OWASP 2025 Global AppSec EU

Low-code and no-code (LCNC) development has transformed the way organizations build applications, enabling business users—often with little security expertise—to create powerful workflows, automations, and even AI-driven solutions. As these platforms increasingly integrate AI-powered copilots and automation tools, their adoption is skyrocketing, but so are security risks that traditional AppSec frameworks fail to address.

Recognizing this urgent gap, we established the OWASP Low-Code/No-Code Security Top 10 project to clarify the unique risks in these environments. In this session, we will share our journey—how we classified the Top 10 security risks in LCNC, what we have accomplished since the project’s inception, and how AI-driven low-code development introduces new attack vectors that security teams must prepare for.

Attendees will gain insights into:

* How LCNC security challenges have evolved, especially with the rise of AI-powered platforms.
* The OWASP Low-Code/No-Code Security Top 10, providing a much-needed framework for both citizen developers and security professionals.
* Real-world exploit scenarios, from insecure workflows and data exposure to AI-powered automation risks.
* The current state of low-code security and AI governance, key findings from our research, and what’s next for securing this fast-growing space.

As AI and low-code become inseparable in modern development, security teams must adapt quickly to prevent misuse, misconfigurations, and data exposure. This session is ideal for AppSec professionals, developers, security leaders, and platform owners looking to secure LCNC applications while enabling innovation.

Join us to explore the evolving threat landscape and gain actionable strategies to safeguard the next wave of AI-driven enterprise applications.

OWASP ModSecurity has long served as a foundational engine for web application firewalls, quietly defending thousands of applications in production environments worldwide.

This talk offers a technical and practical overview of where ModSecurity stands today. We'll cover the major updates and architectural improvements introduced over the past two years, including performance optimizations, expanded language bindings, improved logging and debugging tools, and better containerization support.

We’ll also address the community’s role in ModSecurity's ongoing maintenance and what the current roadmap looks like for key integrations and use cases—from NGINX and Apache to reverse proxies and API gateways.

Whether you're a seasoned user, a contributor, or just exploring WAFs for the first time, this session will help you better understand ModSecurity’s role in the modern security stack—and how to leverage its most recent improvements to meet the demands of today’s web.

What You’ll Learn:

• A recap of ModSecurity’s core capabilities and architecture
• Key improvements made since 2023, including performance and compatibility upgrades
• New tooling and deployment patterns
• Current challenges and open areas for contribution
• How ModSecurity is being used today

Threat modeling is a cornerstone of cybersecurity, yet it remains manual, complex, and inaccessible to many teams. While AI-powered threat modeling holds immense promise, it faces challenges such as hallucinations, lack of structured outputs, low accuracy, and limited trustworthiness.

The critical gap lies in the availability of specialized datasets. We aim to enhance LLMs’ ability to identify threats and recommend effective controls by generating open-source curated datasets of real-world threat models with the OWASP Threat Library. This session explores the transformative potential of crowdsourced data to fine-tune LLMs, driving a significant leap forward for the cybersecurity community and industry - all under the wings of an OWASP Project.

Introducing Sunshine, a first-of-its-kind visualization tool for CycloneDX files that can facilitate the adoption of CycloneDX by making SBOMs easily readable and more understandable by a broader audience.

Agenda

1. INTRODUCTION:
1.1 What is an SBOM and why it’s important
1.2 What is the OWASP CycloneDX project
1.3 Brief introduction to the CycloneDX JSON/XML format
1.4 The missing piece: an actionable visualization tool for CycloneDX files

2. OWASP CYCLONEDX SUNSHINE: MAIN BENEFITS AND MAIN FEATURES
2.1 Main benefits: visualize a CycloneDX file in an interactive and human-friendly way
2.2 Main feature #1: sunburst chart with dependencies, licenses and vulnerabilities (with live demo)
2.3 Main feature #2: table with dependencies, licenses and vulnerabilities (with live demo)

3. OWASP CYCLONEDX SUNSHINE: ADVANCED FEATURES
3.1 Advanced feature #1: chart refocus to see only dependencies and vulnerabilities of a single component (with live demo)
3.2 Advanced feature #2: automatic recovery of missing bom-refs (with live demo)
3.3 Advanced feature #3: automatic recovery of broken dependency references (with live demo)
3.4 Advanced feature #4: circular dependencies detection (with live demo)

4. OWASP CYCLONEDX SUNSHINE: HOW TO USE AND A BIT OF IMPLEMENTATION DETAILS
4.1 CLI version: pure python with no additional requirements (with live demo)
4.2 Web-based version: also the same python script, but it runs entirely inside the browser! (with live demo)

5. Q&A

Note: A longer Q&A session will be held in the Project Demo Lab, room 133-134 - check the schedule for details!

GitHub repo: https://github.com/CycloneDX/Sunshine/

Sunshine announcement: https://www.linkedin.com/posts/owasp-cyclonedx_github-cyclonedxsunshine-sunshine-sbom-activity-7277371020246663168-5WNx

In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) and the MASTG v2 Beta. We’ll introduce new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies. Additionally, we’ll showcase the newly developed MAS test apps for Android and iOS, designed to streamline security research and improve the development of robust MAS tests.

A major highlight will be the MASTG demos, now available as APK and IPA files directly from the MAS website, which allow security professionals to learn and practice real-world vulnerability detection. We'll also cover critical updates to iOS 17+ testing for non-jailbroken devices, and demonstrate new techniques and methodologies using one of the latest MASTG demos. Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills.

https://mas.owasp.org/

In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects.

We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way.

Discover OWASP Coraza, an open-source WAF written in Golang making it fast, secure, memory safe, and highly extensible. Built to integrate seamlessly with the CRS v4 ruleset, Coraza solves key issues like performance bottlenecks and limited customization in traditional WAFs.

This talk will explore how Coraza addresses modern web security challenges and preview upcoming features on its roadmap, including better rule management and DevOps integrations.

Key Takeaways:
- Why Coraza is ideal for developers and security teams
- How it improves WAF performance, memory safety, and flexibility
- What's next on the roadmap

If you're seeking a lightweight, scalable, and memory-safe WAF solution, Coraza is worth your attention!

In 2022 we launched OWASP Domain Protect, a tool using serverless functions to automate scans of an enterprise’s DNS environments in AWS, GCP and Cloudflare, test for subdomains vulnerable to takeover, and create Slack and email alerts.

Since then, new features have been added, including a migration of OWASP Domain Protect to a public Terraform Module hosted on the Terraform and OpenTofu Registries. This approach makes it very straightforward for users to incorporate OWASP Domain Protect to their own cloud infrastructure, and easy to keep it updated.

In this presentation, I’ll review the basics of subdomain takeover, describe the system architecture of Domain Protect, detail recent improvements, and give a live demonstration of vulnerable domain detection followed by automated takeover.

The OWASP Core Rule Set (CRS) is one of the Foundation’s flagship projects—quietly powering Web Application Firewalls (WAFs) across the world, safeguarding applications large and small. But it’s been a while since CRS has shared a full update with the community. This talk changes that.
We’ll explore the full lifecycle of CRS—from its origins under Trustwave, through the pivotal leap to version 3, and into the challenges we’re addressing as we build toward version 4. Along the way, we’ll reflect on what it takes to maintain and evolve a high-impact open source project within a constantly shifting security landscape.
Attendees will get a clear picture of what CRS is today: a sophisticated, extensible, community-driven detection framework. You’ll hear how we’re doubling down on quality assurance, introducing a plugin architecture, and transitioning from traditional SecLang rules to a YAML-based format designed to make contributions easier and tooling more powerful.
This session is for anyone who works with WAFs, contributes to open source, or is curious about the future of web application defense. You’ll walk away with a deeper understanding of the CRS roadmap—and how you can be part of shaping what comes next.
Key Takeaways:

• What OWASP CRS is—and why it matters more than ever
  
• Lessons learned from building and maintaining a global ruleset
  
• The roadmap to CRS 4.0 and what’s next for the project
  
• How the community can get involved and contribute meaningfully
  

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers.

Nettacker can run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

As artificial intelligence advances, autonomous AI agents are becoming integral to modern applications, automating decision-making, problem-solving, and even interacting dynamically with users. However, this evolution brings new security challenges that traditional cybersecurity frameworks struggle to address. OWASP’s GenAI Security Project has identified Agentic Security Risks as a critical category of threats that can compromise AI-driven systems, leading to unintended actions, data leaks, model manipulation, and adversarial exploits.

This session will explore Agentic Security Risks—a unique class of vulnerabilities stemming from AI agents’ autonomy, adaptability, and ability to interact with complex environments. We’ll dissect how malicious actors can exploit these systems by influencing their decision-making processes, injecting harmful instructions, or leveraging prompt-based attacks to bypass safety constraints.

Through a deep dive into OWASP’s latest findings, attendees will gain practical insights into risk identification and mitigation strategies tailored for AI-driven agents. The talk will cover:

Understanding Agentic Security Risks: How autonomous AI agents process, reason, and act—and where vulnerabilities emerge.
Threat Modeling for AI Agents: Key security considerations when deploying AI-driven agents in enterprise and consumer applications.
Exploitable Weaknesses in AI Agents: Case studies on prompt injection, adversarial manipulation, data poisoning, and model exfiltration.
OWASP’s Mitigation Framework: Best practices for securing agentic AI systems, including robust validation, policy enforcement, access control, and behavioral monitoring.
Security by Design: How to integrate GenAI security principles into the development lifecycle to preemptively mitigate risks.
By the end of the session, attendees will have a structured approach to assessing and mitigating security risks in agentic AI systems. Whether you’re a developer, security professional, or AI architect, this session will equip you with actionable strategies to secure your AI-powered applications against emerging threats.

Join us to explore the cutting edge of AI security and ensure that autonomous agents work for us—not against us.

We are launching a brand-new version of OWASP Cornucopia with QR codes that will make threat modeling, security requirement gathering, and security design much easier! Each QR code will take you to a brand-new OWASP Cornucopia website, where you can explore each card and the security requirements and controls connected to them (see https://owaspcornucopia.org/ ). This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way.

Coming soon!
Web store for you to buy OWASP Cornucopia card decks.

Call for contributors
We are looking for volunteers that would like to help us improve the new website and those who would like to help translate Cornucopia into various languages to ensure that developers who don't have English as their mother tongue, understand the requirements and controls presented to them. We are also looking for ideas and help in maintaining and improving the new website to ensure it becomes a valuable tool for everyone looking at solving application security challenges.

How often have you heard developers ask, "Where is Race Condition in OWASP?" or "Why aren’t business workflows part of the Top 10?"

These questions highlight a glaring gap: the OWASP lists often focus on technical implementation vulnerabilities while overlooking the fundamental flaws in business logic—the very backbone of applications. This is why we started the OWASP Business Logic Abuse Top 10 Project: to address the workflow bypasses, logic flaws, and design vulnerabilities that attackers exploit, regardless of whether you’re building a web app, API, firmware, or supply chain system.

This project's foundation in Turing machine principles makes it unique, where business logic is modeled as finite states, transitions, and memory operations. By breaking down vulnerabilities into their computational roots—data handling (tape), access mechanisms (head), workflows (states), and transitions—we not only classify these issues but also provide a clear framework for identifying and mitigating them. Whether it’s race conditions in financial systems or workflow skips in authentication processes, this approach brings business logic vulnerabilities to the forefront.

This Top 10 isn’t just another list; it’s a cross-domain framework that bridges gaps between OWASP categories and provides clarity for developers, architects, and security professionals. If you’ve ever wondered why logic abuse isn’t explicitly addressed in web apps, APIs, or mobile security, this project is your answer. Join us to explore real-world examples, understand the unique methodology, and discover how you can contribute to this open, repeatable framework that empowers teams to tame business logic abuse in any system.

OWASP Security Champions Guide Project was started to create an open-source, vendor-neutral guidebook for Application Security professionals to help them build and improve their own successful Security Champion programs.

In this talk, Aleksandra will describe the main elements of the project and will guide you through the key principles of a successful Security Champions Program.

Regarding Security Champions programs, one size will not fit all – and as such our Project allows managers, security professionals or team leaders to pick and choose the elements their organization can adopt or leverage to create their own customized program.

Our Project team interviewed security leaders, program coordinators, and security champions to establish what makes a successful program. Participants represent a range of company sizes, industries, geographies, and also different levels of security program maturity. We want to know what works, what doesn’t work, what promotes success, and what leads to failure.

The principles have been drawn from an initial series of in-depth interviews with Application Security leaders from across the globe as part of our wider goal to provide a comprehensive Security Champions playbook.

The Ten Key Principles of a Successful Security Champions Program:
1. Be passionate about security
2. Start with a clear vision for your program
3. Secure management support
4. Nominate a dedicated captain
5. Trust your champions
6. Create a community
7. Promote knowledge sharing
8. Reward responsibility
9. Invest in your champions
10. Anticipate personnel changes

More about the Project:
- Existing Project webpage: https://owasp.org/www-project-security-champions-guidebook/
- New Project webpage: https://securitychampions.owasp.org/

The OWASP Top 10 CI/CD Security Risks Project has been a cornerstone for securing CI/CD environments since its inception three years ago. This talk will explore how the CI/CD security landscape has evolved during this time, with a primary focus on the most significant developments over the past year. By revisiting the project’s original risks and comparing them to recent threats, including new breaches and innovative attack techniques, we will highlight how the field has adapted to a rapidly changing environment. Attendees will gain a comprehensive understanding of the progress made since the project’s release and actionable insights to fortify their pipelines against emerging risks.

As OWASP DefectDojo continues to grow and thrive, what are the most recent developments and what new challenges are ahead for the project. This project showcase talk will review the current state of the project highlighting some exciting developments including the new documentation site and documentation writer to make using DefectDojo even easier. Get caught up in the best DefectDojo has to offer and what to expect in the rest of 2025.