OWASP Global AppSec EU 2026 Vienna

Historically (pun intended) the OWASP Top 10 has been a standard awareness document for developers and web application security. However its mitigation strategies can transcend history and be applied to critical infrastructures under attack, *exempli gratia* museums.

In this talk, we’ll explore the newest OWASP Top 10 (released in November MMXXV) through the lens of famous Museum heists (Louvre, you are not alone) — a narrative journey through security blind spots, sneaky exploits, and lack of awareness.

Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.

Security is widely recognized as one of the top global risks, yet many organizations struggle managing that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools.
Within the OWASP community, two mature models exist to support application security programs, OWASP Software Assurance Maturity Model (SAMM) and OWASP DevsSecOps Maturity Model (DSOMM). However, practitioners frequently struggle to understand how these models differ, where they overlap, and how they should be applied in practice. As a result, SAMM and DSOMM are often perceived as competing frameworks. Moreover, their breadth and depth can be overwhelming for teams encountering them for the first time, reinforcing the myth that they must choose one or the other.

This talk provides a structured, high level introduction to both OWASP SAMM and OWASP DSOMM, focusing on their shared principles as well as their key differences. By introducing a simple taxonomy of security scopes, the session explains why multiple security frameworks are necessary and clarifies where SAMM and DSOMM each fit. SAMM is positioned as a model focused on organizational security capabilities and application program maturity, supporting management and strategic decision making, while DSOMM focuses on DevSecOps implementation and operational practices, providing concrete guidance for technical teams and engineering workflows.

This session concludes with a practical case study of a SaaS organization, illustrating how SAMM and DSOMM can be used together to create a coherent improvement roadmap. The case study demonstrates how organizations can start small, avoid boiling the ocean, and use both models in tandem to achieve structured, practical, and sustainable improvements in application security.

In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) Beta and the MASTG (Mobile Application Security Testing Guide) v2. We’ll share the progress on the creation of new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies.

A major highlight will be a new Frida-based tool for dynamic analysis of Android and iOS apps. It is based on JSON hook files which allows a consistent and simple test approach of the OWASP MAS demos and during assessments.

Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills to stay ahead in mobile security!

Kubernetes features are moving fast, and its networking layer is constantly adapting for all new kinds of workloads. However we still lack a basic but essential feature: a way to filter and protect incoming web traffic.

The Gateway API is the natural place to add security, and many enterprises mandate such a thing. In this session, we introduce a new project that connects OWASP Coraza WAF directly with Kubernetes.

Join us to learn more on how Coraza Kubernetes Operator is proposing to bring the well known CoreRuleSet (CRS) filtering approach to Kubernetes, on a structured way, allowing cluster and gateway admins to provide traffic filtering on Gateway API and lift the security features to another level.

Project leaders Colin Watson and Tin Zaw announced the official release of the version 1.3 of the OWASP Automated Threat Handbook on March 12, 2026.

Even after ten years, this handbook remains the go-to resource for security pros who want actionable information and resources to help defend against automated threats to web applications which abuse valid functionality. The handbook still defines twenty-one unique, unordered, OWASP Automated Threats (OATs). This latest update ensures it stays ahead of the curve in our rapidly shifting threat landscape.

In this session, I will share updates on version 1.3 and, more importantly, discuss our progress toward version 2.0 of the handbook.

With the rise of Agentic AI—which is automated by nature—the project is seeking to better understand how this specific traffic impacts web applications. Audience participation and input are highly encouraged

OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet an awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing

Stay tuned