OWASP 2025 Global AppSec EU

Static Application Security Testing faces a significant challenge: while current tools excel at identifying potential vulnerabilities in isolation, they struggle to understand the holistic context of how data flows between client and server components. This limitation leads to an overwhelming number of false positives, particularly in detecting Cross-Site Scripting (XSS) vulnerabilities, where the interaction between client and server components is crucial for determining genuine security risks.

In this presentation, we'll demonstrate how Large Language Models (LLMs) can revolutionize vulnerability detection by understanding complete codebases across client and server components. Through a series of practical experiments, we'll show how LLMs can:

- Track data flow paths between different application layers
- Identify genuine vulnerabilities while reducing false positives through context-aware analysis
- Provide detailed reasoning about vulnerability exploitability
- Handle real-world applications at scale

We'll share our findings from extensive research using LLMs, including successes and limitations in analyzing cross-component vulnerabilities. Attendees will learn how this approach could transform security testing and what challenges must be addressed for production implementation.

Security champion programs are all the rage right now, but they aren’t a magic bullet; they are a lot of work and more than half of them fail. We want to scale our security programs and improve security culture and communication, but what happens when are champions are less-than-enthused? There’s no support from management? We can’t get enough buy in? Let’s look at when things go WRONG with security champions programs, with this list of WORST practices, and how to avoid each one.

Security teams increasingly take a collaborative, partnership-based approach to securing their applications and organizations. Scaling these efforts requires thoughtfully distributing awareness and ownership of security risk. Scorecarding is used at leading companies to make security posture visible, actionable, and engaging across the entire organization.

In this session, we’ll dive into how companies like Netflix, Chime, GitHub, and DigitalOcean use scorecarding to distribute security ownership, drive continuous improvement, and align risk management with business goals. You’ll walk away with practical, tool-agnostic strategies for implementing your own scorecarding program that not only enhances security posture but fosters a culture of shared responsibility and proactive risk management.

“What gets measured, gets managed” is perhaps an over-simplification, but the quote has its merits. In terms of building an effective application security Program, measurement and metrics go a long way, and by collecting, observing, and presenting actionable AppSec metrics, you can bridge the gap between Security Engineering and leadership’s strategic priorities.

In this session, we will start by speaking about different types of metrics, both qualitative and quantitative, and how these metrics can be categorised to align better with frameworks defining application security Metrics as a required control.
From there, we will start to look at what metrics we should use and how they can be visualised. By visualising these metrics, we can come to conclusions around whether or not the application security program is effective and what we should do to drive improvement.

Last, but not least, we’ll talk about how the data and visualisations can support us in our communication with leadership by supporting our requests and recommendations based on data and looking at trends.

In many areas of life—application security included—what gets measured can be proven, and what gets proven can be improved.

Listen in on how a big energy company from Norway runs a Security Champion Network with 250+ members! Ever wondered about the struggles of managing a 3-year-old network?

This light-hearted talk will give you context on:
- What the AppSec team does in Equinor.
- How our Security Champion program is structured.
- What we've learned so far.
- What challenges we've faced and how we have tried to solve them.
- Our gamification strategy.
- Key take-aways.

You will (hopefully) gain inspiration to bring home on how to run or improve your own Security Champion Network.