Secure Software by Design 2025 brings experts together to shape the future of cybersecurity engineering
Michael Cunningham
Aug 6, 2025
CyLab is collaborating with Carnegie Mellon University’s Software Engineering Institute (SEI) to convene leaders and practitioners in secure software development for the Third Annual Secure Software by Design event, to be held in Arlington, Va. on August 19th and 20th.
Set against the backdrop of a rapidly evolving digital landscape, Secure Software by Design 2025 continues Carnegie Mellon’s mission to shift the paradigm of cybersecurity thinking, emphasizing that security must be baked into software from the very beginning, not tacked on as an afterthought. The event promotes a “shift left” strategy: tackling vulnerabilities early in the development lifecycle to prevent costly fixes and strengthen software integrity from day one.
Over the course of two days of presentations and panel discussions, attendees will explore how secure software can—and should—be the product of deliberate, intentional engineering practices. Topics span the full software lifecycle, including threat modeling, security requirements, software architecture, DevSecOps, secure coding, testing, assurance, and more.
Secure Software by Design will feature experts from across government, academia, and industry who are leading efforts to embed security into every phase of software development.
“CyLab is excited to collaborate on the Secure Software by Design Conference because we’re seeing growing momentum around secure-by-design practices, both from federal agencies and industry partners,” said Jason Griess, CyLab associate director of partnerships.
The 2025 event will feature a keynote presentation by N. Luke Thomas, chief product security engineer for the Rolls-Royce Group. Rolls-Royce is a CyLab strategic partner, and Thomas will deliver a talk titled “Cheap Complexity, Classic Videogames, and Binary Sandcastles.”
In addition to the main program, three optional days of in-person training offer attendees the opportunity to deepen their practical skills in specialized areas of secure software engineering.
The event’s six in-person training workshops, beginning August 18th, will be led by SEI researchers and cover the following topics:
- Data Science for Cybersecurity—Devin Cortese, Emil Mathew, David Schulker, Ed Wang
- Secure Coding in C/C++—David Svoboda
- Zero Trust and DevSecOps—Elias Miller, Tim Morrow, McKinley Sconiers-Hasan
- Designing Cybersecurity Using Model-Based Systems Engineering—Natasha Shevchenko
- Open Source Software Transparency—Scott Hissam, Carol Woody
- APIs and Zero Trust—Elias Miller, Tim Morrow, McKinley Sconiers-Hasan
Participants will also earn Continuing Education Units (CEUs), which may count toward professional certification requirements in cybersecurity and software engineering.
For Griess, who will be attending the event, Secure Software by Design reflects CyLab’s leadership in the national conversation about making security a foundational part of software development.
“Secure-by-design principles represent a perspective shift for the cybersecurity industry, from remediation to prevention. As the cost of security failures continues to rise and attackers become more sophisticated with AI tools, secure-by-design is more than just a best practice—it’s a business imperative,” said Griess. “This conference is a timely opportunity to showcase how our research at SEI and CyLab is leading the charge in this shift.”
Secure Software by Design 2025 will be held exclusively in person, with no streaming or remote participation available. Space is limited, so early registration is encouraged.
To register to attend the event or sign up for workshops, visit the Secure Software by Design 2025 website.