Venue: Room 131-132
Thursday, May 29
 

10:30am CEST

OWASP LCNC Securing the Future: AI Meets Low-Code, the New Security Frontier!
Thursday May 29, 2025 10:30am - 11:00am CEST
Low-code and no-code (LCNC) development has transformed the way organizations build applications, enabling business users—often with little security expertise—to create powerful workflows, automations, and even AI-driven solutions. As these platforms increasingly integrate AI-powered copilots and automation tools, their adoption is skyrocketing, but so are security risks that traditional AppSec frameworks fail to address.

Recognizing this urgent gap, we established the OWASP Low-Code/No-Code Security Top 10 project to clarify the unique risks in these environments. In this session, we will share our journey—how we classified the Top 10 security risks in LCNC, what we have accomplished since the project’s inception, and how AI-driven low-code development introduces new attack vectors that security teams must prepare for.

Attendees will gain insights into:

* How LCNC security challenges have evolved, especially with the rise of AI-powered platforms.
* The OWASP Low-Code/No-Code Security Top 10, providing a much-needed framework for both citizen developers and security professionals.
* Real-world exploit scenarios, from insecure workflows and data exposure to AI-powered automation risks.
* The current state of low-code security and AI governance, key findings from our research, and what’s next for securing this fast-growing space.

As AI and low-code become inseparable in modern development, security teams must adapt quickly to prevent misuse, misconfigurations, and data exposure. This session is ideal for AppSec professionals, developers, security leaders, and platform owners looking to secure LCNC applications while enabling innovation.

Join us to explore the evolving threat landscape and gain actionable strategies to safeguard the next wave of AI-driven enterprise applications.
Speakers

Ziv Hagbi

Director of Product Management, Zenity
Ziv Daniel Hagbi is a seasoned security expert with deep expertise in Low-Code/No-Code security and AI-driven business development. As the co-leader of the OWASP Low-Code/No-Code Security Top 10 project, Ziv is dedicated to raising awareness and addressing the unique security risks...
Room 131-132

11:00am CEST

OWASP ModSecurity in Motion: Evolving the Open Source WAF
Thursday May 29, 2025 11:00am - 11:30am CEST
OWASP ModSecurity has long served as a foundational engine for web application firewalls, quietly defending thousands of applications in production environments worldwide.

This talk offers a technical and practical overview of where ModSecurity stands today. We'll cover the major updates and architectural improvements introduced over the past two years, including performance optimizations, expanded language bindings, improved logging and debugging tools, and better containerization support.

We’ll also address the community’s role in ModSecurity's ongoing maintenance and what the current roadmap looks like for key integrations and use cases—from NGINX and Apache to reverse proxies and API gateways.

Whether you're a seasoned user, a contributor, or just exploring WAFs for the first time, this session will help you better understand ModSecurity’s role in the modern security stack—and how to leverage its most recent improvements to meet the demands of today’s web.

What You’ll Learn:
  • A recap of ModSecurity’s core capabilities and architecture
  • Key improvements made since 2023, including performance and compatibility upgrades
  • New tooling and deployment patterns
  • Current challenges and open areas for contribution
  • How ModSecurity is being used today
Speakers

Ervin Hegedus

Project Co-Lead, OWASP ModSecurity
Ervin Hegedus is a system and software engineer. His open source contributions include ModSecurity since 2017 and Coreruleset since 2019; he has been an OWASP member since 2021 and became the ModSecurity project co-lead in 2024.
Room 131-132

11:30am CEST

OWASP Threat Library
Thursday May 29, 2025 11:30am - 12:00pm CEST
Threat modeling is a cornerstone of cybersecurity, yet it remains manual, complex, and inaccessible to many teams. While AI-powered threat modeling holds immense promise, it faces challenges such as hallucinations, lack of structured outputs, low accuracy, and limited trustworthiness.

The critical gap lies in the availability of specialized datasets. We aim to enhance LLMs’ ability to identify threats and recommend effective controls by generating open-source curated datasets of real-world threat models with the OWASP Threat Library. This session explores the transformative potential of crowdsourced data to fine-tune LLMs, driving a significant leap forward for the cybersecurity community and industry - all under the wings of an OWASP Project.
Speakers

Petra Vukmirovic

Head of Information Security / Fractional Head of Product, Numan / Devarmor
Petra is a technology enthusiast, leader and public speaker. A former emergency medicine doctor and competitive volleyball athlete, she thrives in challenging environments and loves creating order from chaos. Initially pursuing a medical career, Petra's passion for technology led...
Room 131-132

1:15pm CEST

Introducing Sunshine, the all new SBOM visualization tool by OWASP CycloneDX
Thursday May 29, 2025 1:15pm - 1:30pm CEST
Introducing Sunshine, a first-of-its-kind visualization tool for CycloneDX files that can facilitate the adoption of CycloneDX by making SBOMs easily readable and more understandable by a broader audience.

Agenda

1. INTRODUCTION:
1.1 What is an SBOM and why it’s important
1.2 What is the OWASP CycloneDX project
1.3 Brief introduction to the CycloneDX JSON/XML format
1.4 The missing piece: an actionable visualization tool for CycloneDX files

2. OWASP CYCLONEDX SUNSHINE: MAIN BENEFITS AND MAIN FEATURES
2.1 Main benefits: visualize a CycloneDX file in an interactive and human-friendly way
2.2 Main feature #1: sunburst chart with dependencies, licenses and vulnerabilities (with live demo)
2.3 Main feature #2: table with dependencies, licenses and vulnerabilities (with live demo)

3. OWASP CYCLONEDX SUNSHINE: ADVANCED FEATURES
3.1 Advanced feature #1: chart refocus to see only dependencies and vulnerabilities of a single component (with live demo)
3.2 Advanced feature #2: automatic recovery of missing bom-refs (with live demo)
3.3 Advanced feature #3: automatic recovery of broken dependency references (with live demo)
3.4 Advanced feature #4: circular dependencies detection (with live demo)

4. OWASP CYCLONEDX SUNSHINE: HOW TO USE AND A BIT OF IMPLEMENTATION DETAILS

4.1 CLI version: pure python with no additional requirements (with live demo)
4.2 Web-based version: also the same python script, but it runs entirely inside the browser! (with live demo)

5. Q&A

Note: A longer Q&A session will be held in the Project Demo Lab, room 133-134 - check the schedule for details!

GitHub repo: https://github.com/CycloneDX/Sunshine/

Sunshine announcement: https://www.linkedin.com/posts/owasp-cyclonedx_github-cyclonedxsunshine-sunshine-sbom-activity-7277371020246663168-5WNx

Speakers

Luca Capacci

Senior security engineer / Maintainer CycloneDX, CryptoNet Labs / OWASP
Luca received his master's degree in Computer Engineering from the University of Bologna in 2014 and has been working in the cybersecurity field since then. He is a senior security engineer and R&D manager at CryptoNet Labs and has been a maintainer at OWASP CycloneDX since December...

Mattia Fierro

Head of Security Operations Center, Altermaind
He holds a degree in Computer Systems and Network Security and has developed a strong passion for vulnerability management and software security. Over the years, he has built his career in these areas and is currently working in the finance industry in Italy.
Room 131-132

1:45pm CEST

OWASP Mobile Application Security (MAS) Project Updates
Thursday May 29, 2025 1:45pm - 2:15pm CEST
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) and the MASTG v2 Beta. We’ll introduce new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies. Additionally, we’ll showcase the newly developed MAS test apps for Android and iOS, designed to streamline security research and improve the development of robust MAS tests.

A major highlight will be the MASTG demos, now available as APK and IPA files directly from the MAS website, which allow security professionals to learn and practice real-world vulnerability detection. We'll also cover critical updates to iOS 17+ testing for non-jailbroken devices, and demonstrate new techniques and methodologies using one of the latest MASTG demos. Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills.

https://mas.owasp.org/
Speakers

Sven Schleier

Principal Security Consultant, Crayon
Sven is a Principal Security Consultant at Crayon, Austria and leads the professional services for cloud security. He also has extensive experience in offensive security engagements (penetration testing) and application security, specifically in guiding software development teams...

Carlos Holguera

Principal Mobile Security Research Engineer, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Room 131-132

2:15pm CEST

OWASP Cumulus: Threat Modeling the Ops of DevOps
Thursday May 29, 2025 2:15pm - 2:45pm CEST
In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects.

We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way.
Speakers

Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...
Room 131-132

2:45pm CEST

OWASP Coraza in 2025: What next for the WAF you want to use?
Thursday May 29, 2025 2:45pm - 3:15pm CEST
Discover OWASP Coraza, an open-source WAF written in Go, which makes it fast, secure, memory safe, and highly extensible. Built to integrate seamlessly with the CRS v4 ruleset, Coraza solves key issues like performance bottlenecks and limited customization in traditional WAFs.

This talk will explore how Coraza addresses modern web security challenges and preview upcoming features on its roadmap, including better rule management and DevOps integrations.

Key Takeaways:
- Why Coraza is ideal for developers and security teams
- How it improves WAF performance, memory safety, and flexibility
- What's next on the roadmap

If you're seeking a lightweight, scalable, and memory-safe WAF solution, Coraza is worth your attention!
Speakers

Soujanya Namburi

Security Research Engineer, Traceable Ai
I’m Soujanya Namburi, a Developer and Security Research Engineer. I specialize in WAF (Web Application Firewalls), anomaly detection, external surface scanners, and active security testing. I have extensive experience with open source security projects like OWASP Coraza and OWASP...
Room 131-132

3:35pm CEST

OWASP Domain Protect Project
Thursday May 29, 2025 3:35pm - 4:05pm CEST
In 2022 we launched OWASP Domain Protect, a tool using serverless functions to automate scans of an enterprise’s DNS environments in AWS, GCP and Cloudflare, test for subdomains vulnerable to takeover, and create Slack and email alerts.

Since then, new features have been added, including a migration of OWASP Domain Protect to a public Terraform Module hosted on the Terraform and OpenTofu Registries. This approach makes it very straightforward for users to incorporate OWASP Domain Protect into their own cloud infrastructure, and easy to keep it updated.

In this presentation, I’ll review the basics of subdomain takeover, describe the system architecture of Domain Protect, detail recent improvements, and give a live demonstration of vulnerable domain detection followed by automated takeover.

Speakers

Paul Schwarzenberger

Cloud Security Engineer, Celidor
Paul Schwarzenberger is a cloud security architect and engineer, leading security engagements and cloud migration projects for customers across sectors including financial services and Government. He has in-depth enterprise experience and certifications across all three major cloud...
Room 131-132