Venue: Room 114
Thursday, May 29
10:30am CEST

False Positives, Begone! Harnessing AI for Efficient SAST Triage
Thursday May 29, 2025 10:30am - 11:15am CEST
False positives are one of the biggest pain points in running a Static Application Security Testing (SAST) program. While SAST tools are valuable for identifying security issues in a codebase—flagging critical vulnerabilities like Remote Code Execution and SQL Injection—they often generate significant noise due to their lack of contextual awareness. SAST testing is relatively easy to set up, requires no accounts or credentials, and can uncover issues in multi-step processes that would be difficult to detect with dynamic security testing. However, the high volume of false positives leads to alert fatigue and demands considerable effort to triage, making it challenging to identify the relatively small number of true vulnerabilities.

This research addresses that challenge by combining Program Analysis with Large Language Models (LLMs) to simulate the manual triage process for SAST findings. Our approach leverages a carefully designed LLM agent that enhances context around vulnerable code, identifies conditions that make exploitation infeasible, and determines whether a clear execution path exists from a user-controlled input to the vulnerable line flagged by SAST.

We will demonstrate this novel approach in action, showcasing how it can be integrated with any SAST tooling to streamline triage. By reducing false positives and prioritizing actionable findings, this method allows security engineers and developers to focus on the vulnerabilities that truly matter.
Speakers
Elliot Ward

Staff Security Researcher, Snyk Security Labs
Elliot is a Staff Security Researcher at software security company Snyk. He has a background in software engineering and application security. securitylabs.snyk.io (blog) securitylabs.snyk.io (company... Read More →

11:30am CEST

Emerging Frontiers: Ransomware Attacks in AI Systems
Thursday May 29, 2025 11:30am - 12:15pm CEST
This session will delve into the convergence of ransomware and Artificial Intelligence/Machine Learning (AI/ML) systems, providing attendees with a comprehensive understanding of the evolving ransomware landscape in AI environments. The presentation will cover:

The progression of ransomware from traditional attacks to AI-driven variants.
Vulnerabilities in AI/ML systems, such as supply chains, models, and training pipelines, that adversaries can exploit for ransomware attacks.
Real-world examples of potential ransomware exploits in predictive AI (e.g., OWASP ML06: 2023 ML Supply Chain Attacks) and generative AI (e.g., OWASP LLM06: Excessive Agency).
Practical strategies and AI-driven solutions to detect, protect against, and mitigate ransomware threats.

Attendees will gain actionable insights into adapting traditional ransomware defenses to safeguard modern AI infrastructures and explore open challenges in standardizing defenses for AI/ML systems. The session will also provide references to OWASP frameworks and insights from the OWASP AI Exchange.
Speakers
Behnaz Karimi

Senior Cyber Security Analyst, Accenture
Behnaz Karimi is a Senior Cyber Security Analyst at Accenture and a Co-Author and Co-Lead of OWASP AI Exchange, where she also serves as the Lead for AI Red Teaming. She has actively contributed to OWASP initiatives, including participating in the development of the GenAI Red Teaming... Read More →
Yuvaraj Govindarajulu

Head of Research, AIShield (Powered by Bosch)
Yuvaraj Govindarajulu is a dynamic technical leader with over a decade of experience in AI, Cybersecurity and Embedded Systems R&D. He is the Head of Research at AIShield, a startup of Bosch with a mission to secure AI systems of the world, from development to deployment. His key... Read More →

1:15pm CEST

From Prompt to Protect: LLMs as Next-Gen WAF's
Thursday May 29, 2025 1:15pm - 2:00pm CEST
When exploring the use of Large Language Models (LLMs) in application security, a new frontier emerges for Web Application Firewalls (WAFs). Traditionally, WAFs operate on structured rules to detect and block application attacks, but what if we could leverage the unique capabilities of an LLM? In this talk, we will delve into the potential of using LLMs as WAFs, evaluating their strengths, challenges, and implications.

During this talk attendees will learn how existing applications may need to evolve to align with LLM capabilities, as well as discussing how LLMs can not only help detect threats and reduce false positives but also adapt better to zero-day vulnerabilities.

Through live demonstrations and a practical breakdown of potential architectures, this talk will equip attendees with actionable insights into how LLMs can transform application security while addressing the challenges they bring to the table.
Speakers
Juan Berner

Principal Security Engineer, Booking.com
Juan Berner is a security researcher with over 13 years of experience in the field, currently working as a Principal Security Engineer at Booking.com, as SME for Application Security and Architect for security solutions. He has given talks in the past on how to build an open source... Read More →

2:15pm CEST

Living the SBOM life - the good, the bad and the evil parts
Thursday May 29, 2025 2:15pm - 3:00pm CEST
The Software Bill of Materials (SBOM) is in the limelight as the silver bullet for many things - open source license compliance, vulnerability management, copyright management, identifying technical debt and the path towards a healthy, secure and legislation-certified happy state of a binary life. But behind all this marketing and makeup is a fairly simple syntax and a lot of missing pieces in the puzzle. Let’s dive into the SBOM lifestyle together and look at the current status, the hopes and the vision for a toolset with less hype, but more real benefits for compliance, developers and product managers, with a chance of being a workhorse in risk management as well as in the automatic vulnerability management toolchain. Help us make the SBOM dream come true, listen to the talk and then walk the SBOM walk!
Speakers
Olle E. Johansson

Leader OWASP Project Koala, Edvina AB
Olle E. Johansson is an experienced and appreciated speaker, teacher as well as an Open Source developer and consultant. He is currently project lead for OWASP Project Koala - developing the Transparency Exchange API (TEA), member of the CycloneDX industry working group, the OWASP... Read More →
Anthony Harrison

Founder and Director, APH10
I am the Founder and Director of APH10 which helps organisations more efficiently manage software risks in their applications, in particular risks from vulnerabilities in 3rd party components and compliance with open-source licences. Has been an active member of the open source community... Read More →

3:30pm CEST

Current challenges of GraphQL security
Thursday May 29, 2025 3:30pm - 4:15pm CEST
GraphQL’s capability to fetch precisely what’s needed and nothing more, its efficient handling of real-time data, and its ease of integration with modern architectures make it a compelling choice for modern web and mobile applications. As developers seek more efficiency and better performance from their applications, GraphQL is increasingly becoming the go-to technology for API development. However, building and maintaining GraphQL applications requires careful consideration of security.

In this talk, security engineers will strengthen their GraphQL security skills by learning key techniques such as complexity management, batching, aliasing, sanitization, and depth limit enforcement. They will also learn to implement customizable middleware with their development team, like GraphQL Armor, for various GraphQL server engines.

Participants will explore different techniques and packages, and apply them to enhance the safety of their GraphQL applications. By the end of the talk, attendees will be equipped with practical knowledge to build secure and efficient GraphQL APIs.
Speakers
Maxence Lecanu

Technical Lead, Escape
Maxence is Technical Lead at Escape, where, as a founding engineer, he played a key role in shaping the platform from the ground up—helping security teams detect and mitigate business logic vulnerabilities at scale. With over 6 years of experience across software engineering and... Read More →
Antoine Carossio

Cofounder & CTO, Escape.tech
Former pentester for the French Intelligence Services. Former Machine Learning Research @ Apple. linkedin.com/in/acarossio/ escape.tech (company) @iCarossio escape.tech (blog... Read More →