Thursday, May 29
 

10:45am CEST

OWASP Certified Secure Developer Open Call
Thursday May 29, 2025 10:45am - 11:45am CEST
Join Us in Shaping the Future of Secure Software Development

The OWASP Education and Training Committee is developing a certification program designed specifically for developers—and we need your expertise.

For the first time, this initiative will be showcased at OWASP Global AppSec EU 2025, and we’re inviting the community to help build the body of knowledge that will form the foundation of the certification curriculum.

If you're passionate about secure coding and developer education, this is your chance to contribute meaningfully to a global effort. Let’s build something that lasts—together.
Speakers
Shruti Kulkarni

Information Security Architect, 6point6
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information...
Room 133-134

11:00am CEST

OWASP Juice Shop Demo: Your vitamin shot for security awareness & education
Thursday May 29, 2025 11:00am - 11:45am CEST
In this 100% slide-free demo session you will embark on a journey through the popular OWASP Juice Shop vulnerable web application!

You will experience firsthand how easy it is to set up, get started, and solve your first hacking & coding challenges. In a quick mob-hacking session, you will gain your first points on Juice Shop's extensive score board!

The demo also includes a glimpse into Juice Shop's CTF tool and its multi-user hosting environment MultiJuicer! You will witness how fast a CTF event can be launched with OWASP Juice Shop, how great documentation really makes a difference, and even how to make the application look like an in-house app of your own company.

Due to the nature of this small group demo session, you are welcome to ask questions during and between the different topics - ad libitum! There is time for clarification and dipping into special topics.

If time permits, this session can also cover interesting behind-the-scenes topics, such as cheat detection, start-up validations, webhook integrations, and a pro-level Grafana dashboard for observability!

Even if you know and have used OWASP Juice Shop yourself already, there's no chance you've already seen everything that will be covered in this session!
Speakers
Björn Kimminich

Product Group Lead, Kuehne+Nagel
Bjoern Kimminich works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader...
Room 133-134

11:30am CEST

OWASP Threat Library
Thursday May 29, 2025 11:30am - 12:00pm CEST
Threat modeling is a cornerstone of cybersecurity, yet it remains manual, complex, and inaccessible to many teams. While AI-powered threat modeling holds immense promise, it faces challenges such as hallucinations, lack of structured outputs, low accuracy, and limited trustworthiness.

The critical gap lies in the availability of specialized datasets. We aim to enhance LLMs’ ability to identify threats and recommend effective controls by generating open-source curated datasets of real-world threat models with the OWASP Threat Library. This session explores the transformative potential of crowdsourced data to fine-tune LLMs, driving a significant leap forward for the cybersecurity community and industry - all under the wings of an OWASP Project.
Speakers
Petra Vukmirovic

Head of Information Security / Fractional Head of Product, Numan / Devarmor
Petra is a technology enthusiast, leader and public speaker. A former emergency medicine doctor and competitive volleyball athlete, she thrives in challenging environments and loves creating order from chaos. Initially pursuing a medical career, Petra's passion for technology led...
Room 131-132

1:15pm CEST

Against all odds: Kickstarting your Product Security Program when things are not in your favour
Thursday May 29, 2025 1:15pm - 2:00pm CEST
Have you ever been in a situation where you are looking at a map, but your surroundings look nothing like the map? And you are not even sure which direction you are facing? This is where many security teams find themselves when they begin their journey to build a product security program. Worse, like most startups, many security programs fail and never find their way to their stakeholders. While helpful roadmaps like OWASP SAMM, DSOMM, and other frameworks provide a good map, they cannot answer the question of how we actually get from A to B, or if it is even possible given the current state of our organization. We know we should have security gates, we know we should have threat modeling, we know we should have an active community of security champions, we know we should have a culture of security - but it doesn't exist, and hardly anyone supports our initiatives in the beginning. We know what needs to be done, we just don't know how to make it happen.

This talk is not about the technical challenges of building a product security program, but about the strategic, tactical, and organizational challenges. How do you build a security program when resources are limited and the organization around you does not provide an environment in which you can easily thrive? We will take a look at various challenges, our mission and understanding as a security team, possible solutions, and techniques to succeed even when the odds are stacked against us.
Speakers
Michael Helwig

Security Consultant and Founder, secureIO GmbH
I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development. I am interested in DevSecOps, security testing, exploiting, vulnerability...
Room 115
 