Too Many Security Tools? ASH Has Entered the Chat
2026-04-25, Track 1

Security vulnerabilities are expensive to fix in production but cheap to catch early. ASH (Automated Security Helper) is a free, open-source security orchestration engine that integrates multiple scanning tools (SAST, SCA, IaC, and secrets detection) into a single, unified workflow. In this session, you'll discover how ASH orchestrates lightweight tools like Bandit, Semgrep, Checkov, and Grype behind one interface to identify security issues across Python, JavaScript, Terraform, CloudFormation, and more. We'll explore two of ASH's execution modes (local, container), its new Python-based architecture with UV package management, and how to use it to scan files, directories, or entire projects. Whether you're a developer, DevOps engineer, or security professional, you'll leave with practical knowledge to implement automated security scanning in your projects today.


Security scanning shouldn't be an afterthought—it should be built into every stage of development. This talk introduces ASH (Automated Security Helper), an extensible open-source security orchestration engine that makes comprehensive security scanning accessible, automated, and actionable.

What You'll Learn:
ASH integrates multiple best-in-class open-source security tools into a unified scanning platform. We'll cover how ASH orchestrates SAST scanners (Bandit, Semgrep), Infrastructure-as-Code analyzers (Checkov, cfn-nag, cdk-nag), Software Composition Analysis tools (Grype, npm-audit), secrets detection (detect-secrets), and SBOM generation (Syft)—all through a single command.

Key Topics:

• Tool Overview: ASH bundles a complete suite of tools, including SAST scanners, IaC analyzers, SCA tools, secrets detection, and SBOM generation, each useful for building and maintaining a secure platform
• Multiple Execution Modes: Learn when to use local mode (fast Python scans) and when to use container mode (comprehensive multi-language scanning), with live demonstrations of both approaches
• Modern Architecture: Discover ASH v3's complete Python rewrite featuring UV package management for faster dependency resolution, pluggable scanner architecture, and comprehensive validation systems
• Unified Reporting: Explore ASH's standardized output formats including SARIF, JUnit XML, HTML, Markdown, and CSV—making results consumable by humans and CI/CD systems alike
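Because ASH emits SARIF, the aggregated findings from every orchestrated tool can be consumed by one small script that gates a CI job. The following is an added example, not ASH's own code: the SARIF document is constructed sample data, and the tool names, rule ids and file paths in it are illustrative stand-ins for a real report.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for an aggregated ASH report.
# Two runs model two orchestrated tools; values are sample data, not real scan output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "bandit"}},
         "results": [
             {"ruleId": "B105", "level": "error",
              "message": {"text": "Possible hardcoded password"},
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                                  "region": {"startLine": 12}}}]},
             {"ruleId": "B101", "level": "note",
              "message": {"text": "Use of assert detected"},
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                  "region": {"startLine": 40}}}]}]},
        {"tool": {"driver": {"name": "checkov"}},
         "results": [
             {"ruleId": "CKV_AWS_18", "level": "warning",
              "message": {"text": "S3 bucket access logging disabled"},
              "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/template.yaml"},
                                                  "region": {"startLine": 7}}}]}]},
    ],
})

def load_sample():
    """Parse the constructed report; in CI this would be json.load() on ASH's SARIF file."""
    return json.loads(SAMPLE_SARIF)

def iter_findings(sarif):
    """Yield (tool, ruleId, level, uri, line, message) for every result in every run."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            # SARIF treats a missing "level" as "warning", so default the same way.
            yield tool, r.get("ruleId", "?"), r.get("level", "warning"), uri, line, r.get("message", {}).get("text", "")

def counts_by_level(sarif):
    """Triage summary: how many findings at each SARIF level (error/warning/note)."""
    return Counter(f[2] for f in iter_findings(sarif))

def should_fail(sarif, fail_on=("error",)):
    """CI gate: True when any finding is at a level listed in fail_on."""
    return any(f[2] in fail_on for f in iter_findings(sarif))

if __name__ == "__main__":
    doc = load_sample()
    for tool, rule, level, uri, line, msg in iter_findings(doc):
        print(f"[{level:7}] {tool}:{rule} {uri}:{line} {msg}")
    print(dict(counts_by_level(doc)))
    raise SystemExit(1 if should_fail(doc) else 0)
```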

Real-World Applications:
We'll demonstrate scanning a multi-language project containing Python, JavaScript, and CloudFormation code, showing how ASH identifies vulnerabilities across all layers, from hardcoded secrets to insecure CloudFormation configurations to vulnerable dependencies. You'll see how this information is fed back to the user in real time, and how reports are created for vulnerability triage and mitigation.

Who Should Attend:
This session is ideal for developers wanting to shift security left, DevOps engineers building secure platforms, and security professionals seeking automation tools. No prior security expertise required—just bring curiosity about making your code more secure.

Pujita Sahni is a Delivery Consultant specializing in cloud security, risk, and compliance at AWS. In her role, she is responsible for architecting IAM governance frameworks and security automation solutions that enable organizations to implement secure cloud migrations and shift security left within enterprise environments.

She brings a broad technical background across identity and access management, vulnerability management, infrastructure-as-code security, and DevSecOps practices, providing a comprehensive view of how security platforms are built, automated, and maintained across enterprise cloud environments.

Jerry Jones IV is an Associate Delivery Consultant - Security at Amazon Web Services, where he specializes in helping customers architect and implement secure, compliant cloud solutions. With extensive experience spanning federal cybersecurity, cloud security architecture, and AI/ML implementations, Jerry brings a unique perspective on building resilient systems that meet rigorous regulatory requirements.

Prior to joining AWS, Jerry served as an Information System Security Officer at the U.S. Department of Education, where he led complex Authorization to Operate (ATO) efforts for mission-critical systems, successfully navigating the transition from NIST 800-53 rev4 to rev5 and managing cybersecurity operations for systems with budgets exceeding $5 million. His federal service also includes roles at the Federal Deposit Insurance Corporation, where he administered the agency's Cyber Security Assessment and Management (CSAM) tool and guided authorization efforts across 19 diverse divisions, and the U.S. Department of Agriculture, where he contributed to cloud migration strategies and high-value asset protection.

Jerry's technical expertise spans cloud architecture, security automation, and AI/ML integration. He has designed and deployed enterprise-grade solutions including centralized backup and logging strategies for AWS Organizations, multi-account governance frameworks, and automated security baselines that ensure consistent compliance across distributed environments.