Thursday May 29, 2025 1:15pm - 2:00pm CEST
Have you ever been in a situation where you are looking at a map, but your surroundings look nothing like the map? And you are not even sure which direction you are facing? This is where many security teams find themselves when they begin their journey to build a product security program. Worse, like most startups, many security programs fail and never find their way to their stakeholders. While helpful roadmaps like OWASP SAMM, DSOMM, and other frameworks provide a good map, they cannot answer the question of how we actually get from A to B, or if it is even possible given the current state of our organization. We know we should have security gates, we know we should have threat modeling, we know we should have an active community of security champions, we know we should have a culture of security - but it doesn't exist, and hardly anyone supports our initiatives in the beginning. We know what needs to be done, we just don't know how to make it happen.

This talk is not about the technical challenges of building a product security program, but about the strategic, tactical, and organizational challenges. How do you build a security program when resources are limited and the organization around you does not provide an environment in which you can easily thrive? We will take a look at various challenges, our mission and understanding as a security team, possible solutions, and techniques to succeed even when the odds are stacked against us.
Speakers
Michael Helwig

Security Consultant and Founder, secureIO GmbH
I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development. I am interested in DevSecOps, security testing, exploiting, vulnerability...
Room 115
