OWASP Global AppSec EU 2026 Vienna

Have you heard about “security champions programs” that seem to be gaining popularity these days? Maybe your company is running such a program, yet you doubt its effectiveness, wondering if it’s worth sustaining? The thing is, you might not be the only one asking these questions. Let’s hear from security and champions alike.

Mireia is a security engineer focused on application security who has created and run security champions programs, and has seen them both fail and succeed. Lisi worked in development teams for a long time, became a security champion and later switched gears to security engineering. Both of us were in the trenches, on opposite sides - and both of us tried to build a strong bridge between security and engineering teams.

In this talk, we’ll have our two perspectives merge and draw lessons from our attempts. Both security engineers and champions need clarity on what’s expected from them to sustain the program. Both benefit from nurturing a strong community to increase resilience. Both need to dare to be vulnerable in acknowledging what’s wrong in our systems and processes so we can grow.

None of us can operate effectively alone. Tossing a rope from security to development teams is not enough to establish security champions. Instead, let’s build this bridge together from both ends to make it strong, sustainable and scalable.