Program Schedule

Abstract:

Threat modeling by yourself is great - noone is there to tell you you're wrong. But if you want to discover nontrivial issues that you don't have on your checklist, you'll need to engage with others. Too often, though, we chase them away. One of the biggest traps is falling down a rabbit hole of technical details, without involving other stakeholders or considering their perspectives. This lack of context creates an inaccurate model of the system, misguided threats, and inefficient investment of security effort.

In this keynote, we will look at ways to make security more social and lightweight - how to productively engage with teammates, challenge your own assumptions, and drive actionable, high-value outcomes that make AppSec truly collaborative.

Abstract:

Artificial Intelligence (AI) technologies are impacting individuals and organisations, transforming the way we work. At the same time, threats related to the use of AI systems are evolving at the same pace. As stated in ENISA Threat Landscape Report 2025, the increased integration of AI systems into enterprise environments introduces a potentially vulnerable new attack surface.

This talk provides an inside look at the Commission’s journey in evaluating and selecting AI security frameworks, focusing on why the OWASP AI Top 10 was chosen as a reference point.

Abstract:

Operational Technology (OT) encompasses a wide variety of programmable systems and devices that have direct or indirect interactions with the physical environment. These technologies are integral to numerous sectors such as manufacturing, energy, transportation, medical, and utilities, where they play a crucial role in the operation and management of physical processes. As OT systems become more interconnected and integrated with Information Technology (IT) networks, they face increased vulnerability to large-scale cyber attacks. This integration, while beneficial for operational efficiency and data sharing, exposes OT systems to the same cyber threats that typically target IT environments.

The goal of the OWASP OT Top 10 is to raise awareness about the top security risks and vulnerabilities specific to OT environments. By providing actionable recommendations, we aim to improve the security posture of OT systems and protect critical infrastructure from cyber threats. This talk presents the new release of the initial OWASP OT Top 10 to a broader audience to achieve awareness if its existence, alignment with the state-of-the-art and applicability in the OT domain.

Abstract:

The society has given up on letting the IT industry handle cyber security by itself. The cost for society is going up, the number of incidents is rising all the time. The regulators are moving in across the globe, and we’re getting regulated. At the heart of many regulations is vulnerability management—keeping products secure during the lifetime in use. Olle will go through how it’s planned to work and the sad smelly truth about the state of the vulnerability management platforms today. From Software bill of materials over vulnerability databases to EU regulation. The main question in all of this is: Are you ready to be regulated?

Abstract:

Security teams love metrics. Beautiful dashboards, filled with vulnerability counts, alert volumes, SLA compliance for fix times, training hours logged, etc. However, do any of these metrics actually make organizations more secure? The uncomfortable truth is that most security metrics are questionable, at least from a scientific perspective.

In this talk, I will focus on the science behind meaningful security metrics. I will introduce a framework that helps define metrics based on organization-specific goals, as opposed to creating purpose around whatever metrics we have lying around. From there, I will break down what are the key qualities of a good metric. Finally, I will briefly present the different data analysis methods and the common validity threats when going from metric values back to supporting your goals.

"If you can't measure it, you can't improve it". However, if your security strategy is built on questionable metrics, you might not be improving the right things. This talk will challenge industry assumptions and provide scientific backing to the fact that many widely used security metrics in the industry might be vanity numbers.

Abstract:

The first major release in five years of one of OWASP’s flagship projects - the Application Security Verification Standard (ASVS) version 5 - was announced on the OWASP Global AppSecEU conference on May 30 this year (2025).

In this talk, Elar Lang, as one of the co-leaders and key authors of the concept for the version, introduces the project and points out key aspects from the latest release.

This includes:

• Defining and clarifying the scope of the ASVS, and expectations for requirements.
• Mandating documented security decisions to provide some flexibility on implementing and verifying security requirements, to match the differences between organizations and applications.
• Adding several new chapters, such as token validation, OAuth and OIDC.
• Providing a two-way mapping to make it easier to migrate from v4.x to v5.
• Balancing the levels and reducing the barrier to entry into Level 1.
• The release strategy.
• How you can contribute.

Abstract:

The first half of 2024 saw an entirely new category of threat against open source, one that rocked its trust-based system at its core: social engineering takeover attempt of critical open source projects.

These attacks uncovered a systemic gap in open source security management.

Up until now, the open source community wasn’t thought of as a potential cyber attack target. But when critical open source projects become stepping stones for industrial espionage, ransomware attacks, or cyberwarfare, maintainers need to adopt comparable security practices to those found in target organizations.

This creates a unique set of challenges for open source because of its highly distributed nature and volunteer-based model. Meaningfully improving security at scale while preserving the ethos, culture, and diversity of communities that characterize open source and that are largely responsible for its innovative potential isn't an easy task.

In this talk we'll do a post-mortem of the social engineering takeover attempt at the OpenJS Foundation. While preserving confidentiality, we'll outline industry gaps uncovered during this attack. We'll suggest ways to meaningfully improving security at scale while preserving the ethos, culture, and diversity of communities that characterize open source and that are largely responsible for its success.

Abstract:

The fast-evolving ecosystem of AI-enabled applications has exposed a complex interplay of vulnerabilities, some stemming from intrinsic pitfalls of data-driven AI and others arising from its unsafe integration into real-world applications. Integrating AI inevitably increases the threat landscape of a system, but the exact implications can be hard to predict. The goal of this talk is to raise awareness about the underlying principles and challenges of security and privacy of modern AI systems, including LLMs, and to review the ongoing mitigation efforts by both academic and industry players.