OWASP 2025 Global AppSec EU

The OWASP Core Rule Set (CRS) is one of the Foundation’s flagship projects—quietly powering Web Application Firewalls (WAFs) across the world, safeguarding applications large and small. But it’s been a while since CRS has shared a full update with the community. This talk changes that.
We’ll explore the full lifecycle of CRS—from its origins under Trustwave, through the pivotal leap to version 3, and into the challenges we’re addressing as we build toward version 4. Along the way, we’ll reflect on what it takes to maintain and evolve a high-impact open source project within a constantly shifting security landscape.
Attendees will get a clear picture of what CRS is today: a sophisticated, extensible, community-driven detection framework. You’ll hear how we’re doubling down on quality assurance, introducing a plugin architecture, and transitioning from traditional SecLang rules to a YAML-based format designed to make contributions easier and tooling more powerful.
This session is for anyone who works with WAFs, contributes to open source, or is curious about the future of web application defense. You’ll walk away with a deeper understanding of the CRS roadmap—and how you can be part of shaping what comes next.
Key Takeaways:

• What OWASP CRS is—and why it matters more than ever
  
• Lessons learned from building and maintaining a global ruleset
  
• The roadmap to CRS 4.0 and what’s next for the project
  
• How the community can get involved and contribute meaningfully
  

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers.

Nettacker can run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

As artificial intelligence advances, autonomous AI agents are becoming integral to modern applications, automating decision-making, problem-solving, and even interacting dynamically with users. However, this evolution brings new security challenges that traditional cybersecurity frameworks struggle to address. OWASP’s GenAI Security Project has identified Agentic Security Risks as a critical category of threats that can compromise AI-driven systems, leading to unintended actions, data leaks, model manipulation, and adversarial exploits.

This session will explore Agentic Security Risks—a unique class of vulnerabilities stemming from AI agents’ autonomy, adaptability, and ability to interact with complex environments. We’ll dissect how malicious actors can exploit these systems by influencing their decision-making processes, injecting harmful instructions, or leveraging prompt-based attacks to bypass safety constraints.

Through a deep dive into OWASP’s latest findings, attendees will gain practical insights into risk identification and mitigation strategies tailored for AI-driven agents. The talk will cover:

Understanding Agentic Security Risks: How autonomous AI agents process, reason, and act—and where vulnerabilities emerge.
Threat Modeling for AI Agents: Key security considerations when deploying AI-driven agents in enterprise and consumer applications.
Exploitable Weaknesses in AI Agents: Case studies on prompt injection, adversarial manipulation, data poisoning, and model exfiltration.
OWASP’s Mitigation Framework: Best practices for securing agentic AI systems, including robust validation, policy enforcement, access control, and behavioral monitoring.
Security by Design: How to integrate GenAI security principles into the development lifecycle to preemptively mitigate risks.
By the end of the session, attendees will have a structured approach to assessing and mitigating security risks in agentic AI systems. Whether you’re a developer, security professional, or AI architect, this session will equip you with actionable strategies to secure your AI-powered applications against emerging threats.

Join us to explore the cutting edge of AI security and ensure that autonomous agents work for us—not against us.

We are launching a brand-new version of OWASP Cornucopia with QR codes that will make threat modeling, security requirement gathering, and security design much easier! Each QR code will take you to a brand-new OWASP Cornucopia website, where you can explore each card and the security requirements and controls connected to them (see https://owaspcornucopia.org/ ). This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way.

Coming soon!
Web store for you to buy OWASP Cornucopia card decks.

Call for contributors
We are looking for volunteers that would like to help us improve the new website and those who would like to help translate Cornucopia into various languages to ensure that developers who don't have English as their mother tongue, understand the requirements and controls presented to them. We are also looking for ideas and help in maintaining and improving the new website to ensure it becomes a valuable tool for everyone looking at solving application security challenges.

How often have you heard developers ask, "Where is Race Condition in OWASP?" or "Why aren’t business workflows part of the Top 10?"

These questions highlight a glaring gap: the OWASP lists often focus on technical implementation vulnerabilities while overlooking the fundamental flaws in business logic—the very backbone of applications. This is why we started the OWASP Business Logic Abuse Top 10 Project: to address the workflow bypasses, logic flaws, and design vulnerabilities that attackers exploit, regardless of whether you’re building a web app, API, firmware, or supply chain system.

This project's foundation in Turing machine principles makes it unique, where business logic is modeled as finite states, transitions, and memory operations. By breaking down vulnerabilities into their computational roots—data handling (tape), access mechanisms (head), workflows (states), and transitions—we not only classify these issues but also provide a clear framework for identifying and mitigating them. Whether it’s race conditions in financial systems or workflow skips in authentication processes, this approach brings business logic vulnerabilities to the forefront.

This Top 10 isn’t just another list; it’s a cross-domain framework that bridges gaps between OWASP categories and provides clarity for developers, architects, and security professionals. If you’ve ever wondered why logic abuse isn’t explicitly addressed in web apps, APIs, or mobile security, this project is your answer. Join us to explore real-world examples, understand the unique methodology, and discover how you can contribute to this open, repeatable framework that empowers teams to tame business logic abuse in any system.

OWASP Security Champions Guide Project was started to create an open-source, vendor-neutral guidebook for Application Security professionals to help them build and improve their own successful Security Champion programs.

In this talk, Aleksandra will describe the main elements of the project and will guide you through the key principles of a successful Security Champions Program.

Regarding Security Champions programs, one size will not fit all – and as such our Project allows managers, security professionals or team leaders to pick and choose the elements their organization can adopt or leverage to create their own customized program.

Our Project team interviewed security leaders, program coordinators, and security champions to establish what makes a successful program. Participants represent a range of company sizes, industries, geographies, and also different levels of security program maturity. We want to know what works, what doesn’t work, what promotes success, and what leads to failure.

The principles have been drawn from an initial series of in-depth interviews with Application Security leaders from across the globe as part of our wider goal to provide a comprehensive Security Champions playbook.

The Ten Key Principles of a Successful Security Champions Program:
1. Be passionate about security
2. Start with a clear vision for your program
3. Secure management support
4. Nominate a dedicated captain
5. Trust your champions
6. Create a community
7. Promote knowledge sharing
8. Reward responsibility
9. Invest in your champions
10. Anticipate personnel changes

More about the Project:
- Existing Project webpage: https://owasp.org/www-project-security-champions-guidebook/
- New Project webpage: https://securitychampions.owasp.org/

The OWASP Top 10 CI/CD Security Risks Project has been a cornerstone for securing CI/CD environments since its inception three years ago. This talk will explore how the CI/CD security landscape has evolved during this time, with a primary focus on the most significant developments over the past year. By revisiting the project’s original risks and comparing them to recent threats, including new breaches and innovative attack techniques, we will highlight how the field has adapted to a rapidly changing environment. Attendees will gain a comprehensive understanding of the progress made since the project’s release and actionable insights to fortify their pipelines against emerging risks.

As OWASP DefectDojo continues to grow and thrive, what are the most recent developments and what new challenges are ahead for the project. This project showcase talk will review the current state of the project highlighting some exciting developments including the new documentation site and documentation writer to make using DefectDojo even easier. Get caught up in the best DefectDojo has to offer and what to expect in the rest of 2025.