OWASP Global AppSec EU 2026 Vienna

The OWASP Top Ten has been one of the most influential resources in application security for more than two decades — shaping training, security programs, and procurement decisions around the world. In this session, we’ll unveil the newest edition of the OWASP Top Ten Critical Risks to Web Applications, explain how it was built through community input and real-world data, and show what these changes mean for you.

We will cover all ten risks, focusing more time on the new and expanded items, as well as covering 3 ‘honourable mentions’ (#11, #12, and one that we do not have data to support). We’ll wrap up with practical guidance on how to use the Top Ten in your own programs (not as a compliance checklist, but as a strategic awareness tool).

Whether you’re an application security engineer, developer, or in management, this is your chance to get ahead of the curve and help shape the conversation: the writing is open for comment, and your feedback will make a difference.

If you’ve ever wanted to make AppSec relatable to your developers, your business stakeholders, etc…

If you want to hear an example of security flaws in a digital-physical system and how AppSec practices apply…

If you want to hear a funny story about my student-years shenanigans and maybe reminisce about your own…

Then this is the talk for you.

Security is often taught through theory, but some of the most powerful lessons come from lived experience even when that experience involves some very questionable ethics.

I will share with you the story of how I, a broke university student, reverse engineered and exploited a parking system to get free parking for a whole school year.

But this talk isn’t just a funny story, it’s about the lessons about AppSec that it taught me. And the realization that AppSec failures can have an impact on the physical world, and will even more so in the future as our physical environments become more intertwined with technology. The current example is minor and relatively harmless, but the implications of AppSec failures could have been far more serious in a different setting.

We’ll dissect this real-world exploit and how the vulnerabilities directly map to application security. Then each aspect will be mapped to the relevant CWEs, OWASP Top 10 categories and OWASP SAMM practices.

I will leave you with one activity that would have likely prevented the issues in the aforementioned system, and that I believe should be implemented in all organizations without exception.

This is a review of recent mobile app security incidents I work on day to day. We’ll walk through concrete cases from banking, food delivery, and e-commerce to break down how the breaches happened.

By the end, you’ll have a clearer sense of which security practices hold up in modern mobile apps and which ones fail in practice. You’ll also learn what commonly introduces vulnerabilities and where to find secure practices that actually work.

Whichever public cloud you use, there are literally hundreds of assignable permissions — and while everyone quotes the ideal of “least privilege,” just when the deadline looms it becomes far too tempting to grant “just one more permission.” Before you know it, your developer teams and service accounts are swimming in high privileges.

In this session we’ll start from the basics of structured permission management, then go deeper — all the way to time-limited access, rule-based privileged-access workflows, and on-demand role elevation. We won’t rehash each cloud provider’s security guide; instead, we’ll deliver pragmatic, maintainable, and flexible guidelines that balance solid permission hygiene with the realities of tight deadlines.

This talk is targeted at security engineers, cloud engineers or anyone just looking for a point to start organizing and structuring their permission approach.

AI is becoming increasingly embedded in threat modeling processes. Some organizations now claim that threat modeling can be performed entirely by AI. This appears to be a natural progression, given the growing use of AI in software development itself.

Before the current wave of AI adoption, the Threat Modeling Manifesto (TMM) was developed, drawing inspiration from the Agile Manifesto. It distilled years of practitioner experience in application security into a short, actionable document. The TMM emphasizes values such as a culture of finding and fixing design issues, people and collaboration over tools, and a journey of understanding rather than a static security snapshot.

This talk examines how AI-assisted threat modeling can diverge from these values through five recurring anti-patterns. These include treating AI as the hero threat modeler, de-emphasizing human collaboration and input, prioritizing snapshots over the journey of understanding, delegating creativity to AI, and favoring exhaustive enumeration over deliberate discussion.

The session then explores three silent failure modes that frequently emerge in the presence of these anti-patterns: hallucination, automation bias, and the illusion of completeness. Together, they produce threat models that appear finished and authoritative, while concealing subtle errors, weakening shared understanding and ownership, and failing to create the motivation needed for people to act.

Finally, the talk synthesizes emerging best practices observed across real-world AppSec teams. These include using AI as a facilitator rather than an authority, designing explicitly for disagreement and multiple viewpoints, and structuring processes that increase meaningful human participation and understanding.

Attendees will leave with a practical framework for adopting AI-assisted threat modeling that helps teams avoid silent failures, preserve human judgment and collaboration, and use AI to generate output that gets understood and acted upon.