Larry Maccherone
Founder, Transformation.dev
Raleigh, North Carolina, United States
Larry Maccherone is a pioneer in Agile, Security, and Agentic AI Development.
At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years, safely empowering 600 agile and DevOps teams to take ownership of their products' security.
Larry was a founding Director at Carnegie Mellon's CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA's Code Assessment Methodology Project, which wrote the book on evaluating application security tools, and received the Department of Energy's Los Alamos National Labs Fellow award.
Larry firmly believes in learning by doing, so in his spare time, he is the author of a dozen open-source projects, one of which gets a million downloads per month.
Most recently, he has launched Lumenize, which is a back-end as a service for vibe coding enterprise and B2B apps. He currently serves on the Model Context Protocol (MCP) transports working group.
Contact Larry on his LinkedIn page: https://LinkedIn.com/in/LarryMaccherone
Topics
The Coming Earthquake in App and API Security
The seismic activity has begun in App and API security.
The ground upon which your defense strategy is based is starting to crack, with these tectonic plates shifting underneath:
1. More sophisticated multi-faceted attacks, increasingly using AI and targeting application and API layer vulnerabilities
2. Accelerating pace of development driven by AI and DevOps
3. Shifting to both corporate AND EXECUTIVE liability without having to prove negligence for either vulnerabilities or bugs
Your current practices and defense philosophy were devised for a terrain map that is rapidly becoming outdated.
Join App and API Security Pioneer Larry Maccherone in this thought-provoking discussion on how to earthquake-proof your business and career.
Transformation Blueprint for Developer-Centric App and API Security
The traditional approach to quality assurance (QA) was disrupted when the Agile movement caused most development teams to start taking at least partial ownership of the quality of their products. That shift involved fundamental changes to mindset, terminology, tools, metrics, roles, and practices. The cloud-native and DevOps movements similarly disrupted traditional IT Ops.
Now it's security's turn, but here's the rub.
NIST, SANS, OWASP, PCI, etc. provide lists of candidate application security practices, but the items in those lists are unprioritized, target security specialists, and fail to specify the adaptations needed for a developer-first approach. Attempting to shift these practices left without proper consideration of modern development practices and priorities is a recipe for frustration, resistance, and false starts.
You will come out of this workshop with a Transformation Blueprint for accomplishing the cultural shift to developer-centric application security at your organization. The approach is derived from the program that Larry has used to accomplish this shift for over 600 development teams. Since Larry is a developer, writing code every day, his program is perfectly suited to the way development teams really want to work, rather than how security folks assume they work.
Agentic Coding: The Earthquake that Topples the Software Factory
The tectonic plates beneath software development are shifting. They are moving too fast to predict what the landscape will look like when the earthquake hits. Still, we are sure that the coming earthquake will be on a scale that not only brings down the software factory but also changes the landscape so much that few landmarks on the current map will be identifiable afterwards.
In particular, as AI systems plan, generate, test, deploy, and operate software, roles that were redefined by agile will be entirely replaced by new ones. Domain experts and managers can now create and deploy systems without technical expertise.
This talk will help you identify if you or your organization is standing on any of these precarious fault lines:
• Roles that will emerge/disappear as builders move beyond factory walls
• Team and feedback boundaries failing under autonomous AI loops
• Governance and security models that no longer apply to who builds software and how it is built
BSidesSLC 2025 Sessionize Event
2025 Palmetto Cyber Conference Sessionize Event
The 4th Annual North Carolina Cybersecurity Symposium Sessionize Event