Secure Vibe Coding: 5 Key Lessons | The AI Appsec Nightmare

Hosted By
Yuk Fai C. and 3 others

Details

Format:
Dual (2-talk) and Hybrid (in-person and online) event

In-person location:
Startuptive
123 Edward St, Suite 205 (2nd Floor), Toronto, ON M5G 1E2

Note: In-person attendance is limited to 70 people, on a first-come, first-served basis.
Doors will open at 6:00 PM, and the event will start at 6:30 PM (EDT).
For those who cannot attend in person, please join us virtually via the livestream!

Presentation #1: Secure Vibe Coding: 5 Key Lessons - Matt Brown

AI coding assistants like Cursor, Copilot, and Windsurf significantly increase productivity and assist with mundane coding tasks. But while powerful, these tools carry risks: trained on vast public datasets, they inherit bad patterns without necessarily ensuring secure application development. In this talk, we'll share five key lessons for security engineers and developers to improve code security:

  • Implement guardrails
  • Get real-time security signal
  • Watch your dependency blast radius
  • Compensate for non-determinism
  • Invest in prompt engineering

Presentation #2: The AI Appsec Nightmare - Jerry Hoff

The era of AI-powered attackers is no longer theoretical. Autonomous and semi-autonomous tools are now capable of identifying, exploiting, and adapting to vulnerabilities at a scale and speed that surpass human capacity. This talk explores the implications of a world where AI-driven threats are a permanent part of the landscape.

We begin with a candid look at the current state of application security, where manual processes and outdated risk models struggle to keep pace with modern development. At the same time, AI-generated code is entering environments at an unprecedented rate, often with little to no review, expanding the attack surface in ways few organizations are prepared for.

Compounding the problem is a growing wave of global regulations pushing organizations to demonstrate security readiness, often without providing practical paths to achieve it. Within this context, the traditional approach of prioritizing and fixing only critical and high-severity issues is breaking down. Attackers, especially those leveraging AI, no longer view low or medium vulnerabilities as difficult hurdles. Most vulnerabilities should now be treated as easily exploitable.

This session offers a sharp, forward-looking assessment of the challenges ahead and outlines key shifts that application security teams must make to stay relevant and effective in the age of AI.

OWASP Toronto Chapter
FREE