April Meetup
Details
Join us for the April Bay Area OWASP meetup, proudly sponsored by aliengiraffe.ai.
Expect an evening filled with insightful security talks, engaging conversations, and great community networking, all complemented by delicious food and drinks, generously provided by aliengiraffe.ai.
5:00 PM: Doors open, networking, food and drinks
5:30 PM: Chapter introductions
5:45-6:30 PM: Hardening Coding Agents
6:30-7:15 PM: The AppSec Career Nobody Trained You For
7:15-8:00 PM: Regulations Roundup: Navigating SBOM and OSS Compliance Across the US, India, and Europe
Talk #1: Hardening Coding Agents
Description: This talk explores what it takes to safely operate autonomous coding agents that don’t just suggest code—but actively execute work across your SDLC. Using real-world lessons, this talk breaks down how modern agent systems interact with legacy workflows, manage codebases, and continuously generate, test, and ship code. It highlights the hidden risks—non-deterministic environments, dependency drift, prompt injection, and over-privileged execution—and introduces practical patterns like isolated worktrees, strict execution contracts, and built-in security checks that shift validation directly into the agent loop.
This talk is designed for engineering leaders, platform teams, and senior developers who are already experimenting with coding agents or evaluating how to bring them into production environments. If you're responsible for developer experience, CI/CD systems, or the integrity of your codebase, this session will give you a concrete framework to move beyond demos and into reliable, secure agent-driven development—without sacrificing control, reproducibility, or safety.
Nico is a CTO and founder with 20 years of experience building large-scale distributed systems, data platforms, and security-critical infrastructure. His work includes architecting high-throughput event processing for enterprise AI platforms, image optimization pipelines processing up to 10 million images per hour, and end-to-end data backends at AI companies trusted with Fortune 10 pharmaceutical data.
An architect by practice, Nico focuses on defensive software design, least-privilege access, and building systems that assume misuse as a baseline. Today, as co-founder and CTO of AlienGiraffe, he works on how AI fundamentally changes data access and exfiltration, and why traditional access controls fail; focusing on reducing unnecessary data exposure while still enabling productive use by humans and AI.
https://www.linkedin.com/in/nicobistolfi/
Talk #2: The AppSec Career Nobody Trained You For
Description: In 18 months, your job title probably won't change, but your actual job will be unrecognizable. AI is about to mass-produce both vulnerabilities and fixes faster than any human can review them. The people who figure out how to manage that pipeline will run application security. The ones who don't will be writing Jira tickets for an LLM.
Bruce Fram will walk through what the shift from "security engineer" to "automation manager" looks like in practice — what skills matter, what's becoming irrelevant, and what nobody in your org is preparing you for. He'll get into the real numbers on fix rates and backlog math, and why the gap between "doing AppSec" and "managing AI that does AppSec" is where careers split in the next two years.
Bruce is also recruiting contributors for an open source project vetting AI-generated fixes for 1,000+ SAST findings across open source projects. If you want to get your hands dirty with this stuff before it reshapes your day job, show up.
Attendees get a free copy of Bruce's book, The AI Security Advantage: Fix Code 10X Faster.
Bruce Fram is CEO of AppSecAI and the founding CEO of Contrast Security. He's run six enterprise software companies over 25+ years of technology shifts. He's more technical than most CEOs (he codes with AI daily) and recently wrote The AI Security Advantage: Fix Code 10X Faster.
Talk #3: Regulations Roundup: Navigating SBOM and OSS Compliance Across the US, India, and Europe
The landscape of global regulations around Software Bill of Materials (SBOM) and OSS compliance is changing rapidly. This talk offers a high-level exploration of the latest requirements and practical challenges, focusing on the US, Indian, and European contexts. Our expert presenters will demystify the CISA minimum SBOM elements, explain why usage information is increasingly vital for license compliance, and discuss the complexities of providing end-of-life data for open source and commercial components.
Attendees will gain insights into how Indian CERT-In and European Cyber Resilience Act (CRA) regulations are shaping supplier obligations, and how these changes impact US organizations working internationally. The session will highlight real-world strategies for managing support windows, responding to customer demands, and preparing for audits, whether you’re dealing with open source projects or commercial software.
Join us for a comprehensive “regulations roundup” that brings together perspectives from multiple regions, clarifies what’s mandated now, and offers practical advice for staying compliant and competitive in a global market.
