OWASP Global AppSec EU 2026 Vienna

Most AppSec programs fail not because people disagree with security, but because security competes with habits that are already winning. Developers don’t wake up wanting to threat-model or review alerts - they wake up wanting to ship.

In this talk, we’ll stop trying to “convince” people to care about security and instead learn how to design AppSec activities so they naturally stick. Using proven techniques from behavioural science, you’ll learn how to create a quiet, behind-the-scenes plan that turns security tasks into habits - without mandates, enforcement, or friction-heavy processes.

We’ll explore how to reduce friction, align incentives, and embed security into existing workflows, so secure behavior becomes the default. This is not about more policies or awareness training. It’s about building a deliberate, ethical “secret plan” that makes AppSec activities feel wanted, automatic, and hard to avoid - in the best possible way.

Enforcing security policies at enterprise scale is challenging, and it's becoming more so with rapid delivery cycles and AI-assisted development. Many organisations adopt policy-as-code to improve security and compliance but realise that, despite the solution’s technical soundness, exceptions multiply and teams quietly work around enforcement to meet delivery targets, with little real improvement in security outcomes.

This talk shares a real-world story of rolling out policy-as-code enforcement across an organisation with several thousand developers. It highlights not only the technical architecture of the enforcement system but also the organisational changes required to ensure its sustainability.

You’ll find out how security policies were defined, versioned, and consistently enforced across CI/CD pipelines. This talk also covers how enforcement points were designed and how feedback loops were built and embedded in the organisation to reduce friction. The session also explores how bypasses and exceptions were handled consistently at scale, and how validation was treated as an organisational assurance problem rather than just a tooling concern.

The talk offers vendor-neutral solutions and practical patterns, lessons learned, and design principles that attendees can adapt to their own environments.

Have you heard about “security champions programs” that seem to be gaining popularity these days? Maybe your company is running such a program, yet you doubt its effectiveness, wondering if it’s worth sustaining? The thing is, you might not be the only one asking these questions. Let’s hear from security and champions alike.

Mireia is a security engineer focused on application security who has created and run security champions programs, and has seen them both fail and succeed. Lisi worked in development teams for a long time, became a security champion and later switched gears to security engineering. Both of us were in the trenches, on opposite sides - and both of us tried to build a strong bridge between security and engineering teams.

In this talk, we’ll have our two perspectives merge and draw lessons from our attempts. Both security engineers and champions need clarity on what’s expected from them to sustain the program. Both benefit from nurturing a strong community to increase resilience. Both need to dare to be vulnerable in acknowledging what’s wrong in our systems and processes so we can grow.

None of us can operate effectively alone. Tossing a rope from security to development teams is not enough to establish security champions. Instead, let’s build this bridge together from both ends to make it strong, sustainable and scalable.

This session highlights our 6-year journey of building and sustaining a Security Community of Practice (CoP) from the ground up. We shifted from a project-centric organization with detailed, mandatory quality gates to an Agile model. This challenged us to scale and approach our self-reliant tribes in a new way. We will share which concepts worked and which were scrapped after initial trials. Additionally, we will deep dive into how we used CTFs for continuous content creation usingself developed and readily available challenges. We evolved from a manual "mail-in your solutions" approach to leveraging platforms like OWASP Juice Shop and OWASP UnCrackable Apps, creating a consistent content source and an engaging game experience for all our Security Champions.

Drawing on large-scale telemetry from real-world production environments, this talk examines what modern application and supply-chain security actually look like in 2025–2026. The data paints a clear picture: many organizations ship vulnerable dependencies, exposed secrets remain surprisingly common, infrastructure logging is frequently incomplete, and malicious packages can reach production environments.

We’ll connect these observations to recent supply-chain incidents, from SolarWinds to self-replicating npm worms, and explore why vulnerabilities often persist long after disclosure. More importantly, we’ll discuss which security controls measurably reduce risk in practice, and which tend to generate noise without improving outcomes.

This talk focuses on the gap between defensive effort and attacker leverage - where defenders lose time, and where attackers gain scale.