Thursday, May 29

8:15am CEST

Coffee/Tea
Thursday May 29, 2025 8:15am - 8:45am CEST
Area 1

8:15am CEST

Registration
Thursday May 29, 2025 8:15am - 6:00pm CEST

8:30am CEST

Speaker Ready Room
Thursday May 29, 2025 8:30am - 5:00pm CEST
Open to all of our Global AppSec Speakers to prepare for their presentation.
Room 119 CCIB

9:00am CEST

Keynote: Nemo Resideo: Managing application security through rapid change
Thursday May 29, 2025 9:00am - 10:00am CEST
In today's fast-paced technology landscape, the mantra "Nemo resideo" – "Leave no one behind" – takes on a critical new meaning. As organizations race to deliver software faster than ever, engineering teams often face immense pressure to prioritize speed over security. In fact, the 2024 CrowdStrike State of Application Security Report found that 60% of security professionals still struggle with prioritizing application vulnerabilities.

This keynote, "Nemo resideo: Managing application security through rapid change," will delve into the strategies and best practices that can help businesses maintain robust application security without compromising on delivery timelines.
Speakers
Sarah-Jane Madden

Director of Cyber Defense, Fortive
Sarah-Jane, the Director of Cyber Defense at Fortive, brings over 25 years of experience in the technology industry. With a robust background in technical operations and software engineering, she has held roles ranging from developer to CISO. Sarah-Jane is a passionate advocate for...
Room 116+117 CCIB

9:00am CEST

OWASP Member Lounge
Thursday May 29, 2025 9:00am - 5:00pm CEST
Come one OWASP member, come all! This room is open to all OWASP members and offers networking tables, working stations, and a gaming area!
Room 111

10:00am CEST

AM Break with Exhibitors
Thursday May 29, 2025 10:00am - 10:30am CEST
Meals provided by OWASP
Area 1

10:30am CEST

OWASP LCNC Securing the Future: AI Meets Low-Code, the New Security Frontier!
Thursday May 29, 2025 10:30am - 11:00am CEST
Low-code and no-code (LCNC) development has transformed the way organizations build applications, enabling business users—often with little security expertise—to create powerful workflows, automations, and even AI-driven solutions. As these platforms increasingly integrate AI-powered copilots and automation tools, their adoption is skyrocketing, but so are security risks that traditional AppSec frameworks fail to address.

Recognizing this urgent gap, we established the OWASP Low-Code/No-Code Security Top 10 project to clarify the unique risks in these environments. In this session, we will share our journey—how we classified the Top 10 security risks in LCNC, what we have accomplished since the project’s inception, and how AI-driven low-code development introduces new attack vectors that security teams must prepare for.

Attendees will gain insights into:

* How LCNC security challenges have evolved, especially with the rise of AI-powered platforms.
* The OWASP Low-Code/No-Code Security Top 10, providing a much-needed framework for both citizen developers and security professionals.
* Real-world exploit scenarios, from insecure workflows and data exposure to AI-powered automation risks.
* The current state of low-code security and AI governance, key findings from our research, and what’s next for securing this fast-growing space.

As AI and low-code become inseparable in modern development, security teams must adapt quickly to prevent misuse, misconfigurations, and data exposure. This session is ideal for AppSec professionals, developers, security leaders, and platform owners looking to secure LCNC applications while enabling innovation.

Join us to explore the evolving threat landscape and gain actionable strategies to safeguard the next wave of AI-driven enterprise applications.
Speakers
Ziv Hagbi

Director of Product Management, Zenity
Ziv Daniel Hagbi is a seasoned security expert with deep expertise in Low-Code/No-Code security and AI-driven business development. As the co-leader of the OWASP Low-Code/No-Code Security Top 10 project, Ziv is dedicated to raising awareness and addressing the unique security risks...
Room 131-132

10:30am CEST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Thursday May 29, 2025 10:30am - 11:15am CEST
Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
Speakers
Izar Tarandach

Sr. Staff Engineer, Datadog
Izar Tarandach is a Sr. Staff Engineer at Datadog, formerly the Principal Security Architect at Squarespace. Before this, he was a Sr. Security Architect at a leading financial institution, Lead Product Security Architect at Autodesk, Inc., Security Architect for Enterprise Hybrid...
Avi Douglen

Founder and CEO, Bounce Security
Room 118 CCIB

10:30am CEST

Leveraging AI for Secure React Development with Effective Prompt Engineering
Thursday May 29, 2025 10:30am - 11:15am CEST
Practical and usable advice on how to harness the power of AI to create secure React applications by using prompt engineering best practices. We will discuss practical methods for guiding AI models to produce safe, high-quality React code that reduces common vulnerabilities, such as cross-site scripting (XSS) and injection flaws.

Attendees will learn foundational techniques for crafting precise prompts, incorporating secure coding patterns, and validating AI-generated outputs.

By the end of this session, you will be equipped with actionable steps to integrate AI-driven development into your workflow and strengthen the overall security of your React and other software projects.
Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices...
Room 113

10:30am CEST

The Edge Strikes Back: Challenging OWASP's Take on Edge-Level Authorization
Thursday May 29, 2025 10:30am - 11:15am CEST
The OWASP Microservice Cheat Sheet makes a bold statement about the limitations of edge-level authorization architectures - implying that they cannot handle the complexities of modern microservices. But what if that’s no longer true?

Enter heimdall, an identity-aware proxy that redefines edge-level authentication and authorization. By integrating fine-grained access control with modern Zero Trust principles, heimdall overcomes the supposed weaknesses, providing scalability, flexibility, and performance without sacrificing security and team agility.

In this talk, I will challenge the OWASP Cheat Sheet’s view and demonstrate how heimdall addresses its concerns head-on. You’ll learn how edge-level authorization can scale to meet the demands of large, distributed systems while maintaining granular control over access. Through real-world examples and architecture insights, we’ll explore why the edge-level might just be the most effective place for secure access control.

Join me to see how heimdall blows away the perceived limitations of edge-level authorization and why it’s time to rethink this critical piece of microservice security.
Speakers
Dimitrij Drus

Senior Consultant, INNOQ Germany GmbH
I work as a Senior Consultant at INNOQ Germany GmbH, focusing on security architecture and the design of secure distributed systems. With a strong passion for security, I regularly lead training sessions to help others address modern (web) security challenges. de.linkedin.com/in...
Room 116+117 CCIB

10:30am CEST

False Positives, Begone! Harnessing AI for Efficient SAST Triage
Thursday May 29, 2025 10:30am - 11:15am CEST
False positives are one of the biggest pain points in running a Static Application Security Testing (SAST) program. While SAST tools are valuable for identifying security issues in a codebase—flagging critical vulnerabilities like Remote Code Execution and SQL Injection—they often generate significant noise due to their lack of contextual awareness. SAST testing is relatively easy to set up, requires no accounts or credentials, and can uncover issues in multi-step processes that would be difficult to detect with dynamic security testing. However, the high volume of false positives leads to alert fatigue and demands considerable effort to triage, making it challenging to identify the relatively small number of true vulnerabilities.

This research addresses that challenge by combining Program Analysis with Large Language Models (LLMs) to simulate the manual triage process for SAST findings. Our approach leverages a carefully designed LLM agent that enhances context around vulnerable code, identifies conditions that make exploitation infeasible, and determines whether a clear execution path exists from a user-controlled input to the vulnerable line flagged by SAST.

We will demonstrate this novel approach in action, showcasing how it can be integrated with any SAST tooling to streamline triage. By reducing false positives and prioritizing actionable findings, this method allows security engineers and developers to focus on the vulnerabilities that truly matter.
Speakers
Elliot Ward

Staff Security Researcher, Snyk Security Labs
Elliot is a Staff Security Researcher at software security company Snyk. He has a background in software engineering and application security. securitylabs.snyk.io (blog), securitylabs.snyk.io (company...
Room 114

10:30am CEST

Human Buffer Overflow: How to Deal with Cognitive Load in High-Performing Teams
Thursday May 29, 2025 10:30am - 11:15am CEST
High performing teams are a treasure for every organization. But what if cognitive load gets too high and creates a buffer overflow in a team’s working memory? Security adds an additional layer of complexity to the work of development teams and endangers their quality of work and solution finding capabilities as a team. We will show actionable remediation strategies like a Security Champions Program, automation for security scans and secure scrum with a real-life example.
Speakers
Juliane Reimann

Founder & Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and community building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...
Room 115

10:45am CEST

OWASP Certified Secure Developer Open Call
Thursday May 29, 2025 10:45am - 11:45am CEST
Join Us in Shaping the Future of Secure Software Development

The OWASP Education and Training Committee is developing a certification program designed specifically for developers—and we need your expertise.

For the first time, this initiative will be showcased at OWASP Global AppSec EU 2025, and we’re inviting the community to help build the body of knowledge that will form the foundation of the certification curriculum.

If you're passionate about secure coding and developer education, this is your chance to contribute meaningfully to a global effort. Let’s build something that lasts—together.
Speakers
Shruti Kulkarni

Information Security Architect, 6point6
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information...
Room 133-134

10:45am CEST

OWASP Web Application Honeypot Project - Creating Comprehensive Threat Intelligence Dataset
Thursday May 29, 2025 10:45am - 11:45pm CEST
The OWASP Web Honeypot Project is an open-source proof-of-concept (PoC) initiative designed to deploy deceptive security mechanisms that lure, detect, and analyze cyber threats targeting web applications. It aims to provide security professionals with actionable intelligence on the attack patterns, tools, and techniques used by adversaries.

The goal of the project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, we are leading the collection, storage and analysis of threat intelligence data.

The purpose of this part of the project is to capture intelligence on attacker activity against web applications and use that intelligence as a way to protect software against attacks. Honeypots are an established industry technique that present a realistic target to entice a criminal, while encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence pose no risk to the businesses implementing them.

Originally the honeypots were VM-, Docker- or small-computing-profile-based (for example Raspberry Pi), employed ModSecurity-based Web Application Firewall (WAF) technology using OWASP's Core Rule Set (CRS), and pushed intelligence data back to a console to be converted to STIX/TAXII format for threat intelligence or pushed into ELK for visualisation.

Further enhancement and research-based work has been undertaken this year to extend the container-based (Docker) approach with key features, which include:

• The capability to dynamically switch web server profiles to mimic popular platforms such as WordPress and Drupal.

• An alternative approach to the mlogc log output pushed into Logstash/ELK for visualisation, with threat intelligence formats delivered to MISP via JSON.

• The creation of a publicly available dataset in an AWS S3 bucket that stores web threat intelligence as a searchable JSON feed, allowing the use of tools like JSON Crack for pattern recognition.

The intention is to deploy these enhanced honeypots in key locations on the Internet, and the community can also distribute them within their own networks. With enough honeypots globally distributed, we will be able to aggregate attack techniques to better understand and protect against the techniques attackers use. With this information, we will be able to create educational material, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed.
Overall, having an open, standard-format, high-quality dataset of real threat intelligence, based on luring industry-standard scanning tools into detecting "fake" vulnerabilities (which can easily be changed or updated dynamically), available to the global security community allows for better web application security and the ability to predict evolving cyber threats.
Speakers
Kartik Adak

Cyber Security Graduate, University of Warwick
Kartik Adak is an experienced cybersecurity professional with over three years of expertise in information security, incident response, and penetration testing. Having obtained a Master's in Cyber Security Management from the University of Warwick, he specializes in penetration...
Mukunthan Nagarajan

Cyber Security Graduate, University of Warwick
As a cybersecurity master's student at Warwick, I am passionate about learning and applying the latest techniques and tools to protect and secure information systems and networks. I have a strong background in information technology, with a bachelor's degree in computer applications...
Adrian Winckles

Cyber Security Academic, Security Researcher, Anglia Ruskin University
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation...
Room 133-134

11:00am CEST

OWASP ModSecurity in Motion: Evolving the Open Source WAF
Thursday May 29, 2025 11:00am - 11:30am CEST
OWASP ModSecurity has long served as a foundational engine for web application firewalls, quietly defending thousands of applications in production environments worldwide.

This talk offers a technical and practical overview of where ModSecurity stands today. We'll cover the major updates and architectural improvements introduced over the past two years, including performance optimizations, expanded language bindings, improved logging and debugging tools, and better containerization support.

We’ll also address the community’s role in ModSecurity's ongoing maintenance and what the current roadmap looks like for key integrations and use cases—from NGINX and Apache to reverse proxies and API gateways.

Whether you're a seasoned user, a contributor, or just exploring WAFs for the first time, this session will help you better understand ModSecurity’s role in the modern security stack—and how to leverage its most recent improvements to meet the demands of today’s web.

What You’ll Learn:
  • A recap of ModSecurity’s core capabilities and architecture
  • Key improvements made since 2023, including performance and compatibility upgrades
  • New tooling and deployment patterns
  • Current challenges and open areas for contribution
  • How ModSecurity is being used today
Speakers
Ervin Hegedus

Project Co-Lead, OWASP ModSecurity
Ervin Hegedus is a system and software engineer. He has contributed to ModSecurity since 2017 and to the Core Rule Set since 2019, has been an OWASP member since 2021, and became the ModSecurity project co-lead in 2024.
Room 131-132

11:00am CEST

OWASP Juice Shop Demo: Your vitamin shot for security awareness & education
Thursday May 29, 2025 11:00am - 11:45am CEST
In this 100% slide-free demo session you will embark on a journey through the popular OWASP Juice Shop vulnerable web application!

You will experience firsthand how easy it is to set up, get started, and solve your first hacking & coding challenges. In a quick mob-hacking session, you will gain your first points on Juice Shop's extensive score board!

The demo also includes a glimpse into Juice Shop's CTF tool and its multi-user hosting environment MultiJuicer! You will witness how fast a CTF event can be launched with OWASP Juice Shop, how great documentation really makes a difference, and even how to make the application look like an in-house app of your own company.

Due to the nature of this small group demo session, you are welcome to ask questions during and between the different topics - ad libitum! There is time for clarification and dipping into special topics.

If time permits, this session can also cover interesting behind-the-scenes topics, such as cheat detection, start-up validations, webhook integrations, and a pro-level Grafana dashboard for observability!

Even if you know and have used OWASP Juice Shop yourself already, there's no chance you've already seen everything that will be covered in this session!
Speakers
Björn Kimminich

Product Group Lead, Kuehne+Nagel
Bjoern Kimminich works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader...
Room 133-134

11:00am CEST

OWASP KubeFIM Securing Kubernetes from the Inside Out: File Integrity Monitoring with eBPF
Thursday May 29, 2025 11:00am - 11:45am CEST
1. Introduction to Kubernetes Security & File Integrity Monitoring
- The growing security challenges in Kubernetes.
- Why malicious containers inside clusters pose a huge risk.
- Real-world security incidents where attackers modified critical files (e.g., cryptojacking, rootkits).
- Why traditional security tools fail in Kubernetes (e.g., host-based FIM doesn't work well).

2. What is OWASP KubeFIM & Why It Matters?
- Overview of OWASP KubeFIM as an eBPF-based File Integrity Monitoring (FIM) solution.
- How eBPF helps detect file changes inside Kubernetes clusters without performance overhead.
- Use cases: detecting malware, unauthorized file modifications, rootkit infections.

3. How OWASP KubeFIM Works
The key components of KubeFIM:
- Kernel-level hooks
- Alerting system
- Policy-based file integrity monitoring

4. Setting Up KubeFIM in Your Cluster
- Quick installation guide using Helm & Kubernetes YAML manifests.
- Configuring policies to monitor specific files (e.g., /bin, /etc, /var).
- Live demo of KubeFIM detecting unauthorized file changes.

5. Q&A + Discussion
Speakers
Abhijit Chatterjee

Co-Founder, Cyber Secure India
Abhijit is the Co-Founder of Cyber Secure India (CSI), a cybersecurity think tank focused on driving cybersecurity awareness, building a strong community through free education, sharing knowledge, and empowering young individuals to strengthen the digital infrastructure.
Room 133-134

11:30am CEST

OWASP Threat Library
Thursday May 29, 2025 11:30am - 12:00pm CEST
Threat modeling is a cornerstone of cybersecurity, yet it remains manual, complex, and inaccessible to many teams. While AI-powered threat modeling holds immense promise, it faces challenges such as hallucinations, lack of structured outputs, low accuracy, and limited trustworthiness.

The critical gap lies in the availability of specialized datasets. We aim to enhance LLMs’ ability to identify threats and recommend effective controls by generating open-source curated datasets of real-world threat models with the OWASP Threat Library. This session explores the transformative potential of crowdsourced data to fine-tune LLMs, driving a significant leap forward for the cybersecurity community and industry - all under the wings of an OWASP Project.
Speakers
Petra Vukmirovic

Head of Information Security / Fractional Head of Product, Numan / Devarmor
Petra is a technology enthusiast, leader and public speaker. A former emergency medicine doctor and competitive volleyball athlete, she thrives in challenging environments and loves creating order from chaos. Initially pursuing a medical career, Petra's passion for technology led...
Room 131-132

11:30am CEST

Hacking Your Enterprise Copilot: A Direct Guide to Indirect Prompt Injections
Thursday May 29, 2025 11:30am - 12:15pm CEST
Enterprise copilots, from Microsoft Copilot to Salesforce's Einstein, are being adopted by every major enterprise. Grounded in your enterprise data, they offer major productivity gains. But what happens when they get compromised? And how exactly can that happen?

In this talk we will see how we can turn these trusted enterprise AI assistants into our own malicious insiders within the victim organization. Spreading misinformation, tricking innocent employees into making fatal mistakes, routing users to our phishing sites, and even directly exfiltrating sensitive data!

We'll go through the process of building these attack techniques from scratch, presenting a mental framework for how to hack any enterprise copilot, no prior experience needed. We start from system prompt extraction techniques and move on to crafting reliable and robust indirect prompt injections (IPIs) using the extracted system prompt, showing step by step how we arrived at each of the results mentioned above, and how you can replicate them on any enterprise copilot of your choosing.

To demonstrate the efficacy of our methods, we will use Microsoft Copilot as our guinea pig for the session, seeing how our newly found techniques manage to circumvent Microsoft’s responsible AI security layer.

Join us to explore the unique attack surface of enterprise copilots, and learn how to harden your own enterprise copilot to protect against the vulnerabilities we were able to discover.
Speakers
Tamir Ishay Sharbat

Software Engineer and Security Researcher, Zenity
Tamir Ishay Sharbat is a software engineer and security researcher with a particular passion for AI security. His current focus is on identifying vulnerabilities in enterprise AI products such as Microsoft Copilot, Microsoft Copilot Studio, Salesforce Einstein, Google Gemini and more...
Room 113

11:30am CEST

Securing cross-platform mobile applications
Thursday May 29, 2025 11:30am - 12:15pm CEST
Mobile applications are often developed in a cross-platform framework such as Flutter, React Native or Maui. These frameworks allow developers to design and implement the application once and then deploy to both Android and iOS.

While these frameworks save time during the development cycle, they pose unique challenges when securing them. In this talk, I will show you how mobile application security is a shared responsibility between the developer, the cross-platform framework and the native OS on which the application is running. Security needs to be addressed during the entire SDLC, so we will examine the impact on SAST, DAST and even manual penetration testing.
Speakers
Jeroen Beckers

Mobile Solution Lead, NVISO
I am the mobile solution lead at NVISO, where I am responsible for quality delivery, innovation and methodology for all mobile assessments. I am actively involved in the mobile security community, and I try to share my knowledge through open-source tools, blogposts, trainings and...
Room 116+117 CCIB

11:30am CEST

Emerging Frontiers: Ransomware Attacks in AI Systems
Thursday May 29, 2025 11:30am - 12:15pm CEST
This session will delve into the convergence of ransomware and Artificial Intelligence/Machine Learning (AI/ML) systems, providing attendees with a comprehensive understanding of the evolving ransomware landscape in AI environments. The presentation will cover:

• The progression of ransomware from traditional attacks to AI-driven variants.
• Vulnerabilities in AI/ML systems, such as supply chains, models, and training pipelines, that adversaries can exploit for ransomware attacks.
• Real-world examples of potential ransomware exploits in predictive AI (e.g., OWASP ML06: 2023 ML Supply Chain Attacks) and generative AI (e.g., OWASP LLM06: Excessive Agency).
• Practical strategies and AI-driven solutions to detect, protect against, and mitigate ransomware threats.

Attendees will gain actionable insights into adapting traditional ransomware defenses to safeguard modern AI infrastructures and explore open challenges in standardizing defenses for AI/ML systems. The session will also provide references to OWASP frameworks and insights from the OWASP AI Exchange.
Speakers
Behnaz Karimi

Senior Cyber Security Analyst, Accenture
Behnaz Karimi is a Senior Cyber Security Analyst at Accenture and a Co-Author and Co-Lead of OWASP AI Exchange, where she also serves as the Lead for AI Red Teaming. She has actively contributed to OWASP initiatives, including participating in the development of the GenAI Red Teaming...
Yuvaraj Govindarajulu

Head of Research, AIShield (Powered by Bosch)
Yuvaraj Govindarajulu is a dynamic technical leader with over a decade of experience in AI, Cybersecurity and Embedded Systems R&D. He is the Head of Research at AIShield, a startup of Bosch with a mission to secure AI systems of the world, from development to deployment. His key...
Room 114

11:30am CEST

Your Security Dashboard Is Lying to You: The Science of Metrics
Thursday May 29, 2025 11:30am - 12:15pm CEST
Security teams love metrics - dashboards filled with vulnerability counts, alert volumes, and training hours logged. But do any of these actually make organizations more secure? The uncomfortable truth is that most security metrics are just vanity numbers—impressive in reports but meaningless in practice.

In this talk, I will focus on the science behind meaningful security metrics—the ones that actually reduce risk instead of just filling reports. I will introduce a framework that helps define metrics based on real security goals, rather than setting goals around whatever data happens to be available. From there, I will break down what constitutes a good metric, examining its structure and the common pitfalls that undermine its validity.

If your security strategy is built on unreliable metrics, it’s time for a reality check. This talk challenges industry assumptions and provides scientific backing to the fact that many widely used security metrics in the industry only weakly correlate with actual risk.
Speakers
Aram Hovsepyan

CEO, Codific
Aram is the founder and the CEO of Codific. With over 15 years of application security experience, he has a proven track record in building complex software systems by explicitly focusing on quality. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the...
Room 115

1:15pm CEST

Introducing Sunshine, the all new SBOM visualization tool by OWASP CycloneDX
Thursday May 29, 2025 1:15pm - 1:30pm CEST
Introducing Sunshine, a first-of-its-kind visualization tool for CycloneDX files that can facilitate the adoption of CycloneDX by making SBOMs easily readable and more understandable by a broader audience.

Agenda

1. INTRODUCTION:
1.1 What is an SBOM and why it’s important
1.2 What is the OWASP CycloneDX project
1.3 Brief introduction to the CycloneDX JSON/XML format
1.4 The missing piece: an actionable visualization tool for CycloneDX files

2. OWASP CYCLONEDX SUNSHINE: MAIN BENEFITS AND MAIN FEATURES
2.1 Main benefits: visualize a CycloneDX file in an interactive and human-friendly way
2.2 Main feature #1: sunburst chart with dependencies, licenses and vulnerabilities (with live demo)
2.3 Main feature #2: table with dependencies, licenses and vulnerabilities (with live demo)

3. OWASP CYCLONEDX SUNSHINE: ADVANCED FEATURES
3.1 Advanced feature #1: chart refocus to see only dependencies and vulnerabilities of a single component (with live demo)
3.2 Advanced feature #2: automatic recovery of missing bom-refs (with live demo)
3.3 Advanced feature #3: automatic recovery of broken dependency references (with live demo)
3.4 Advanced feature #4: circular dependencies detection (with live demo)

4. OWASP CYCLONEDX SUNSHINE: HOW TO USE AND A BIT OF IMPLEMENTATION DETAILS
4.1 CLI version: pure python with no additional requirements (with live demo)
4.2 Web-based version: also the same python script, but it runs entirely inside the browser! (with live demo)

5. Q&A

Note: A longer Q&A session will be held in the Project Demo Lab, room 133-134 - check the schedule for details!

GitHub repo: https://github.com/CycloneDX/Sunshine/

Sunshine announcement: https://www.linkedin.com/posts/owasp-cyclonedx_github-cyclonedxsunshine-sunshine-sbom-activity-7277371020246663168-5WNx

Speakers
Luca Capacci

Senior security engineer / Maintainer CycloneDX, CryptoNet Labs / OWASP
Luca received his master's degree in Computer Engineering from the University of Bologna in 2014 and has been working in the cybersecurity field since then. He is a senior security engineer and R&D manager at CryptoNet Labs and has been a maintainer at OWASP CycloneDX since December...
Mattia Fierro

Head of Security Operations Center, Altermaind
He holds a degree in Computer Systems and Network Security and has developed a strong passion for vulnerability management and software security. Over the years, he has built his career in these areas and is currently working in the finance industry in Italy.
Room 131-132

1:15pm CEST

Beyond the Surface: Exploring Attacker Persistence Strategies in Kubernetes
Thursday May 29, 2025 1:15pm - 2:00pm CEST
Kubernetes has been put to great use by a wide variety of organizations to manage their workloads, as it hides away a lot of the complexity of managing and scheduling containers. But with each added layer of abstraction, there can be new places for attackers to hide in darkened corners.

This talk will examine how attackers can (ab)use little known features of Kubernetes and the components that are commonly deployed as part of cloud-native containerized workloads to persist in compromised systems, sometimes for years at a time. We'll also pinpoint places where, if you don't detect the initial attack, it might be very difficult to spot the attacker lurking in your cluster.

rorym@mccune.org.uk
linkedin.com/in/rorym/
raesene.github.io (blog)
datadoghq.com (company)
infosec.exchange/@raesene (Mastodon)
bsky.app/profile/m... (Bluesky)
Speakers
Rory McCune

Senior Advocate, Datadog
Rory is a senior advocate for Datadog who has extensive experience with Cyber security and Cloud native computing. In addition to his work as a security reviewer and architect on containerization technologies like Kubernetes and Docker he has presented at Kubecon EU and NA, as well...
Room 113

1:15pm CEST

Mastering Security through Simple Machines: How Consistency, Not Complexity, Drives Innovation
Thursday May 29, 2025 1:15pm - 2:00pm CEST
In the security industry, we often take well-established development practices, such as the DevOps infinity loop, add a layer of security, and label it "DevSecOps." However, this approach frequently overlooks a critical issue: layering complex security processes onto efficient development processes can create inefficiency. In this talk, I argue that true innovation in security comes not from tooling or automation alone, but from mastering the underlying process first. By drawing an analogy to simple machines — where incremental improvements led to the evolution of tools like levers, wheels, and pulleys — I will illustrate how optimizing foundational processes leads to scalable, effective security practices. Attendees will leave with practical insights on reducing inefficiencies and fostering consistent improvement in their security workflows.
Speakers
Ken Toler

President, Asgard Security
Ken is a security professional who focuses on software security, from applications to cloud and web3 technologies. He is also the host and producer of Relating to DevSecOps, a podcast focused on cultivating security relationships in organizations. With 15+ years of experience in...
Room 116+117 CCIB

1:15pm CEST

From Prompt to Protect: LLMs as Next-Gen WAF's
Thursday May 29, 2025 1:15pm - 2:00pm CEST
When exploring the use of Large Language Models (LLMs) in application security, a new frontier emerges for Web Application Firewalls (WAFs). Traditionally, WAFs operate on structured rules to detect and block application attacks, but what if we could leverage the unique capabilities of an LLM? In this talk, we will delve into the potential of using LLMs as WAFs, evaluating their strengths, challenges, and implications.

During this talk attendees will learn how existing applications may need to evolve to align with LLM capabilities, as well as discussing how LLMs can not only help detect threats and reduce false positives but also adapt better to zero-day vulnerabilities.

Through live demonstrations and a practical breakdown of potential architectures, this talk will equip attendees with actionable insights into how LLMs can transform application security while addressing the challenges they bring to the table.
Speakers
Juan Berner

Principal Security Engineer, Booking.com
Juan Berner is a security researcher with over 13 years of experience in the field, currently working as a Principal Security Engineer at Booking.com, as SME for Application Security and Architect for security solutions. He has given talks in the past on how to build an open source...
Room 114

1:15pm CEST

Against all odds: Kickstarting your Product Security Program when things are not in your favour
Thursday May 29, 2025 1:15pm - 2:00pm CEST
Have you ever been in a situation where you are looking at a map, but your surroundings look nothing like the map? And you are not even sure which direction you are facing? This is where many security teams find themselves when they begin their journey to build a product security program. Worse, like most startups, many security programs fail and never find their way to their stakeholders. While helpful roadmaps like OWASP SAMM, DSOMM, and other frameworks provide a good map, they cannot answer the question of how we actually get from A to B, or if it is even possible given the current state of our organization. We know we should have security gates, we know we should have threat modeling, we know we should have an active community of security champions, we know we should have a culture of security - but it doesn't exist, and hardly anyone supports our initiatives in the beginning. We know what needs to be done, we just don't know how to make it happen.

This talk is not about the technical challenges of building a product security program, but about the strategic, tactical, and organizational challenges. How do you build a security program when resources are limited and the organization around you does not provide an environment in which you can easily thrive? We will take a look at various challenges, our mission and understanding as a security team, possible solutions, and techniques to succeed even when the odds are stacked against us.
Speakers
Michael Helwig

Security Consultant and Founder, secureIO GmbH
I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development. I am interested in DevSecOps, security testing, exploiting, vulnerability...
Room 115

1:15pm CEST

OWASP Cornucopia
Thursday May 29, 2025 1:15pm - 2:15pm CEST
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language-, platform- and technology-agnostic.

In this demo room session, we will learn to play the game in an all-new way as the gamemaster presents you with an interesting scenario...

Confronted with a grumpy old senior developer who refuses to shift-left due to too many hours working overtime on his incredibly sophisticated pet project, what will you do? Will you be able to teach him a lesson about why security is important, or will he be laughing all the way to his developer cave? Only skilled and passionate application security engineers will succeed!

Expect confetti, swag (yes, you read right, swag, valued just below the corruption limit) and illegal bribes as you venture into the dark side of OWASP Cornucopia.

Speakers
Johan Sydseter - The guy with the long hair, not the long beard

Application Security Engineer, Admincontrol AS
Johan Sydseter is one of the co-leaders of OWASP Cornucopia and the co-creator of the OWASP Cornucopia Mobile App Edition. He is an Application Security engineer, developer, architect, and DevOps practitioner with 16 years of experience building and designing backend and frontend...
Room 133-134

1:15pm CEST

OWASP DefectDojo Demo
Thursday May 29, 2025 1:15pm - 2:15pm CEST
Speakers
Matt Tesauro

Distinguished Engineer, Founder and AppSec guru, Noname Security
Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement...
Room 133-134

1:15pm CEST

Meet the Mentor
Thursday May 29, 2025 1:15pm - 3:00pm CEST
One more Global AppSec event.
You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor.

What if you could use the event to also meet a potential mentor, or mentee?
What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with?

We are inviting you to an OWASP Lisbon Global AppSec activity, first of its kind in an OWASP event: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”, start a conversation, and see if it is a match.
Room 118 CCIB

1:45pm CEST

OWASP Mobile Application Security (MAS) Project Updates
Thursday May 29, 2025 1:45pm - 2:15pm CEST
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) and the MASTG v2 Beta. We’ll introduce new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies. Additionally, we’ll showcase the newly developed MAS test apps for Android and iOS, designed to streamline security research and improve the development of robust MAS tests.

A major highlight will be the MASTG demos, now available as APK and IPA files directly from the MAS website, which allow security professionals to learn and practice real-world vulnerability detection. We'll also cover critical updates to iOS 17+ testing for non-jailbroken devices, and demonstrate new techniques and methodologies using one of the latest MASTG demos. Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills.

https://mas.owasp.org/
Speakers
Sven Schleier

Principal Security Consultant, Crayon
Sven is a Principal Security Consultant at Crayon, Austria and leads the professional services for cloud security. He also has extensive experience in offensive security engagements (penetration testing) and application security, specifically in guiding software development teams...
Carlos Holguera

Principal Mobile Security Research Engineer, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Room 131-132

2:15pm CEST

OWASP Cumulus: Threat Modeling the Ops of DevOps
Thursday May 29, 2025 2:15pm - 2:45pm CEST
In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects.

We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way.
Speakers
Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...
Room 131-132

2:15pm CEST

Builders and Breakers: A Collaborative Look at Securing LLM-Integrated Apps
Thursday May 29, 2025 2:15pm - 3:00pm CEST
As Large Language Models (LLMs) become an integral part of modern applications, they not only enable new functionalities but also introduce unique security vulnerabilities. In this collaborative talk, we bring together two perspectives: a builder who has experience developing and defending LLM-integrated apps, and a penetration tester who specialises in AI red teaming. Together, we’ll dissect the evolving landscape of AI security.

On the defensive side, we’ll explore strategies like prompt injection prevention, input validation frameworks, and continuous testing to protect AI systems from adversarial attacks. From the offensive perspective, we’ll showcase how techniques like data poisoning and prompt manipulation are used to exploit vulnerabilities, as well as the risks tied to generative misuse that can lead to data leaks or unauthorised actions.

Through live demonstrations and real-world case studies, participants will witness both the attack and defence in action, gaining practical insights into securing AI-driven applications. Whether you’re developing AI apps or testing them for weaknesses, you’ll leave this session equipped with actionable knowledge on the latest methods for protecting LLM systems. This collaborative session offers a comprehensive look into AI security, combining the expertise of two professionals with distinct backgrounds - builder and breaker.
Speakers
Javan Rasokat

Senior Application Security Specialist, Sage
Javan is a Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, where he began to automate...
Rico Komenda

Senior Security Consultant, adesso SE
Rico is a senior security consultant at adesso SE. His main security areas are in application security, cloud security, offensive security and AI security. For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and...
Room 113

2:15pm CEST

Friend or Foe? TypeScript Security Fallacies
Thursday May 29, 2025 2:15pm - 3:00pm CEST
So TypeScript has become the de facto industry standard for developing web applications these days and promises type security, but do developers properly understand the role it plays in securing applications, and does the type safety promise hold true in the face of real-world security threats?

Developers often mistake dev-time vs runtime security as well as confuse test cases for security guard rails. Can TypeScript actually provide you with code security benefits? In this session we will explore insecure TypeScript patterns, learn how HTTP parameter pollution vulnerabilities impact TypeScript code bases and witness first-hand how attackers employ prototype pollution attacks that cripple codebases even when developers use schema validation libraries like Zod. Through hands-on coding we’ll hack a TypeScript application and learn security best practices.
Speakers
Liran Tal

GitHub Star | Director of Developer Advocacy, Snyk
Liran Tal is a software developer, and a GitHub Star, world-recognized for his activism in open source communities and advancing web and Node.js security. He engages in security research through his work in the OpenJS Foundation and the Node.js ecosystem security working group, and...
Room 116+117 CCIB

2:15pm CEST

Living the SBOM life - the good, the bad and the evil parts
Thursday May 29, 2025 2:15pm - 3:00pm CEST
The Software Bill of Materials (SBOM) is in the limelight as the silver bullet for many things - open source license compliance, vulnerability management, copyright management, identifying technical debt and the path towards a healthy, secure and legislation-certified happy state of a binary life. But behind all this marketing and makeup is a fairly simple syntax and a lot of missing pieces in the puzzle. Let’s dive into the SBOM lifestyle together and look at the current status, the hopes and the vision for a toolset with less hype, but more real benefits for compliance, developers and product managers, with a chance of being a workhorse in risk management as well as in the automatic vulnerability management toolchain. Help us make the SBOM dream come true, listen to the talk and then walk the SBOM walk!
Speakers
Olle E. Johansson

Leader OWASP Project Koala, Edvina AB
Olle E. Johansson is an experienced and appreciated speaker, teacher as well as an Open Source developer and consultant. He is currently project lead for OWASP Project Koala - developing the Transparency Exchange API (TEA), member of the CycloneDX industry working group, the OWASP...
Anthony Harrison

Founder and Director, APH10
I am the Founder and Director of APH10 which helps organisations more efficiently manage software risks in their applications, in particular risks from vulnerabilities in 3rd party components and compliance with open-source licences. He has been an active member of the open source community...
Room 114

2:15pm CEST

Beyond Best Practices: Uncovering the Organizational Roots of Software Security Vulnerabilities
Thursday May 29, 2025 2:15pm - 3:00pm CEST
The exponentially growing number of software security vulnerabilities and data breaches highlights a persistent gap between the implementation of the secure development lifecycle, and particularly of secure coding practices, and their intended outcomes. Despite significant financial investments in application security and the advancements in secure software development methodologies, the effectiveness of these practices remains inconsistent. Our session is based on multi-phase, multi-year research conducted in two global enterprise software companies, and explores how a combination of developers' security education, organizational security climate, and metrics can enhance secure coding performance and reduce software vulnerabilities.

In December 2004, Steve Lipner introduced to the world the Trustworthy Computing Security Development Lifecycle, a framework which included three main pillars: requirements for repeatable secure development processes, requirements for engineers' secure coding education, and requirements for measurements and accountability for software security. Guided by this three-pillar framework, our research emphasizes the under-addressed areas of developer education and organizational accountability and measurements.

Through a series of three studies, conducted in two global software companies and led by the University of Haifa in Israel, this session will present the results of academic research that attempted to identify the root cause of the ever-increasing number of software security vulnerabilities. It investigates the effectiveness of secure coding training, the impact of organizational security climate interventions, and the correlation between security climate and secure coding performance, in order to evaluate whether the latter two, which have largely been left in the shadows, could provide a solution to the problem.

The first study evaluates the efficacy of secure coding training programs, revealing that while training improves knowledge, it fails to significantly reduce newly introduced vulnerabilities. The second study demonstrates that targeted organizational interventions, including leadership communication and process improvements, significantly enhance the organizational security climate. The final study found a significant correlation between a positive security climate and improved secure coding performance, evidenced by a higher ratio of mitigated vulnerabilities.

This research provides actionable insights for both academia and industry. It underscores the importance of integrating secure coding education with organizational climate improvements to achieve measurable security outcomes. The findings offer a comprehensive approach to reducing cyber security risks while advocating for a dual focus on technical skills and cultural transformation within software development environments.
Speakers
Tomer Gershoni

Ex-CSO, ZoomInfo
Tomer Gershoni is a long-time Cybersecurity executive. Most recently, Mr. Gershoni led ZoomInfo’s information security team, as its Senior Vice President and Chief Security Officer. Overseeing physical and digital security and privacy efforts and leading ZoomInfo’s work to safeguard...
Room 115

2:15pm CEST

OWASP Demo Lab: See CycloneDX SBOMs Come to Life with Sunshine
Thursday May 29, 2025 2:15pm - 3:00pm CEST
Ever looked at a CycloneDX file and thought, there’s gotta be a better way to read this? You're not alone. Introducing Sunshine — a first-of-its-kind visualization tool that transforms static CycloneDX SBOM files into intuitive, interactive experiences.
Join us for a hands-on walkthrough of Sunshine, where you’ll get to see it in action — not just slides. This live demo will show how Sunshine helps developers, security pros, and even less-technical stakeholders actually understand what's in a software bill of materials.
GitHub repo: https://github.com/CycloneDX/Sunshine/

Sunshine announcement: https://www.linkedin.com/posts/owasp-cyclonedx_github-cyclonedxsunshine-sunshine-sbom-activity-7277371020246663168-5WNx
Speakers
Luca Capacci

Senior security engineer / Maintainer CycloneDX, CryptoNet Labs / OWASP
Luca received his master's degree in Computer Engineering from the University of Bologna in 2014 and has been working in the cybersecurity field since then. He is a senior security engineer and R&D manager at CryptoNet Labs and has been a maintainer at OWASP CycloneDX since December...
Mattia Fierro

Head of Security Operations Center, Altermaind
He holds a degree in Computer Systems and Network Security and has developed a strong passion for vulnerability management and software security. Over the years, he has built his career in these areas and is currently working in the finance industry in Italy.
Room 133-134

2:15pm CEST

OWASP GenAI Security Project
Thursday May 29, 2025 2:15pm - 3:00pm CEST
The OWASP Top 10 for LLM and Generative AI Security Project has rapidly expanded from its initial scope of providing the Top 10 list of Risks and Mitigations to now address the lifecycle of Generative AI Security through initiatives producing key industry guidance spanning Secure AI adoption, Red Teaming, Agentic App security, the Gen AI Security Solution Landscape, Gen AI Incident response guidance and more. The project's value in providing practical guidance was recognized by the UK Government's recent publication of the UK AI Security Code of Practice and implementation guides, which include multiple resources and will be submitted as part of the UK's European Telecommunications Standards Institute (ETSI) standardization efforts.

In this session we will review recent publications, discuss key project findings, review the upcoming roadmap of guidance being delivered by the initiative working groups, provide an outlook on what best practices may influence and support upcoming standards of practice and outline how you too can participate in the project and contribute your expertise.

This is a great opportunity to meet the project board and lead contributors.
Speakers
Scott Clinton

OWASP
Scott is a Board Member and the Co-chair of the OWASP GenAI Security Project (inc. the Top 10 for LLM and Gen AI) and leads strategy, operations, and growth. Scott has more than 20 years of industry executive leadership with 18 years of commercializing open-source technologies. An...
Room 133-134

2:45pm CEST

OWASP Coraza in 2025: What next for the WAF you want to use?
Thursday May 29, 2025 2:45pm - 3:15pm CEST
Discover OWASP Coraza, an open-source WAF written in Golang, making it fast, secure, memory safe, and highly extensible. Built to integrate seamlessly with the CRS v4 ruleset, Coraza solves key issues like performance bottlenecks and limited customization in traditional WAFs.

This talk will explore how Coraza addresses modern web security challenges and preview upcoming features on its roadmap, including better rule management and DevOps integrations.

Key Takeaways:
- Why Coraza is ideal for developers and security teams
- How it improves WAF performance, memory safety, and flexibility
- What's next on the roadmap

If you're seeking a lightweight, scalable, and memory-safe WAF solution, Coraza is worth your attention!
Speakers
Soujanya Namburi

Security Research Engineer, Traceable Ai
I’m Soujanya Namburi, a Developer and Security Research Engineer. I specialize in WAF (Web Application Firewalls), anomaly detection, external surface scanners, and active security testing. I have extensive experience with open source security projects like OWASP Coraza and OWASP...
Room 131-132

3:00pm CEST

PM Break with Exhibitors
Thursday May 29, 2025 3:00pm - 3:30pm CEST
Meals provided by OWASP
Area 1

3:30pm CEST

To BI or Not to BI? Data Leakage Tragedies with Power BI Reports
Thursday May 29, 2025 3:30pm - 4:15pm CEST
In this session, we will expose a major data leakage vulnerability in Microsoft Fabric (Power BI) that has already affected tens of thousands of reports, putting thousands of enterprises and organizations at risk. We’ll demonstrate how a Power BI report viewer, especially for reports published to the web, can access unintended data by manipulating API requests to reveal the underlying data model.

We will also showcase PBAnalyzer, an open-source tool to help organizations identify their exposure, and unveil a new attack vector: DAX Injection. This vulnerability stems from improper handling of variables in DAX queries, which we will demonstrate using a Power Automate flow that leaks sensitive data to an external anonymous user.

The session will conclude with actionable steps to secure Power BI reports and prevent unnecessary data exposure.
Speakers
Uriya Elkayam

Senior Security Researcher, Nokod Security
Uriya Elkayam is a senior security researcher at Nokod Security. His research focuses on application security aspects of low-code/ No-code platforms such as MS Power Platform, UiPath, and OutSystems. He has a passion for both finding vulnerabilities and new mitigation techniques...
Room 113

3:30pm CEST

Policy as Code for Applications at Scale
Thursday May 29, 2025 3:30pm - 4:15pm CEST
You have probably heard of success stories using Open Policy Agent for all kinds of authorization problems that focus on the technical merits and challenges. While it is relatively easy to get started when you look at single applications, the game changes as soon as you want to introduce authorization as a platform capability for thousands of applications maintained by hundreds of teams.

We will talk about how Zalando adopted Open Policy Agent and Styra DAS to provide this capability and will shed some light on how we enable enough governance to stay compliant, how to use organisational scale in our favour and how to balance central platform concerns with decentral application concerns.

We’ll touch on the technical integration points in our Platform via OSS Skipper, observability via OpenTelemetry and Styra DAS. We will also talk about the developer experience, the leverage we gain as security teams and how we structure our policies to enable complex business cases across multiple applications.
Speakers
Magnus Jungsbluth

Senior Principal Software Engineer, Zalando SE
Magnus has been working for two decades in software engineering with a strong focus on security and cryptography. At Bundesdruckerei he led a platform team for trust center applications and worked on Public Key Infrastructures for eID applications. Since joining Zalando he leads initiatives...
Room 116+117 CCIB

3:30pm CEST

Current challenges of GraphQL security
Thursday May 29, 2025 3:30pm - 4:15pm CEST
GraphQL’s capability to fetch precisely what’s needed and nothing more, its efficient handling of real-time data, and its ease of integration with modern architectures make it a compelling choice for modern web and mobile applications. As developers seek more efficiency and better performance from their applications, GraphQL is increasingly becoming the go-to technology for API development. However, building and maintaining GraphQL applications requires careful consideration of security.

In this talk, security engineers will strengthen their GraphQL security skills by learning key techniques such as complexity management, batching, aliasing, sanitization, and depth limit enforcement. They will also learn to implement customizable middleware with their development team, like GraphQL Armor, for various GraphQL server engines.

Participants will explore different techniques and packages, and apply them to enhance the safety of their GraphQL applications. By the end of the talk, attendees will be equipped with practical knowledge to build secure and efficient GraphQL APIs.
Speakers
Maxence Lecanu

Technical Lead, Escape
Maxence is Technical Lead at Escape, where, as a founding engineer, he played a key role in shaping the platform from the ground up—helping security teams detect and mitigate business logic vulnerabilities at scale. With over 6 years of experience across software engineering and... Read More →
Antoine Carossio

Cofounder & CTO, Escape.tech
Former pentester for the French Intelligence Services. Former Machine Learning Research @ Apple. linkedin.com/in/acarossio/ escape.tech (company) @iCarossio escape.tech (blog... Read More →
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Room 114

3:30pm CEST

Kaizen for your appsec program: Turning big problems into small steps
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Organizations are transitioning in their use of OWASP SAMM: the use case evolves from an assessment model to a quality control program. Kaizen is an iterative improvement methodology popularized in Japanese industry. As an operational philosophy it has influenced quality control systems worldwide. This talk highlights how Kaizen principles are applied in the industry by separating different streams from the OWASP SAMM model and managing each stream in a continuous improvement cycle. The talk is based on practical experience and 27 interviews with appsec program managers at a wide range of corporations on this journey. There are some recurring pitfalls in the implementation of OWASP SAMM that relate to the human aspect of change management, the pitfalls of gamification, and the challenges of fitting a generic framework to diverse contexts. Finally, we distill from the successes and failures of the industry the potential for Kaizen principles and OWASP SAMM to leverage participatory leadership, empowerment and intrinsic motivation. The conclusion is an optimistic picture of the future, where security is everyone's problem, jobs are meaningful, and applications are a little bit more secure.
Speakers
Dag Flachet

Co-Founder, Professor and Board Member, Codific
Dag Flachet has a doctorate degree in business administration specialized in organizational psychology. He is a co-founder of Codific, and a professor and board member at the Geneva Business School. Dag is an active member of the OWASP Barcelona Chapter.   linkedin.com/in/dagf... Read More →
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Room 115

3:30pm CEST

Automating OWASP ASVS with OWASP Nuclei: A Hands-On Walkthrough
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Tired of the slow, manual grind of ASVS assessments? This live demo introduces the OWASP ASVS Security Evaluation Templates—an open-source toolkit built on Nuclei to streamline and scale your web application security testing. Designed for security practitioners, this session walks through real-world use cases, showing how to plug these templates into your existing workflows for faster, more accurate ASVS evaluations.
We’ll cover customization, integration, and key considerations for operationalizing the templates—plus, how you can contribute back to the project. Whether you're looking to boost testing efficiency or reduce human error, this session gives you the tools to level up your appsec approach in a fraction of the time.
Speakers
AmirHossein Raeisi

Application Security Engineer
Hamed Salimian

Cybersecurity Auditor, OWASP Project Lead
Experienced cybersecurity auditor and penetration tester with a proven track record in securing systems for banking and industrial organizations. Adept at identifying vulnerabilities, ensuring compliance, and implementing robust security solutions. Proficient programmer with expertise... Read More →

Thursday May 29, 2025 3:30pm - 4:15pm CEST
Room 133-134

3:30pm CEST

Level Up Your AppSec Game: OWASP SAMM's Roadmap to Security Excellence
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Join OWASP project leader Sebastien for an engaging and interactive introduction and update on the OWASP Software Assurance Maturity Model (SAMM). We will cover SAMM's purpose and application in jumpstarting and accelerating your software assurance roadmap.

This session will provide valuable insights and practical knowledge on leveraging SAMM as a secure development framework:

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM maps to other frameworks, such as the NIST Secure Software Development Framework (SSDF) and OpenCRE. This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture for any compliance requirement.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.
Speakers
Sebastien Deleersnyder

CTO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Room 133-134

3:35pm CEST

OWASP Domain Protect Project
Thursday May 29, 2025 3:35pm - 4:05pm CEST
In 2022 we launched OWASP Domain Protect, a tool using serverless functions to automate scans of an enterprise’s DNS environments in AWS, GCP and Cloudflare, test for subdomains vulnerable to takeover, and create Slack and email alerts.

Since then, new features have been added, including a migration of OWASP Domain Protect to a public Terraform module hosted on the Terraform and OpenTofu registries. This approach makes it very straightforward for users to incorporate OWASP Domain Protect into their own cloud infrastructure, and easy to keep it updated.

In this presentation, I’ll review the basics of subdomain takeover, describe the system architecture of Domain Protect, detail recent improvements, and give a live demonstration of vulnerable domain detection followed by automated takeover.

Speakers
Paul Schwarzenberger

Cloud Security Engineer, Celidor
Paul Schwarzenberger is a cloud security architect and engineer, leading security engagements and cloud migration projects for customers across sectors including financial services and Government. He has in-depth enterprise experience and certifications across all three major cloud... Read More →
Thursday May 29, 2025 3:35pm - 4:05pm CEST
Room 131-132

4:30pm CEST

Networking Reception in Expo Hall
Thursday May 29, 2025 4:30pm - 6:30pm CEST
Come network with drinks and appetizers in the expo hall!
Thursday May 29, 2025 4:30pm - 6:30pm CEST
Area 1

6:45pm CEST

Endor Lab's After Party
Thursday May 29, 2025 6:45pm - 8:30pm CEST
Rooftop Brews & AppSec Views
May 29th
6.30pm until 8.30pm
Purobeach Barcelona Rooftop Bar - Located in the Hilton (4 min walk from the OWASP Global AppSec)

Join Endor Labs after Day 1 of OWASP Global AppSec Europe for a free evening of cold beers, local bites, and chill conversations with fellow AppSec minds — all set against a stunning rooftop backdrop in Barcelona.

Spaces are limited, and you must register to attend here.
Thursday May 29, 2025 6:45pm - 8:30pm CEST
Purobeach Barcelona Rooftop Bar - Located in the Hilton Passeig del Taulat, 262 - 264 08019 Barcelona Spain