OWASP Global AppSec EU 2026 Vienna

Most AppSec programs fail not because people disagree with security, but because security competes with habits that are already winning. Developers don’t wake up wanting to threat-model or review alerts - they wake up wanting to ship.

In this talk, we’ll stop trying to “convince” people to care about security and instead learn how to design AppSec activities so they naturally stick. Using proven techniques from behavioural science, you’ll learn how to create a quiet, behind-the-scenes plan that turns security tasks into habits - without mandates, enforcement, or friction-heavy processes.

We’ll explore how to reduce friction, align incentives, and embed security into existing workflows, so secure behavior becomes the default. This is not about more policies or awareness training. It’s about building a deliberate, ethical “secret plan” that makes AppSec activities feel wanted, automatic, and hard to avoid - in the best possible way.