OWASP Global AppSec EU 2026 Vienna

Come visit our table in the Expo Hall for books, games, and merch

Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks for the event as we welcome you and provide a few key details to provide you with a roadmap to a successful time with us!

In security, it is important to understand the whole chain: from regulation to business risk, to requirement, to code example, to vulnerability, to test method, to tool configurations. However, so far there hasn’t been a solid way to interconnect standards, documentation, and tooling. Standards writers often work in isolation, and tooling authors rightly focus on quality results instead of comprehensive information about those results.

The open source initiative OpenCRE.org connects all these sources of information: It links topics across multiple standards, including the Top 10, ASVS, Pro-active controls, Testing guide, Cheat sheets, SAMM, SSDF, ISO27001, CSA CCMv3, CWE, CAPEC, PCI-DSS, NIST 800-53 and 63b. It further links code samples and offensive tooling configurations or rules. That way it serves as a universal translator, to connect every role involved: executive, compliance officer, procurement, architect, developer,and tester.

This talk takes you through how openCRE.org works, how we have brought all these standards together, how we used AI in a revolutionary way, and how you can benefit in your work as a manager, builder, breaker, buyer, or standard maker!

The intended audience for this talk is anyone involved with Application Security and looking for an easy-to-use guide, mapping standards to regulations to code and configurations.

One more Global AppSec event.
You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor.

What if you could use the event to also meet a potential mentor, or mentee?
What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with?

We are inviting you to an OWASP Global AppSec activity: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”, start a conversation, and see if it is a match.

Mobile application penetration tests can be challenging. In order to find vulnerabilities in the OWASP MAS Testing Profile L2, security testers have to simulate attacks on compromised devices. When apps protect themselves with advanced static and dynamic hardening techniques, security testers often rely on instrumentation in order to assess the security of the app at runtime.

This talk will present some of these challenges as seen in real world mobile apps and then present “frooky”, a Frida-powered hook runner based on structured I/O. This tool was consolidated together with OWASP MAS leadership and released as a standalone project for OWASP MASTG. We will show you what it can do, how it was developed and how you can use it for any mobile app penetration testing efforts in general.

This talk presents the OWASP AI Testing Guide as a practical extension of traditional application security methodologies for AI and LLM-based systems. It shows how AppSec engineers can systematically identify, model, and test AI-specific risks using an OWASP-aligned approach, rather than relying on ad hoc assessments or vendor claims.

The session starts with an architecture-driven threat modeling process for AI systems, decomposing LLM applications into application, model, data, and infrastructure layers. Using OWASP LLM Top 10 and threat modeling of AI System and Agent AI architectures, the talk demonstrates how AI attack surfaces and threat scenarios can be identified and mapped to concrete security risks. These threats are then mapped to testable hypotheses using the OWASP AI Testing Guide, bridging the gap between threat modeling and hands-on security testing.

Through real-world examples, the talk explores how common AI vulnerabilities manifest in practice, including prompt injection, jailbreak techniques, sensitive data exposure, model misalignment, hallucinations, RAG pipeline abuse, and agent workflow exploitation.
The audience will see how these issues can be tested in LLM-based applications using OWASP AITG test cases, OWASP LLM Top 10 payloads, and common AppSec and AI toolings.

The session concludes by showing how AI security testing can be integrated into MLSecOps. It highlights how organizations can move from intuition-based AI security to evidence-based risk validation, positioning OWASP AITG as a foundational methodology for securing AI systems within modern application security programs.

The key message of the talk is that trustworthy AI is not achieved through design assumptions or policy statements, but through systematic, repeatable testing aligned with OWASP principles.

AI systems face threats that traditional application security standards weren't built to address. This includes prompt injection, training data poisoning, model extraction, agentic autonomy risks, and more. The OWASP AI Security Verification Standard (AISVS) provides 400+ testable requirements across 14 chapters, covering everything from input validation and model lifecycle management to MCP protocol security and autonomous agent controls. This lightning talk introduces the standard's structure, its three verification levels, and how security teams can use it today to assess and harden AI-powered applications. We'll show where AISVS fits alongside existing frameworks like ASVS, NIST AI RMF, and ISO 42001 and where it deliberately doesn't overlap.

This talk introduces a new Frida frontend for macOS and iOS, designed as an interactive, persistent environment for exploring live processes.

It supports local and remote targets, long-lived sessions that survive crashes, and saved documents you can return to later. Built around this core model are a REPL, a code tracer, a powerful editor with completion and inline documentation, a persistent notebook, package management, and built-in collaboration.

We’ll walk through the motivation and architecture behind the frontend, and demo how a more stateful, GUI-driven approach opens up new workflows for dynamic instrumentation—without naming names (yet).

In this session, I´ll show you how to sreamline the identification of security requirements associated with user stories in agile methodologies Using OWASP Cornucopia. Here you´ll se how to integrate User Stories with Cornucopia Cards and with ASVS as an security requirements and the defects that may arise if the security requirements are not properly considered or implemented. At the beginning ,we will explore two concepts I used to create this different way of playing OWASP Cornucopia and scaling it in agility, complementing the architecture-based threat model: Evil User Stories Modeling and Secure Scrum. All of this to apply the principle Security Just in Time for design a single product backlog that integrates security functionalities and controls into user stories avoiding the creation of a cybersecurity parallel backlog.

OWASP's flagship project, AI Exchange, is the world's AI security guide.

300+ pages of free, constantly-evolving, practical guidance on securing AI systems. It covers the fundamentals and represents the closest publicly available alignment of global expert consensus, feeding directly into the AI Act and ISO standards through a unique SDO partnership.

Come mingle with attendees and exhibitors AND have the chance to win prizes during OWASP Jeopardy with Jerry Hoff!