OWASP 2025 Global AppSec EU

As Large Language Models (LLMs) become integral to modern applications, securing them at the code level is critical to preventing prompt injection attacks, poisoned models, unauthorized modifications, and other vulnerabilities. This talk delves into common pitfalls and effective mitigations when integrating LLMs into software systems, whether working with cloud vendors or hosting your own models. By focusing on LLM security from a developer's perspective rather than runtime defenses, we emphasize a shift-left approach—embedding security early in the software development lifecycle to proactively mitigate threats and minimize risks before deployment.

We'll examine practical security challenges faced during LLM integration, including input sanitization, output validation, and model pinning. Through detailed code examples and a live demonstration of model tampering, attendees will witness firsthand how attackers can exploit inadequate security controls to compromise LLM systems. The demonstration will showcase a real-world scenario where a legitimate model is swapped with a malicious one, highlighting the critical importance of robust model integrity verification and secure deployment practices.

Participants will learn concrete implementation patterns and security controls that can prevent such attacks, with practical code samples they can apply to their own projects. The session will cover essential defensive techniques including proper API key management, secure model loading and validation, and safe handling of sensitive data in prompts. Whether you're building applications using cloud-based LLM services or deploying your own models, you'll leave with actionable code-level strategies to enhance your application's security posture and protect against emerging AI-specific threats.

Everybody talks about problems with the width of CVE space - too many, coming too fast, how to prioritise them. This talk takes the problem into 3D - let’s talk about the depth of the space!

How a single medium risk CVE can consume crazy amounts of time of an AppSec team?

We will look into couple of examples of CVEs in a product that my team protects and trace their journey through the ecosystem. On the journey we will meet various dragons, hydras, and other dangerous creatures:

- LLM-empowered scanners hallucinating CVSS scores, packages, versions, anything;
- Good research teams making mistakes translating between different versions of CVSS
- Glory-chasing “research teams” writing their own advisories for no apparent reason
- Consensus based approach in CVE ecosystem guarantees security team cannot sleep until EVERY scanner has calmed down;
- And my favourite troll under the bridge: customers saying “I don’t care it’s not reachable in your context, I can’t deploy your product until my scanner is happy”.

The soundtrack for the quest is provided by the vendors continuously messaging you with fantastic promises to solve everything.

Can your character survive the quest and what loot do you need?

This talk is primarily aimed at AppSec practitioners, DevOps & SecOps Engineers as well as Makers and Breakers. If this is not you but you have a professional interest in CI/CD and Security then we’d love you to join us.

Modern software development practices rely entirely on CI/CD systems to deliver change at scale and speed. These systems are highly privileged environments with many actors and entities ( internal, external, human, machine ), and known attack vectors. The risk of compromise is severe because attacks can easily go undetected for extended dwell times resulting in an exponential blast radius. Just ask SolarWinds.

Now that we’ve set the scene it’s time to buckle up because we’re going to share what we’ve learnt, what can be done and what is the art of the possible. And what might the future look like.

This talk will focus on what good security looks like for CI/CD systems and lessons from the field. Spoiler: It’s challenging at scale because security solutions aren’t keeping pace. We will talk about our journey navigating complex CI/CD setups, where we recognise ways these systems can be exploited, and propose ways to tackle with some of the challenges. We’ll also see how signing could get us closer to securing the DevOps environment.

We’ll talk about the need to balance security with engineering imperatives. Enhancing your security posture is an investment that draws down on precious engineering resource, acting as a drag on productivity and cadence. Therefore, expect engineering functions to challenge it, hard and rightly so. Being able to influence key stakeholders so that they are onboard and committed is a must – we’ll show you how we approach this.

This talk will help you prepare for those tough conversations. At the end of the talk we want you to understand how to build a business case for CI/CD Security adoption in your organisation including how to implement in your workplace. The starting point is knowing how much risk your organisation’s build environment is exposed to and how much is tolerable.

As Large Language Models (LLMs) become integral to various applications, securing them against evolving threats—such as **information leakage, jailbreak attacks, and prompt injection—**remains a critical challenge. This presentation provides a comparative analysis of open-source vulnerability scanners—Garak, Giskard, PyRIT, and CyberSecEval—that leverage red-teaming methodologies to uncover these risks. We explore their capabilities, limitations, and design principles, while conducting quantitative evaluations that expose key gaps in their ability to reliably detect attacks.

However, vulnerability detection alone is not enough. Proactive security measures, such as AI guardrails, are essential to mitigating real-world threats. We will discuss how guardrail mechanisms—including **input/output filtering, policy enforcement, and real-time anomaly detection—**can complement scanner-based assessments to create a holistic security approach for LLM deployments. Additionally, we present a preliminary labeled dataset, aimed at improving scanner effectiveness and enabling more robust guardrail implementations.

Beyond these tools, we will share our experience in developing a comprehensive GenAI security framework at Fujitsu, designed to integrate both scanning and guardrail solutions within an enterprise AI security strategy. This framework emphasizes multi-layered protection, balancing LLM risk assessments, red-teaming methodologies, and runtime defenses to proactively mitigate emerging threats.

Finally, based on our findings, we will provide strategic recommendations for organizations looking to enhance their LLM security posture, including:

Selecting the right scanners for red-teaming and vulnerability assessments
Implementing guardrails to ensure real-time policy enforcement and risk mitigation
Adopting a structured framework for securing GenAI systems at scale
This session aims to bridge theory and practice, equipping security professionals with actionable insights to fortify LLM deployments in real-world environments.

Current methods for evaluating the safety of Large Language Models (LLMs) risk creating a false sense of security. Organizations deploying generative AI often rely on automated “judges” to detect safety violations like jailbreak attacks, as scaling evaluations with human experts is impractical. These judges—typically built with LLMs—underpin key safety processes such as offline benchmarking and automated red-teaming, as well as online guardrails designed to minimize risks from attacks. However, this raises a crucial question of meta-evaluation: can we trust the evaluations provided by these evaluators?

In this talk, we examine how popular LLM-as-judge systems were initially evaluated—typically using narrow datasets, constrained attack scenarios, and limited human validation—and why these approaches can fall short. We highlight two critical challenges: (i) evaluations in the wild, where factors like prompt sensitivity and distribution shifts can affect performance, and (ii) adversarial attacks that target the judges themselves. Through practical examples, we demonstrate how minor changes in data or attack strategies that do not affect the underlying safety nature of the model outputs can significantly reduce a judge’s ability to assess jailbreak success.

Our aim is to underscore the need for rigorous threat modeling and clearer applicability domains for LLM-as-judge systems. Without these measures, low attack success rates may not reliably indicate robust safety, leaving deployed models vulnerable to unseen risks.