OWASP 2025 Global AppSec EU

High performing teams are a treasure for every organization. But what if cognitive load gets too high and creates a buffer overflow in a team’s working memory? Security adds an additional layer of complexity to the work of development teams and endangers their quality of work and solution finding capabilities as a team. We will show actionable remediation strategies like a Security Champions Program, automation for security scans and secure scrum with a real-life example.

Security teams love metrics - dashboards filled with vulnerability counts, alert volumes, and training hours logged. But do any of these actually make organizations more secure? The uncomfortable truth is that most security metrics are just vanity numbers—impressive in reports but meaningless in practice.

In this talk, I will focus on the science behind meaningful security metrics—the ones that actually reduce risk instead of just filling reports. I will introduce a framework that helps define metrics based on real security goals, rather than setting goals around whatever data happens to be available. From there, I will break down what constitutes a good metric, examining its structure and the common pitfalls that undermine its validity.

If your security strategy is built on unreliable metrics, it’s time for a reality check. This talk challenges industry assumptions and provides scientific backing to the fact that many widely used security metrics in the industry only weakly correlate with actual risk.

Have you ever been in a situation where you are looking at a map, but your surroundings look nothing like the map? And you are not even sure which direction you are facing? This is where many security teams find themselves when they begin their journey to build a product security program. Worse, like most startups, many security programs fail and never find their way to their stakeholders. While helpful roadmaps like OWASP SAMM, DSOMM, and other frameworks provide a good map, they cannot answer the question of how we actually get from A to B, or if it is even possible given the current state of our organization. We know we should have security gates, we know we should have threat modeling, we know we should have an active community of security champions, we know we should have a culture of security - but it doesn't exist, and hardly anyone supports our initiatives in the beginning. We know what needs to be done, we just don't know how to make it happen.

This talk is not about the technical challenges of building a product security program, but about the strategic, tactical, and organizational challenges. How do you build a security program when resources are limited and the organization around you does not provide an environment in which you can easily thrive? We will take a look at various challenges, our mission and understanding as a security team, possible solutions, and techniques to succeed even when the odds are stacked against us.

The exponentially growing number of software security vulnerabilities and data breaches highlights a persistent gap between the implementation of the secure development lifecycle and particularly secure coding practices and their intended outcomes. Despite significant financial investments in application security and the advancements in secure software development methodologies, the effectiveness of these practices remains inconsistent. Our session is based on a multi-phase and multi-year research, conducted in two global enterprise software companies and explores how a combination of developers' security education, organizational security climate, and metrics can enhance secure coding performance and reduce software vulnerabilities.

In December 2004, Steve Lipner introduced to the world the trustworthy computing security development lifecycle. A framework which included three main pillars: Requirements for repeatable secure development processes, requirements for engineers secure coding education and requirements for measurements and accountability for software security. Guided by this three-pillar framework , our research emphasizes the under-addressed areas of developer education and organizational accountability and measurements.

Through a series of three studies, conducted in two global software companies and led by the University of Haifa in Israel, this session will present the results of an academic research that made an attempt to identify the root cause for the ever increasing number of software security vulnerabilities and investigates the effectiveness of secure coding training, the impact of organizational security climate interventions, and the correlation between security climate and secure coding performance in order to evaluate whether the later two, which were prominently left in the shades, could provide a solution to the problem.

The first study evaluates the efficacy of secure coding training programs, revealing that while training improves knowledge, it fails to significantly to reduce newly introduced vulnerabilities. The second study demonstrates that targeted organizational interventions, including leadership communication and process improvements, significantly enhance organizational security climate. The final study found significant correlation between positive security climate and secure coding performance improvement, evidenced by a higher ratio of mitigated vulnerabilities.

This research provides actionable insights for both academia and industry. It underscores the importance of integrating secure coding education with organizational climate improvements to achieve measurable security outcomes. The findings offer a comprehensive approach to reducing cyber security risks while advocating for a dual focus on technical skills and cultural transformation within software development environments.

Organizations are transitioning in their use of OWASP SAMM. The use case evolves from an assessment model to a quality control program. Kaizen is an iterative improvement methodology popularized in the Japanese industry. As an operational philosophy it has influenced quality control systems worldwide. This talk highlights how Kaizen principles are applied in the industry by separating different streams from the OWASP SAMM model and managing each stream in a continuous improvement cycle. The talk is based on practical experience and 27 interviews with appsec program managers at a wide range of corporations on this journey. There are some recurring pitfalls in the implementation of OWASP that relate to the human aspect of change management, the pitfalls of gamification and challenges around fitting the generic framework to diverse contexts. Finally we distill from the successes and the failures of the industry the potential for Kaizen principles and OWASP SAMM to leverage participatory leadership, empowerment and intrinsic motivation. The conclusion is an optimistic picture of the future, where security is everyone's problem, jobs are meaningful and applications a little bit more secure.

The exponentially growing number of software security vulnerabilities and data breaches highlights a persistent gap between the implementation of the secure development lifecycle and particularly secure coding practices and their intended outcomes. Despite significant financial investments in application security and the advancements in secure software development methodologies, the effectiveness of these practices remains inconsistent. Our session is based on a multi-phase and multi-year research, conducted in two global enterprise software companies and explores how a combination of developers' security education, organizational security climate, and metrics can enhance secure coding performance and reduce software vulnerabilities.

In December 2004, Steve Lipner introduced to the world the trustworthy computing security development lifecycle. A framework which included three main pillars: Requirements for repeatable secure development processes, requirements for engineers secure coding education and requirements for measurements and accountability for software security. Guided by this three-pillar framework , our research emphasizes the under-addressed areas of developer education and organizational accountability and measurements.

Through a series of three studies, conducted in two global software companies and led by the University of Haifa in Israel, this session will present the results of an academic research that made an attempt to identify the root cause for the ever increasing number of software security vulnerabilities and investigates the effectiveness of secure coding training, the impact of organizational security climate interventions, and the correlation between security climate and secure coding performance in order to evaluate whether the later two, which were prominently left in the shades, could provide a solution to the problem.

The first study evaluates the efficacy of secure coding training programs, revealing that while training improves knowledge, it fails to significantly to reduce newly introduced vulnerabilities. The second study demonstrates that targeted organizational interventions, including leadership communication and process improvements, significantly enhance organizational security climate. The final study found significant correlation between positive security climate and secure coding performance improvement, evidenced by a higher ratio of mitigated vulnerabilities.

This research provides actionable insights for both academia and industry. It underscores the importance of integrating secure coding education with organizational climate improvements to achieve measurable security outcomes. The findings offer a comprehensive approach to reducing cyber security risks while advocating for a dual focus on technical skills and cultural transformation within software development environments.

Security champion programs are all the rage right now, but they aren’t a magic bullet; they are a lot of work and more than half of them fail. We want to scale our security programs and improve security culture and communication, but what happens when are champions are less-than-enthused? There’s no support from management? We can’t get enough buy in? Let’s look at when things go WRONG with security champions programs, with this list of WORST practices, and how to avoid each one.

Security teams increasingly take a collaborative, partnership-based approach to securing their applications and organizations. Scaling these efforts requires thoughtfully distributing awareness and ownership of security risk. Scorecarding is used at leading companies to make security posture visible, actionable, and engaging across the entire organization.

In this session, we’ll dive into how companies like Netflix, Chime, GitHub, and DigitalOcean use scorecarding to distribute security ownership, drive continuous improvement, and align risk management with business goals. You’ll walk away with practical, tool-agnostic strategies for implementing your own scorecarding program that not only enhances security posture but fosters a culture of shared responsibility and proactive risk management.

“What gets measured, gets managed” is perhaps an over-simplification, but the quote has its merits. In terms of building an effective application security Program, measurement and metrics go a long way, and by collecting, observing, and presenting actionable AppSec metrics, you can bridge the gap between Security Engineering and leadership’s strategic priorities.

In this session, we will start by speaking about different types of metrics, both qualitative and quantitative, and how these metrics can be categorised to align better with frameworks defining application security Metrics as a required control.
From there, we will start to look at what metrics we should use and how they can be visualised. By visualising these metrics, we can come to conclusions around whether or not the application security program is effective and what we should do to drive improvement.

Last, but not least, we’ll talk about how the data and visualisations can support us in our communication with leadership by supporting our requests and recommendations based on data and looking at trends.

In many areas of life—application security included—what gets measured can be proven, and what gets proven can be improved.

Listen in on how a big energy company from Norway runs a Security Champion Network with 250+ members! Ever wondered about the struggles of managing a 3-year-old network?

This light-hearted talk will give you context on:
- What the AppSec team does in Equinor.
- How our Security Champion program is structured.
- What we've learned so far.
- What challenges we've faced and how we have tried to solve them.
- Our gamification strategy.
- Key take-aways.

You will (hopefully) gain inspiration to bring home on how to run or improve your own Security Champion Network.