Friday, June 26
 

8:30am CEST

Coffee/tea
Friday June 26, 2026 8:30am - 9:00am CEST
Expo Hall X1

9:00am CEST

Opening Remarks
Friday June 26, 2026 9:00am - 9:15am CEST
Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks, where we welcome you and share a few key details that give you a roadmap to a successful time with us!
Friday June 26, 2026 9:00am - 9:15am CEST
Hall D (Level -2)
  Keynote

9:15am CEST

Keynote: We Live in the Future: The Death and Rebirth of Application Security
Friday June 26, 2026 9:15am - 10:00am CEST

Speakers
Gadi Evron

Founder and CEO, Knostic
Gadi Evron is Founder and CEO at Knostic, an AI agent security company, CISO-in-Residence for AI at CSA, and chairs the [un]prompted conference. Previously, he founded Cymmetria (acquired), was the Israeli National Digital Authority CISO, founded the Israeli CERT, and headed PwC's... Read More →
Friday June 26, 2026 9:15am - 10:00am CEST
Hall D (Level -2)
  Keynote

10:00am CEST

AM Break in Expo Hall
Friday June 26, 2026 10:00am - 10:30am CEST
Expo Hall X1

10:00am CEST

Bob the Breaker: Welcome to the Jungle! (Sponsored by Nokod Security)
Friday June 26, 2026 10:00am - 2:00pm CEST

The jungle is thick, the paths are tangled, and Bob the Breaker is already deep inside.

Behind polished apps and smooth workflows lies a wild terrain of permissions, hidden data, and newly unleashed AI agents roaming freely through the system.

Vines of automation twist everywhere, secrets hide beneath the canopy, and Bob has been swinging from one weak spot to the next, uncovering what was never meant to be found.

Follow Bob into the canopy, capture the flags, and out-hack the competition.

Swing by the Nokod booth Thursday June 24 (10:15, 13:00, 16:00) to catch live vulnerability demos and grab clues to help you navigate the CTF jungle.
Friday June 26, 2026 10:00am - 2:00pm CEST
TBA
  Bonus Track

10:00am CEST

OWASP Official Store: Come explore books, games and merch (or Explore CyberSec Games, OWASP books and official merch)
Friday June 26, 2026 10:00am - 4:00pm CEST
Come visit our table in the Expo Hall for books, games, and merch
Friday June 26, 2026 10:00am - 4:00pm CEST
  Bonus Track

10:30am CEST

When Museums Get Hacked: OWASP Top 10 Lessons from Heists
Friday June 26, 2026 10:30am - 11:00am CEST
Historically (pun intended) the OWASP Top 10 has been a standard awareness document for developers and web application security. However, its mitigation strategies can transcend history and be applied to critical infrastructures under attack, *exempli gratia* museums.

In this talk, we’ll explore the newest OWASP Top 10 (released in November MMXXV) through the lens of famous Museum heists (Louvre, you are not alone) — a narrative journey through security blind spots, sneaky exploits, and lack of awareness.
Speakers
Jose Carlos Chávez

Security Software Engineer, Okta
José Carlos Chávez is a Security Software Engineer at Okta, an OWASP Coraza co-leader and a Mathematics student at the University of Barcelona. He enjoys working in Security, compiling to WASM, designing APIs and building distributed systems. While not working with code, you can... Read More →
Friday June 26, 2026 10:30am - 11:00am CEST
Room -2.82 (Level 2)

10:30am CEST

From ASVS to APVS: What Changes When You Treat Privacy as a System Property?
Friday June 26, 2026 10:30am - 11:15am CEST
Privacy is increasingly expected to be “built in by design”, yet most privacy guidance remains legal, abstract, or disconnected from how systems are actually designed and reviewed. As a result, privacy is still treated as a compliance exercise rather than an engineering discipline.

In this talk, we share early lessons from the OWASP Privacy Project and our work on the Application Privacy Verification Standard (APVS). Drawing on familiar AppSec concepts such as ASVS, threat modeling, and weakness classification, we explore what changes when privacy is treated as a system property rather than a checkbox.

We discuss where traditional security controls fall short, how privacy risks can exist without attackers or breaches, and how we are translating high-level privacy principles into actionable guidance for architects and developers. This is not a finished standard, but a candid look at what works, what doesn’t, and where practitioner feedback is essential as the project evolves.
Speakers
Matthew Coles

Product Security Architect/Technologist

Matthew Coles is a Product Security Architect and Technologist with 20+ years experience working with business leaders and developers to secure hardware and software systems and processes. He is a technical contributor to community standard initiatives such as OpenSSF and OWASP, a... Read More →
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling... Read More →
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often... Read More →
Friday June 26, 2026 10:30am - 11:15am CEST
Hall D (Level -2)

10:30am CEST

Keep It Between Us: Manipulating Humans for Better AppSec (Ethically)
Friday June 26, 2026 10:30am - 11:15am CEST
Most AppSec programs fail not because people disagree with security, but because security competes with habits that are already winning. Developers don’t wake up wanting to threat-model or review alerts - they wake up wanting to ship.

In this talk, we’ll stop trying to “convince” people to care about security and instead learn how to design AppSec activities so they naturally stick. Using proven techniques from behavioural science, you’ll learn how to create a quiet, behind-the-scenes plan that turns security tasks into habits - without mandates, enforcement, or friction-heavy processes.

We’ll explore how to reduce friction, align incentives, and embed security into existing workflows, so secure behavior becomes the default. This is not about more policies or awareness training. It’s about building a deliberate, ethical “secret plan” that makes AppSec activities feel wanted, automatic, and hard to avoid - in the best possible way.
Speakers
Nariman Aga-Tagiyev

Founder & AppSec Architect, SecureHabits

Founder & AppSec Architect at SecureHabits, OWASP SAMM core team member, ISO/IEC 27034 working group liaison. Nariman Aga-Tagiyev is an Application Security Architect with 20+ years of experience in software development. Since 2016, he has focused on advancing SSDLC maturity and building... Read More →
Friday June 26, 2026 10:30am - 11:15am CEST
Hall K2 (Level -2)

10:30am CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output safety controls, showing what "verify that" looks like in practice against running systems. Participants will leave with a working understanding of how to scope an AI security assessment, select appropriate verification levels, and apply AISVS requirements to LLM-based applications, autonomous agents, and MCP-connected tool ecosystems. Bring a laptop if you want to follow along.
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security... Read More →
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you... Read More →
Otto Sulin

Head of Security, Supermetrics


Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses... Read More →
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)

11:00am CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM
Friday June 26, 2026 11:00am - 11:30am CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software... Read More →
Friday June 26, 2026 11:00am - 11:30am CEST
Room -2.82 (Level 2)

11:30am CEST

Using OWASP SAMM and OWASP DSOMM together in practice
Friday June 26, 2026 11:30am - 12:00pm CEST
Security is widely recognized as one of the top global risks, yet many organizations struggle to manage that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools.

Within the OWASP community, two mature models exist to support application security programs: the OWASP Software Assurance Maturity Model (SAMM) and the OWASP DevSecOps Maturity Model (DSOMM). However, practitioners frequently struggle to understand how these models differ, where they overlap, and how they should be applied in practice. As a result, SAMM and DSOMM are often perceived as competing frameworks. Moreover, their breadth and depth can be overwhelming for teams encountering them for the first time, reinforcing the myth that they must choose one or the other.

This talk provides a structured, high level introduction to both OWASP SAMM and OWASP DSOMM, focusing on their shared principles as well as their key differences. By introducing a simple taxonomy of security scopes, the session explains why multiple security frameworks are necessary and clarifies where SAMM and DSOMM each fit. SAMM is positioned as a model focused on organizational security capabilities and application program maturity, supporting management and strategic decision making, while DSOMM focuses on DevSecOps implementation and operational practices, providing concrete guidance for technical teams and engineering workflows.

This session concludes with a practical case study of a SaaS organization, illustrating how SAMM and DSOMM can be used together to create a coherent improvement roadmap. The case study demonstrates how organizations can start small, avoid boiling the ocean, and use both models in tandem to achieve structured, practical, and sustainable improvements in application security.
Speakers
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software... Read More →
Timo Pagel

Security architect, DevSecOps Consultant, DevSecOps Strategist
Timo has been in the IT industry for over twenty years. After being a system administrator and web developer in his early times, he became involved in OWASP. He now advises his clients on DevOps security, either as a strategist, hands on or as a trainer, with the focus on security... Read More →
Friday June 26, 2026 11:30am - 12:00pm CEST
Room -2.82 (Level 2)

11:30am CEST

Enforcing Application Security Policies at Scale: Lessons from an Enterprise Rollout
Friday June 26, 2026 11:30am - 12:15pm CEST
Enforcing security policies at enterprise scale is challenging, and it's becoming more so with rapid delivery cycles and AI-assisted development. Many organisations adopt policy-as-code to improve security and compliance but realise that, despite the solution’s technical soundness, exceptions multiply and teams quietly work around enforcement to meet delivery targets, with little real improvement in security outcomes.

This talk shares a real-world story of rolling out policy-as-code enforcement across an organisation with several thousand developers. It highlights not only the technical architecture of the enforcement system but also the organisational changes required to ensure its sustainability.

You’ll find out how security policies were defined, versioned, and consistently enforced across CI/CD pipelines. This talk also covers how enforcement points were designed and how feedback loops were built and embedded in the organisation to reduce friction. The session also explores how bypasses and exceptions were handled consistently at scale, and how validation was treated as an organisational assurance problem rather than just a tooling concern.

The talk offers vendor-neutral solutions and practical patterns, lessons learned, and design principles that attendees can adapt to their own environments.
Speakers
Mehran Koushkebaghi

Head of Product Security, Nationwide Building Society

Mehran is a Chartered Engineer with over 18 years of experience across software, security, and civil engineering. He approaches application security as a systemic concern, using a systems-thinking lens to understand how technical controls, organisational structures, and human behaviour... Read More →
Friday June 26, 2026 11:30am - 12:15pm CEST
Hall K2 (Level -2)

12:15pm CEST

Lunch in Expo Hall
Friday June 26, 2026 12:15pm - 1:15pm CEST
Expo Hall X1

1:15pm CEST

OWASP Mobile Application Security (MAS) Project Updates
Friday June 26, 2026 1:15pm - 1:45pm CEST
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) Beta and the MASTG (Mobile Application Security Testing Guide) v2. We’ll share the progress on the creation of new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies.

A major highlight will be a new Frida-based tool for dynamic analysis of Android and iOS apps. It is based on JSON hook files, which allow a consistent and simple testing approach for the OWASP MAS demos and during assessments.

Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills and stay ahead in mobile security!
Speakers
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications... Read More →
Friday June 26, 2026 1:15pm - 1:45pm CEST
Room -2.82 (Level 2)

1:15pm CEST

Security Champions: Lessons from Opposite Trenches
Friday June 26, 2026 1:15pm - 2:00pm CEST
Have you heard about “security champions programs” that seem to be gaining popularity these days? Maybe your company is running such a program, yet you doubt its effectiveness, wondering if it’s worth sustaining? The thing is, you might not be the only one asking these questions. Let’s hear from security and champions alike.

Mireia is a security engineer focused on application security who has created and run security champions programs, and has seen them both fail and succeed. Lisi worked in development teams for a long time, became a security champion and later switched gears to security engineering. Both of us were in the trenches, on opposite sides - and both of us tried to build a strong bridge between security and engineering teams.

In this talk, we’ll have our two perspectives merge and draw lessons from our attempts. Both security engineers and champions need clarity on what’s expected from them to sustain the program. Both benefit from nurturing a strong community to increase resilience. Both need to dare to be vulnerable in acknowledging what’s wrong in our systems and processes so we can grow.

None of us can operate effectively alone. Tossing a rope from security to development teams is not enough to establish security champions. Instead, let’s build this bridge together from both ends to make it strong, sustainable and scalable.
Speakers
Lisi Hocke

Security Engineer, DocuWare GmbH
Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she’s now fully focusing on all things product security... Read More →
Mireia Cano

Application Security Engineer, PPRO

I am a security engineer focused on application security, with over 7 years of experience. I have helped companies build their application security programs both as a consultant and as an in-house security engineer. I am passionate about fostering collaboration between development... Read More →
Friday June 26, 2026 1:15pm - 2:00pm CEST
Hall K2 (Level -2)

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By rotating realistic education-sector personas — including virtual learning environments, student records, finance/ERP, and research portals — CHAMELEON-REN aims to sustain engagement from automated scanners and adversaries that would otherwise abandon static honeypots. The demonstration will showcase the framework in action, discuss telemetry capture and structured logging, and invite participants to explore deployment recipes and community integration options.
Speakers
Adrian Winckles

Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation... Read More →
Gautam Mahesh Juvarajiya

Research Associate, The Open University, UK
Currently working as a Research Associate at the Open University, with a background in IT and an MSc in Cyber Security Engineering from the University of Warwick, UK.
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real live example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers
Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly... Read More →
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)

2:15pm CEST

Updates on the OWASP Automated Threats Project
Friday June 26, 2026 2:15pm - 2:45pm CEST
Project leaders Colin Watson and Tin Zaw announced the official release of version 1.3 of the OWASP Automated Threat Handbook on March 12, 2026.

Even after ten years, this handbook remains the go-to resource for security pros who want actionable information and resources to help defend against automated threats to web applications which abuse valid functionality. The handbook still defines twenty-one unique, unordered, OWASP Automated Threats (OATs). This latest update ensures it stays ahead of the curve in our rapidly shifting threat landscape.

In this session, I will share updates on version 1.3 and, more importantly, discuss our progress toward version 2.0 of the handbook.

With the rise of Agentic AI, which is automated by nature, the project is seeking to better understand how this specific traffic impacts web applications. Audience participation and input are highly encouraged.
Speakers
Tin Zaw

Director, Security Solutions, Project Leader, OWASP Automated Threats Project
Tin Zaw has been an OWASP volunteer since 2010, starting as the president of Los Angeles chapter for 3 years. Since 2015, he's been a co-leader of the OWASP Automated Threats Project. Along with Colin Watson, they have released versions 1.2 and 1.3 of the handbook and are working... Read More →
Friday June 26, 2026 2:15pm - 2:45pm CEST
Room -2.82 (Level 2)

2:30pm CEST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Friday June 26, 2026 2:30pm - 3:15pm CEST
Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
Speakers
Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously Datadog, at Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a master's degree... Read More →
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often... Read More →
Friday June 26, 2026 2:30pm - 3:15pm CEST
  Bonus Track
  • Audience All
  • About: Izar Tarandach is Sr. Principal Architect at SiriusXM and co-author of *Threat Modeling: A Practical Guide for Development Teams*. He pioneered Continuous Threat Modeling and contributes to projects like OWASP PyTM and the CycloneDX TMBOM. A frequent speaker and podcast host, Izar focuses on making security practical, scalable, and developer-friendly.

2:45pm CEST

OWASP Nettacker Project
Friday June 26, 2026 2:45pm - 3:15pm CEST
The OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features, for example the ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing.
Speakers
Sam Stepanyan

OWASP London Chapter Leader
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions... Read More →
Arkadii Yakovets

Cybersecurity Lead (OWASP Nest, OWASP Nettacker)
Arkadii Yakovets is a cybersecurity lead specializing in secure application development and DevSecOps. Since joining OWASP in 2023, he has served as a leader and active contributor to the OWASP Nest and OWASP Nettacker projects. Arkadii has mentored over 10 students through Google... Read More →
Friday June 26, 2026 2:45pm - 3:15pm CEST
Room -2.82 (Level 2)

3:00pm CEST

PM Break in Expo Hall
Friday June 26, 2026 3:00pm - 3:30pm CEST
Expo Hall X1

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software... Read More →
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most importantly — how you can get involved. Whether you've never heard of ISO/IEC JTC 1/SC 27 or you've been curious about how standards actually get written, this is your chance to ask questions, see the current work program, and find out where your expertise fits.
Speakers
Matt Houseman

OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international... Read More →
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
 