Anitha Dakamarri
DFIN-Lead Security Engineer
Dallas, Texas, United States
Actions
I am Anitha Dakamarri, a seasoned IT professional with over 19 years of experience in the field of information security. Over the years, I have honed my skills in various domains, including threat modeling, application security assessments, and network security assessments. My work experience spans across reputable organizations like DFIN, USCELLULAR, and Syntel Inc., where I have led teams, developed security standards, and implemented robust security frameworks. hold several industry certifications like CISSP,CISM,CEH,CHFI, which reflect my commitment to continuous learning and professional growth. My passion for security extends beyond technical assessments; Im active speaker and volunteer at ISACA(CISM Exam development, Mentor ), ISC2(Exam development and UBK panel, 50*50 volunteer) OWASP(Contributor, CFP review), Women4Cyber (Mentor) and WiCys(Mentor), CSA(Contributor).
Area of Expertise
Topics
The Next Generation of Defense: Leveraging AI to Future-Proof Penetration Testing
Traditional penetration testing methods, often resource-intensive and reliant on human expertise, are struggling to keep pace with the scale and speed of modern adversaries, many of whom are already utilizing AI/ML in their attack tooling. We propose that integrating AI technologies, such as machine learning (ML) for vulnerability detection, natural language processing (NLP) for threat intelligence analysis, and reinforcement learning (RL) for autonomous attack path discovery, will fundamentally revolutionize the efficacy and efficiency of penetration testing. This AI-augmented approach promises to enable continuous, adaptive, and scalable security assessments that can proactively identify novel vulnerabilities, simulate complex, multi-stage attacks with greater fidelity, and significantly reduce the time between detection and remediation. Ultimately, leveraging AI is not just about automation, but about building an intelligent, predictive, and resilient defense capability capable of meeting the challenges posed by the next generation of cyber warfare.
Securing AI Applications in a Post-Quantum World
Artificial intelligence is rapidly becoming embedded in modern applications from fraud detection and identity verification to autonomous decision systems while quantum computing advances threaten the cryptographic foundations that protect these systems today. The convergence creates a new class of risk: AI applications that rely on vulnerable encryption, exposed training pipelines, and unprotected model assets may become prime targets in a post-quantum landscape.
This session examines how quantum computing impacts the security assumptions behind AI and machine learning systems, including TLS, digital signatures, key exchange, and data integrity mechanisms used across APIs, pipelines, and MLOps workflows. We translate these risks into practical attack scenarios such as model theft, training data exposure, supply-chain compromise, and long-term “harvest now, decrypt later” threats.
Participants will learn actionable strategies to future-proof AI deployments using post-quantum cryptography, crypto-agility, secure model lifecycle controls, and AI-driven threat detection. Through architecture patterns, tooling recommendations, and real-world use cases, this talk provides a pragmatic roadmap for AppSec, cloud security, and SOC teams to secure AI systems against both current and emerging quantum-era threats.
Attendees will leave with concrete steps to assess risk, modernize cryptography, and build resilient AI applications that remain secure as quantum capabilities mature.
Quantum Readiness: Preparing Today for Tomorrow’s Computing Revolution
Quantum computing is no longer a distant research topic, Infact it is an emerging business risk. Advances in quantum algorithms threaten to break the public key cryptography that secures today’s internet, from TLS and VPNs to digital signatures, identity systems, and software supply chains. The result is not just a future problem because adversaries are already using “harvest now, decrypt later” tactics, capturing encrypted data today to exploit once quantum capabilities mature.This session translates quantum risk into practical security action. Rather than focusing on physics or theory, we examine what quantum disruption means for real world enterprise environments and web applications. Attendees will learn how quantum threats impact authentication, PKI, APIs, certificates, code signing, and compliance obligations and why crypto agility is now a critical security capability.
Key Takeaways
A plain-language understanding of quantum threats without needing a physics background
A checklist to assess quantum exposure in their own organization
A starter framework for crypto inventory and risk classification
Practical guidance on where and how to pilot PQC today
Migration patterns for TLS, PKI, authentication, and application security
Secure by Design: Building Safe MCP-Enabled Applications
This talk explores how to design MCP‑enabled applications with security and privacy embedded from the earliest architectural decisions. We examine how MCP fundamentally reshapes trust boundaries by allowing AI systems to directly interact with APIs, databases, internal services, and third‑party tools often with elevated privileges. Traditional controls such as perimeter defenses, static IAM roles, and backend validation alone are insufficient when AI agents reason, decide, and act autonomously within live environments. Instead, security must shift left into context governance, capability scoping, and protocol‑level assurance.
Attendees will gain a practical understanding of the core threat model for MCP‑enabled systems, including prompt and context injection attacks, tool‑abuse escalation, malicious or compromised MCP servers, insecure plugin onboarding, and unintended data disclosures through over‑broad context sharing. We will demonstrate how these risks manifest across real‑world use cases such as developer copilots, customer support agents, data analysis assistants, and autonomous workflow orchestrators.
The session then presents a Secure by Design blueprint for MCP applications, covering:
• Principle of least privilege for tools and context, ensuring models receive only the minimum capabilities and data required per task.
• Context isolation and segmentation, preventing cross‑tool contamination and limiting blast radius.
• Strong identity, authentication, and authorization for MCP servers, clients, and tools, including workload identity and short‑lived credentials.
• Deterministic policy enforcement around tool invocation, data access, and output handling.
• Secure defaults and fail‑safe behavior, especially when models encounter ambiguous or malicious prompts.
• Observability, logging, and continuous assurance to detect misuse, drift, and anomalous agent behavior.
By grounding Secure by Design principles in MCP‑specific patterns, this session bridges the gap between traditional application security and emerging AI system architectures. Attendees will leave with actionable guidance to build MCP‑enabled applications that are resilient, auditable, and trustworthy by default, enabling innovation without sacrificing security, privacy, or user trust.
This talk is designed for application security engineers, platform architects, AI engineers, and security leaders who are building or governing AI‑powered systems and want to move beyond reactive controls toward proactive, protocol‑aware security for the age of autonomous AI.
Quantum Readiness: Preparing Today for Tomorrow’s Computing Revolution
Quantum computing is no longer a distant research topic, Infact it is an emerging business risk. Advances in quantum algorithms threaten to break the public key cryptography that secures today’s internet, from TLS and VPNs to digital signatures, identity systems, and software supply chains. The result is not just a future problem because adversaries are already using “harvest now, decrypt later” tactics, capturing encrypted data today to exploit once quantum capabilities mature.
Privacy in design (PbD) in DevSecOps
By systematically embedding privacy by design principles into DevSecOps, organizations can build more secure, compliant, and trustworthy applications and systems, ultimately benefiting both the business and its users.
Privacy by Design (PbD) is a fundamental approach to application security that ensures privacy is embedded into the design and architecture of IT systems, business practices, and networked infrastructure from the very beginning, rather than being an afterthought. It shifts the responsibility for data protection away from users and onto the organizations collecting, storing, and sharing the data.
Attack by Design: How Weak Privacy Fuels Cyber Warfare
Modern cyber warfare exploits systems never designed to protect privacy at scale. From location‑tracking apps to AI‑driven platforms, weak Privacy by Design turns civilian data into intelligence, influence, and weapons. This talk shows how poor data minimization, unsafe defaults, and opaque systems amplify cyber conflict and why embedding privacy into architecture is essential to prevent digital tools from becoming instruments of cyber war.
Attack by Design: How Weak Privacy Fuels Cyber Warfare
Modern cyber warfare exploits systems never designed to protect privacy at scale. From location‑tracking apps to AI‑driven platforms, weak Privacy by Design turns civilian data into intelligence, influence, and weapons. This talk shows how poor data minimization, unsafe defaults, and opaque systems amplify cyber conflict and why embedding privacy into architecture is essential to prevent digital tools from becoming instruments of cyber war.
AI-Driven Supply Chain Security: Using AI-BOM to Detect Hidden Vulnerabilities
The modern software supply chain has grown increasingly complex, incorporating thousands of dependencies, third party packages, and AI driven components. Traditional approaches to supply chain security, relying solely on manual review or static SBOMs (Software Bill of Materials), struggle to keep pace with rapid development cycles and evolving threats.
In short, SBOM gives you a complete, structured inventory of the code and libraries in your software, allowing for fast vulnerability response and license management. AIBOM takes this concept further, providing an inventory of the non-code components of an AI system, the models, training data, and configurations, to manage risks unique to artificial intelligence like bias, data leakage, and adversarial attacks.
AIBOM an AI powered extension of SBOM that automatically identifies hidden dependencies, analyzes risk relationships, and highlights potential vulnerabilities before they reach production. This session explores how AI BOM can revolutionize supply chain security by providing deep visibility into software artifacts, detecting malicious or compromised components, and enabling proactive mitigation strategies.
Closing the AI Visibility Gap: Why SBOM Alone is No Longer Enough
The shift toward Software Bill of Materials (SBOM) and its extension, the Artificial Intelligence Bill of Materials (AIBOM), is a fundamental change in how we manage risk, security, and compliance in the modern digital world. As an organization, adopting both of these frameworks doesn't just check a box, it provides a crucial, non-negotiable layer of transparency that is essential for both operational excellence and legal defense.
In short, SBOM gives you a complete, structured inventory of the code and libraries in your software, allowing for fast vulnerability response and license management. AIBOM takes this concept further, providing an inventory of the non-code components of an AI system, the models, training data, and configurations, to manage risks unique to artificial intelligence like bias, data leakage, and adversarial attacks.
Get ready for AI-Driven Cybersecurity!
I would like to discuss how integration of machine learning (ML), deep learning, natural language processing (NLP), and other AI techniques into cybersecurity tools and workflows to improve detect, prevent, respond to, and predict cyber threats more effectively than traditional methods. How contextualized detection and analysis will save time and increase efficiency and improve incidence response times.
I also wanted to discuss challenges and considerations like, Bias in training data can lead to mislead the threats and may increase false positives in some cases!
Get ready for AI-Driven Cybersecurity!
I would like to discuss how integration of machine learning (ML), deep learning, natural language processing (NLP), and other AI techniques into cybersecurity tools and workflows to improve detect, prevent, respond to, and predict cyber threats more effectively than traditional methods. How contextualized detection and analysis will save time and increase efficiency and improve incidence response times.
I also wanted to discuss challenges and considerations like, Bias in training data can lead to mislead the threats and may increase false positives in some cases!
Does AI enhances secure code reviews?
AI enhances source code reviews by automating tedious tasks, detecting complex issues beyond human capabilities, and providing objective, data-driven feedback. This streamlines the process, allowing human developers to focus on high-level architectural and logical decisions.AI tools excel at automatically flagging common, low-level issues that can consume a human reviewer's time. This frees up developers to concentrate on more significant aspects of the code.
Modern AI models can understand the context and flow of code, enabling them to uncover deeper, more complex problems that are easy for humans to miss.
I would like to discuss how AI improves developer experience for secure code reviews with less scan times, instant code fix suggestions and rapid feedback!
Privacy in design (PbD) in DevSecOps
Privacy by Design (PbD) in DevSecOps is a proactive approach that integrates privacy considerations into every stage of the software development lifecycle (SDLC), from initial design to deployment and operations. It ensures that privacy is not an afterthought, but a fundamental aspect of how systems and processes are built.
By systematically embedding privacy by design principles into DevSecOps, organizations can build more secure, compliant, and trustworthy applications and systems, ultimately benefiting both the business and its users.
Privacy by Design (PbD) is a fundamental approach to application security that ensures privacy is embedded into the design and architecture of IT systems, business practices, and networked infrastructure from the very beginning, rather than being an afterthought. It shifts the responsibility for data protection away from users and onto the organizations collecting, storing, and sharing the data.
SBOM adoptability in open source software scanning
Software developers always use open-source components to expedite the software development process. Though we have highest security applied for the proprietary code, these
open-source dependencies can expose us to a broad range of security and legal risks. We often see in the industry that security of Open-source libraries are just application security and
product teams responsibilities.
We often rely on application security team to perform SCA (Software composition analysis) to identify the vulnerabilities and communicate with product and engineering teams to work on
remediation. How ever we must adopt a holistic approach of dealing with open-source software.
We must have a policy of usage and policy of remediation at the organization level. We should have standards to specify how to set up and maintain repositories and libraries of open-source
software components that developers may utilize as part of a robustCI/CD pipeline.
SBOM adopatability in open source software scanning
Software developers always use open-source components to expedite the software
development process. Though we have highest security applied for the proprietary code, these
open-source dependencies can expose us to a broad range of security and legal risks. We often
see in the industry that security of Open-source libraries are just application security and
product teams responsibilities.
We often rely on application security team to perform SCA (Software composition analysis) to
identify the vulnerabilities and communicate with product and engineering teams to work on
remediation. How ever we must adopt a holistic approach of dealing with open-source software.
We must have a policy of usage and policy of remediation at the organization level. We should
have standards to specify how to set up and maintain repositories and libraries of open-source
software components that developers may utilize as part of a robust continuous
integration/continuous delivery (CI/CD) pipeline. We should have security awareness training
incorporated to prioritize the use of programming languages and frameworks that have built-in
guardrails to proactively mitigate common types of vulnerabilities. We should have a strong
change management discipline to clean-up the archived and decommissioned code
repositories.
CISA has an increase of adding vulnerabilities related to opensource libraries to the “Known
Exploited Vulnerabilities Catalog”. NIST has published the guidelines around open-source
security controls in supply chain attacks.
Hence, adopting the holistic approach of creating policy/standards and educating the
developers to use the trusted software components and having a robust application security
program which is baked into the Devops to identify and report the vulnerabilities. Having a
strong remediation policy to upgrade the outdated and vulnerable software packages will help to
reduce the attack surface and supply chain attacks.
Measuring What Matters: How to "Quantify Cyber Security Effectiveness"!
Information security metrics and key performance indicators (KPIs) are measurable values that track the effectiveness of cybersecurity efforts. These values provide insights into the overall organization security posture and also a quantifiable way see how an organization is preventing, detecting, and responding to the security attacks.
Security metrics are not limited to only incident response times, It must include all sub-team efforts of a CISO-team. Every sub-team of CISO team has goals that are aligned with the overall organizational goals. For example SOC2 certified or NIST CSF implementation and ISO certified.
So measuring goals via weekly, monthly and quarterly helps to track the progress and predict the road blocks.
Measuring What Matters: How to "Quantify Cyber Security Effectiveness"!
Information security metrics and key performance indicators (KPIs) are measurable values that track the effectiveness of cybersecurity efforts. These values provide insights into the overall organization security posture and also a quantifiable way see how an organization is preventing, detecting, and responding to the security attacks.
How AI will shape the shift-left in Appsec
AI significantly shapes the "shift left" approach in application security (AppSec) by enabling automated, real-time code analysis, identifying potential vulnerabilities early in the development lifecycle, providing context-aware recommendations to developers, and prioritizing critical security issues, effectively allowing developers to fix security problems as they code rather than waiting until later stages of development.AI willanalyze code context to better understand the intent behind code snippets, leading to more accurate vulnerability detection and reducing false positives in SAST and Open-source analysis.Most SCA scanning tools focus on manifest files which doesn't sync with source code and version-based vulnerability; hence we are 100% not sure if the engineering team uses the flagged version. .
I would like to present real time examples how AI can significantly enhance SAST/SCA/DAST/Vulscanning/Pentest (the important 5 pillars of software security).
How AI is perceived in shift left of Appsec
AI significantly shapes the "shift left" approach in application security (AppSec) by enabling automated, real-time code analysis, identifying potential vulnerabilities early in the development lifecycle, providing context-aware recommendations to developers, and prioritizing critical security issues, effectively allowing developers to fix security problems as they code rather than waiting until later stages of development.AI willanalyze code context to better understand the intent behind code snippets, leading to more accurate vulnerability detection and reducing false positives in SAST and Open-source analysis.Most SCA scanning tools focus on manifest files which doesn't sync with source code and version-based vulnerability; hence we are 100% not sure if the engineering team uses the flagged version. AI significantly enhance the perspective of SAST/SCA/DAST/Vulnerability scanning and Pentest in software security.
I would like to present real time examples how AI can significantly enhance SAST/SCA/DAST/Vulscanning/Pentest (the important 5 pillars of software security). I wanted to explain how AI algorithms can prioritize vulnerabilities based on their severity and potential impact, helping developers focus on the most critical security issues first. I also wanted to talk about skillset improvements.
DORA and TLPT
The Digital Operational Resilience Act is being enforced from January 17th 2025.It applies to 20 different kinds of financial entities and selected ICT service providers. DORA consists of multiple parts and one of those is mandatory Threat Led Penetration Testing (TLTP), which is essentially based on the TIBER-EU framework. I would like to present how to implement TLPT and highlight the differences between TLPT and a regular pentest. Talk about When and how internal pentesting team and external thid-party pentest teams will come under DORA and TIBER frameworks. explain about redteam/purple team/blue team under DORA act. Discuss how financial institutions will continue to adopt DORA by successfully implementing TLPT. Higher management buy-in for TLPT implementation.
i have strong and essential experience in implementing application security teams and red team practices. so i would like to personalize the content to make it more interactive for audience by adding the real time experiences for implementing TLPT. and also highlight the traditional pentest vs TLPT with real time examples.
Devnexus 2026 Sessionize Event
NHIcon 2026: The Rise of Agentic AI Security Sessionize Event
CodeMash 2026 Sessionize Event
2025 Secure Carolinas Conference Sessionize Event
BSides Colorado Springs 2025 Sessionize Event
OWASP LASCON 2025 Sessionize Event
The Commit Your Code Conference 2025! Sessionize Event
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top