Venue: Room -2.33 (Level -2)
Friday, June 26
 

10:30am CEST

OWASP Certified Secure-Software Developer (Call for Contributors)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 4

The OWASP Certified Secure-Software Developer (OCSD) certification project is aimed at developing a certification program for developers.

This presentation will take the audience through the journey of OCSD and the progress made so far, and will include a call for contributions. This session seeks to answer common questions about the relevance of the certification in a world where applications are stood up in a matter of hours using Claude / AI.

We would like to demonstrate the relevance of OCSD in the face of development / coding carried out with the help of AI / tools. We have the curriculum content and have added references from the OWASP body of knowledge. We would like to make a call for contributions to review the curriculum and the references and to add supplementary reading material.
Speakers
Shruti Kulkarni
OWASP OCSD, Information Security Architect
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information...

10:30am CEST

OWASP CycloneDX Sunshine: see CycloneDX SBOMs come to life & chat with them (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3
 
Ever looked at a CycloneDX file and thought, there’s gotta be a better way to read this? You're not alone. In late December 2024 OWASP CycloneDX unveiled a brand new SBOM visualization tool called Sunshine - a first-of-its-kind visualization tool that transforms static CycloneDX SBOM files into intuitive, interactive experiences.

Sunshine lets you explore software components, dependencies, vulnerabilities, and licenses like never before. As an open-source tool under the Apache 2.0 license, it's accessible to everyone. Designed with a privacy-first approach, all processing happens client-side, ensuring your SBOM data remains entirely within your browser.

Presented for the first time at OWASP AppSec EU 2025, since then many new features have been released and will be showcased at OWASP AppSec EU 2026:
- Advanced filters, to let you focus and prioritize according to your own personal criteria
- Ability to easily identify and analyse n-tier dependencies within the SBOM
- "Query my SBOM" feature: an integrated full fledged SQL engine to let you literally query your SBOM in a powerful yet simple way - and export results in CSV
- Thanks to the invaluable community feedback and support, compatibility and stability have been largely improved, now being able to seamlessly analyze big and complex SBOMs
- Last but not least: during the conference a brand new exciting feature will be presented: "Chat with my SBOM", a privacy-first LLM-based AI chatbot entirely running in your browser (no server side components involved), that will empower you to get information from your SBOM in a convenient conversational way.

Join us for a hands-on walkthrough of Sunshine, where you’ll get to see it in action — not just slides. You will see how Sunshine helps developers, security pros, and even less-technical stakeholders actually understand what's in a software bill of materials.
Speakers
Luca Capacci
Staff Application Security Engineer, Ivanti
Luca received his master's degree in Computer Engineering from the University of Bologna back in 2014 and he has been working in the cybersecurity field since then. Currently he is a Senior Application Security engineer at Ivanti. Since December 2024 he is also a maintainer at OWASP...
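The "Query my SBOM" feature and the n-tier dependency view above rest on one idea: a CycloneDX document is a small relational dataset (components, licenses, a dependency graph, vulnerabilities), so once it is flattened into tables the interesting questions become plain SQL. The following is an added example, not Sunshine's code: the table layout, the helper functions and the sample SBOM are this example's own constructions, and it uses SQLite rather than the in-browser engine the tool ships.

```python
"""Flatten a CycloneDX JSON SBOM into SQLite and query it with plain SQL.

Added example for the "Query my SBOM" / n-tier dependency idea. It is not
Sunshine's code: the table layout, the query helpers and the sample SBOM
are this example's own constructions.
"""
import json
import sqlite3

# Constructed sample SBOM: three third-party components, a four-level dependency
# chain and one vulnerability affecting the deepest component.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "webapp", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:a", "name": "liba", "version": "2.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:b", "name": "libb", "version": "0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:c", "name": "libc-deep", "version": "4.4.1"}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["pkg:a"]},
    {"ref": "pkg:a", "dependsOn": ["pkg:b"]},
    {"ref": "pkg:b", "dependsOn": ["pkg:c"]},
    {"ref": "pkg:c", "dependsOn": []}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg:c"}]}
  ]
}
""")

SCHEMA = """
CREATE TABLE component(ref TEXT PRIMARY KEY, name TEXT, version TEXT);
CREATE TABLE license(ref TEXT, license_id TEXT);
CREATE TABLE dependency(parent TEXT, child TEXT);
CREATE TABLE vulnerability(id TEXT, ref TEXT, severity TEXT);
"""

# Recursive walk of the dependency graph from one bom-ref. The depth bound is the
# guard against a cyclic or malformed SBOM recursing forever.
TREE_CTE = """
WITH RECURSIVE tree(ref, depth) AS (
    SELECT ?, 0
    UNION ALL
    SELECT d.child, t.depth + 1
    FROM dependency d JOIN tree t ON d.parent = t.ref
    WHERE t.depth < 64
)
"""


def load_sbom(sbom):
    """Insert components, licenses, dependency edges and vulnerabilities into an in-memory DB."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    comps = list(sbom.get("components", []))
    root = sbom.get("metadata", {}).get("component")
    if root:
        comps.append(root)
    for c in comps:
        con.execute("INSERT OR IGNORE INTO component VALUES (?, ?, ?)",
                    (c["bom-ref"], c.get("name"), c.get("version")))
        for lic in c.get("licenses", []):
            lic_obj = lic.get("license", {})
            lic_id = lic_obj.get("id") or lic_obj.get("name") or lic.get("expression")
            con.execute("INSERT INTO license VALUES (?, ?)", (c["bom-ref"], lic_id))
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            con.execute("INSERT INTO dependency VALUES (?, ?)", (dep["ref"], child))
    for vuln in sbom.get("vulnerabilities", []):
        severity = (vuln.get("ratings") or [{}])[0].get("severity")
        for affected in vuln.get("affects", []):
            con.execute("INSERT INTO vulnerability VALUES (?, ?, ?)",
                        (vuln["id"], affected["ref"], severity))
    con.commit()
    return con


def dependency_depth(con, root_ref):
    """Map every component reachable from root_ref to its shortest depth (the n-tier view)."""
    rows = con.execute(TREE_CTE + "SELECT ref, MIN(depth) FROM tree GROUP BY ref",
                       (root_ref,)).fetchall()
    return dict(rows)


def vulnerable_components(con, root_ref):
    """Vulnerabilities actually reachable from root_ref, with how deep the affected component sits."""
    return con.execute(TREE_CTE + """
        SELECT v.id, v.severity, v.ref, MIN(t.depth)
        FROM vulnerability v JOIN tree t ON t.ref = v.ref
        GROUP BY v.id, v.ref
        ORDER BY 4, 1
    """, (root_ref,)).fetchall()


def components_by_license(con, pattern):
    """Components whose license id matches a SQL LIKE pattern, e.g. 'GPL%' or '%AGPL%'."""
    return con.execute("""
        SELECT c.ref, c.name, l.license_id
        FROM component c JOIN license l ON l.ref = c.ref
        WHERE l.license_id LIKE ?
        ORDER BY c.ref
    """, (pattern,)).fetchall()


if __name__ == "__main__":
    db = load_sbom(SAMPLE_SBOM)
    print("depths:", dependency_depth(db, "app"))
    print("reachable vulns:", vulnerable_components(db, "app"))
    print("copyleft:", components_by_license(db, "GPL%"))
```

The join against the recursive tree is what turns a flat vulnerability list into a prioritisation: a finding on a component that is not reachable from the application's root is noise, and the depth column says how many tiers down the fix has to propagate. The depth bound in the CTE is the practical caveat: SBOMs produced from real build graphs occasionally contain cycles, and an unbounded recursive query over one never returns.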

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By rotating realistic education-sector personas — including virtual learning environments, student records, finance/ERP, and research portals — CHAMELEON-REN aims to sustain engagement from automated scanners and adversaries that would otherwise abandon static honeypots. The demonstration will showcase the framework in action, discuss telemetry capture and structured logging, and invite participants to explore deployment recipes and community integration options.
Speakers
Adrian Winckles
Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation...
Gautam Mahesh Juvarajiya
Research Associate, The Open University, UK
Currently working as a Research Associate at The Open University, with a background in IT and an MSc in Cyber Security Engineering from the University of Warwick, UK.
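To make the "stimulus-driven" adaptation in the CHAMELEON-REN description concrete, here is an added illustration that is not the project's code: the persona names, their probe signatures, the Server headers and the telemetry fields are all assumptions of this example. A source's first persona-specific probe decides which education-sector persona it is shown, that choice is then kept for the source so the decoy stays consistent, and every request is recorded as a structured JSON line.

```python
"""Stimulus-driven persona selection for a web honeypot, with structured telemetry.

Added example for the CHAMELEON-REN description; it is not the project's code.
The persona names, probe signatures, Server headers and log fields are this
example's assumptions, chosen only to illustrate the adaptation idea.
"""
import json
import re
from datetime import datetime, timezone

# Each persona lists the paths a scanner tries when it believes the target is
# that kind of system, plus the surface the decoy then presents (assumed values).
PERSONAS = {
    "vle": {"probes": [r"^/moodle", r"^/login/index\.php", r"^/course/"],
            "server": "Apache/2.4.57 (Ubuntu)", "title": "University VLE"},
    "records": {"probes": [r"^/sis/", r"^/students?/", r"^/transcripts?"],
                "server": "Microsoft-IIS/10.0", "title": "Student Records"},
    "finance": {"probes": [r"^/erp/", r"^/finance", r"^/invoices?"],
                "server": "nginx/1.24.0", "title": "Finance and Procurement"},
    "research": {"probes": [r"^/research", r"^/lab/", r"^/jupyter", r"^/api/datasets"],
                 "server": "gunicorn", "title": "Research Data Portal"},
}
DEFAULT_PERSONA = "vle"   # shown to sources that never send a persona-specific probe


class AdaptiveHoneypot:
    """Assigns a persona from the first persona-specific probe a source sends, then keeps it.

    Stickiness per source is deliberate: a scanner that sees the Server header or
    page title change between two requests has an easy tell that it hit a decoy.
    """

    def __init__(self, personas=PERSONAS, default=DEFAULT_PERSONA):
        self.personas = personas
        self.default = default
        self.assigned = {}    # source address -> persona name
        self.telemetry = []   # structured records; a real deployment ships these to a SIEM

    def classify(self, path):
        """Persona whose probe signature matches the path, or None for generic requests."""
        for name, spec in self.personas.items():
            if any(re.search(pattern, path) for pattern in spec["probes"]):
                return name
        return None

    def handle(self, src, method, path, user_agent=""):
        """Serve one request: returns (status, headers, body) and records telemetry."""
        matched = self.classify(path)
        if src not in self.assigned:
            self.assigned[src] = matched or self.default
        persona = self.assigned[src]
        spec = self.personas[persona]
        # Only paths belonging to the assigned persona "exist"; anything else is a
        # 404, which keeps the decoy internally consistent under a full scan.
        status = 200 if matched == persona else 404
        headers = {"Server": spec["server"], "Content-Type": "text/html; charset=utf-8"}
        body = f"<html><head><title>{spec['title']}</title></head><body></body></html>"
        self.telemetry.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "src": src, "method": method, "path": path, "user_agent": user_agent,
            "persona": persona, "probe_matched": matched, "status": status,
        })
        return status, headers, body

    def telemetry_jsonl(self):
        """One JSON object per line, the shape most log pipelines ingest directly."""
        return "\n".join(json.dumps(rec, sort_keys=True) for rec in self.telemetry)


if __name__ == "__main__":
    hp = AdaptiveHoneypot()
    # Constructed probe sequence: one source looks for a Moodle login, another for an ERP.
    for src, path in [("203.0.113.5", "/moodle/login/index.php"),
                      ("203.0.113.5", "/erp/login"),
                      ("198.51.100.9", "/erp/login")]:
        print(src, path, hp.handle(src, "GET", path, "Mozilla/5.0 (scanner)")[0])
    print(hp.telemetry_jsonl())
```

The two design points worth carrying into any adaptive decoy are the ones the code makes explicit: adaptation happens on the first persona-specific stimulus from a source and then freezes for that source, and the rest of the namespace answers 404 rather than leaking a second persona. Both keep the honeypot from contradicting itself under a scanner that requests thousands of paths.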

1:15pm CEST

Games as tools for scaling your application security program
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Cornucopia is a card game to assist software development teams in identifying security requirements in agile software development processes. It is language-, platform-, and technology-agnostic (https://cornucopia.owasp.org). 

In this session, attendees will play OWASP Cornucopia and, through practical application, learn how to use EoP-based games for threat modeling, along with tips and tricks for scaling their threat modeling while remaining ISO27001 certified and keeping developers engaged in security requirements and design activities.

We will be playing the game differently from what we usually do. You will be taken through a provocative scenario. With the grumpy old senior developer who doesn't shift left due to too many hours working overtime on his incredibly sophisticated pet projects, what will you do? Will you be able to teach him a lesson about why security is essential, or will he be laughing all the way to his developer cave? Only truly passionate application security engineers will succeed. Expect confetti, swag (yes, you read right, swag, valued just below the corruption limit), and illegal bribes as you venture into the unknown of OWASP Cornucopia.

Most people will agree with you that security is important, but they forget what you were saying once they leave the room.
The brain is amazing. It can let you learn to ride a bike, write poetry, learn a new programming language, or even fall in love, but if your brain is so amazing, why do your colleagues forget all the things you said about security during your last meeting?
In this session, we will learn how to play games to create agency, empathy, community, spark the imagination, and wake up the brain. When choosing a strategy for scaling your application security program, don’t choose reading materials, presentations with “talking heads,” or meetings as a medium for increasing awareness and knowledge about security. Instead, focus on activities that can be repeated on a regular basis that are both relevant and engaging to the work you are doing. When employees are authentically involved and curious about their learning, their heightened focus and emotional connection stimulate better memory formation and application of knowledge. In fact, numerous studies have reported that emotions have a significant impact on human cognitive processes. This underpins why games can strengthen learning over time, which is why you should have an extensive collection of games in your arsenal when teaching others about application security.
Speakers
Grant Ongers
Security Advisor | Ambassador | Architect, esynergy
With 10+ years in Dev, 20 in Ops, and 30 in Sec, Grant Ongers (rewtd) is the Head of esynergy’s Security Practice; a Principal Security Architect at the Department for Science, Innovation and Technology and a former OWASP® Foundation Global Board member. A firm believer that security...

1:15pm CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output safety controls, showing what "verify that" looks like in practice against running systems. Participants will leave with a working understanding of how to scope an AI security assessment, select appropriate verification levels, and apply AISVS requirements to LLM-based applications, autonomous agents, and MCP-connected tool ecosystems. Bring a laptop if you want to follow along.
Speakers
Raza Sharif
Raza is the founder of CyberSecAI, a UK-based cyber security consultancy, and co-lead of the OWASP AISVS project. With 20+ years securing critical infrastructure for the private sector, governments and financial institutions, he focuses on AI security architecture and securing the...
Jim Manico
Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...
Rico Komenda
Senior Product Security Engineer
Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security. For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Otto Sulin
Head of Security, Supermetrics
Russ Memisyazici
Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses...

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real-life example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers
Christoph Niehoff
Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder
Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...
Aram Hovsepyan
Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...

3:15pm CEST

Hack Your Own Dockerfiles (Before Someone Else Does): Hands-On Container Security with OWASP DockSec (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Most teams don’t have a "container security problem." They have a "Dockerfile hygiene" problem that quietly becomes a supply chain problem. Dockerfiles are often treated as simple build instructions, but in practice they introduce real security risk. Even teams with mature AppSec programs regularly ship Dockerfiles that run as root, rely on untrusted base images, or hide supply-chain risks inside multi-stage builds. Scanners catch many of these issues, yet the same mistakes keep showing up.

In this talk I will share lessons learned from building and using DockSec, an open-source Dockerfile security analysis tool adopted by OWASP, in real development pipelines. The focus is not on introducing a new scanner, but on understanding why Dockerfile issues persist and what actually helps developers fix them.

Using real examples from production pipelines, I’ll walk through common Dockerfile patterns that lead to security problems and explain how those risks translate into real attack paths. I’ll also discuss what worked, and what didn’t, when trying to integrate Dockerfile security checks into CI/CD without slowing teams down or turning security into a constant blocker. I will also cover what "good" looks like in CI: turning findings into developer-friendly feedback, using policy gates sparingly (and correctly), and keeping scan noise under control.

This is not a product demo or a sales talk. It’s a practical discussion about Dockerfile security, developer behavior, and how AppSec teams can reduce repeat mistakes using clearer feedback, better explanations, and OWASP-aligned guidance. Attendees should leave with concrete ideas they can apply immediately, even if they never use DockSec.
Speakers
Advait Patel
Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom with experience in securing large-scale cloud platforms across AWS and GCP. He holds an MS in Computer Science from DePaul University and is a Docker Captain and Google Developer Expert in Google Cloud.
Advait is an active contributor to the security community as a founding member of the OWASP AI Vulnerability Scoring System (AIVSS), creator of the OWASP-adopted open-source tool DockSec, and co-author of cloud security guidelines for CSA. He has authored two Springer books on GCP...
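The patterns the abstract names (a runtime stage that never drops root, unpinned or `latest` base images, remote fetches and pipe-to-shell installs hidden in an earlier stage of a multi-stage build) are all visible in the Dockerfile itself and can be checked before the image is ever built. The following is an added example, not DockSec's code or rule set: a small Dockerfile parser and checker, a constructed "before" file that trips every check, and a fixed file that passes. The finding codes, both sample files and the placeholder digest are this example's assumptions.

```python
"""Static checks for the Dockerfile mistakes named above, with a bad and a fixed file.

Added example, not DockSec's code or rule set: the parser, the finding codes and
both sample Dockerfiles are this example's own constructions. The digest in the
fixed file is a placeholder, not a real image digest.
"""
import re

PLACEHOLDER_DIGEST = "sha256:" + "0" * 64   # stands in for a digest taken from `docker pull`

# Constructed "before": unpinned bases, a pipe-to-shell install in the build stage,
# a remote ADD, and a runtime stage that never sets USER.
BAD_DOCKERFILE = """\
FROM node:latest AS build
WORKDIR /app
COPY . .
RUN curl -fsSL https://example.invalid/install.sh | sh \\
    && npm ci
FROM node
COPY --from=build /app /app
ADD https://example.invalid/config.tar.gz /etc/app/
CMD ["node", "/app/server.js"]
"""

# Constructed "after": digest-pinned bases, no remote fetches, non-root runtime user.
GOOD_DOCKERFILE = f"""\
FROM node:20-bookworm-slim@{PLACEHOLDER_DIGEST} AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts
COPY . .
FROM node:20-bookworm-slim@{PLACEHOLDER_DIGEST}
RUN useradd --system --uid 10001 app
COPY --from=build --chown=app:app /app /app
USER app
CMD ["node", "/app/server.js"]
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, arguments) with backslash continuations joined and comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stmt = " ".join((buf + line).split())   # collapse whitespace across joined lines
        buf = ""
        instr, _, args = stmt.partition(" ")
        yield instr.upper(), args.strip()


def check_dockerfile(text):
    """Return (code, detail) findings. Build stages may run as root; only the final stage's USER matters."""
    findings = []
    stages = []   # one entry per FROM: its alias and the USER in effect at the end of the stage
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]   # drop --platform=...
            base = tokens[0]
            alias = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
            known_aliases = {s["alias"] for s in stages if s["alias"]}
            stages.append({"alias": alias, "user": None})
            if base in known_aliases or base == "scratch":
                continue                                 # builds on an earlier stage, not a pull
            last_segment = base.rsplit("/", 1)[-1]       # ignore registry:port and namespace
            if "@sha256:" in base:
                continue                                 # digest-pinned: the reference is immutable
            if ":" not in last_segment or last_segment.endswith(":latest"):
                code = "LATEST_TAG" if last_segment.endswith(":latest") else "UNPINNED_BASE"
                findings.append((code, f"FROM {base}: base image is a moving target; pin by digest"))
            else:
                findings.append(("TAG_ONLY", f"FROM {base}: tag can be re-pushed; prefer a digest"))
        elif instr == "USER" and stages:
            stages[-1]["user"] = args.split(":")[0]
        elif instr == "ADD" and re.search(r"https?://", args):
            findings.append(("REMOTE_ADD", f"ADD {args}: unverified remote fetch at build time"))
        elif instr == "RUN":
            if re.search(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b", args):
                findings.append(("PIPE_TO_SHELL", "RUN pipes a download straight into a shell"))
            if re.search(r"\s(-k|--insecure|--no-check-certificate)\b", args):
                findings.append(("TLS_DISABLED", "RUN downloads with certificate checking off"))
    if stages and stages[-1]["user"] in (None, "root", "0"):
        findings.append(("RUNS_AS_ROOT", "final stage never drops to a non-root USER"))
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, check_dockerfile(text) or "clean")
```

Two choices in the checker reflect how the talk frames CI use. The root check looks only at the final stage, because flagging every build stage that runs as root produces the scan noise that gets a tool muted; and unpinned bases are reported separately from tag-only pins, so a team can gate on the former while treating the latter as advice. Pinning by digest is what closes the "untrusted base image" path in a multi-stage build, where the stage that fetched and ran arbitrary code is not the one whose filesystem ships.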

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most importantly — how you can get involved. Whether you've never heard of ISO/IEC JTC 1/SC 27 or you've been curious about how standards actually get written, this is your chance to ask questions, see the current work program, and find out where your expertise fits.
Speakers
Matt Houseman
OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international...
 