OWASP 2025 Global AppSec EU

In today's fast-paced technology landscape, the mantra "Nemo resideo" – "Leave no one behind" – takes on a critical new meaning.   As organizations race to deliver software faster than ever, engineering teams often face immense pressure to prioritize speed over security. In fact, the 2024 CrowdStrike State of Application Security Report found that 60% of security professionals still struggle with prioritizing application vulnerabilities.

This keynote, "Nemo resideo: Managing application security through rapid change," will delve into the strategies and best practices that can help businesses maintain robust application security without compromising on delivery timelines.

The OWASP Microservice Cheat Sheet makes a bold statement about the limitations of edge-level authorization architectures - implying that they cannot handle the complexities of modern microservices. But what if that’s no longer true?

Enter heimdall, an identity-aware proxy that redefines edge-level authentication and authorization. By integrating fine-grained access control with modern Zero Trust principles, heimdall overcomes the supposed weaknesses, providing scalability, flexibility, and performance without sacrificing security and team agility.

In this talk, I will challenge the OWASP Cheat Sheet’s view and demonstrate how heimdall addresses its concerns head-on. You’ll learn how edge-level authorization can scale to meet the demands of large, distributed systems while maintaining granular control over access. Through real-world examples and architecture insights, we’ll explore why the edge-level might just be the most effective place for secure access control.

Join me to see how heimdall blows away the perceived limitations of edge-level authorization and why it’s time to rethink this critical piece of microservice security.

Mobile applications are often developed in a cross-platform framework such as Flutter, React Native or Maui. These frameworks allow developers to design and implement the application once and then deploy to both Android and iOS.

While these frameworks save time during the development cycle, they pose unique challenges when securing them. In this talk, I will show you how mobile application security is a shared responsibility between the developer, the cross-platform framework and the native OS on which the application is running. Security needs to be addressed during the entire SDLC, so we will examine the impact on SAST, DAST and even manual penetration testing.

In the security industry, we often take well-established development practices, such as the DevOps infinity loop, add a layer of security, and label it "DevSecOps." However, this approach frequently overlooks a critical issue: layering complex security processes onto efficient development processes can create inefficiency. In this talk, I argue that true innovation in security comes not from tooling or automation alone, but from mastering the underlying process first. By drawing an analogy to simple machines — where incremental improvements led to the evolution of tools like levers, wheels, and pulleys — I will illustrate how optimizing foundational processes leads to scalable, effective security practices. Attendees will leave with practical insights on reducing inefficiencies and fostering consistent improvement in their security workflows.

So TypeScript has become the de facto industry standard for developing web applications these days and promising type security, but do developers properly understand the role it plays in securing applications and does the type safety promise hold true in face of real-world security threats?

Developers often mistake dev-time vs runtime security as well as confuse test cases for security guard rails. Can TypeScript actually provide you with code security benefits? In this session we will explore insecure TypeScript patterns, learn how HTTP parameter pollution vulnerabilities impact TypeScript code bases and witness first-hand how attackers employ prototype pollution attacks that cripple codebases even when developers use schema validation libraries like Zod. Through hands-on coding we’ll hack a TypeScript application and learn security best practices.

You have probably heard of success stories using Open Policy Agent for all kinds of authorization problems that focus on the technical merits and challenges. While it is relatively easy to get started when you look at single applications, the game changes as soon as you want to introduce authorization as a platform capability for thousands of applications maintained by hundreds of teams.

We will talk about how Zalando adopted Open Policy Agent and Styra DAS to provide this capability and will shed some light on how we enable enough governance to stay compliant, how to use organisational scale in our favour and how to balance central platform concerns with decentral application concerns.

We’ll touch on the technical integration points in our Platform via OSS Skipper, observability via OpenTelemetry and Styra DAS. We will also talk about the developer experience, the leverage we gain as security teams and how we structure our policies to enable complex business cases across multiple applications.