Venue: Room 115
Thursday, May 29
 

10:30am CEST

Human Buffer Overflow: How to Deal with Cognitive Load in High-Performing Teams
Thursday May 29, 2025 10:30am - 11:15am CEST
High-performing teams are a treasure for every organization. But what if cognitive load gets too high and creates a buffer overflow in a team's working memory? Security adds an additional layer of complexity to the work of development teams and endangers both their quality of work and their solution-finding capabilities as a team. We will show actionable remediation strategies, such as a Security Champions Program, automation of security scans and secure Scrum, with a real-life example.
Speakers
Juliane Reimann

Founder & Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and community building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...
Room 115

11:30am CEST

Your Security Dashboard Is Lying to You: The Science of Metrics
Thursday May 29, 2025 11:30am - 12:15pm CEST
Security teams love metrics - dashboards filled with vulnerability counts, alert volumes, and training hours logged. But do any of these actually make organizations more secure? The uncomfortable truth is that most security metrics are just vanity numbers—impressive in reports but meaningless in practice.

In this talk, I will focus on the science behind meaningful security metrics—the ones that actually reduce risk instead of just filling reports. I will introduce a framework that helps define metrics based on real security goals, rather than setting goals around whatever data happens to be available. From there, I will break down what constitutes a good metric, examining its structure and the common pitfalls that undermine its validity.

If your security strategy is built on unreliable metrics, it's time for a reality check. This talk challenges industry assumptions and provides scientific backing for the finding that many widely used security metrics only weakly correlate with actual risk.
Speakers
Aram Hovsepyan

CEO, Codific
Aram is the founder and CEO of Codific. With over 15 years of application security experience, he has a proven track record in building complex software systems with an explicit focus on quality. Aram has a PhD in cybersecurity from DistriNet, KU Leuven. His contributions to the...
Room 115

1:15pm CEST

Against all odds: Kickstarting your Product Security Program when things are not in your favour
Thursday May 29, 2025 1:15pm - 2:00pm CEST
Have you ever been in a situation where you are looking at a map, but your surroundings look nothing like the map? And you are not even sure which direction you are facing? This is where many security teams find themselves when they begin their journey to build a product security program. Worse, like most startups, many security programs fail and never find their way to their stakeholders. While helpful roadmaps like OWASP SAMM, DSOMM, and other frameworks provide a good map, they cannot answer the question of how we actually get from A to B, or if it is even possible given the current state of our organization. We know we should have security gates, we know we should have threat modeling, we know we should have an active community of security champions, we know we should have a culture of security - but it doesn't exist, and hardly anyone supports our initiatives in the beginning. We know what needs to be done, we just don't know how to make it happen.

This talk is not about the technical challenges of building a product security program, but about the strategic, tactical, and organizational challenges. How do you build a security program when resources are limited and the organization around you does not provide an environment in which you can easily thrive? We will take a look at various challenges, our mission and understanding as a security team, possible solutions, and techniques to succeed even when the odds are stacked against us.
Speakers
Michael Helwig

Security Consultant and Founder, secureIO GmbH
I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development. I am interested in DevSecOps, security testing, exploiting, vulnerability...
Room 115

2:15pm CEST

Beyond Best Practices: Uncovering the Organizational Roots of Software Security Vulnerabilities
Thursday May 29, 2025 2:15pm - 3:00pm CEST
The exponentially growing number of software security vulnerabilities and data breaches highlights a persistent gap between the implementation of the secure development lifecycle, and in particular of secure coding practices, and their intended outcomes. Despite significant financial investments in application security and advances in secure software development methodologies, the effectiveness of these practices remains inconsistent. Our session is based on multi-phase, multi-year research conducted in two global enterprise software companies, and explores how a combination of developers' security education, organizational security climate, and metrics can enhance secure coding performance and reduce software vulnerabilities.

In December 2004, Steve Lipner introduced to the world the Trustworthy Computing Security Development Lifecycle, a framework built on three main pillars: requirements for repeatable secure development processes, requirements for engineers' secure coding education, and requirements for measurement and accountability for software security. Guided by this three-pillar framework, our research emphasizes the under-addressed areas of developer education and organizational accountability and measurement.

Through a series of three studies, conducted in two global software companies and led by the University of Haifa in Israel, this session presents the results of academic research that attempted to identify the root cause of the ever-increasing number of software security vulnerabilities. It investigates the effectiveness of secure coding training, the impact of organizational security climate interventions, and the correlation between security climate and secure coding performance, in order to evaluate whether the latter two, which have largely been left in the shadows, could provide a solution to the problem.

The first study evaluates the efficacy of secure coding training programs, revealing that while training improves knowledge, it does not significantly reduce newly introduced vulnerabilities. The second study demonstrates that targeted organizational interventions, including leadership communication and process improvements, significantly enhance the organizational security climate. The final study found a significant correlation between a positive security climate and improved secure coding performance, evidenced by a higher ratio of mitigated vulnerabilities.

This research provides actionable insights for both academia and industry. It underscores the importance of integrating secure coding education with organizational climate improvements to achieve measurable security outcomes. The findings offer a comprehensive approach to reducing cyber security risks while advocating for a dual focus on technical skills and cultural transformation within software development environments.
Speakers
Tomer Gershoni

Ex-CSO, ZoomInfo
Tomer Gershoni is a long-time cybersecurity executive. Most recently, Mr. Gershoni led ZoomInfo's information security team as its Senior Vice President and Chief Security Officer, overseeing physical and digital security and privacy efforts and leading ZoomInfo's work to safeguard...
Room 115

3:30pm CEST

Kaizen for your appsec program: Turning big problems into small steps
Thursday May 29, 2025 3:30pm - 4:15pm CEST
Organizations are transitioning in their use of OWASP SAMM: the use case is evolving from an assessment model into a quality control program. Kaizen is an iterative improvement methodology popularized in Japanese industry; as an operational philosophy it has influenced quality control systems worldwide. This talk highlights how Kaizen principles are applied in the industry by separating the OWASP SAMM model into distinct streams and managing each stream in a continuous improvement cycle.

The talk is based on practical experience and 27 interviews with appsec program managers at a wide range of corporations on this journey. There are some recurring pitfalls in the implementation of OWASP SAMM that relate to the human aspect of change management, the pitfalls of gamification, and the challenges of fitting a generic framework to diverse contexts. Finally, we distill from the successes and failures of the industry the potential for Kaizen principles and OWASP SAMM to leverage participatory leadership, empowerment and intrinsic motivation. The conclusion is an optimistic picture of the future, where security is everyone's problem, jobs are meaningful and applications are a little bit more secure.
Speakers
Dag Flachet

Co-Founder, Professor and Board Member, Codific
Dag Flachet has a doctoral degree in business administration, specialized in organizational psychology. He is a co-founder of Codific, and a professor and board member at the Geneva Business School. Dag is an active member of the OWASP Barcelona Chapter. linkedin.com/in/dagf...
Room 115