OWASP Global AppSec EU 2026 Vienna

As organizations grow, application security often becomes more painful but not more effective. Vulnerabilities recur, engineers feel blocked, and security teams struggle to scale. These failures are rarely caused by careless engineers or missing tools — they are symptoms of broken systems.

In this talk, we examine why AppSec fails to scale, particularly in growing teams and startups, and why adding more guidelines, scanners, or training usually makes the problem worse. Instead, let's approach application security as a sociotechnical system shaped by incentives, defaults, ownership boundaries, and feedback loops.

In this session, you will hear about common failure modes such as compliance-driven security, misplaced responsibility, and metrics that reward activity instead of risk reduction. Then hear about practical strategies for fixing the system: shifting security into platforms and defaults, reducing cognitive load for engineers, and aligning AppSec goals with delivery pressure and business constraints.

If you’ve ever wanted to make AppSec relatable to your developers, your business stakeholders, etc…

If you want to hear an example of security flaws in a digital-physical system and how AppSec practices apply…

If you want to hear a funny story about my student-years shenanigans and maybe reminisce about your own…

Then this is the talk for you.

Security is often taught through theory, but some of the most powerful lessons come from lived experience even when that experience involves some very questionable ethics.

I will share with you the story of how I, a broke university student, reverse engineered and exploited a parking system to get free parking for a whole school year.

But this talk isn’t just a funny story, it’s about the lessons about AppSec that it taught me. And the realization that AppSec failures can have an impact on the physical world, and will even more so in the future as our physical environments become more intertwined with technology. The current example is minor and relatively harmless, but the implications of AppSec failures could have been far more serious in a different setting.

We’ll dissect this real-world exploit and how the vulnerabilities directly map to application security. Then each aspect will be mapped to the relevant CWEs, OWASP Top 10 categories and OWASP SAMM practices.

I will leave you with one activity that would have likely prevented the issues in the aforementioned system, and that I believe should be implemented in all organizations without exception.

Many AppSec programs fail because they try to run before they can walk. But in the world of ever changing attack surface, the truth is - Slow is smooth, smooth is fast, and 'smooth' is how we actually ship secure software at the speed of business.

This presentation outlines our multi-phased methodology for establishing an AppSec program. This approach emphasizes incremental, measurable, and sustainable goals throughout the journey. I will share ‘why, what and how’ of each major business-tailored adoption of frameworks like OWASP SAMM, Security Champions Guide and open source solutions. This talk will cover both cultural and technical aspects of the program, ranging from pushback from development to customization of language-specific-SAST policies to measuring the value with KPIs.

Application security practitioners will be able to use the strategy shared in this talk to build and scale the AppSec program aligned with their business goals.

Application Security engineers face a critical challenge: information overload from disparate security tools create “decision paralysis”. How do you balance design reviews, threat modeling, code reviews, monitoring alerts and managing your bug bounty program in an intentional instead of ad-hoc or reactive way?

This presentation demonstrates a novel approach using AI agents combined with Model Context Protocol (MCP) servers to automate work discovery and prioritize intelligently. Through practical examples, I'll show how Claude Code integrates with existing enterprise infrastructure—including issue tracking systems, content management platforms, Cloud Security Posture Management (CSPM) tools, and version control systems—to create an autonomous triage and prioritization engine.

You'll see how AI agents can pull together security data from all your different tools, figure out what actually matters based on your business context and threat intel, and spit out a prioritized to-do list that makes sense. I'll walk through real examples showing how this approach cuts down remediation times and helps you cover more ground with the same resources.

Agile software development and IT security share the goal of delivering reliable, robust software, yet they often collide in practice. Security validation is still frequently deferred to the end of the development lifecycle, producing findings too late to be effectively addressed. Under delivery pressure, this can lead to defensive reactions toward security activities and tools. This talk explores why security issues are detected yet may not be processed soon and shows how integrating security early and continuously can transform friction into collaboration.