OWASP 2025 Global AppSec EU

Static Application Security Testing faces a significant challenge: while current tools excel at identifying potential vulnerabilities in isolation, they struggle to understand the holistic context of how data flows between client and server components. This limitation leads to an overwhelming number of false positives, particularly in detecting Cross-Site Scripting (XSS) vulnerabilities, where the interaction between client and server components is crucial for determining genuine security risks.

In this presentation, we'll demonstrate how Large Language Models (LLMs) can revolutionize vulnerability detection by understanding complete codebases across client and server components. Through a series of practical experiments, we'll show how LLMs can:

- Track data flow paths between different application layers
- Identify genuine vulnerabilities while reducing false positives through context-aware analysis
- Provide detailed reasoning about vulnerability exploitability
- Handle real-world applications at scale

We'll share our findings from extensive research using LLMs, including successes and limitations in analyzing cross-component vulnerabilities. Attendees will learn how this approach could transform security testing and what challenges must be addressed for production implementation.