRA and Confluence will be shared to enhance transparency in remediation progress and improve cross-departmental collaboration. The presentation will also focus on real-world project experiences, highlighting solutions for overcoming interdepartmental communication barriers and resource allocation challenges, along with introducing practical response strategies.

This topic emphasizes a bidirectional integration between cybersecurity and project management, embedding security measures into each project phase and sharing practical insights from multiple large-scale projects. Participants will gain actionable strategies to effectively integrate cybersecurity into their daily project management practices, thereby achieving more efficient security management and project execution.

  • Security Development Lifecycle
  • Vulnerability Management
  • Security Orchestration
4/17 10:15 - 10:45 | 7F 701F
Beck Lin / Software Engineer, Technical Development Department II, Digicentre

When fixing SAST issues, developers need to know how to apply generic security recommendations to fix issues in their system context. This talk demonstrates how to combine SAST issue fix experience with RAG technology to create an intelligent security advisor that understands your system context. We'll explore building a knowledge base of fix patterns. Through practical examples, we'll show how this system operates in CI pipelines to help teams efficiently resolve SAST findings, and share methods for capturing fix experience to build an intelligent advisor that provides precise, context-aware security recommendations.

  • DevSecOps
  • Secure Coding
  • Software Security
4/17 11:00 - 11:30 | 7F 701F
Chung-Yi Chen / Security Compiler Engineer, R&D Dept., ICEshell Co., Ltd.

The security of an app is a crucial concern for developers. Without proper protection mechanisms, attackers can easily use reverse engineering to analyze the application's structure and functionality, leading to actions that compromise the developer's interests, such as bypassing paid features, stealing sensitive data, or even injecting malicious code for distribution. This talk will explore how compilers can be leveraged to protect app code and increase the difficulty of reverse engineering. Attendees will gain insights into modern compiler design principles, fundamental knowledge of Clang/LLVM, code protection techniques implementable in compilers, open-source solutions, and experiences and challenges in developing compiler-based protection mechanisms at ICEshell.

  • Mobile Security
  • Application Security
  • Reverse Engineering
4/17 11:45 - 12:30 | 7F 701F
Tommy Tseng / Security Architect, Viewsonic

This talk explores seamlessly integrating AI compliance into DevSecOps, balancing technological innovation and regulatory adherence. As AI adoption grows, the EU AI Act, the world’s first AI regulation, imposes strict requirements on technology development and risk governance, significantly raising compliance thresholds for businesses.

We will deconstruct the AI Act, tracing its evolution from the AI White Paper → Trustworthy AI → AI Act, and incorporate ISO 42001 methodologies to examine risk management, governance, process management, data governance, AI algorithms, system architecture, and input-output processes for comprehensive AI compliance.

Additionally, this session will explore embedding compliance into the DevSecOps lifecycle, covering security and privacy, ethical standards, legal risk management, and continuous improvement. Ultimately, we aim to help businesses build human-centric, trustworthy AI, ensuring they stay competitive in the rapidly evolving AI regulatory landscape.

  • AI Security
  • AI Safety
  • DevSecOps
4/17 14:00 - 14:30 | 7F 701F
Archer Tsai / Security Architecture Strategist, Security Architecture Dept., Digital Security Center, ASUSTeK Computer Inc.

In traditional software development workflows, developers often prioritize creating functionalities while relegating system protection and code scanning to the final stages. This approach is feasible because, during development, the environment remains isolated. However, when developing services on public clouds, resources are immediately exposed to internet threats upon creation. The consequences can be far more severe than expected if the development environment is compromised.

In this session, we will explore the potential threats facing cloud development environments and the protections necessary to mitigate these risks.

  • Cloud Security
  • DevSecOps
  • Shift Left Security
4/17 14:45 - 15:15 | 7F 701F
Kai Kao / Senior Manager, Deloitte

With the rise of DevOps, integrating security into the development process has become crucial, and continuous testing is an essential part of it. In CI/CD, various tests are conducted, and from a DevSecOps perspective, DAST is an important security testing method. However, in practice, DAST often requires specialized knowledge and can be challenging to integrate into pipelines. Common issues include long scanning times and difficulty in effectively identifying vulnerabilities. This session will start with an overview of security testing, provide an in-depth analysis of DAST web vulnerability scanning, and explore how to properly and efficiently integrate DAST into CI/CD pipelines to achieve continuous testing.

  • Application Security Testing
  • DevSecOps
  • Web Security
4/17 15:30 - 16:00 | 7F 701F
Lung-Yu Tsai (Tygrus) / Deputy Manager, Technical Development Division II, Digicentre Company Limited

This session will share practical experiences in implementing DevSecOps and automated security testing, demonstrating how to integrate security checks into agile development workflows. We'll show that security and efficiency can go hand in hand. Attendees will learn actionable methods and understand how to shift their team's perspective on traditional security testing approaches.

  • SecDevOps
  • Secure Coding
  • Vulnerability Management
4/17 16:15 - 17:00 | 7F 701F
Renaud Sauvain / R&D Director of Software Engineering, West Pharmaceutical Inc.

With new standards rapidly emerging, cybersecurity for regulated technologies like GMP, digital health, SaMD (Software as a Medical Device), and IoMT (Internet of Medical Things) now demands advanced approaches to security risk management.

We invite developers, software quality professionals, and security specialists to join us for Regulated Software Threat Modeling: A Practical Walk-Through, where we will explore strategies to meet and extend the guidance from the MITRE Playbook for Threat Modeling Medical Devices. Using practical frameworks, tips, and tools—such as MITRE CWE, DFD, STRIDE, CVSS, and more—we’ll cover best practices for conducting thorough, defensible, and compliant software security risk assessments, from identification and analysis to mitigation and evaluation for your application or digital system.

  • Risk Management
  • Software Security
  • Threat Modeling

More speakers and agenda details will be announced soon.