Conf42 Platform Engineering 2025 - Online

- premiere 5PM GMT

Building Bulletproof Pipelines: How Security as Code Transforms Platform Engineering at Scale

Abstract

Stop firefighting security! Learn how Fortune 500 teams slash vulnerabilities 65% while shipping 50% faster using Security as Code. Live demos: serverless scanning, IaC validation, secrets detection. Walk away with blueprints that cut security costs 35% in year one.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hello everyone. Thank you for joining. My name is Naresh Yelkoti and I'm a cybersecurity professional with experience in securing cloud platforms, data protection, applications, APIs, and AI workloads. Over the past decade, I've been deeply involved in securing enterprise-scale systems across multi-cloud: AWS, Azure and GCP. Over the years I've specialized in embedding security directly into the development and deployment process, what we now call DevSecOps. I've had the opportunity to design and implement automated security pipelines, pipelines that deliver compliance checks, vulnerability scanning, real-time threat detection and robust data security controls. My work has focused on making security scalable and repeatable so that controls are not dependent on manual checks or manual reviews, but are codified into CI/CD pipelines, giving faster feedback while maintaining strong compliance and protection. My work has focused not just on vulnerability reduction or vulnerability remediation, but also on ensuring data protection and privacy compliance, aligning with the frameworks we use: PCI, CIS benchmarks, NIST, GDPR, et cetera. I've also contributed to API and data security initiatives within Akamai, defining strategies for sensitive data handling, tokenization and privacy safeguards while onboarding workloads for continuous monitoring. I've also worked on AI security initiatives, applying policies and maintaining monitoring to safeguard AI models, data and workloads from new or emerging threats.

Today's talk, Building Bulletproof Pipelines: Security as Code for Platform Engineering, focuses on a challenge I have repeatedly encountered: security, data protection and privacy too often treated as a final gate instead of being embedded from the start. That's why I have been passionate about promoting security as code, a cultural and technical shift where policy scans, data protection and compliance checks are codified and automated inside the pipeline. This not only improves security posture and privacy controls, but also accelerates innovation, making security an enabler instead of a blocker. So that's a bit about who I am and why this topic matters to me.

Let's take a quick look at what we'll cover today, so you know exactly where we're headed. The dual mandate of platform engineering. Platform engineering teams today feel a dual responsibility: delivering infrastructure and applications at scale and with speed, while ensuring security and compliance. Business stakeholders demand rapid innovation, faster deployments and continuous delivery, while regulators, security and customers expect secure, compliant and resilient platforms. This tension creates friction: developers want agility, while security teams emphasize control. Security as code aims to bridge this gap. I have one use case. Consider a serverless deployment pipeline where applications need to scale on demand. By embedding security scanning directly into the CI/CD workflow, teams can identify vulnerabilities in AWS Lambda or Azure Functions before they are released to production. This allows development teams to maintain delivery speed while still adhering to compliance frameworks like NIST or CIS, et cetera.

The third slide: security as code, a proven transformation. Security as code changes the paradigm; security becomes an enabler, not a blocker. If you look at the slide, there is a 65% reduction in vulnerabilities reaching production, 50% faster time to market, 45% improvement in compliance scores. The data shows 78% of organizations accelerate remediation when adopting security as code.

The problem: security as an afterthought. Traditional security approaches rely heavily on manual checks or manual reviews and late-stage testing. By the time vulnerabilities are discovered, the code is nearly production ready, leading to expensive rework. Security and development teams often operate in silos with different priorities, creating delays and friction. The results: vulnerabilities reach production, remediation cycles are extended, and compliance postures are weakened. I want to give you one example. In one of my pipelines, we used to rely on manual security sign-offs at the end of the release cycle. This meant vulnerabilities in Terraform infrastructure or container images were caught too late, causing production delays. By the time fixes were made, release timelines had already slipped, creating frustration for both developers and security teams. This is one example.

So how do we make this real? Let's break it down into the core pillars of security as code. If we look at the slide: a comprehensive approach that integrates security at every stage of the development life cycle. These are the core pillars, the holistic framework. It covers automated security integration, serverless security, infrastructure security, intelligent risk management and secrets management. Each of these pillars ensures security is continuous, automated and developer friendly.

Let's dive deeper into the first pillar. Automated security integration shifts security from manual checks or manual reviews to continuous protection: detect 85% of critical vulnerabilities before release, compared to just 23% with manual checks. Tools, you can see them on the right side: GitLab security scanning, Azure DevOps security, AWS Inspector, et cetera. If you look at "from reactive to proactive security", there are two things: the traditional approach and the security as code approach. Traditional approach: security as a final gate, lengthy remediation cycles, deployment delays, security versus development, always tension. Whereas the security as code approach makes a lot of difference: there's security at every stage, real-time feedback loops, automated remediation, a collaborative security culture.

Now let's look at how this applies to serverless and cloud infrastructure. This is pillar two, serverless and infrastructure security. Serverless adoption is surging, but function-level protection is critical. Security as code enables vulnerability detection in serverless functions, automated policy enforcement, and real-time validation during deployment. Policy as code frameworks prevent 92% of common cloud misconfigurations. But embedded scanning alone is not enough. Teams often face alert fatigue. That's where intelligent risk management comes in.

Pillar three: risk management and secrets protection. Smart alerting and contextual risk scoring reduce noise by 60%. Secret scanning stops 99.7% of hardcoded secrets before they get into production. Tools you could use: HashiCorp Vault, AWS Secrets Manager, Snyk, or GitGuardian, et cetera. I would like to give one example here. In one integration we used GitGuardian to detect hardcoded secrets in GitLab repos. Findings were piped into a ServiceNow workflow, where contextual prioritization helped us fix critical exposures immediately while ignoring low-risk noise.

Now, let's see how real enterprises are already proving the value of security as code. Real-world enterprise case studies. Financial services: integrated Fortify, and Wiz or Prisma, which reduced remediation time from weeks to hours. Healthcare: some of them used Azure DevOps plus policy as code, which led to 70% fewer HIPAA audit failures. Coming to retail: AWS Inspector in serverless led to a 50% reduction in incidents during peak season.

Beyond security wins, what's the business value? Let's talk ROI. Measuring success, the ROI of security as code. Security as code delivers measurable business outcomes: faster delivery; stronger compliance, like SOC 2, PCI DSS, HIPAA, GDPR, et cetera; lower costs for audit prep, patching and rollbacks; and cost savings that come from fewer breaches and less rework. For example, when we automated Prisma scanning, or any security solution's scanning, compliance teams cut audit preparation time by 50%, saving hundreds of hours and ensuring PCI evidence was always up to date.

So how do organizations actually implement this? Let's look at the implementation roadmap. There are four phases. Phase one, foundation: pipeline scanning, baselines, training. Phase two, integration: policy as code, secrets detection, feedback loops. Phase three, optimization: intelligent risk dashboards, automated remediation. Phase four, maturity: continuous improvement, chaos engineering, threat modeling automation, et cetera. Of course, the journey does not stop here. The future of security as code is even more exciting. Let's look at the next slide.

The future of platform engineering with security as code. You can see on the slide emerging trends and platform engineering evolution. Emerging trends would be AI-powered vulnerability prediction, automated threat modeling, zero trust pipeline architecture, runtime application self-protection. These will further reduce manual work and strengthen resilience. Whereas for platform engineering evolution, security as code represents the natural convergence of DevOps velocity with enterprise-grade resilience, empowering platform engineering, DevOps, security architects and infrastructure leads. I have one example I would like to share. We are already piloting AI-driven anomaly detection for API traffic at Akamai. It helps differentiate normal versus suspicious API behavior, reducing false positives and strengthening data privacy safeguards.

Let's wrap this up with the big takeaway. Conclusion: security can no longer be bolted on. It must be woven into the pipeline. The benefits with this: faster delivery, fewer vulnerabilities in production, stronger compliance posture, measurable cost savings. Final example, I would say closing example: by embedding security across serverless, APIs, containers, IaC and AI workloads, organizations can innovate at scale without sacrificing compliance or data protection. Finally, for enterprises striving for both speed and safety, security as code is no longer optional. It's essential. Thank you.
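The pillar-three idea from the talk, secrets detection with contextual prioritization so a pipeline blocks on real exposures and ignores low-risk noise, as an added example that is not code from the talk or from any of the tools it names. The detector patterns, the path-based scoring rule and the sample repository files are all hypothetical constructs for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical detector rules: illustrative patterns, not a complete secrets ruleset.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "generic_password": re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDERS = ("changeme", "example", "dummy", "xxxx", "<")

@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str

def score(path: str, kind: str, match: str) -> str:
    """Contextual risk scoring: the same pattern gets a different priority depending on where it lives."""
    if any(p in match.lower() for p in PLACEHOLDERS):
        return "low"        # obvious placeholder value, not a live credential
    if any(seg in path.lower() for seg in ("test", "fixture", "example", "docs")):
        return "low"        # test and example code rarely carries a production secret
    if kind == "private_key" or path.endswith((".tf", ".tfvars", ".env")) or "prod" in path.lower():
        return "critical"   # IaC and deployment config feed production directly
    return "high"

def scan(files: dict[str, str]) -> list[Finding]:
    """Run every pattern over every line; files maps path -> content, as a pre-merge CI stage sees it."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if m:
                    findings.append(Finding(path, n, kind, score(path, kind, m.group(0))))
    return findings

def gate(findings: list[Finding], block_on=("critical", "high")) -> bool:
    """Pipeline gate: fail the stage only on findings worth a human's immediate attention."""
    return not any(f.severity in block_on for f in findings)

# Constructed sample repository content; the key and passwords are made up, not real credentials.
SAMPLE = {
    "infra/prod/main.tf": 'variable "key" { default = "AKIAABCDEFGHIJKLMNOP" }\n',
    "tests/test_login.py": 'PASSWORD = "changeme-please"\n',
    "app/config.py": 'db_password = "s3cr3t-hunter2-value"\n',
}
```

Running `scan(SAMPLE)` flags the Terraform key as critical, the application password as high and the test placeholder as low, so `gate` blocks the merge on the first two while the test file produces no actionable alert.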

Naresh Yelkoti

Sr. Information Security engineer @ U.S. Bank



