Tuesday, June 23
 

9:00am CEST

1-Day Training: Build your AppSec Program with OWASP SAMM (Tuesday only)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

1-Day Training: Tuesday, June 23
Trainer: Aram Hovsepyan
Level: All

Please note that this 1-day training course takes place on TUESDAY, not Wednesday like our other 1-day training courses. 

Application security has become synonymous with a vulnerability management program driven primarily by tools. This view is flawed. As many teams and organizations have already found out, tools often end up creating more problems than solutions. Any decent application security program starts with people knowing their roles and responsibilities. The team is then given friction-free processes to work with. Tools are brought in to streamline those processes and provide additional guardrails.

OWASP's Software Assurance Maturity Model (SAMM) is a high-level solution for building exactly this kind of program. This interactive training will give you a deep understanding of OWASP SAMM and show you how to apply it in real-world scenarios. Through expert-led sessions and hands-on exercises, you will learn how to embed security into every phase of the software development lifecycle. You will also gain a clear view of how SAMM naturally prepares you for upcoming regulations such as the EU Cyber Resilience Act. Finally, we will cover some aspects of how using LLMs to write code fits into the context of SAMM.

Participants will leave the training with:
- A comprehensive understanding of OWASP SAMM and its application in real-world organizations and teams.
- Experience performing OWASP SAMM assessments, setting improvement targets, and prioritizing those improvements.
- Insights into scoring and benchmarking to demonstrate progress and align efforts with organizational objectives.
- A practical understanding of how OWASP SAMM aligns with the expectations of the EU Cyber Resilience Act.
- An interactive learning experience through hands-on exercises.
- An understanding of the implications of using AI to write code in the context of SAMM.
Speakers

Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...

9:00am CEST

3-Day Training: Web Application Security Essentials
Tuesday June 23, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Introductory and Overview
Trainer: Fabio Cerullo


To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Introduction
Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily.
As AI tools accelerate software development, code is being generated faster than ever before. Yet every line, human-written or AI-generated, still carries risk. This three-day instructor-led course gives participants the knowledge and practical experience to recognise vulnerabilities, understand how exploitation works, and assess potential impact.
Aligned with the latest OWASP Top 10 2025, the course provides an in-depth exploration of each key risk, illustrated through demonstrations and guided labs.
Participants will learn how attackers think, how vulnerabilities are introduced, and how to recognise and validate them, preparing them to collaborate effectively with developers and security teams in future remediation work.

Format
You will begin by exploring common web application vulnerabilities before gaining access to a purpose-built lab environment containing the very bugs and coding errors discussed in class. This provides an ideal, safe setting to observe and exploit these vulnerabilities using open-source tools and techniques, bridging the gap between theory and real-world practice.
This practical approach builds the confidence and analytical skills needed to identify and assess security risks effectively. Sessions encourage active participation, group discussions, and collaboration, allowing you to share insights and learn from peers across disciplines.

Course Outline
1. Introduction to Web Application Security
2. Technologies Used in Web Applications
3. Tools Used During the Course
4. Critical Areas in Web Applications: OWASP Top 10 2025
5. Broken Access Control (A01:2025)
6. Security Misconfiguration (A02:2025)
7. Software Supply Chain Failures (A03:2025)
Speakers

Fabio Cerullo

Managing Director, Cycubix
Fabio Cerullo is a seasoned cybersecurity trainer and consultant with over 15 years of industry experience across financial services, government, startups, and software companies. He has delivered training to thousands of developers and security professionals worldwide, with a focus...