OWASP Global AppSec EU 2026 Vienna

2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer:Sven Schleier

You may attend this training course in person or virtually.

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This two-day, hands-on course is designed to teach penetration testers, developers, and engineers how to analyse Android and iOS applications for security vulnerabilities. The course covers the different phases of testing, including dynamic testing, static analysis, reverse engineering, and software composition analysis (SCA). We will also explore how you can use the Model Context Protocol (MCP) to automate some of these workflows and leverage its strengths.

The course is based on the OWASP Mobile Application Security Testing Guide (MASTG) and taught by one of the project co-leaders. This comprehensive, open-source mobile security testing book covers both iOS and Android, providing a methodology and detailed technical test cases to ensure completeness and utilizes the latest attack techniques against mobile applications. This course provides hands-on experience with open-source tools and advanced methodologies, guiding you through real-world scenarios.

Detailed outline

On the first day, we will start with an introduction to the OWASP MASVS and MASTG projects, including the latest updates. Then, we will dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device; instead, each student will be provided with a cloud-based, virtualised Android device from Corellium.

Topics include:

- Intercepting network traffic of an Android App in various scenarios, including intercepting traffic that is not HTTP.
- Scanning for secrets in an APK.
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Static Scanning of decompiled Kotlin source code by using MCP workflows with semgrep and radare2, identifying vulnerabilities and eliminating false positives.
- Frida crash course to get started with dynamic instrumentation on Android apps by using MCP workflows.
- Use dynamic instrumentation with Frida to bypass client-side security controls such as root detection mechanisms.
- We will close day 1 with a Capture the Flag (CTF) by attacking several apps, including a real world app and overcome it's protection mechanisms.

Day 2 focuses on iOS. We will begin the day by exploring the OWASP MASWE and creating an iOS test environment using Corellium and dive into several topics, including:

- Introduction into iOS Security fundamentals
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic from apps written in mobile app frameworks such as Google's Flutter.
- How to retrieve an IPA, execute static scanning of an IPA and identifying vulnerabilities and eliminating false positives.
- Software Composition Analysis (SCA) for iOS by using SBOM's and scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and planning mitigation strategies.
- Frida crash course to get started with dynamic instrumentation for iOS applications and utilsing MCP workflows.
- Testing methodology with a non-jailbroken (jailed) device by repackaging an IPA with the Frida gadget.
- Analyse the storage of an iOS app and understand the various options on how (files, databases, logs etc.) and where files can be stored.
- Using Frida to bypass runtime instrumentation of iOS applications, like anti-Jailbreaking Mechanisms.

We'll wrap up the final day with a CTF and participants can win a prize!

Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer or engineer who wants to improve your existing skills to perform more advanced attack techniques, this training will help you achieve your goals.

The course consists of many different hands-on labs developed by the instructor or using real world apps that are part of bug bounty platforms.

Upon successfully completing this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to recommend appropriate mitigation techniques to developers and how to perform consistent and efficient testing using MCP (Model Context Protocol) workflows.

2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer:Sven Schleier

You may attend this training course in person or virtually.

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This two-day, hands-on course is designed to teach penetration testers, developers, and engineers how to analyse Android and iOS applications for security vulnerabilities. The course covers the different phases of testing, including dynamic testing, static analysis, reverse engineering, and software composition analysis (SCA). We will also explore how you can use the Model Context Protocol (MCP) to automate some of these workflows and leverage its strengths.

The course is based on the OWASP Mobile Application Security Testing Guide (MASTG) and taught by one of the project co-leaders. This comprehensive, open-source mobile security testing book covers both iOS and Android, providing a methodology and detailed technical test cases to ensure completeness and utilizes the latest attack techniques against mobile applications. This course provides hands-on experience with open-source tools and advanced methodologies, guiding you through real-world scenarios.

Detailed outline

On the first day, we will start with an introduction to the OWASP MASVS and MASTG projects, including the latest updates. Then, we will dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device; instead, each student will be provided with a cloud-based, virtualised Android device from Corellium.

Topics include:

- Intercepting network traffic of an Android App in various scenarios, including intercepting traffic that is not HTTP.
- Scanning for secrets in an APK.
- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.
- Static Scanning of decompiled Kotlin source code by using MCP workflows with semgrep and radare2, identifying vulnerabilities and eliminating false positives.
- Frida crash course to get started with dynamic instrumentation on Android apps by using MCP workflows.
- Use dynamic instrumentation with Frida to bypass client-side security controls such as root detection mechanisms.
- We will close day 1 with a Capture the Flag (CTF) by attacking several apps, including a real world app and overcome it's protection mechanisms.

Day 2 focuses on iOS. We will begin the day by exploring the OWASP MASWE and creating an iOS test environment using Corellium and dive into several topics, including:

- Introduction into iOS Security fundamentals
- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic from apps written in mobile app frameworks such as Google's Flutter.
- How to retrieve an IPA, execute static scanning of an IPA and identifying vulnerabilities and eliminating false positives.
- Software Composition Analysis (SCA) for iOS by using SBOM's and scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and planning mitigation strategies.
- Frida crash course to get started with dynamic instrumentation for iOS applications and utilsing MCP workflows.
- Testing methodology with a non-jailbroken (jailed) device by repackaging an IPA with the Frida gadget.
- Analyse the storage of an iOS app and understand the various options on how (files, databases, logs etc.) and where files can be stored.
- Using Frida to bypass runtime instrumentation of iOS applications, like anti-Jailbreaking Mechanisms.

We'll wrap up the final day with a CTF and participants can win a prize!

Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer or engineer who wants to improve your existing skills to perform more advanced attack techniques, this training will help you achieve your goals.

The course consists of many different hands-on labs developed by the instructor or using real world apps that are part of bug bounty platforms.

Upon successfully completing this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to recommend appropriate mitigation techniques to developers and how to perform consistent and efficient testing using MCP (Model Context Protocol) workflows.

As organizations grow, application security often becomes more painful but not more effective. Vulnerabilities recur, engineers feel blocked, and security teams struggle to scale. These failures are rarely caused by careless engineers or missing tools — they are symptoms of broken systems.

In this talk, we examine why AppSec fails to scale, particularly in growing teams and startups, and why adding more guidelines, scanners, or training usually makes the problem worse. Instead, let's approach application security as a sociotechnical system shaped by incentives, defaults, ownership boundaries, and feedback loops.

In this session, you will hear about common failure modes such as compliance-driven security, misplaced responsibility, and metrics that reward activity instead of risk reduction. Then hear about practical strategies for fixing the system: shifting security into platforms and defaults, reducing cognitive load for engineers, and aligning AppSec goals with delivery pressure and business constraints.

As agentic AI systems evolve from simple LLM interfaces into autonomous and multi-agent workflows. Given the high autonomy of agentic AI systems, there is a growing need to perform a detailed risk assessment, which means traditional LLM-focused red teaming is no longer enough. Unlike standalone LLMs with text input and output, agentic systems interact with tools, memory, external data, and other agents, creating many new attack surfaces. Attacks may be introduced through emails, tool descriptions, or environmental content, and their impact can go beyond model responses to affect system behavior, planning, and perform harmful real-world actions.

In this talk, we share our hands-on journey building a comprehensive red teaming scanning solution tailored for agentic AI systems. We begin by analyzing why current scanning tools fall short, specifically their emphasis on structured components (e.g., protocols like MCP, A2A, and Skills) while overlooking unstructured and highly dynamic attack vectors where most real-world risks emerge. We then walk through the technical challenges of simulating realistic attacks without harming production environments, handling the diversity of agent architectures, frameworks, and agency-levels, and designing scanners that generalize across heterogeneous systems.

We present a practical full scanning pipeline that creates a novel holistic solution, including sandboxing and emulation strategies, automated system discovery pipelines, abstraction-based scanning mechanisms, and a risk-aware robustness scoring framework that goes beyond binary attack success. Throughout the talk, we highlight concrete lessons learned, trade-offs between cost and reliability, and real examples of agent-specific vulnerabilities.
We conclude with a concrete end-to-end scanning workflow and discuss open challenges such as adaptive scanner generation and black-box agent discovery. Attendees will leave with a deep understanding of why agentic AI requires fundamentally new red teaming methodologies and with actionable techniques for securing real-world autonomous AI systems.

Flutter, React and Unity are the main multiplatform runtimes of choice when developing mobile applications for iOS and Android. We will cover the main characteristics, starting with the programming language associated with the framework, the ecosystem, the toolchains and showcase some clever low level details in their implementations. Recovering code and data from the final release binaries with the help of the opensource plugins for radare2.

Your API keys, business logic, database connections, sometimes even customer data and user information - might be all directly accessible from your IDE. This makes the IDE in one of the top spots for threat actors to try and break into.

Because the IDE has direct access to so much data, it makes your entire software supply chain to be as secure as a single extension, turning it to the weakest link in the chain.

It takes only one evil extension, one vulnerability or one prompt, to compromise your entire organization. We will explore how each of these attack scenarios can turn a developer’s workspace into a gateway for threat actors to exfiltrate customer data before a single line of code is even written.

We’ll dive deep into the IDEs architecture, starting from how IDE extensions are developed and their permissions stack, and how threat actors could manipulate extensions and IDE configurations to bypass security measures including the ability to exfiltrate valuable information from the developer’s IDE, then perform lateral movement directly after infection, and their ability to stay persistent even after being removed.
It's not just about threat actors hacking your IDE - they will go after everything in the organization that’s connected to it, and they will try to stay there as long as possible.

We’ll take a look at how threat actors could leverage vulnerabilities that lie in existing IDE extensions to execute remote code & exfiltrate information - transforming a developer's local machine into an under the radar backdoor of your organization. This includes our finding of multiple 0-day vulnerabilities in popular IDE extensions, and our research of weaponizing Chromium 1-day vulnerabilities on Cursor & Windsurf.

We’ll wrap up by giving the best practice recommendations for securing your IDE, avoiding evil extensions, adding company-wide policies and for approved extensions, and showing security teams how to integrate IDE security into their organization at scale.

Vulnerability scanners are everywhere. CVE databases are growing exponentially. Yet vulnerability exploitation has surpassed phishing as the leading initial access vector. What's going wrong?

The problem isn’t a lack of vulnerability data – it’s that defenders are solving last year’s problems. While teams drown in CVE backlogs, attackers use AI to rapidly weaponize exploit techniques that work across vulnerability classes. OS command injection, deserialization, and path traversal aren't just individual CVEs – they're attack patterns that persist regardless of patch status.

This session introduces the Application Attack Matrix, the first comprehensive, community-driven framework mapping tactics, techniques, and procedures used against modern applications. Built by contributors from Mandiant, Microsoft, AWS, and Meta, it does for application security what MITRE ATT&CK did for enterprise defense.

You’ll learn how to shift from reactive CVE remediation to proactive technique-based defense, understand which exploit patterns dominate real-world attacks, and prioritize security controls that protect against entire attack classes, not just individual CVEs.

With the rise of AI, especially large language models, it seems every security workflow will soon be automated or heavily supported by automation - from LLM-powered threat-intelligence enrichment or compliance mappings to AI-written threat models, codefixes and complete CISO roadmaps. But which processes will truly benefit, and in which cases will AI just increase the risk of adding cost and complexity? As security managers or leaders, how can we determine where to focus our efforts and investments upfront?

This talk presents a practical framework for evaluating the effectiveness of AI-driven automation in application security and related fields. First, we explore how to identify processes that are strong candidates for automation based on criteria such as repeatability, return on investment, and risk tolerance. Then, we map typical security processes to AI approaches, including large language models (LLMs), traditional machine learning, retrieval-augmented generation (RAG), and hybrid systems.

We will learn how these solutions are applied to critical security areas, such as vulnerability management, secure software development, threat detection, and compliance. We will explore an AI Capability Map, industry benchmarks, and real-world examples, such as the use of RAG-powered chatbots for security guidance and LLMs for compliance analysis. Our goal is to help you determine where AI would be a good fit for your organization and where you would likely see measurable value when applying it, so that you can make informed decisions. Also, we will examine the available data: In which areas of the industry is value already being recognized? We explore potential pitfalls, from fragile LLM implementations to poor risk modeling, and discuss how to avoid wasting resources.

Using industry data, real-world experience, and structured criteria, this talk provides security leaders and practitioners with more guidance in this rapidly evolving field.

When analyzing the security of mobile applications, we often have to overcome local security controls to perform a thorough audit. This can include obtaining access to the application’s internal storage, disabling TLS pinning or forcing the application to use our interception proxy.
For many applications, this is straightforward. We can install the app on our rooted device, inject Frida and accomplish all of the above. However, this gets tricky when the application has implemented resiliency controls, known as Runtime Application Self Protection (RASP).

In this talk, I will zoom in on one lesser-known technique targeting the Android Runtime (ART): Manipulating ODEX/VDEX files. Any code implemented in Java/Kotlin can easily be manipulated without leaving any traces.

As LLMs evolve from passive text generators to autonomous Agentic AI, the attack surface is shifting from simple prompt injection to Excessive Agency and Goal Hijacking. When we grant agents the power to execute shell commands, call sensitive APIs, or modify cloud infrastructure, we are essentially deploying "unattended administrators" into our environments.

This session moves past theoretical AI risks to provide a hands-on blueprint for securing autonomous actors.I will explore the newly released OWASP Top 10 for Agentic Applications 2026, focusing on critical vulnerabilities like ASI02 (Tool Misuse) and ASI05 (Unexpected Code Execution). Attendees will leave with a practical framework for implementing "Least-Agency" architecture, hardware-enforced sandboxing, and real-time intent validation.

ShadowRay did not disappear after disclosure.
Despite extensive public reporting and technical analysis, the campaign remains active and continues to expand in scale, with more than 230,000 exposed Ray endpoints and an order-of-magnitude increase in observed exploitation.

Enter a self-propagating botnet built from compromised machine-learning clusters, all running on Ray—the de facto execution layer of modern AI infrastructure, embedded across production training pipelines, inference services, and internal compute platforms.

This is ShadowRay 2.0.

The attackers weaponized Ray's orchestration features to spread autonomously across exposed servers, turning victims into both mining rigs and propagation nodes.

We'll walk through the concrete evidence that enabled the researchers to stop the attack in real time by finding billions worth of compute that were compromised. This includes LLM-generated payloads evolving in real-time, GPU cryptojacking, competitor miner elimination scripts, how Ray's own APIs were weaponized for lateral movement, and more.

The talk also reveals the techniques employed by the attackers to evade detection, employing CI/CD for malware distribution, and building multi-purpose capabilities beyond cryptojacking, including DDoS, data exfiltration, and more. This is AI infrastructure turned against itself, at internet scale with verifiable proof.

People in your organization might have a living-breathing backdoor right now, and you don’t even know it.

EDR wouldn’t catch it - not because it employs a zero-day, but because it behaves harmlessly. It might be a malicious extension that wasn’t flagged yet that has excessive permissions, it might be an NPM package that reads .env files and sends them to a remote server, and it might be an Android application tracking your location.

During our research we detected two seemingly innocent Chrome extensions that add a sidebar with AI capabilities over any website, with a total of 900,000+ users. These extensions had a backdoor that exfiltrated both your browser history and your ChatGPT & DeepSeek conversations - none of them were flagged by anti-malware and EDR tools.

These extensions, together with almost any add-on, NPM package, or application you have installed have broad permissions, giving them the ability to execute code, read files, and basically do anything on your machine.

During our presentation we will present how we dissect a malicious Chrome extension, the techniques that it uses to avoid detection and how it reads and exfiltrates data. We’ll also show how actors think, from cloning legitimate extensions, adding their malicious code and bypassing store reviews in order to publish their malicious extensions into the official Chrome Web Store.

We will present how the permissions model works in different platforms, including the Chrome Web Store, the Android Play Store, and IDE marketplaces - allowing different malware on different platforms to perform bad activities.

Lastly, we will give our insights about how to best protect your personal browser at home and in your organization, to help you reduce the possibility of being infected from malware in official marketplaces. We’ll also discuss how a good permission model should look like, and what companies can do to return the power to the users over their private information in order to protect them from extensions and applications reading their data unknowingly.

The arrival of cryptographically relevant quantum computers (CRQC) is no longer a theoretical "if"—it is a question of "when." With the "Harvest Now, Decrypt Later" (HNDL) attack vector, adversaries are already stockpiling encrypted traffic today to decrypt it once quantum capability matures. In August 2024, NIST officially finalized the first set of Post-Quantum Cryptography (PQC) standards (FIPS 203, 204, and 205), marking the starting gun for the greatest cryptographic migration in history.

This session moves beyond the math of lattices and isogenies to focus on the immediate engineering reality. we will dissect the current state of PQC adoption across major tech giants and nation-states, analyzing how entities like Cloudflare, Google, and the US Federal Government are operationalizing these new algorithms. We will provide a technical primer on the finalized standards—ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+)—and expose the hidden performance pitfalls and "gotchas" in implementation.

Attendees will leave with a combat-tested roadmap for enterprise PQC migration. We will cover how to conduct a cryptographic inventory (discovery), the necessity of "hybrid" key exchange (mixing X25519 with Kyber), and how security teams can upskill rapidly. This talk bridges the gap between theoretical cryptography and the practical defense required to secure infrastructure against the quantum threat looming on the horizon.

OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 1

Internal development teams and external suppliers love producing binaries for ease of deployment and distribution. Binary formats, however, make security analysis and compliance more complex for the security and OSPO teams. The good news is that the team behind OWASP dep-scan maintains a couple of binary analysis tools (OWASP blint and OWASP dosai). We show how these two tools can help defenders find strange things in binaries and help with your software transparency journey.

The session will be technical showcasing blint and dosai to analyse complex binaries to identify capabilities, risks, and threats. Users can walk away with new knowledge about modern techniques related to binary SBOM generation, Source line to Assembly instruction mapping, security capabilities analysis, and more.

https://github.com/owasp-dep-scan/blint
https://github.com/owasp-dep-scan/dosai

Kubernetes features are moving fast, and its networking layer is constantly adapting for all new kinds of workloads. However we still lack a basic but essential feature: a way to filter and protect incoming web traffic.

The Gateway API is the natural place to add security, and many enterprises mandate such a thing. In this session, we introduce a new project that connects OWASP Coraza WAF directly with Kubernetes.

Join us to learn more on how Coraza Kubernetes Operator is proposing to bring the well known CoreRuleSet (CRS) filtering approach to Kubernetes, on a structured way, allowing cluster and gateway admins to provide traffic filtering on Gateway API and lift the security features to another level.

The need to isolate untrusted code or user-provided expressions is ubiquitous, even in backend systems, and there are many misconceptions around this practice. Workflow automation platforms allow users to provide complex constraints evaluated on the server, AI agents must securely execute synthesized code, and reused untrusted UI components might render on the server-side. In practice, many developers gravitate toward lightweight eval-based shortcuts instead of robust isolation primitives like OS-level or runtime-based sandboxing, often unaware of the security pitfalls. These dangerous language-features are still very prevalent across OSS ecosystems and they are the culprit of many recent vulnerabilities. While there exist legitimate use cases for eval-like APIs, developers continue to abuse them when attempting to isolate the execution of untrusted code, despite years of warnings from the security and programming language communities. If you really need to use these features, this talk can help you understand what can go wrong and how to mitigate these risks.

I will first motivate the need for lightweight, language-based isolation in scripting languages and highlight the fundamental challenges in this space, grounding the empirical work in several top-tier academic publications I co-authored on the topic. I will then present four misconceptions around language-based sandboxing, underlying more than 20 zero-day vulnerabilities I discovered in the past six months in popular projects across JavaScript and Python, revealing fundamental flaws in isolation approaches. We will examine why built-in isolation primitives like Node.js's vm module and Python's Pysandbox fail to provide adequate security, and explore the real-world consequences through case studies involving major platforms. The talk will then shift to practical solutions, covering best practices and emerging isolation features, including the permission model in modern runtimes like Deno. Attendees will gain a deeper understanding of the isolation landscape and leave with actionable guidance on how to safely handle untrusted code execution in their applications. While this talk is not an endorsement for using eval-like features in scripting languages, it is a guide about the things that work in practice and about the ones that fail spectacularly in production.

Everyone expects Identity & Access Management to be a "set it and forget it" problem. But the reality looks quite different: the same challenges keep resurfacing, they are technically demanding, time-consuming, and frequently create friction between teams, ultimately resulting in significant costs. And the rise of AI agents makes it even worse.

Over the years, I explored these recurring issues, which led to a multi part blog series (https://www.innoq.com/en/blog/2025/07/whats-wrong-with-the-current-owasp-microservice-security-cheat-sheet/) published in 2025, initially aimed at updating the OWASP Microservice Security Cheat Sheet. My goal was to show how well known IAM building blocks can be combined into pragmatic, coherent, and operationally realistic solutions. That work eventually grew beyond the original scope and is becoming multiple new OWASP Cheat Sheets plus an entirely new architectural-level cheat sheet format.

In this talk I'll share the essence of the patterns and the strategies I identified and documented, show how to avoid the usual traps, and how to reduce IAM complexity in distributed systems to create the space to focus on what we're actually building - the product.

The landscape of DAST (Dynamic Application Security Testing) tools is evolving to address modern web application complexities. While these tools are effective at detecting classic vulnerabilities like injection flaws, misconfigurations, and broken access control, they struggle with JavaScript-heavy SPAs, complex workflows, file upload/download analysis, and second-order vulnerabilities. To improve, modern DAST solutions are beginning to integrate AI-driven agentic browsers (e.g., Playwright + AI), out-of-band payloads, timing-based testing, and workflow-aware automation to better simulate real user behavior and detect deeper, context-sensitive issues.