OWASP 2025 Global AppSec EU: Full Schedule

arrow_back View All Dates

8:15am CEST

Coffee/Tea

Friday May 30, 2025 8:15am - 9:00am CEST

Area 1

Meals provided by OWASP. Come join us in the Expo Hall

Friday May 30, 2025 8:15am - 9:00am CEST
Area 1

Meals provided by OWASP

8:15am CEST

Registration

Friday May 30, 2025 8:15am - 6:00pm CEST

8:30am CEST

Speaker Ready Room

Friday May 30, 2025 8:30am - 5:00pm CEST

Room 119

Open to all of our Global AppSec Speakers to prepare for their presentation.

Friday May 30, 2025 8:30am - 5:00pm CEST
Room 119 CCIB

Speakers Only

9:00am CEST

Keynote: Outside the Ivory Tower: Connecting Practice and Science

Friday May 30, 2025 9:00am - 10:00am CEST

Room 116+117

Speakers

Kate Labunets

Assistant Professor in the Department of Information and Computing Sciences, Utrecht University in the Netherlands

Dr. Kate Labunets is an Assistant Professor in the Department of Information and Computing Sciences at Utrecht University in the Netherlands. Before joining Utrecht University, she was a cyber security postdoc for the VSNU Digital Society track on Safety and Security and H2020 CYBECO... Read More →

Friday May 30, 2025 9:00am - 10:00am CEST
Room 116+117 CCIB

Keynote

9:00am CEST

OWASP Member Lounge

Friday May 30, 2025 9:00am - 5:00pm CEST

Room 111

Come one OWASP member, come all! This room is open to all OWASP members and offers networking tables, working stations, and a gaming area!

Friday May 30, 2025 9:00am - 5:00pm CEST
Room 111

BONUS TRACK

10:00am CEST

AM Break with Exhibitors

Friday May 30, 2025 10:00am - 10:30am CEST

Area 1

Meals provided by OWASP

Friday May 30, 2025 10:00am - 10:30am CEST
Area 1

Meals provided by OWASP

10:00am CEST

Bob the Breaker CTF - The Reunion. The No-code/Low-code Hacking Saga Continues.

Friday May 30, 2025 10:00am - 2:00pm CEST

Room 118

At a reunion, Bob's fame for hacking into corporate secrets spreads quickly.
Soon, his pals seek a "little help from a friend."
Join forces with Bob and make sure his buddies get hold of the data they need.

Sponsors

NoKod Security

Friday May 30, 2025 10:00am - 2:00pm CEST
Room 118 CCIB

BONUS TRACK

10:30am CEST

Beyond the Rules: The Past, Present, and Future of OWASP CRS

Friday May 30, 2025 10:30am - 11:00am CEST

Room 131-132

The OWASP Core Rule Set (CRS) is one of the Foundation’s flagship projects—quietly powering Web Application Firewalls (WAFs) across the world, safeguarding applications large and small. But it’s been a while since CRS has shared a full update with the community. This talk changes that.
We’ll explore the full lifecycle of CRS—from its origins under Trustwave, through the pivotal leap to version 3, and into the challenges we’re addressing as we build toward version 4. Along the way, we’ll reflect on what it takes to maintain and evolve a high-impact open source project within a constantly shifting security landscape.
Attendees will get a clear picture of what CRS is today: a sophisticated, extensible, community-driven detection framework. You’ll hear how we’re doubling down on quality assurance, introducing a plugin architecture, and transitioning from traditional SecLang rules to a YAML-based format designed to make contributions easier and tooling more powerful.
This session is for anyone who works with WAFs, contributes to open source, or is curious about the future of web application defense. You’ll walk away with a deeper understanding of the CRS roadmap—and how you can be part of shaping what comes next.
Key Takeaways:

What OWASP CRS is—and why it matters more than ever
Lessons learned from building and maintaining a global ruleset
The roadmap to CRS 4.0 and what’s next for the project
How the community can get involved and contribute meaningfully

Speakers

Felipe Zipitria

Senior Engineer II, Security, Life360

Felipe Zipitria is an expert in computer security, graduated with an MSc from the Universidad de la República in Uruguay. With over 20 years of experience in SRE, DevOps, and SysAdmin roles, Felipe has transitioned into specialized areas, dedicating the past 5 years to AppSec and... Read More →

Friday May 30, 2025 10:30am - 11:00am CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

10:30am CEST

Doors of (AI)pportunity: The Front and Backdoors of LLMs

Friday May 30, 2025 10:30am - 11:15am CEST

Room 113

The question “What is AI security?” followed by “No, not image classification, LLMs!” has become a frequent conversation for us at conferences around the world. So, we decided to answer the real question.

Having spent the last year actively trying to break LLMs as attackers and defenders, as external entities, and as insider threats, we have gathered and created many techniques to jailbreak, trick, and control LLMs, and have distilled previously complex techniques in a way everyone can understand. We will teach you how to exploit control tokens, much like when we hacked Google’s Gemini for Workspace. You will see how to get an LLM to pop a shell with an image of a seashell, and we’ll even provide the tools to automatically extract pop-culture exploits for your very own KROP gadgets. We will reveal how an insider threat could implant hidden logic or backdoors into your LLM, enabling an attacker to control outputs, change inputs, or even make the LLM refuse to say the word “OWASP”. We will enable you to take full control over their local LLMs, even demonstrating how an LLM can be fully and permanently jailbroken in minutes with a CPU rather than with dozens of hours on multiple GPUs. By the end, our audience will be able to make any LLM say whatever they want.

Speakers

Kasimir Schulz

Principal Security Researcher, HiddenLayer,

Kasimir Schulz, Principal Security Researcher at HiddenLayer, is a leading expert in uncovering zero-day exploits and supply chain vulnerabilities in AI. His work has been featured in BleepingComputer and Dark Reading, and he has spoken at conferences such as FS-ISAC and Black Hat... Read More →

Kenneth Yeung

AI Threat Researcher, HiddenLayer

Kenneth Yeung is an AI Threat Researcher at HiddenLayer, specializing in adversarial machine learning and AI security. He is known for identifying LLM vulnerabilities in AI systems like Google Gemini, and his work has been featured in publications like Forbes and DarkReading. Kenneth... Read More →

Friday May 30, 2025 10:30am - 11:15am CEST
Room 113

Breakout: Breaker Track

Audience Beginner

10:30am CEST

A completely pluggable DevSecOps programme, for free, using community resources

Friday May 30, 2025 10:30am - 11:15am CEST

Room 116+117

Despite our collective efforts, we haven’t managed to harmonize tools and processes. Several projects like ASVS, SAMM and others have attempted information harmony but only the now defunct Glue has attempted tool orchestration harmonization and for good reason, it is a hard problem to solve, almost impossible by volunteers alone.

This session introduces Smithy, the only open-source workflow engine for security tools. Smithy stands as a unifying force for building robust, scalable DevSecOps, and beyond, pipelines. Leveraging Smithy’s support for OCSF-native data formats, we centralized the outputs of disparate security tools into a cohesive data lake, unlocking actionable insights that improved vulnerability prioritization and resource allocation.

The talk will showcase real-world applications, including integrating OpenCRE, Cartography, AI-driven solutions and open-source resources to enhance vulnerability detection accuracy and reprioritization, for free, using ready made community resources.

Whether you're a tech lead, security engineer, or CISO, this presentation offers practical guidance for creating adaptable, data-driven security workflows without breaking the bank.

Speakers

Spyros Gasteratos

Security Engineer & Architect, OWASP

Spyros has over 15 years of experience in the security world. Since the beginning of his career he has been an avid supporter and contributor of open source software and an OWASP volunteer. Currently he is interested in the harmonization of security tools and information and is currently... Read More →

Friday May 30, 2025 10:30am - 11:15am CEST
Room 116+117 CCIB

Breakout: Builder Track

Audience Intermediate

10:30am CEST

Think Before You Prompt: Securing Large Language Models from a Code Perspective

Friday May 30, 2025 10:30am - 11:15am CEST

Room 114

As Large Language Models (LLMs) become integral to modern applications, securing them at the code level is critical to preventing prompt injection attacks, poisoned models, unauthorized modifications, and other vulnerabilities. This talk delves into common pitfalls and effective mitigations when integrating LLMs into software systems, whether working with cloud vendors or hosting your own models. By focusing on LLM security from a developer's perspective rather than runtime defenses, we emphasize a shift-left approach—embedding security early in the software development lifecycle to proactively mitigate threats and minimize risks before deployment.

We'll examine practical security challenges faced during LLM integration, including input sanitization, output validation, and model pinning. Through detailed code examples and a live demonstration of model tampering, attendees will witness firsthand how attackers can exploit inadequate security controls to compromise LLM systems. The demonstration will showcase a real-world scenario where a legitimate model is swapped with a malicious one, highlighting the critical importance of robust model integrity verification and secure deployment practices.

Participants will learn concrete implementation patterns and security controls that can prevent such attacks, with practical code samples they can apply to their own projects. The session will cover essential defensive techniques including proper API key management, secure model loading and validation, and safe handling of sensitive data in prompts. Whether you're building applications using cloud-based LLM services or deploying your own models, you'll leave with actionable code-level strategies to enhance your application's security posture and protect against emerging AI-specific threats.

Speakers

Yaron Avital

Security Researcher, Palo Alto Networks

Yaron Avital is a seasoned professional with a diverse background in the technology and cybersecurity fields. Yaron's career has spanned over 15 years in the private sector as a software engineer and team lead at global companies and startups.Driven by a passion for cybersecurity... Read More →

Tomer Segev

Security Researcher, Palo Alto Networks

Tomer Segev is a cybersecurity professional with a strong background in software development and security research. He began his career at 17 as a developer before serving as a cyber researcher in the top cyber unit of the IDF, where he gained hands-on experience in the most advanced... Read More →

Friday May 30, 2025 10:30am - 11:15am CEST
Room 114

Breakout: Defender Track

Audience Intermediate

10:30am CEST

LLMs vs. SAST: How AI Delivers Accurate Vulnerability Detection and Reduces False Positives

Friday May 30, 2025 10:30am - 11:15am CEST

Room 115

The exponentially growing number of software security vulnerabilities and data breaches highlights a persistent gap between the implementation of the secure development lifecycle and particularly secure coding practices and their intended outcomes. Despite significant financial investments in application security and the advancements in secure software development methodologies, the effectiveness of these practices remains inconsistent. Our session is based on a multi-phase and multi-year research, conducted in two global enterprise software companies and explores how a combination of developers' security education, organizational security climate, and metrics can enhance secure coding performance and reduce software vulnerabilities.

In December 2004, Steve Lipner introduced to the world the trustworthy computing security development lifecycle. A framework which included three main pillars: Requirements for repeatable secure development processes, requirements for engineers secure coding education and requirements for measurements and accountability for software security. Guided by this three-pillar framework , our research emphasizes the under-addressed areas of developer education and organizational accountability and measurements.

Through a series of three studies, conducted in two global software companies and led by the University of Haifa in Israel, this session will present the results of an academic research that made an attempt to identify the root cause for the ever increasing number of software security vulnerabilities and investigates the effectiveness of secure coding training, the impact of organizational security climate interventions, and the correlation between security climate and secure coding performance in order to evaluate whether the later two, which were prominently left in the shades, could provide a solution to the problem.

The first study evaluates the efficacy of secure coding training programs, revealing that while training improves knowledge, it fails to significantly to reduce newly introduced vulnerabilities. The second study demonstrates that targeted organizational interventions, including leadership communication and process improvements, significantly enhance organizational security climate. The final study found significant correlation between positive security climate and secure coding performance improvement, evidenced by a higher ratio of mitigated vulnerabilities.

This research provides actionable insights for both academia and industry. It underscores the importance of integrating secure coding education with organizational climate improvements to achieve measurable security outcomes. The findings offer a comprehensive approach to reducing cyber security risks while advocating for a dual focus on technical skills and cultural transformation within software development environments.

Speakers

Jonathan Santilli

Software Engineer and AI practitioner, Snyk

Jonathan Santilli defines himself as a problem solver, or at least he tries. With over 20 years of experience working for various tech companies, Jonathan has played different roles, from Team lead developer to Product manager and, of course, problem solver. Jonathan is mainly interested... Read More →

Kirill Efimov

Security R&D Team Lead, Mobb.ai

As a seasoned security researcher, I've led teams at Snyk and now helm security research at Mobb. With a wealth of publications and speaking engagements, I've delved deep into the intricacies of cybersecurity, unraveling vulnerabilities and crafting solutions. From pioneering research... Read More →

Friday May 30, 2025 10:30am - 11:15am CEST
Room 115

Breakout: Manager/Culture Track

Audience Intermediate

10:45am CEST

GenAI Security Project Getting down to business: practical & tactical Project Management

Friday May 30, 2025 10:45am - 11:45am CEST

Room 133-134

Friday May 30, 2025 10:45am - 11:45am CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

10:45am CEST

OWASP KubeFIM Advanced Threat Detection & Security Automation

Friday May 30, 2025 10:45am - 11:45am CEST

Room 133-134

1. Recap of Day 1 + What’s Next?
- Quick summary of how KubeFIM detects file changes in Kubernetes.
- Why KubeFIM is unique compared to traditional FIM solutions.

2. Advanced Use Cases: Detecting Real-World Threats - Detecting tampered application binaries & unauthorized config changes.
- Show how KubeFIM detects & alerts security teams in real time.

3. Integrating KubeFIM into Security Workflows - How to forward alerts to SIEM tools (Splunk, ELK Stack, OpenSearch)
- Using KubeFIM with SOAR platforms (automating threat response).
- Best practices for using KubeFIM in production Kubernetes clusters.

4. Roadmap & Future Improvements - What’s next for KubeFIM?

5. Closing Remarks & Q&A

Speakers

Abhijit Chatterjee

Co-Founder, Cyber Secure India

Abhijit is the Co-Founder of Cyber Secure India (CSI), a cybersecurity think tank focused on driving cybersecurity awareness, building a strong community through free education, sharing knowledge, and empowering young individuals to strengthen the digital infrastructure.

Friday May 30, 2025 10:45am - 11:45am CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

11:00am CEST

OWASP Nettacker

Friday May 30, 2025 11:00am - 11:30am CEST

Room 131-132

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers.

Nettacker can run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Speakers

Sam Stepanyan

OWASP Nettacker Project Leader, OWASP

Sam Stepanyan is an OWASP Global Board member and an OWASP London Chapter Leader, and an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry with a background in software engineering and web application development... Read More →

Friday May 30, 2025 11:00am - 11:30am CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

11:00am CEST

Level Up Your AppSec Game: OWASP SAMM's Roadmap to Security Excellence

Friday May 30, 2025 11:00am - 11:45am CEST

Room 133-134

Join OWASP project leader Sebastien for an engaging and interactive introduction and update on the OWASP Software Assurance Maturity Model (SAMM). We will cover SAMM's purpose and application in jumpstarting and accelerating your software assurance roadmap.

This session will provide valuable insights and practical knowledge on leveraging SAMM as secure development framework:

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM maps to other frameworks, such as the NIST Secure Software Development Framework (SSDF) and OpenCRE. This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture for any compliance requirement.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.

Speakers

Sebastien Deleersnyder

CTO, Toreon

Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →

Friday May 30, 2025 11:00am - 11:45am CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

11:00am CEST

OWASP Certified Secure Developer Open Call

Friday May 30, 2025 11:00am - 11:45am CEST

Room 133-134

Join Us in Shaping the Future of Secure Software Development

The OWASP Education and Training Committee is developing a certification program designed specifically for developers—and we need your expertise.

For the first time, this initiative will be showcased at OWASP Global AppSec EU 2025, and we’re inviting the community to help build the body of knowledge that will form the foundation of the certification curriculum.

If you're passionate about secure coding and developer education, this is your chance to contribute meaningfully to a global effort. Let’s build something that lasts—together.

Speakers

Shruti Kulkarni

Information Security Architect, 6point6

Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information... Read More →

Friday May 30, 2025 11:00am - 11:45am CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Call for Contributors

Audience Advanced, Beginner, Intermediate

11:30am CEST

Navigating Agentic AI Security Risks: OWASP’s GenAI Guidance for Securing Autonomous AI Agents

Friday May 30, 2025 11:30am - 12:00pm CEST

Room 131-132

As artificial intelligence advances, autonomous AI agents are becoming integral to modern applications, automating decision-making, problem-solving, and even interacting dynamically with users. However, this evolution brings new security challenges that traditional cybersecurity frameworks struggle to address. OWASP’s GenAI Security Project has identified Agentic Security Risks as a critical category of threats that can compromise AI-driven systems, leading to unintended actions, data leaks, model manipulation, and adversarial exploits.

This session will explore Agentic Security Risks—a unique class of vulnerabilities stemming from AI agents’ autonomy, adaptability, and ability to interact with complex environments. We’ll dissect how malicious actors can exploit these systems by influencing their decision-making processes, injecting harmful instructions, or leveraging prompt-based attacks to bypass safety constraints.

Through a deep dive into OWASP’s latest findings, attendees will gain practical insights into risk identification and mitigation strategies tailored for AI-driven agents. The talk will cover:

Understanding Agentic Security Risks: How autonomous AI agents process, reason, and act—and where vulnerabilities emerge.
Threat Modeling for AI Agents: Key security considerations when deploying AI-driven agents in enterprise and consumer applications.
Exploitable Weaknesses in AI Agents: Case studies on prompt injection, adversarial manipulation, data poisoning, and model exfiltration.
OWASP’s Mitigation Framework: Best practices for securing agentic AI systems, including robust validation, policy enforcement, access control, and behavioral monitoring.
Security by Design: How to integrate GenAI security principles into the development lifecycle to preemptively mitigate risks.
By the end of the session, attendees will have a structured approach to assessing and mitigating security risks in agentic AI systems. Whether you’re a developer, security professional, or AI architect, this session will equip you with actionable strategies to secure your AI-powered applications against emerging threats.

Join us to explore the cutting edge of AI security and ensure that autonomous agents work for us—not against us.

Speakers

John Sotiropoulos

Head of AI Security / OWASP GenAI Security Project (Top 10 for LLM & Agentic Security Co-Lead), Kainos

John Sotiropoulos is the head of AI Security at Kainos where he is responsible for AI security and securing national-scale systems in government, regulators, and healthcare. John has gained extensive experience in building and securing systems in previous roles as developer, CTO... Read More →

Friday May 30, 2025 11:30am - 12:00pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

Audience Intermediate, Advanced

11:30am CEST

Restless Guests: From Subscription to Backdoor Intruder

Friday May 30, 2025 11:30am - 12:15pm CEST

Room 113

Through novel research our team uncovered a critical vulnerability in Azure's guest user model, revealing that guest users can create and own subscriptions in external tenants they've joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.

We'll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We'll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!

Speakers

Simon Maxwell-Stewart

Security Researcher and Data Scientist, BeyondTrust

Simon Maxwell-Stewart is a seasoned data scientist with over a decade of experience in big data environments and a passion for pushing the boundaries of analytics. A Physics graduate from the University of Oxford, Simon began his career tackling complex data challenges and has since... Read More →

Friday May 30, 2025 11:30am - 12:15pm CEST
Room 113

Breakout: Breaker Track

Audience Intermediate

11:30am CEST

Introducing the 5.0 release of the ASVS

Friday May 30, 2025 11:30am - 12:15pm CEST

Room 116+117

Formally announcing v5.0 of the Application Security Verification Standard (ASVS), the first major release in five years of one of OWASP’s flagship projects. But the project has not been sitting idle for years, it has been under development the entire time.

This talk will cover the big changes and improvements in this recently released version.

This includes:
- Defining and clarifying the scope of the ASVS, and expectations for requirements.
- Mandating documented security decisions to provide some flexibility on implementing and verifying security requirements, to match the differences between organizations and applications.
- Adding several new chapters and making important changes to existing chapters.
- Providing a two-way mapping to make it easier to migrate from v4.x to v5.
- Balancing the levels and reducing the barrier to entry into Level 1.

We will also talk about how you can use the standard more effectively in your organizations, the future plans for ASVS now that version 5.0 is out, and how you can be involved.

It’s time to move forward - start using ASVS v5.0 and come on board to develop it further.

Speakers

Elar Lang

OWASP ASVS co-lead, Pentester/researcher/lecturer at Clarified Security, Clarified Security

Elar Lang is a web application security specialist and enthusiast who has been working for more than 13 years in different aspects of web application security. A full-time security tester, training architect, and web application security developer educator (close to 3000 hours of... Read More →

Friday May 30, 2025 11:30am - 12:15pm CEST
Room 116+117 CCIB

Breakout: Builder Track

Audience Beginner

11:30am CEST

Surviving prioritisation when CVE stands for “Customer Very Enthusiastic"

Friday May 30, 2025 11:30am - 12:15pm CEST

Room 114

Everybody talks about problems with the width of CVE space - too many, coming too fast, how to prioritise them. This talk takes the problem into 3D - let’s talk about the depth of the space!

How a single medium risk CVE can consume crazy amounts of time of an AppSec team?

We will look into couple of examples of CVEs in a product that my team protects and trace their journey through the ecosystem. On the journey we will meet various dragons, hydras, and other dangerous creatures:

- LLM-empowered scanners hallucinating CVSS scores, packages, versions, anything;
- Good research teams making mistakes translating between different versions of CVSS
- Glory-chasing “research teams” writing their own advisories for no apparent reason
- Consensus based approach in CVE ecosystem guarantees security team cannot sleep until EVERY scanner has calmed down;
- And my favourite troll under the bridge: customers saying “I don’t care it’s not reachable in your context, I can’t deploy your product until my scanner is happy”.

The soundtrack for the quest is provided by the vendors continuously messaging you with fantastic promises to solve everything.

Can your character survive the quest and what loot do you need?

Speakers

Irene Michlin

Application Security Lead, Neo4j

Irene Michlin is an application security lead at Neo4j. Before going into application security, Irene worked as software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles... Read More →

Friday May 30, 2025 11:30am - 12:15pm CEST
Room 114

Breakout: Defender Track

Audience Intermediate

11:30am CEST

Security Champion Worst Practices

Friday May 30, 2025 11:30am - 12:15pm CEST

Room 115

Security champion programs are all the rage right now, but they aren’t a magic bullet; they are a lot of work and more than half of them fail. We want to scale our security programs and improve security culture and communication, but what happens when are champions are less-than-enthused? There’s no support from management? We can’t get enough buy in? Let’s look at when things go WRONG with security champions programs, with this list of WORST practices, and how to avoid each one.

Speakers

Tanya Janca

Staff DevRel, Semgrep

Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security’ and the ‘AppSec Antics’ card game. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member... Read More →

Friday May 30, 2025 11:30am - 12:15pm CEST
Room 115

Breakout: Manager/Culture Track

Audience Advanced

1:15pm CEST

OWASP Cornucopia: Scaling secure design & requirement gathering activities

Friday May 30, 2025 1:15pm - 1:45pm CEST

Room 131-132

We are launching a brand-new version of OWASP Cornucopia with QR codes that will make threat modeling, security requirement gathering, and security design much easier! Each QR code will take you to a brand-new OWASP Cornucopia website, where you can explore each card and the security requirements and controls connected to them (see https://owaspcornucopia.org/ ). This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way.

Coming soon!
Web store for you to buy OWASP Cornucopia card decks.

Call for contributors
We are looking for volunteers that would like to help us improve the new website and those who would like to help translate Cornucopia into various languages to ensure that developers who don't have English as their mother tongue, understand the requirements and controls presented to them. We are also looking for ideas and help in maintaining and improving the new website to ensure it becomes a valuable tool for everyone looking at solving application security challenges.

Speakers

Johan Sydseter - The guy with the long hair, not the long beard

Application Security Engineer, Admincontrol AS

Johan Sydseter is one of the co-leaders of OWASP Cornucopia and the co-creator of the OWASP Cornucopia Mobile App Edition. He is an Application Security engineer, developer, architect, and DevOps practitioner with 16 years of experience building and designing backend and frontend... Read More →

Friday May 30, 2025 1:15pm - 1:45pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

1:15pm CEST

Abusing misconfigurations in CI/CD to hijack apps and clouds

Friday May 30, 2025 1:15pm - 2:00pm CEST

Room 113

Writing and maintaining secure applications is hard enough, and in today's paradigm with DevOps and CI/CD developers are often tasked with integrating and automating a full code-to-cloud pipeline. This introduces new control plane to application risks. Some of these instances can lead to full compromise if exploited by a threat actor.

In this talk we will break down the core components of a modern CI/CD-workflow such as OIDC, GitHub Actions and Workload Identities. Then we will describe the security properties of these components, and present a threat model for the code-to-cloud flow. Based on this we will showcase and demonstrate common flaws that could lead to full application and cloud compromise.

To increase the capacity of organizations to detect such flaws we will release an open source tool, developed by the presenters, to discover and triage these issues. In the session the tool will be demonstrated and discussed. Attendees will get actionable knowledge and tooling that can be applied when leaving the room. The talk and tool is based on findings and experiences from cloud and application security assessment conducted by the presenters.

Speakers

Håkon Nikolai Stange Sørum

Principal Security Architect and Partner, O3 Cyber

Håkon has extensive knowledge on implementing secure software development practices for modern DevOps teams, designing and implementing cloud security architectures, and securely operating cloud infrastructure. Håkon offers industry insights into the implementation of secure design... Read More →

Karim El-Melhaoui

Principal Security Architect at O3 Cyber, Microsoft Security MVP, O3 Cyber

Karim is a seasoned and renowned thought leader within cloud security. At O3 Cyber, he conducts research and development and works with our clients, primarily in Financial Industry. Karim has a background in building and operating platform services for security on private and public... Read More →

Friday May 30, 2025 1:15pm - 2:00pm CEST
Room 113

Breakout: Breaker Track

Audience Intermediate

1:15pm CEST

Scaling Threat Modeling with a Developer-Centric Approach

Friday May 30, 2025 1:15pm - 2:00pm CEST

Room 116+117

How can we make threat modeling scalable, actionable, and accessible for all stakeholders?

Traditional threat modeling methodologies struggle to scale in agile environments. They often result in over-scoped, resource-heavy processes that lack actionable insights and rely on scarce security expertise, limiting adoption in large organizations.

This talk introduces Rapid Developer-Driven Threat Modeling (RaD-TM), a lightweight, tool-agnostic approach designed for developers to embed threat modeling into the SDLC without relying on security experts. RaD-TM focuses on targeted assessments of specific functionalities rather than application-wide models, enabling iterative and efficient risk mitigation.
Using Risk Templates, which are predefined collections of relevant risks and controls tailored to specific contexts, RaD-TM fosters collaboration among stakeholders to build a scalable threat modeling process. This session will offer real-world examples and step-by-step guidance on integrating RaD-TM into the development workflow.

Speakers

Andrew Hainault

Managing Director, Aon Cyber Solutions

Andrew has over 25 years’ experience working in Information Security, Information Technology and Software Engineering, for public and private sector organisations in many sectors - including financial services / fintech, energy utilities, media, entertainment and insurance. With... Read More →

Andrea Scaduto

Secure coding, threat modeling, and ethical hacking

With a strong foundation in cybersecurity, Andrea holds an MSc in Computer Engineering, multiple IT Security certifications, and more than a decade of industry experience. His expertise spans breaking, building, and securing web, mobile, and cloud applications, with extensive knowledge... Read More →

Friday May 30, 2025 1:15pm - 2:00pm CEST
Room 116+117 CCIB

Breakout: Builder Track

Audience Intermediate

1:15pm CEST

Signing is Sassy, but CI/CD Security Pays the Bills

Friday May 30, 2025 1:15pm - 2:00pm CEST

Room 114

This talk is primarily aimed at AppSec practitioners, DevOps & SecOps Engineers as well as Makers and Breakers. If this is not you but you have a professional interest in CI/CD and Security then we’d love you to join us.

Modern software development practices rely entirely on CI/CD systems to deliver change at scale and speed. These systems are highly privileged environments with many actors and entities ( internal, external, human, machine ), and known attack vectors. The risk of compromise is severe because attacks can easily go undetected for extended dwell times resulting in an exponential blast radius. Just ask SolarWinds.

Now that we’ve set the scene it’s time to buckle up because we’re going to share what we’ve learnt, what can be done and what is the art of the possible. And what might the future look like.

This talk will focus on what good security looks like for CI/CD systems and lessons from the field. Spoiler: It’s challenging at scale because security solutions aren’t keeping pace. We will talk about our journey navigating complex CI/CD setups, where we recognise ways these systems can be exploited, and propose ways to tackle with some of the challenges. We’ll also see how signing could get us closer to securing the DevOps environment.

We’ll talk about the need to balance security with engineering imperatives. Enhancing your security posture is an investment that draws down on precious engineering resource, acting as a drag on productivity and cadence. Therefore, expect engineering functions to challenge it, hard and rightly so. Being able to influence key stakeholders so that they are onboard and committed is a must – we’ll show you how we approach this.

This talk will help you prepare for those tough conversations. At the end of the talk we want you to understand how to build a business case for CI/CD Security adoption in your organisation including how to implement in your workplace. The starting point is knowing how much risk your organisation’s build environment is exposed to and how much is tolerable.

Speakers

Patricia R.

Root

Automation, innovation and correctness. Three principles constantly on my mind.Working in security consultancy and engineering, endeavoring in exciting projects. Strive to deliver impact and change in the realms of cloud (security), identity and architecture. @ytimyno linkedin.co... Read More →

Chris Snowden

Enterprise Security Architect

Accidental Application Security Architect! Software Engineer by trade. linkedin.com/in/csn0wden/

Friday May 30, 2025 1:15pm - 2:00pm CEST
Room 114

Breakout: Defender Track

Audience Advanced

1:15pm CEST

Scale Security Programs with Scorecarding

Friday May 30, 2025 1:15pm - 2:00pm CEST

Room 115

Security teams increasingly take a collaborative, partnership-based approach to securing their applications and organizations. Scaling these efforts requires thoughtfully distributing awareness and ownership of security risk. Scorecarding is used at leading companies to make security posture visible, actionable, and engaging across the entire organization.

In this session, we’ll dive into how companies like Netflix, Chime, GitHub, and DigitalOcean use scorecarding to distribute security ownership, drive continuous improvement, and align risk management with business goals. You’ll walk away with practical, tool-agnostic strategies for implementing your own scorecarding program that not only enhances security posture but fosters a culture of shared responsibility and proactive risk management.

Speakers

Rami McCarthy

Principal Security Researcher, Wiz

Rami is a practitioner with expertise in cloud security and building impactful security programs for startups and high-growth companies. In past roles, he helped build the Infrastructure Security program at Figma and scale security at Cedar, a health-tech unicorn. Rami regularly blogs... Read More →

Friday May 30, 2025 1:15pm - 2:00pm CEST
Room 115

Breakout: Manager/Culture Track

Audience Intermediate

1:15pm CEST

OWASP ASVS Nuclei

Friday May 30, 2025 1:15pm - 2:15pm CEST

Room 133-134

Tired of the slow, manual grind of ASVS assessments? This live demo introduces the OWASP ASVS Security Evaluation Templates—an open-source toolkit built on Nuclei to streamline and scale your web application security testing.

Designed for security practitioners, this session walks through real-world use cases, showing how to plug these templates into your existing workflows for faster, more accurate ASVS evaluations. We’ll cover customization, integration, and key considerations for operationalizing the templates—plus, how you can contribute back to the project.

Whether you’re looking to boost testing efficiency or reduce human error, this session gives you the tools to level up your appsec approach in a fraction of the time.

Speakers

AmirHossein Raeisi

Application Security Engineer

Hamed Salimian

Cybersecurity Auditor, OWASP Project Lead

Experienced cybersecurity auditor and penetration tester with a proven track record in securing systems for banking and industrial organizations. Adept at identifying vulnerabilities, ensuring compliance, and implementing robust security solutions. Proficient programmer with expertise... Read More →

Friday May 30, 2025 1:15pm - 2:15pm CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

1:15pm CEST

OWASP DefectDojo

Friday May 30, 2025 1:15pm - 2:15pm CEST

Room 133-134

Speakers

Matt Tesauro

Distinguished Engineer, Founder and AppSec guru, Noname Security

Matt Tesauro is a DevSecOps and AppSec guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement... Read More →

Friday May 30, 2025 1:15pm - 2:15pm CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

1:45pm CEST

OWASP Top 10 for Business Logic Abuse

Friday May 30, 2025 1:45pm - 2:15pm CEST

Room 131-132

How often have you heard developers ask, "Where is Race Condition in OWASP?" or "Why aren’t business workflows part of the Top 10?"

These questions highlight a glaring gap: the OWASP lists often focus on technical implementation vulnerabilities while overlooking the fundamental flaws in business logic—the very backbone of applications. This is why we started the OWASP Business Logic Abuse Top 10 Project: to address the workflow bypasses, logic flaws, and design vulnerabilities that attackers exploit, regardless of whether you’re building a web app, API, firmware, or supply chain system.

This project's foundation in Turing machine principles makes it unique, where business logic is modeled as finite states, transitions, and memory operations. By breaking down vulnerabilities into their computational roots—data handling (tape), access mechanisms (head), workflows (states), and transitions—we not only classify these issues but also provide a clear framework for identifying and mitigating them. Whether it’s race conditions in financial systems or workflow skips in authentication processes, this approach brings business logic vulnerabilities to the forefront.

This Top 10 isn’t just another list; it’s a cross-domain framework that bridges gaps between OWASP categories and provides clarity for developers, architects, and security professionals. If you’ve ever wondered why logic abuse isn’t explicitly addressed in web apps, APIs, or mobile security, this project is your answer. Join us to explore real-world examples, understand the unique methodology, and discover how you can contribute to this open, repeatable framework that empowers teams to tame business logic abuse in any system.

Speakers

Ivan Novikov

Wallarm

Ivan Novikov is the CEO and co-founder of Wallarm and an "ethical hacker" security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class (as well as author of the SSRF bible), and the recipient... Read More →

Friday May 30, 2025 1:45pm - 2:15pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

Company Wallarm
Audience Advanced
Subject OWASP Project
Twitter @test

2:15pm CEST

OWASP Security Champions Guide Project

Friday May 30, 2025 2:15pm - 2:45pm CEST

Room 131-132

OWASP Security Champions Guide Project was started to create an open-source, vendor-neutral guidebook for Application Security professionals to help them build and improve their own successful Security Champion programs.

In this talk, Aleksandra will describe the main elements of the project and will guide you through the key principles of a successful Security Champions Program.

Regarding Security Champions programs, one size will not fit all – and as such our Project allows managers, security professionals or team leaders to pick and choose the elements their organization can adopt or leverage to create their own customized program.

Our Project team interviewed security leaders, program coordinators, and security champions to establish what makes a successful program. Participants represent a range of company sizes, industries, geographies, and also different levels of security program maturity. We want to know what works, what doesn’t work, what promotes success, and what leads to failure.

The principles have been drawn from an initial series of in-depth interviews with Application Security leaders from across the globe as part of our wider goal to provide a comprehensive Security Champions playbook.

The Ten Key Principles of a Successful Security Champions Program:
1. Be passionate about security
2. Start with a clear vision for your program
3. Secure management support
4. Nominate a dedicated captain
5. Trust your champions
6. Create a community
7. Promote knowledge sharing
8. Reward responsibility
9. Invest in your champions
10. Anticipate personnel changes

More about the Project:
- Existing Project webpage: https://owasp.org/www-project-security-champions-guidebook/
- New Project webpage: https://securitychampions.owasp.org/

Speakers

Aleksandra Kornecka

Security Engineer

Aleksandra is a security engineer with a global citizen mindset, unafraid to explore diverse destinations—both mentally and geographically. With a background in software testing and cognitive science, she brings a unique blend of technical and soft skills to the table.As a member... Read More →

Friday May 30, 2025 2:15pm - 2:45pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

Audience Intermediate

2:15pm CEST

Compromised at the Source: Supply Chain Risks in Open-Source AI

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 113

Step into the shadowy world of AI tools and ask yourself: How secure are they? This session dives deep into the architecture of AI models, exposing their most vulnerable points. Moreover, you will learn how malicious actors can weaponize AI, turning powerful tools into threats based on an example of a ‘Malicious Copilot’ IDE plugin. It will reveal how a code-completion model can be trained to embed harmful behavior, target victims, and execute attacks. Finally, you will take home actionable strategies for organizations leveraging generative AI and LLMs, ensuring security isn’t left to chance.

Speakers

Tal Folkman

Security Research Team Lead, Checkmarx

Tal brings over 8 years of experience to her role as a supply chain security research team lead within Checkmarx Supply Chain Security group. She is in charge of detecting tracking and stopping Opensource attacks. linkedin.com/in/tal-folkman/ medium.com/@tal.folk... (blog... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 113

Breakout: Breaker Track

Audience Beginner

2:15pm CEST

Transaction authorization pitfalls – How to improve current financial, payment, and e-commerce apps?

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 116+117

During my career, I've had the opportunity to work with many financial institutions, payment processors, fintechs, and e-commerce operators. In recent years, the threat landscape for internet payments has changed significantly, since our smartphone has become the center of our digital life, financial transactions, and digital identity. Such concentration of power in a single asset has poor influence on overall security.

In my presentation, I will explore this dynamic threat landscape, show real-life vulnerabilities and threats, and discuss possible solutions to protect customers' funds. Additionally, I will examine the role of regulatory compliance in solving issues related to online payments.

My presentation will be divided into three parts.

In the first part of my presentation, I will show real-life threats and vulnerabilities affecting current transaction authorization processes, including technical and logical ones. I will present case studies of attacks that caused my relatives and friends to lose their money.

In the second part, I will discuss possible safeguards to raise the bar for attackers without compromising usability on many levels of user interaction:
- banking apps and systems, payments, fintechs
- e-commerce apps, social media apps, telecom operators
I will also demonstrate how developers, blue teams, and threat intelligence experts can cooperate to detect financial fraud at the application level and protect customers' funds.

In the third part, I will discuss whether current and upcoming financial sector regulations, such as DORA, PSD3, and PSR, address transaction authorization problems. I will also explore whether we as the IT security community can do more than just follow compliance rules.

Speakers

Wojciech Dworakowski

OWASP Poland Chapter Co-leader, Managing Partner, SecuRing

An IT Security Consultant with over 20 years of experience in the field. A Managing Partner at SecuRing. He has led multiple security assessments and penetration tests especially for financial services, payment systems, SaaS, and startups. A lecturer at many security conferences... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 116+117 CCIB

Breakout: Builder Track

Audience Intermediate

2:15pm CEST

GenAI Security - Insights and Current Gaps in OS LLM Vulnerability scanners and Guardrails

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 114

As Large Language Models (LLMs) become integral to various applications, securing them against evolving threats—such as **information leakage, jailbreak attacks, and prompt injection—**remains a critical challenge. This presentation provides a comparative analysis of open-source vulnerability scanners—Garak, Giskard, PyRIT, and CyberSecEval—that leverage red-teaming methodologies to uncover these risks. We explore their capabilities, limitations, and design principles, while conducting quantitative evaluations that expose key gaps in their ability to reliably detect attacks.

However, vulnerability detection alone is not enough. Proactive security measures, such as AI guardrails, are essential to mitigating real-world threats. We will discuss how guardrail mechanisms—including **input/output filtering, policy enforcement, and real-time anomaly detection—**can complement scanner-based assessments to create a holistic security approach for LLM deployments. Additionally, we present a preliminary labeled dataset, aimed at improving scanner effectiveness and enabling more robust guardrail implementations.

Beyond these tools, we will share our experience in developing a comprehensive GenAI security framework at Fujitsu, designed to integrate both scanning and guardrail solutions within an enterprise AI security strategy. This framework emphasizes multi-layered protection, balancing LLM risk assessments, red-teaming methodologies, and runtime defenses to proactively mitigate emerging threats.

Finally, based on our findings, we will provide strategic recommendations for organizations looking to enhance their LLM security posture, including:

Selecting the right scanners for red-teaming and vulnerability assessments
Implementing guardrails to ensure real-time policy enforcement and risk mitigation
Adopting a structured framework for securing GenAI systems at scale
This session aims to bridge theory and practice, equipping security professionals with actionable insights to fortify LLM deployments in real-world environments.

Speakers

Roman Vainshtein

Head of the GenAI Trust, Fujitsu Research of Europe

I am the Head of the Generative AI Trust and Security Research team at Fujitsu Research of Europe, where I lead efforts to enhance the security, trustworthiness, and resilience of Generative AI systems. My work focuses on bridging the gap between AI security, red-teaming methodologies... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 114

Breakout: Defender Track

Audience Intermediate

2:15pm CEST

Metrics That Matter: Driving AppSec Success with Data-Driven Insights

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 115

“What gets measured, gets managed” is perhaps an over-simplification, but the quote has its merits. In terms of building an effective application security Program, measurement and metrics go a long way, and by collecting, observing, and presenting actionable AppSec metrics, you can bridge the gap between Security Engineering and leadership’s strategic priorities.

In this session, we will start by speaking about different types of metrics, both qualitative and quantitative, and how these metrics can be categorised to align better with frameworks defining application security Metrics as a required control.
From there, we will start to look at what metrics we should use and how they can be visualised. By visualising these metrics, we can come to conclusions around whether or not the application security program is effective and what we should do to drive improvement.

Last, but not least, we’ll talk about how the data and visualisations can support us in our communication with leadership by supporting our requests and recommendations based on data and looking at trends.

In many areas of life—application security included—what gets measured can be proven, and what gets proven can be improved.

Speakers

David Andersson

Senior Engineering Manager, Grafana Labs

David Andersson is an information security professional with 20 years experience from both private companies and government agencies. He is a senior engineering manager at Grafana Labs, responsible for the Security Engineering team and specialises in building a strong application... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 115

Breakout: Manager/Culture Track

Audience Beginner

2:15pm CEST

Let's Play! OWASP Cumulus

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 133-134

Join us for an engaging session where we'll demonstrate OWASP Cumulus, a card game tailored for threat modeling the Ops of DevOps. Dive into a cloud scenario with us and uncover potential threats while having fun.

Let's play and explore the intricacies of DevOps security together!

Speakers

Christoph Niehoff

Senior Consultant, TNG Technology Consulting

In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

2:15pm CEST

OWASP Juice Shop Demo: Your vitamin shot for security awareness & education

Friday May 30, 2025 2:15pm - 3:00pm CEST

Room 133-134

In this 100% slide-free demo session you will embark on a journey through the popular OWASP Juice Shop vulnerable web application!

You will experience firsthand how easy it is to set up, get started, and solve your first hacking & coding challenges. In a quick mob-hacking session, you will gain your first points on Juice Shop's extensive score board!

The demo also includes a glimpse into Juice Shop's CTF tool and its multi-user hosting environment MultiJuicer! You will witness how fast a CTF event can be launched with OWASP Juice Shop, how great documentation really makes a difference, and even how to make
the application look like an in-house app of your own company.

Due to the nature of this small group demo session, you are welcome to ask questions during and between the different topics - ad libitum! There is time for clarification and dipping into special topics.

If time permits, this session can also cover interesting behind-the-scenes topics, such as cheat detection, start-up validations, webhook integrations, and a pro-level Grafana dashboard for observability!

Even if you know and have used OWASP Juice Shop yourself already,
there's no chance you've already seen everything that will be covered in this session!

Speakers

Björn Kimminich

Product Group Lead, Kuehne+Nagel

Bjoern Kimminich works as Product Group Lead Application Ecosystem at Kuehne + Nagel, responsible – among other things – for the Application Security program in the corporate IT. He is an OWASP Lifetime Member, the project leader of the OWASP Juice Shop, and a co-chapter leader... Read More →

Friday May 30, 2025 2:15pm - 3:00pm CEST
Room 133-134

Breakout: OWASP Project Demo Lab, Demo

2:45pm CEST

OWASP Top 10 for CI/CD Security: Evolution Since the Top 10 Project’s Inception

Friday May 30, 2025 2:45pm - 3:15pm CEST

Room 131-132

The OWASP Top 10 CI/CD Security Risks Project has been a cornerstone for securing CI/CD environments since its inception three years ago. This talk will explore how the CI/CD security landscape has evolved during this time, with a primary focus on the most significant developments over the past year. By revisiting the project’s original risks and comparing them to recent threats, including new breaches and innovative attack techniques, we will highlight how the field has adapted to a rapidly changing environment. Attendees will gain a comprehensive understanding of the progress made since the project’s release and actionable insights to fortify their pipelines against emerging risks.

Speakers

Omer Gil

Senior Research Manager & Co-Author of the "OWASP Top 10 CI/CD Security Risks", Palo Alto Networks

Omer is an application and cloud security expert with 15 years of experience across multiple security disciplines. An experienced researcher and public speaker, Omer discovered the Web Cache Deception attack vector in 2017, co-authored the "OWASP Top 10 CI/CD Security Risks" project... Read More →

Friday May 30, 2025 2:45pm - 3:15pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

3:00pm CEST

PM Break with Exhibitors

Friday May 30, 2025 3:00pm - 3:30pm CEST

Area 1

Meals provided by OWASP

Friday May 30, 2025 3:00pm - 3:30pm CEST
Area 1

Meals provided by OWASP

3:30pm CEST

When Regulation Backfires: How a Vulnerable Plugin Led to an XSS Pandemic

Friday May 30, 2025 3:30pm - 4:15pm CEST

Room 113

What began as a simple WAF bypass challenge on a single website turned into the discovery of a vulnerability affecting thousands of organizations. Join us in the journey of how an accessibility plugin, mandated by regulation, became the perfect vehicle for a widespread XSS vulnerability. We’ll explore the real-world impact of compromised sensitive systems, from government and military to healthcare and finance, showing how a single regulatory requirement led to an ecosystem-wide security breach.

We’ll also analyze the plugin’s source code to understand how and why this XSS vulnerability occurs, along with a behavior analysis that suggests the plugin may also be tracking users without consent, indicating potential malicious intent. Additionally, we’ll share the methodology and tools used to uncover and validate these vulnerabilities at scale.

Speakers

Eilon Cohen

Security Analyst, Checkmarx Research

That kid who took apart all his toys to see how they worked.Currently breaking (and fixing) things in the Research group at Checkmarx. Educational spans from Mechanical Engineering and Robotics to Computer science, but a self-made security personnel. Ex-IBM as a security engineer... Read More →

Ori Ron

Senior AppSec Researcher, Checkmarx

Ori Ron is a Senior Application Security Researcher at Checkmarx with over 8 years of experience. He works to find and help fix security vulnerabilities and enjoys sharing security knowledge through talks and write-ups. linkedin.com/in/ori-ron-40099912b/ checkmarx.com/author/or... Read More →

Friday May 30, 2025 3:30pm - 4:15pm CEST
Room 113

Breakout: Breaker Track

Audience Intermediate

3:30pm CEST

LLM-Powered private Threat Modeling

Friday May 30, 2025 3:30pm - 4:15pm CEST

Room 116+117

In this session, we'll explore the development of an in-house threat modeling assistant that leverages Large Language Models through AWS Bedrock and Anthropic Claude. Learn how we're building a private solution that automates and streamlines the threat modeling process while keeping sensitive security data within our control. We'll demonstrate how this proof-of-concept tool combines LangChain and Streamlit to create an interactive threat modeling experience. Join us to see how modern AI technologies can enhance security analysis while maintaining data privacy.

Speakers

Murat Zhumagali

Principal Security Engineer, Progress ShareFile

Master in CS from University of Southern California 2013 - 2016Security intern at IBM summer 2016Security engineer at IBM 2017 - 2021Senior Security engineer at Fiddler AI 2021 - 2023Lead Security engineer at Jukebox 2023 - 2024Principal Security engineer at Progress ShareFile 2024... Read More →

Friday May 30, 2025 3:30pm - 4:15pm CEST
Room 116+117 CCIB

Breakout: Builder Track

Audience Intermediate

3:30pm CEST

Know Thy Judge: Uncovering Vulnerabilities of AI Evaluators

Friday May 30, 2025 3:30pm - 4:15pm CEST

Room 114

Current methods for evaluating the safety of Large Language Models (LLMs) risk creating a false sense of security. Organizations deploying generative AI often rely on automated “judges” to detect safety violations like jailbreak attacks, as scaling evaluations with human experts is impractical. These judges—typically built with LLMs—underpin key safety processes such as offline benchmarking and automated red-teaming, as well as online guardrails designed to minimize risks from attacks. However, this raises a crucial question of meta-evaluation: can we trust the evaluations provided by these evaluators?

In this talk, we examine how popular LLM-as-judge systems were initially evaluated—typically using narrow datasets, constrained attack scenarios, and limited human validation—and why these approaches can fall short. We highlight two critical challenges: (i) evaluations in the wild, where factors like prompt sensitivity and distribution shifts can affect performance, and (ii) adversarial attacks that target the judges themselves. Through practical examples, we demonstrate how minor changes in data or attack strategies that do not affect the underlying safety nature of the model outputs can significantly reduce a judge’s ability to assess jailbreak success.

Our aim is to underscore the need for rigorous threat modeling and clearer applicability domains for LLM-as-judge systems. Without these measures, low attack success rates may not reliably indicate robust safety, leaving deployed models vulnerable to unseen risks.

Speakers

Francisco Girbal Eiras

Machine Learning Research Scientist, DynamoAI

Francisco is an ML Research Scientist at Dynamo AI, a leading startup building enterprise solutions that enable private, secure, and compliant generative AI systems. He earned his PhD in trustworthy machine learning from the University of Oxford as part of the Autonomous Intelligent... Read More →

Eliott Zemour

Senior ML Research Engineer, Dynamo AI

linkedin.com/in/eliott-zemour/

Dan Ross

Head of AI Compliance Strategy, Dynamo AI

Dan Ross, Head of AI Compliance Strategy at Dynamo AI, focuses on aligning artificial intelligence, policy, risk and security management, and business application. Prior to Dynamo, Dan spent close to a decade at Promontory Financial Group, a premier risk and regulatory advisory firm... Read More →

Friday May 30, 2025 3:30pm - 4:15pm CEST
Room 114

Breakout: Defender Track

Audience Intermediate

3:30pm CEST

An AppSec Tale: From Zero to Champions

Friday May 30, 2025 3:30pm - 4:15pm CEST

Room 115

Listen in on how a big energy company from Norway runs a Security Champion Network with 250+ members! Ever wondered about the struggles of managing a 3-year-old network?

This light-hearted talk will give you context on:
- What the AppSec team does in Equinor.
- How our Security Champion program is structured.
- What we've learned so far.
- What challenges we've faced and how we have tried to solve them.
- Our gamification strategy.
- Key take-aways.

You will (hopefully) gain inspiration to bring home on how to run or improve your own Security Champion Network.

Speakers

Even Tillerli

Application Security, Equinor

Developer gone AppSec. He found security could be fun and went with it.no.linkedin.com/in/even-tillerli-b38bab8b onlydev.art (Development art... Read More →

Nicole Silva

Application Security Engineer, Equinor

Nicole comes from Portugal, she started out as a Full Stack Developer, but a growing interest for cybersecurity led her to Equinor where she is part of the AppSec team. no.linkedin.com/in/nicole-silva-b614b41bb... Read More →

Friday May 30, 2025 3:30pm - 4:15pm CEST
Room 115

Breakout: Manager/Culture Track

Audience Beginner

3:35pm CEST

OWASP DefectDojo - What's next?

Friday May 30, 2025 3:35pm - 4:05pm CEST

Room 131-132

As OWASP DefectDojo continues to grow and thrive, what are the most recent developments and what new challenges are ahead for the project. This project showcase talk will review the current state of the project highlighting some exciting developments including the new documentation site and documentation writer to make using DefectDojo even easier. Get caught up in the best DefectDojo has to offer and what to expect in the rest of 2025.

Speakers

Matt Tesauro

Distinguished Engineer, Founder and AppSec guru, Noname Security

Friday May 30, 2025 3:35pm - 4:05pm CEST
Room 131-132

Breakout: OWASP Project Showcase Track, Lightning Talk

4:30pm CEST

Closing Ceremony and Raffle

Friday May 30, 2025 4:30pm - 5:30pm CEST

Room 116+117

Come wrap up the conference with us, hear special annoucements, and win prizes!

Friday May 30, 2025 4:30pm - 5:30pm CEST
Room 116+117 CCIB

BONUS TRACK