NHI Forum
Read full article here: https://blog.gitguardian.com/lascon-xv/?utm_source=nhimg
The fifteenth edition of the Lonestar Application Security Conference (LASCON XV) in Austin highlighted a pivotal evolution in modern cybersecurity. With over 450 attendees and 52 speakers, the event focused on how AppSec must adapt to the convergence of AI risk, identity-based threats, and production-context security. From Identity Threat Detection and Response (ITDR) to Model Context Protocol (MCP) and risk-based vulnerability management, the message was clear: security teams must shift from reactive defenses to contextual, identity-driven strategies.
Identity as the New Perimeter
In his session “Improving Account Security with ITDR,” Bertold Kolics, Principal Quality Engineer at Imprivata, emphasized that identity—not endpoints—is now the security perimeter. He detailed how credential theft, session sharing, and account takeover dominate today’s threat landscape. Attackers increasingly log in rather than break in. To counter this, Kolics advocated for identity-based risk scoring, honeypot accounts, and contextual anomaly detection that includes both human and non-human identities (NHIs). The goal is to detect anomalies like impossible travel, shared sessions, and high-risk logins before they escalate into full-scale compromises.
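The detections Kolics describes (impossible travel, shared sessions, risky logins by non-human identities) can be expressed as a few small rules over a login log. The block below is an added illustration, not code from the talk or from Imprivata: the event schema, the 900 km/h speed threshold, the scoring weights and the sample events are all assumptions made for this example, and it generalizes the talk's examples into a per-identity risk score that covers humans and NHIs alike.

```python
"""Contextual login anomaly detection over a constructed login log.

Added example (not from the LASCON talk): event fields, thresholds, weights
and sample events are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    ts: int            # unix seconds
    identity: str      # user or service-account name
    kind: str          # "human" or "nhi"
    session: str       # session or token identifier
    ip: str
    lat: float
    lon: float
    interactive: bool  # browser/console login (True) vs API/token use (False)


# Constructed sample: alice "travels" Austin -> London in one hour, bob's session
# is reused from a second IP, a service account logs in interactively, carol is clean.
SAMPLE = [
    LoginEvent(0,    "alice", "human", "sess-a1", "192.0.2.10",   30.27, -97.74, True),
    LoginEvent(3600, "alice", "human", "sess-a2", "192.0.2.11",   51.51,  -0.13, True),
    LoginEvent(0,    "bob",   "human", "sess-b1", "198.51.100.7", 30.27, -97.74, True),
    LoginEvent(600,  "bob",   "human", "sess-b1", "203.0.113.9",  30.27, -97.74, True),
    LoginEvent(100,  "svc-deploy", "nhi", "tok-d1", "192.0.2.50", 30.27, -97.74, True),
    LoginEvent(200,  "carol", "human", "sess-c1", "192.0.2.12",   30.27, -97.74, True),
]

MAX_KMH = 900.0  # assumed threshold: faster than an airliner is "impossible travel"
WEIGHTS = {"impossible_travel": 40, "nhi_interactive_login": 30, "shared_session": 25}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events):
    """Flag consecutive logins by one identity that imply an impossible speed."""
    findings = []
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e.identity].append(e)
    for ident, evs in by_identity.items():
        evs = sorted(evs, key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts) / 3600
            # simultaneous logins far apart are impossible regardless of speed
            if km > 50 and (hours == 0 or km / hours > MAX_KMH):
                findings.append(("impossible_travel", ident, f"{km:.0f} km in {hours:.2f} h"))
    return findings


def detect_shared_sessions(events):
    """Flag one session/token identifier presented from more than one source IP."""
    seen = {}
    for e in events:
        seen.setdefault(e.session, (e.identity, set()))[1].add(e.ip)
    return [("shared_session", ident, f"{sess} from {sorted(ips)}")
            for sess, (ident, ips) in seen.items() if len(ips) > 1]


def detect_nhi_interactive(events):
    """A non-human identity should never perform an interactive login."""
    return [("nhi_interactive_login", e.identity, f"interactive from {e.ip}")
            for e in events if e.kind == "nhi" and e.interactive]


def risk_scores(events):
    """Combine findings into one score per identity, human and NHI alike."""
    scores = {e.identity: 0 for e in events}   # clean identities keep a row at 0
    for detector in (detect_impossible_travel, detect_shared_sessions, detect_nhi_interactive):
        for kind, ident, _detail in detector(events):
            scores[ident] += WEIGHTS[kind]
    return scores


if __name__ == "__main__":
    for ident, score in sorted(risk_scores(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{ident:12} risk={score}")
```

In practice the same rules would consume IdP or SSO audit logs rather than an in-memory list, and the weights would be tuned per environment; the point is that the score is attached to the identity, so a service account with a single interactive login ranks near a human with impossible travel.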
Shifting Left With Context
Milind Daftari, Cybersecurity Engineer, and Akash Rajeev Bhatia, Governance, Risk and Compliance, both at VISA, explored how DevSecOps must evolve beyond “shift left” to embed contextual automation and shared accountability. Their talk, “DevSecOps as a Launchpad,” highlighted that automation without context leads to alert fatigue and developer mistrust. They called for smarter feedback loops, tighter integration between SAST, DAST, and secrets management, and developer-centric remediation workflows.
They also discussed the rise of Model Context Protocol (MCP)—an infrastructure layer designed to connect AI systems, orchestration tools, and code scanners. Rather than treating AI as a bolt-on feature, security teams must architect governance around it, ensuring that developer velocity and security posture move in harmony.
From Vulnerability Counts to Risk Context
In “Navigating the Challenges of Risk-Based Vulnerability Management,” Mauve Hed, Sr. Manager, Security Engineering & Operations at Bazaarvoice, and Francesco Cipollone, CEO & Co-Founder of Phoenix Security, argued that Continuous Threat Exposure Management (CTEM) is the next evolution of AppSec. The focus is no longer on how many vulnerabilities exist, but on how many business-relevant risks are mitigated. Their framework integrates asset ownership, exploitability, and code-to-cloud mapping, pushing teams to prioritize remediation over discovery. Security metrics, they stressed, should tell a business story, not just a technical one.
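To make the shift from vulnerability counts to business risk concrete, the block below scores findings with the kind of production context the speakers name (asset ownership, exploitability, code-to-cloud reachability) and reports remediation in terms of risk retired rather than findings closed. It is an added example, not the speakers' CTEM framework or any vendor's scoring model: the multipliers, the field names and the sample findings (with placeholder identifiers) are assumptions.

```python
"""Risk-based prioritization with production context.

Added example; not the framework from the talk. Weights, fields and the
constructed findings below are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    owner: Optional[str]        # team accountable for remediation (None = unowned)
    internet_exposed: bool
    business_criticality: int   # 1 (low) .. 5 (revenue or customer critical)
    deployed: bool              # code-to-cloud: is this artefact actually running in production?


@dataclass
class Finding:
    vuln_id: str                # placeholder identifier, not a real CVE
    cvss: float
    asset: Asset
    known_exploited: bool       # exploitation observed in the wild
    reachable: bool             # vulnerable code path reachable from a deployed entry point
    fixed: bool = False


def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS adjusted by exploitability, reachability and the asset."""
    if not f.asset.deployed:
        return 0.0                      # not in production: track it, don't page anyone
    score = f.cvss
    score *= 2.0 if f.known_exploited else 1.0
    score *= 1.5 if f.reachable else 0.25
    score *= 1.5 if f.asset.internet_exposed else 1.0
    score *= f.asset.business_criticality / 5
    if f.asset.owner is None:
        score *= 1.2                    # assumed: unowned risk does not fix itself
    return round(score, 1)


def prioritize(findings):
    """Open findings ordered by contextual risk, highest first."""
    return sorted((f for f in findings if not f.fixed), key=risk_score, reverse=True)


def metrics(findings):
    """Business-facing numbers: risk retired and unowned risk, not just counts."""
    open_ = [f for f in findings if not f.fixed]
    return {
        "findings_total": len(findings),
        "findings_open": len(open_),
        "risk_open": round(sum(risk_score(f) for f in open_), 1),
        "risk_remediated": round(sum(risk_score(f) for f in findings if f.fixed), 1),
        "unowned_open": sum(1 for f in open_ if f.asset.owner is None),
    }


# Constructed assets and findings (identifiers are placeholders).
CHECKOUT = Asset("checkout-api", "payments", True, 5, True)
WIKI = Asset("internal-wiki", "it", False, 2, True)
LEGACY = Asset("legacy-batch", None, False, 3, True)
STAGING = Asset("staging-api", "payments", True, 5, False)

FINDINGS = [
    Finding("VULN-001", 9.8, CHECKOUT, known_exploited=True, reachable=True),
    Finding("VULN-002", 9.8, WIKI, known_exploited=False, reachable=False),
    Finding("VULN-003", 7.5, CHECKOUT, known_exploited=False, reachable=True),
    Finding("VULN-004", 5.3, LEGACY, known_exploited=True, reachable=True),
    Finding("VULN-005", 9.1, STAGING, known_exploited=True, reachable=True),
]


def remediation_order(findings):
    return [f.vuln_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.vuln_id} cvss={f.cvss} risk={risk_score(f)} owner={f.asset.owner}")
    FINDINGS[0].fixed = True
    print(metrics(FINDINGS))
```

Note the ordering that falls out: a CVSS 5.3 issue on an unowned but exploited and reachable batch job outranks a CVSS 9.8 issue on an unreachable internal wiki, and the 9.1 on a non-deployed staging artefact scores zero. Fixing VULN-001 alone retires most of the open risk, which is the story the metrics should tell.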
AI’s Automation Paradox
Matt Tesauro, CTO at DefectDojo, delivered one of the most talked-about sessions—“AI, AppSec, and You: A Practitioner’s Diary.” He dissected the paradox of AI in AppSec: while AI expands scale and accelerates triage, it also introduces new risks such as prompt injection, data leakage, and brittle automation. Tesauro coined terms like “vibe coding” and “sloponomics” to describe the overreliance on generative AI without human governance. His core message: AI must augment human oversight, not replace it. He warned that LLMs operate probabilistically, and security programs built on deterministic assumptions must adapt to that reality.
Production Context Over Castle Theory
A recurring theme at LASCON XV was production-context awareness. Speakers agreed that AppSec must evolve from “castle-and-moat” isolation toward real-time observability, asset correlation, and data-driven prioritization. By tying vulnerabilities and alerts to live business assets, security teams can surface only what’s reachable, exploitable, and business-critical, rather than drowning in theoretical exposure lists.
This “production-first” approach also underscores that identity is the control point. Whether human users or NHIs, every identity is a potential attack vector, and ownership clarity, telemetry, and automated response are the new AppSec fundamentals.
The AI Reality Check
AI emerged as both the accelerator and adversary of the AppSec future. Speakers discussed how AI agents and automation pipelines, when governed through protocols like MCP, can accelerate code analysis, detection, and remediation. However, without strong oversight, they risk introducing supply-chain attacks, poisoned datasets, or malicious serialized files (.pkl). The consensus: AI raises the stakes, not the bar, and organizations must embed trust boundaries into every AI-driven workflow.
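One concrete trust boundary for the serialized-file risk mentioned above is to never deserialize a model artefact blindly: verify its digest against a manifest first, then unpickle it through an allow-list so that references to any module-level name outside the list are refused before they are resolved. The block below is an added example, not from any LASCON session; it follows the RestrictedUnpickler pattern documented in Python's pickle module, and the allow-list contents, the manifest digest and the sample artefacts are assumptions constructed for illustration.

```python
"""Trust boundary for model artefacts: digest check plus allow-list unpickling.

Added example (not from the conference); follows the RestrictedUnpickler pattern
from the Python pickle docs. The allow-list and artefacts are constructed here."""
import hashlib
import hmac
import io
import os
import pickle

# Assumed allow-list: the only module-level names an artefact may reference.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global reference that is not on the allow-list.

    Unpickling resolves module-level names and may call them while rebuilding
    objects, so the check happens here, before anything is instantiated."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allow-list")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes, expected_sha256: str):
    """Return ("ok", obj) or (reason, detail); digest is checked before parsing."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        return "digest_mismatch", "artefact does not match manifest"
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected_global", str(exc)


# Constructed artefacts. BENIGN is plain data; UNLISTED references a function by
# module and name (os.getcwd, harmless) that is not on the allow-list.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "labels": ("cat", "dog"), "tags": {"v1"}})
UNLISTED = pickle.dumps(os.getcwd)
MANIFEST = {"model.pkl": sha256_hex(BENIGN)}   # constructed manifest entry


if __name__ == "__main__":
    print(load_or_reject(BENIGN, MANIFEST["model.pkl"]))
    print(load_or_reject(BENIGN, "0" * 64))
    print(load_or_reject(UNLISTED, sha256_hex(UNLISTED)))
```

The manifest digest answers "is this the artefact we reviewed?" and the allow-list answers "does it only contain data we expect?"; a pipeline that pulls models from a registry should fail closed on either check, and the reject reason is worth logging as a detection signal in its own right.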
Context Turns Noise Into Action
Across all sessions, one throughline resonated: context beats noise. Metrics must measure remediation and risk reduction, not just scan volume. Ownership must be explicit, and automation must serve human decision-making, not overwhelm it. Identity, especially non-human identities, is now the linchpin of cyber resilience. As attackers increasingly exploit access rather than vulnerabilities, the AppSec community must design for observability, resilience, and contextual automation.
The Takeaway
LASCON XV made clear that modern application security is converging with identity and AI governance. Protecting production systems today means treating identities as first-class assets, embedding context into every control, and aligning security metrics with business impact. The future of AppSec won’t be won by more alerts or tools—it will be defined by how effectively teams can translate AI-amplified risk signals into contextual, identity-driven defenses.