OWASP 2025 Global AppSec EU

Practical and usable advice on how to harness the power of AI to create secure React applications by using prompt engineering best practices. We will discuss practical methods for guiding AI models to produce safe, high-quality React code that reduces common vulnerabilities, such as cross-site scripting (XSS) and injection flaws.

Attendees will learn foundational techniques for crafting precise prompts, incorporating secure coding patterns, and validating AI-generated outputs.

By the end of this session, you will be equipped with actionable steps to integrate AI-driven development into your workflow and strengthen the overall security of your React and other software projects.

The OWASP Microservice Cheat Sheet makes a bold statement about the limitations of edge-level authorization architectures - implying that they cannot handle the complexities of modern microservices. But what if that’s no longer true?

Enter heimdall, an identity-aware proxy that redefines edge-level authentication and authorization. By integrating fine-grained access control with modern Zero Trust principles, heimdall overcomes the supposed weaknesses, providing scalability, flexibility, and performance without sacrificing security and team agility.

In this talk, I will challenge the OWASP Cheat Sheet’s view and demonstrate how heimdall addresses its concerns head-on. You’ll learn how edge-level authorization can scale to meet the demands of large, distributed systems while maintaining granular control over access. Through real-world examples and architecture insights, we’ll explore why the edge-level might just be the most effective place for secure access control.

Join me to see how heimdall blows away the perceived limitations of edge-level authorization and why it’s time to rethink this critical piece of microservice security.

Mobile applications are often developed in a cross-platform framework such as Flutter, React Native or Maui. These frameworks allow developers to design and implement the application once and then deploy to both Android and iOS.

While these frameworks save time during the development cycle, they pose unique challenges when securing them. In this talk, I will show you how mobile application security is a shared responsibility between the developer, the cross-platform framework and the native OS on which the application is running. Security needs to be addressed during the entire SDLC, so we will examine the impact on SAST, DAST and even manual penetration testing.

In the security industry, we often take well-established development practices, such as the DevOps infinity loop, add a layer of security, and label it "DevSecOps." However, this approach frequently overlooks a critical issue: layering complex security processes onto efficient development processes can create inefficiency. In this talk, I argue that true innovation in security comes not from tooling or automation alone, but from mastering the underlying process first. By drawing an analogy to simple machines — where incremental improvements led to the evolution of tools like levers, wheels, and pulleys — I will illustrate how optimizing foundational processes leads to scalable, effective security practices. Attendees will leave with practical insights on reducing inefficiencies and fostering consistent improvement in their security workflows.

So TypeScript has become the de facto industry standard for developing web applications these days and promising type security, but do developers properly understand the role it plays in securing applications and does the type safety promise hold true in face of real-world security threats?

Developers often mistake dev-time vs runtime security as well as confuse test cases for security guard rails. Can TypeScript actually provide you with code security benefits? In this session we will explore insecure TypeScript patterns, learn how HTTP parameter pollution vulnerabilities impact TypeScript code bases and witness first-hand how attackers employ prototype pollution attacks that cripple codebases even when developers use schema validation libraries like Zod. Through hands-on coding we’ll hack a TypeScript application and learn security best practices.

You have probably heard of success stories using Open Policy Agent for all kinds of authorization problems that focus on the technical merits and challenges. While it is relatively easy to get started when you look at single applications, the game changes as soon as you want to introduce authorization as a platform capability for thousands of applications maintained by hundreds of teams.

We will talk about how Zalando adopted Open Policy Agent and Styra DAS to provide this capability and will shed some light on how we enable enough governance to stay compliant, how to use organisational scale in our favour and how to balance central platform concerns with decentral application concerns.

We’ll touch on the technical integration points in our Platform via OSS Skipper, observability via OpenTelemetry and Styra DAS. We will also talk about the developer experience, the leverage we gain as security teams and how we structure our policies to enable complex business cases across multiple applications.

Despite our collective efforts, we haven’t managed to harmonize tools and processes. Several projects like ASVS, SAMM and others have attempted information harmony but only the now defunct Glue has attempted tool orchestration harmonization and for good reason, it is a hard problem to solve, almost impossible by volunteers alone.

This session introduces Smithy, the only open-source workflow engine for security tools. Smithy stands as a unifying force for building robust, scalable DevSecOps, and beyond, pipelines. Leveraging Smithy’s support for OCSF-native data formats, we centralized the outputs of disparate security tools into a cohesive data lake, unlocking actionable insights that improved vulnerability prioritization and resource allocation.

The talk will showcase real-world applications, including integrating OpenCRE, Cartography, AI-driven solutions and open-source resources to enhance vulnerability detection accuracy and reprioritization, for free, using ready made community resources.

Whether you're a tech lead, security engineer, or CISO, this presentation offers practical guidance for creating adaptable, data-driven security workflows without breaking the bank.

Formally announcing v5.0 of the Application Security Verification Standard (ASVS), the first major release in five years of one of OWASP’s flagship projects. But the project has not been sitting idle for years, it has been under development the entire time.

This talk will cover the big changes and improvements in this recently released version.

This includes:
- Defining and clarifying the scope of the ASVS, and expectations for requirements.
- Mandating documented security decisions to provide some flexibility on implementing and verifying security requirements, to match the differences between organizations and applications.
- Adding several new chapters and making important changes to existing chapters.
- Providing a two-way mapping to make it easier to migrate from v4.x to v5.
- Balancing the levels and reducing the barrier to entry into Level 1.

We will also talk about how you can use the standard more effectively in your organizations, the future plans for ASVS now that version 5.0 is out, and how you can be involved.

It’s time to move forward - start using ASVS v5.0 and come on board to develop it further.

How can we make threat modeling scalable, actionable, and accessible for all stakeholders?

Traditional threat modeling methodologies struggle to scale in agile environments. They often result in over-scoped, resource-heavy processes that lack actionable insights and rely on scarce security expertise, limiting adoption in large organizations.

This talk introduces Rapid Developer-Driven Threat Modeling (RaD-TM), a lightweight, tool-agnostic approach designed for developers to embed threat modeling into the SDLC without relying on security experts. RaD-TM focuses on targeted assessments of specific functionalities rather than application-wide models, enabling iterative and efficient risk mitigation.
Using Risk Templates, which are predefined collections of relevant risks and controls tailored to specific contexts, RaD-TM fosters collaboration among stakeholders to build a scalable threat modeling process. This session will offer real-world examples and step-by-step guidance on integrating RaD-TM into the development workflow.

During my career, I've had the opportunity to work with many financial institutions, payment processors, fintechs, and e-commerce operators. In recent years, the threat landscape for internet payments has changed significantly, since our smartphone has become the center of our digital life, financial transactions, and digital identity. Such concentration of power in a single asset has poor influence on overall security.

In my presentation, I will explore this dynamic threat landscape, show real-life vulnerabilities and threats, and discuss possible solutions to protect customers' funds. Additionally, I will examine the role of regulatory compliance in solving issues related to online payments.

My presentation will be divided into three parts.

In the first part of my presentation, I will show real-life threats and vulnerabilities affecting current transaction authorization processes, including technical and logical ones. I will present case studies of attacks that caused my relatives and friends to lose their money.

In the second part, I will discuss possible safeguards to raise the bar for attackers without compromising usability on many levels of user interaction:
- banking apps and systems, payments, fintechs
- e-commerce apps, social media apps, telecom operators
I will also demonstrate how developers, blue teams, and threat intelligence experts can cooperate to detect financial fraud at the application level and protect customers' funds.

In the third part, I will discuss whether current and upcoming financial sector regulations, such as DORA, PSD3, and PSR, address transaction authorization problems. I will also explore whether we as the IT security community can do more than just follow compliance rules.

In this session, we'll explore the development of an in-house threat modeling assistant that leverages Large Language Models through AWS Bedrock and Anthropic Claude. Learn how we're building a private solution that automates and streamlines the threat modeling process while keeping sensitive security data within our control. We'll demonstrate how this proof-of-concept tool combines LangChain and Streamlit to create an interactive threat modeling experience. Join us to see how modern AI technologies can enhance security analysis while maintaining data privacy.