The HP Garage in Palo Alto is remembered as the “Birthplace of Silicon Valley.” It was a one-car workspace where Bill Hewlett and Dave Packard turned a technical experiment into a company that helped define an industry. Technology often begins in rooms too small for the consequences it creates. A quick prototype becomes a product with hundreds of customers, with support expectations. An experiment in building software becomes the infrastructure that much of the internet depends on.
This made the Bay Area city the perfect place to hold the San Francisco Secure Software and AppSec Summit 2026. Application security is once again standing near the garage door, watching experiments harden into systems before the governance model has caught up.
The event brought together over 100 security practitioners, product security leaders, founders, and enterprise AppSec teams for a practitioner-heavy day focused on secure software, AI-driven development, supply chain risk, and operational maturity. Throughout the event, AI was never treated as a magic layer, but as an accelerant, one that makes architectural debt, identity shortcuts, weak ownership, and lifecycle gaps harder to ignore.
Here are just a few highlights from the event.
The Agent in the Hoodie
In the opening keynote session “Securing Autonomous AI Agents: The New Attack Surface No One Is Ready For,” Aaron Brown, Head of Security and IT at Mercor, plainly explained that prompt injection is arbitrary instruction execution in softer clothing. Every agent input should be treated as untrusted code, and every memory write as a potential persistent payload. We have seen this reactive pattern before, as SQL injection forced parameterized queries, and cross-site scripting forced content security controls. When untrusted input can steer execution, permissions alone will not save you.
The production risk is the untrusted content agents now consume from email, web pages, continuous integration builds, rules files, and shared knowledge bases. Aaron said access to private data, exposure to untrusted content, and external communication form an exploitable agent trifecta. There is no robust prompt injection filter ready to solve that problem. Not today and not on any near-term roadmap. He implored us all to “stop building castle walls and start building blast doors.” This looks like capability scoping per invocation, sandboxed execution, egress allowlisting, no ambient credentials, and human approval gates for actions that cannot be undone.
Aaron said the next step is to treat agents like interns with root access: onboard them, scope them, audit them, and offboard them. That means giving every agent its own revocable identity, logging every tool invocation, and trusting system calls over agent explanations. The risks already landing in production, including sub-agent fan out, Model Context Protocol supply chain exposure, and shared-memory injection, all point to the same conclusion: the control plane is the blast radius. He left us with the practical advice that “You will not out-prompt the attacker. You can out-engineer them.”
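
A minimal sketch of the “blast door” controls listed above: capabilities scoped to one invocation, an egress allowlist, a refusal to complete the trifecta, approval holds for irreversible tools, and a log entry for every decision. This is an added example, not code from the talk or from Mercor; the tool names, hosts, and the `Grant`/`Gate` classes are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed for illustration: tool names, hosts and class names are assumptions.
IRREVERSIBLE = frozenset({"delete_records", "send_email", "write_shared_memory"})

@dataclass(frozen=True)
class Grant:
    """Capabilities issued for one invocation of one agent identity; nothing ambient."""
    agent_id: str
    tools: frozenset
    egress_hosts: frozenset = frozenset()
    read_private: bool = False    # this run may read private data
    saw_untrusted: bool = False   # this run consumed email, web pages, CI output, ...

@dataclass
class Gate:
    audit: list = field(default_factory=list)

    def decide(self, grant, tool, url=None, approved_by=None):
        host = urlsplit(url).hostname if url else None
        if tool not in grant.tools:
            verdict = "deny: tool not in grant"
        elif url and host not in grant.egress_hosts:
            # Also covers URLs with no parseable host (host is None).
            verdict = "deny: egress host not allowlisted"
        elif url and grant.read_private and grant.saw_untrusted:
            # Private data + untrusted content + external communication.
            verdict = "deny: trifecta complete"
        elif tool in IRREVERSIBLE and not approved_by:
            verdict = "hold: human approval required"
        else:
            verdict = "allow"
        # Every decision is logged, including denials and holds.
        self.audit.append({"agent": grant.agent_id, "tool": tool, "host": host,
                           "approved_by": approved_by, "verdict": verdict})
        return verdict

def demo():
    gate = Gate()
    allow = frozenset({"api.tracker.example"})
    triage = Grant("agent-triage-01", frozenset({"http_get", "send_email"}),
                   allow, read_private=False, saw_untrusted=True)
    mailbox = Grant("agent-mailbox-02", frozenset({"http_get"}),
                    allow, read_private=True, saw_untrusted=True)
    return gate, [
        gate.decide(triage, "http_get", "https://api.tracker.example/issues"),
        gate.decide(triage, "http_get", "https://files.unlisted.example/x"),
        gate.decide(triage, "shell_exec"),
        gate.decide(triage, "send_email"),
        gate.decide(triage, "send_email", approved_by="oncall@corp.example"),
        gate.decide(mailbox, "http_get", "https://api.tracker.example/issues"),
    ]
```

The last call is denied even though the host is allowlisted, because that run already holds the other two legs of the trifecta.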

Kill the Server Before It Kills You
In the session from Mike Wilkes, Field CISO at Aikido, called “Shutting It Down: Decommissioning as an AppSec Control,” he explained that in his experience, the software development lifecycle tends to obsess over what gets built, shipped, and maintained, but it often goes quiet when systems should die. That silence has a cost. Every orphaned app, stale server, forgotten license, unmanaged certificate, and abandoned integration becomes infrastructure for someone else. Old systems do not patch themselves.
Decommissioning is not, and cannot be, owned by security alone. It is a cross-functional retirement process that requires business approval, access removal, data retention decisions, and post-shutdown verification, among other basic requirements. Good asset management depends on mature tagging, infrastructure as code, and continuous discovery because the configuration management database is only as accurate as its last update. Mike pushed the audience to treat infrastructure as cattle, not pets.
He said we need to “Give cloud assets a death date. Celebrate shutdown as part of the lifecycle.” Then prove it happened with evidence that teams can use in an audit. We also need to stop only asking what new systems are being deployed and start finding the systems the organization is brave enough to shut down. Forgotten systems are not harmless clutter. They are loaded weapons pointed at the business.
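
One way to turn the “death date” and audit-evidence ideas above into a recurring check, as an added example that is not from the talk or from Aikido. The tag names `owner` and `expires-on`, the evidence keys (taken from the four retirement requirements named above), and the inventory itself are assumptions constructed for illustration.

```python
from datetime import date

# Assumptions for this sketch: the tag names "owner" and "expires-on", the
# evidence keys, and every asset below are constructed, not a standard.
REQUIRED_TAGS = ("owner", "expires-on")
EVIDENCE = ("business_approval", "access_removed",
            "data_retention_decision", "post_shutdown_check")

def review(assets, today):
    """Return {asset_id: finding} for each asset that needs a human decision."""
    findings = {}
    for a in assets:
        tags, state = a.get("tags", {}), a.get("state", "unknown")
        if state == "retired":
            # Shutdown only counts once every piece of evidence is recorded.
            gaps = [e for e in EVIDENCE if not a.get("evidence", {}).get(e)]
            if gaps:
                findings[a["id"]] = "retired without evidence: " + ", ".join(gaps)
            continue
        missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
        if missing:
            findings[a["id"]] = "missing tags: " + ", ".join(missing)
            continue
        try:
            death = date.fromisoformat(tags["expires-on"])
        except ValueError:
            findings[a["id"]] = "unparseable expires-on"
            continue
        if death < today:
            overdue = (today - death).days
            findings[a["id"]] = f"{overdue} days past death date, still {state}"
    return findings

INVENTORY = [
    {"id": "vm-legacy-crm", "state": "running",
     "tags": {"owner": "sales-eng", "expires-on": "2026-01-31"}},
    {"id": "vm-batch-07", "state": "running", "tags": {"expires-on": "2026-09-30"}},
    {"id": "vm-api-02", "state": "running",
     "tags": {"owner": "platform", "expires-on": "2026-12-31"}},
    {"id": "vm-demo", "state": "stopped",
     "tags": {"owner": "devrel", "expires-on": "next quarter"}},
    {"id": "vm-old-wiki", "state": "retired", "tags": {"owner": "it"},
     "evidence": {"business_approval": True, "access_removed": True,
                  "data_retention_decision": True, "post_shutdown_check": False}},
]

FINDINGS = review(INVENTORY, today=date(2026, 3, 1))
```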

SBOMs, Herds, and the Dependency Reality Check
In the panel discussion “The Evolving Supply Chain Risk Landscape: What’s Actually Breaking in Production,” a group of seasoned experts offered a grounded view of supply chain security that challenged several comfortable assumptions. It started with a question from the moderator, Mike Shema, Host of Application Security Weekly, about the effectiveness of SBOMs in AppSec.
Ankur Chakraborty, Senior Director of Platform Security at Box, was blunt that software bills of materials (SBOMs) are not reducing production risk by themselves. Ankit Agrawal, Senior Manager, Application Security at Webflow, gave them a narrower lane, saying they are useful for federal compliance and some inventory use cases, but not a vulnerability prevention mechanism. David Holmes, Application Security Chief Technology Officer at Thales, added that knowing whether you have a vulnerable package still matters, but AppSec teams should not confuse awareness with control. Gursev Singh Kalra, Vice President, Product Security at Salesforce, brought the concern forward into AI-assisted development, where tools do not naturally pause to ask whether a dependency is safe. They satisfy the prompt.
The panel kept returning to the point that the list of dependencies is not the control. Ankur argued for system-level guardrails because modern package ecosystems can break clean inventory assumptions quickly. Ankit pointed to controls around dependency consumption, risk scoring, and pipeline-specific policy enforcement, noting that overly rigid software development lifecycle rules can push developers into workarounds. Gursev emphasized parallel security review for machine-generated code, with automated checks running as code is created, not after it is already in production. David pushed on the human problem beneath the tooling, that organizations still need skilled people to define what agents can do, where they should be constrained, and when automation has exceeded its authority.
AI-generated code complicated the discussion. The panelists observed that coding agents do not naturally pause to ask whether a dependency is safe. They satisfy prompts. That means dependency governance has to move closer to the act of creation, with paved paths, continuous policy checks, and guardrails that apply consistently across humans, agents, and pipelines. The lesson was not that supply chain security needs a new slogan. It needs enforcement points that work at machine speed without forcing developers into workarounds.

AppSec Moves Closer to the Architecture
The panel “The Future of AppSec: What Changes, What Stays, and What Gets Replaced” opened by separating AI usefulness from AI theater. Ken Johnson, Co-Founder and CTO at DryRun Security, called “AI skills” overhyped when they are not tied to strong business cases or clear model choices. Simon Harloff, Chief Product Security Officer at Dam Secure, pushed back on the idea that AI simply replaces humans. Seth Law, Founder of Redpoint Security, warned about overdependence on tools like Claude Code, especially when junior practitioners are pushed into senior-level work before they understand the consequences. Cole Cornford, Chief Executive Officer, Galah Cyber, pointed to a deeper risk that base models age quickly, and what looks useful today can become obsolete as the model, context, and business case change.
AppSec review is moving away from people reading every pull request and toward systems that shape, constrain, and verify work before production. Panelists argued that manual code review is no longer the primary control, and the real question is how AI-generated work changes system architecture. We were challenged to think about what “code owner” means when AI can modify large portions of a codebase, and the panelists predicted that traditional DevSecOps approval workflows will fade as agents feed results into pipelines.
The group tied the shift back to supply chain risk, noting that AI pushes teams further into software they did not directly write. Legacy controls like web application firewalls and software composition analysis may be headed for a dinosaur moment as AppSec blends into application engineering and general security. AppSec is not disappearing. It is being redistributed, automated, and pushed closer to architecture.

AppSec Is Becoming Control Plane Engineering
AppSec is shifting from finding security issues to engineering the control plane around how software gets built, changed, retired, and delegated to agents. Accountability is the goal. Not just who found the risk, but what system constrained it, who owned it, and how the organization proved it was handled.
AppSec Is Losing the Comfort of Human Scale
For years, AppSec assumed humans could stay close enough to the work to understand it. A human wrote the code and reviewed the pull request. A human approved the waiver. That model was already strained, and AI makes the strain much more visible.
Software now moves faster than human attention can serve as the primary security boundary. Agents can generate code, choose dependencies, call tools, spawn sub-agents, and write memory faster than teams can inspect each decision. Humans still matter, but their work moves upstream into intent, architecture, constraints, and exception handling. Machine-speed work needs machine-enforced boundaries.
Ownership Is the Scarce Resource
Many sessions were really about ownership. Who owns the agent’s permissions? Who owns a stale system after the business stopped using it? Who owns a dependency pulled by a coding assistant? Who owns the risk when a release ships with a waiver?
Most AppSec failures are not failures of detection. They are failures of accountable closure. The organization may know the issue exists, but not who can make it go away. That is why asset inventory, agent identity, risk registers, paved paths, and decommissioning kept showing up.
Reversibility Is the New Security Boundary
One interesting takeaway was “reversibility.” The old instinct was to ask whether something was allowed. The better question is whether it can be safely undone. If an agent suggests a code change, it can be reviewed and reverted. If it deletes customer data, sends credentials externally, changes production state, or writes persistent instructions into shared memory, the risk changes. Decommissioning is controlled reversibility for infrastructure.
Human-in-the-loop gating matters most where the action cannot be cleanly unwound. The future AppSec control model is less about what AI can do and more about which actions are safe to automate because the blast radius is bounded.
The Work Of AppSec Is Moving Down a Layer
The next version of AppSec will not be judged by how loudly it warns, how many findings it opens, or how often it says no. It will be judged by what it makes impossible by default. The teams that adapt will stop treating security as a review function bolted onto software and start treating it as part of the operating model beneath software. They will enforce identities that expire, systems that can die cleanly, agents that inherit intent rather than access, and risk decisions that leave a trace.
AppSec is not disappearing into AI, automation, or developer tooling. It is moving down a layer, closer to the places where software becomes real. The future belongs to teams that can turn judgment into guardrails, guardrails into defaults, and defaults into systems that hold even when nobody is watching.









