Given web applications are the main entry point for breaches, as found in Verizon’s 2024 DBIR, securing those applications and APIs is more critical than ever. That’s why, in this edition of the Cyber Risk Series, we’ll dive into application security. We’ll discuss the latest web application and API security trends, confront emerging threats, and uncover advanced techniques to stay ahead.
APIs are also increasingly becoming a target for sophisticated attacks, so this series will highlight practical strategies to protect these essential connectors that underpin modern applications. From navigating hybrid and multi-cloud environments to integrating AI and embracing DevSecOps, our discussions will address the real-world challenges of modern application security while emphasizing the critical role of API security.

Wednesday, March 12, 2025

Virtual
Featured Speakers

Mike Shema
Product Security, Block, Inc.
Host, Application Security Weekly

Katie Norton
Research Manager, DevSecOps & Software Supply Chain
IDC

Robert Hansen
Managing Director, Grossman Ventures
Host, The RSnake Show

Corey J. Ball
Senior Manager, Pen Testing, Moss Adams
Author, Hacking APIs

Jerry Hoff
CEO
SightGain

Dilip Bachwani
CTO and EVP
Enterprise TruRisk Platform
Qualys

Asma Zubair
Director, Product Management, AppSec, API & Web App Security
Qualys

Key topics:
- Emerging Threats and Advanced Attacks on Applications and APIs
- Securing APIs: The Silent Risk
- User Privacy & Compliance: PCI, GDPR, CCPA, and Beyond
- Security in the Software Supply Chain

Agenda
9:00 AM PT
AppSec in 2025: Navigating Risks, Threats, and Innovation

Mike Shema
Product Security, Block, Inc.
Host, Application Security Weekly
Mike Shema kicks off the Cyber Risk Series: AppSec Edition with an insightful look at the evolving application security landscape. He’ll outline key challenges, emerging threats, and strategies shaping AppSec today.
9:15 AM PT
Bringing It All Together: What Industry Data Says about Securing APIs

Katie Norton
Research Manager, DevSecOps & Software Supply Chain
IDC
APIs power the digital experiences that customers and partners increasingly expect, yet their rapid growth and expanding threat landscape pose urgent security challenges that no organization can afford to overlook. In this data-driven presentation, Katie Norton, an industry analyst at IDC, explores the rapidly evolving landscape of API security and why it has become a critical priority for modern organizations. Drawing on IDC research and real-world breach examples, she will highlight the expansive role of APIs in connecting systems, fueling innovation, and shaping user experiences, while also expanding the potential attack surface for malicious actors. She will also examine how emerging trends such as generative AI and AI agents transform the threat landscape by introducing new complexities. Finally, she will underscore the importance of a holistic, end-to-end security strategy (spanning tool convergence, DevSecOps practices, and a robust security culture) to ensure that businesses not only comply with evolving regulations but also thrive in an increasingly connected digital world.
9:45 AM PT
API Security: Beyond The Scan

Corey J. Ball
Author, Hacking APIs
Founder & CEO, hAPI Labs
Many organizations rely on vulnerability management tools that do not scan for API vulnerabilities effectively. Using data from breaches, industry reports, and his own experience, Corey will make the case for a holistic approach to API security. APIs must be tested for insecure authorization, authentication, and trust boundary weaknesses. To ensure comprehensive testing in these areas, Corey will provide practical guidance for API security testing.
10:15 AM PT
At the Risk of CVE

Robert Hansen
Managing Director, Grossman Ventures
Host, The RSnake Show
We know CVEs are in everything: vulnerability management programs, red teams, asset management, compliance mandates, and more. But they are not well understood, and a lot of nuances have made them difficult and cumbersome to use. RSnake will do a deep dive into these issues and, hopefully, shed new light on the thing we all use and will likely keep using for a very long time.
10:45 AM PT
The Breaking Point: Can Security Keep Up with the Web’s Accelerating Complexity?

Jerry Hoff
CEO, Maru Security
Former Executive Information Security Officer, Sony Electronics
The field of application security is evolving at an unprecedented rate. Modern browsers have become full-fledged execution environments with rapidly expanding capabilities. JavaScript continues to grow in scope, enabling more complex applications while simultaneously introducing new attack vectors. Traditional security controls are increasingly being bypassed by emerging protocols and evolving exploitation techniques.
At the same time, artificial intelligence is reshaping the software development lifecycle by accelerating code generation, automating workflows, and increasing deployment velocity. This surge in automation is driving exponential growth in applications and functionality, but it is also expanding and diversifying the attack surface. Security measures that were once effective are now struggling to keep pace with the speed and complexity of modern development environments.
Automation is no longer optional; it is a fundamental requirement for securing applications at scale. Security teams must rethink their approach to stay ahead of emerging threats. This talk will examine the evolution of attacker techniques in response to increasing browser capabilities, the security challenges posed by AI-driven code proliferation, the next phase of application security, and the necessity of automation in securing evolving architectures.
11:15 AM PT
Securing APIs at Scale: How Qualys Secures Its Own Stack

Dilip Bachwani
CTO, Qualys
Discover how Qualys’ engineering team secures its own APIs using Qualys TotalAppSec. Qualys’ CTO shares real-world insights on leveraging continuous security testing, risk-based prioritization, and automation to safeguard APIs at scale, ensuring resilience and compliance while accelerating innovation. Learn best practices you can apply to secure your own applications.
11:35 AM PT
Unifying Web App & API Security to Safeguard the Modern Application Ecosystem

Asma Zubair
Director, Product Management, AppSec, API & Web App Security
Qualys
In today’s interconnected world, ensuring the security of APIs is crucial for safeguarding sensitive data and maintaining system integrity. This session will explore various approaches to API security, diving into their benefits and potential drawbacks, providing a balanced view to help you make informed decisions for your security strategy.
Additionally, Asma will cover selecting the right API security testing tool for your organization to protect your digital ecosystem. Whether you’re a security specialist, information security leader, or developer, this webinar will equip you with the knowledge needed to enhance your API security strategy effectively.

Sumedh Thakar
President and CEO, Qualys
As President and CEO, Sumedh leads the company’s vision, strategic direction and implementation. He joined Qualys in 2003 in engineering and grew within the company, taking various leadership roles focused on helping Qualys deliver on its platform vision. From 2014 to 2021, he served as Qualys’ Chief Product Officer, where he oversaw all things product, including engineering, development, product management, cloud operations, DevOps, and customer support. A product fanatic and engineer at heart, he is a driving force behind expanding the platform from Vulnerability Management into broader areas of security and compliance, helping customers consolidate their security stack. This includes the rollout of the game-changing VMDR (Vulnerability Management, Detection and Response) that continually detects and prevents risk to their systems, Multi-Vector EDR, which focuses on protecting endpoints as well as Container Security, Compliance and Web Application Security solutions. Sumedh was also instrumental in the build-up of multiple Qualys sites resulting in a global 24x7 follow-the-sun product team.
Sumedh is a long-time proponent of SaaS and cloud computing. He previously worked at Intacct, a cloud-based financial and accounting software provider. He also worked at Northwest Airlines developing complex algorithms for its yield and revenue management reservation system. Sumedh has a bachelor’s degree in computer engineering with distinction from the University of Pune.

Eran Livne
Senior Director, Endpoint Remediation, Qualys
Eran Livne is Senior Director, Endpoint Remediation at Qualys, leading a team tasked with helping customers improve their security posture through cross-platform vulnerability remediation. He has more than 20 years of product management and computer science experience working in diverse IT and security markets. In 2014, Eran founded the mobile security company LetMobile, later acquired by Ivanti. Following the acquisition, he drove Ivanti’s enterprise security and endpoint security and management solutions. Eran holds a bachelor’s degree in computer science from Tel Aviv University and an MBA in high-tech business administration from Technion - Israel Institute of Technology.

Jonathan Trull
CISO & SVP Security Solution Architecture, Qualys
Jonathan Trull is a longtime security practitioner and CISO & SVP Security Solution Architecture with over 18 years of experience in the cybersecurity industry, and is currently the Senior Vice President of Customer Solutions Architecture and Engineering at Qualys. His career has spanned operational CISO and infosec roles with the State of Colorado, Qualys, Optiv, and Microsoft. While at Microsoft, Jonathan led the Microsoft Detection and Response Team (DART), whose mission was to respond to cybersecurity incidents around the globe, ranging from cyber espionage initiated by nation-state actors to ransomware attacks, and which included the investigation of and response to the NOBELIUM threat actor campaign that leveraged the SolarWinds supply chain. Jonathan also serves as an advisor to several security startups and venture capital firms and supports the broader security community through his work with the Cloud Security Alliance, Center for Internet Security, and IANS. He is also an adjunct faculty member at Carnegie Mellon University, where he mentors and coaches those attending the CISO Executive Education Program. Jonathan is a frequent speaker at industry conferences such as Black Hat, RSA, and SANS and holds several industry certifications, including the CISSP, OSCP, CCSP, and GCFA. Jonathan is a veteran of the U.S. Navy, finishing his career as a Lieutenant Commander supporting the Information Warfare Domain.