Application security is not getting easier. Despite better tools, richer CVE data, and widespread “shift-left” adoption, the number of vulnerabilities continues to scale with system complexity.
This talk distils 60 years of application security history—from early networked systems to modern cloud-native and AI-driven stacks—and connects it to what Python developers are facing today. Using real incidents, ecosystem data, and patterns observed across decades, the session explains why AppSec keeps failing in familiar ways and where the industry is heading next.
The goal is understanding which problems are structural, which are self-inflicted, and which approaches are finally worth investing in.
Based on my keynote delivered at OWASP AppSec Singapore 2025, this talk compresses six decades of application security evolution into actionable lessons for modern Python teams.
The session covers three phases:
The talk explains why tool-first security consistently underdelivers, why “shift-left” without engineering context fails, and what emerging approaches like predictive scanning and proactive threat modelling can realistically achieve.
Dr Pedram Hayati works at the intersection of software engineering and application security, with a focus on making security an engineering discipline.
He is the founder of SecDim, a developer security wargame, and has spent the last two decades working across both offensive security and application security. Since 2005, he has published more than 25 zero-day advisories, reported thousands of vulnerabilities to large technology organisations, and previously led the global penetration testing function at a major cybersecurity enterprise.
Pedram holds a PhD in Information Security and Machine Learning and lectures postgraduate cyber security at the University of New South Wales (UNSW ADFA). He also founded SecTalks.org, a non-profit security community with an international footprint. His work has been presented at conferences including Black Hat, DEF CON, FIRSTCon, NDC, and OWASP AppSec.