OWASP Global AppSec EU 2026 Vienna

As organizations grow, application security often becomes more painful but not more effective. Vulnerabilities recur, engineers feel blocked, and security teams struggle to scale. These failures are rarely caused by careless engineers or missing tools — they are symptoms of broken systems.

In this talk, we examine why AppSec fails to scale, particularly in growing teams and startups, and why adding more guidelines, scanners, or training usually makes the problem worse. Instead, let's approach application security as a sociotechnical system shaped by incentives, defaults, ownership boundaries, and feedback loops.

In this session, you will hear about common failure modes such as compliance-driven security, misplaced responsibility, and metrics that reward activity instead of risk reduction. Then hear about practical strategies for fixing the system: shifting security into platforms and defaults, reducing cognitive load for engineers, and aligning AppSec goals with delivery pressure and business constraints.