Monday, June 22
 

8:30am CEST

Coffee/tea
Monday June 22, 2026 8:30am - 9:00am CEST

Foyer D (Level -2)
 
Tuesday, June 23
 

8:30am CEST

Coffee/tea
Tuesday June 23, 2026 8:30am - 9:00am CEST
 
Wednesday, June 24
 

8:30am CEST

Coffee/tea
Wednesday June 24, 2026 8:30am - 9:00am CEST

9:00am CEST

1-Day Training: SAMM and DSOMM User Day
Wednesday June 24, 2026 9:00am - 5:00pm CEST

5:30pm CEST

Global Board of Directors Public Meeting
Wednesday June 24, 2026 5:30pm - 7:00pm CEST

  Meeting
 
Thursday, June 25
 

8:30am CEST

Coffee/tea
Thursday June 25, 2026 8:30am - 9:00am CEST
Expo Hall X1

8:30am CEST

OWASP Official Store: Come explore books, games and merch
Thursday June 25, 2026 8:30am - 4:00pm CEST
Come visit our table in the Expo Hall for books, games, and merch
  Bonus Track

9:00am CEST

Opening Remarks
Thursday June 25, 2026 9:00am - 9:15am CEST
Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks for the event as we welcome you and provide a few key details to provide you with a roadmap to a successful time with us!
Hall D (Level -2)
  Keynote

10:00am CEST

AM Break in Expo Hall
Thursday June 25, 2026 10:00am - 10:30am CEST


10:30am CEST

OpenCRE.org: Uniting all standards and guidelines
Thursday June 25, 2026 10:30am - 11:00am CEST
In security, it is important to understand the whole chain: from regulation to business risk, to requirement, to code example, to vulnerability, to test method, to tool configurations. However, so far there hasn’t been a solid way to interconnect standards, documentation, and tooling. Standards writers often work in isolation, and tooling authors rightly focus on quality results instead of comprehensive information about those results.

The open source initiative OpenCRE.org connects all these sources of information: it links topics across multiple standards, including the Top 10, ASVS, Proactive Controls, Testing Guide, Cheat Sheets, SAMM, SSDF, ISO 27001, CSA CCMv3, CWE, CAPEC, PCI DSS, NIST SP 800-53 and 800-63B. It further links code samples and offensive tooling configurations or rules. That way it serves as a universal translator, connecting every role involved: executive, compliance officer, procurement, architect, developer, and tester.

This talk takes you through how openCRE.org works, how we have brought all these standards together, how we used AI in a revolutionary way, and how you can benefit in your work as a manager, builder, breaker, buyer, or standard maker!

The intended audience for this talk is anyone involved with Application Security and looking for an easy-to-use guide, mapping standards to regulations to code and configurations.
Speakers
Rob van der Veer

Chief AI Officer, Software Improvement Group
Rob van der Veer is an AI pioneer with 33 years of AI experience, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, contributor to OWASP SAMM, co-founder of OWASP's digital bridge for security standards OpenCRE...
Room -2.82 (Level 2)

10:30am CEST

Meet the Mentor
Thursday June 25, 2026 10:30am - 11:45am CEST
One more Global AppSec event.
You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor.

What if you could use the event to also meet a potential mentor, or mentee?
What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with?

We are inviting you to an OWASP Global AppSec activity: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”, start a conversation, and see if it is a match.
Speakers
Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously Datadog, Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a masters degree...
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
  Bonus Track

10:35am CEST

OWASP masCon - Let's get frooky: Structured Mobile DAST with Frida
Thursday June 25, 2026 10:35am - 11:25am CEST
Mobile application penetration tests can be challenging. In order to find vulnerabilities in the OWASP MAS Testing Profile L2, security testers have to simulate attacks on compromised devices. When apps protect themselves with advanced static and dynamic hardening techniques, security testers often rely on instrumentation in order to assess the security of the app at runtime.

This talk will present some of these challenges as seen in real world mobile apps and then present “frooky”, a Frida-powered hook runner based on structured I/O. This tool was consolidated together with OWASP MAS leadership and released as a standalone project for OWASP MASTG. We will show you what it can do, how it was developed and how you can use it for any mobile app penetration testing efforts in general.
Speakers
Stefan Bernhardsgrütter

Lead Security Tester, Redguard
As a Security Tester at Redguard, Stefan puts a wide variety of IT systems, networks and applications to the test. He has an M.Sc. in Engineering with focus on IT-Security and more than 10 years experience in this field. At Redguard he is responsible for developing and maintaining...
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Room -2.33 (Level -2)

11:00am CEST

OWASP AI Testing Guide in Practice: Securing LLM Applications
Thursday June 25, 2026 11:00am - 11:30am CEST
This talk presents the OWASP AI Testing Guide as a practical extension of traditional application security methodologies for AI and LLM-based systems. It shows how AppSec engineers can systematically identify, model, and test AI-specific risks using an OWASP-aligned approach, rather than relying on ad hoc assessments or vendor claims.

The session starts with an architecture-driven threat modeling process for AI systems, decomposing LLM applications into application, model, data, and infrastructure layers. Using the OWASP LLM Top 10 and threat modeling of AI system and agentic AI architectures, the talk demonstrates how AI attack surfaces and threat scenarios can be identified and mapped to concrete security risks. These threats are then turned into testable hypotheses using the OWASP AI Testing Guide, bridging the gap between threat modeling and hands-on security testing.

Through real-world examples, the talk explores how common AI vulnerabilities manifest in practice, including prompt injection, jailbreak techniques, sensitive data exposure, model misalignment, hallucinations, RAG pipeline abuse, and agent workflow exploitation.
The audience will see how these issues can be tested in LLM-based applications using OWASP AITG test cases, OWASP LLM Top 10 payloads, and common AppSec and AI tooling.

The session concludes by showing how AI security testing can be integrated into MLSecOps. It highlights how organizations can move from intuition-based AI security to evidence-based risk validation, positioning OWASP AITG as a foundational methodology for securing AI systems within modern application security programs.

The key message of the talk is that trustworthy AI is not achieved through design assumptions or policy statements, but through systematic, repeatable testing aligned with OWASP principles.
Speakers
Matteo Meucci

CEO, Synapsed.ai
Throughout his career, Matteo has played a pivotal role in the global cybersecurity community, particularly through his involvement with OWASP. He is the founder and leader of OWASP Italy and has contributed to the creation of foundational open-source projects such as the OWASP Testing Guide and the Software Security 5D Framework, establishing security standards that are now widely adopted worldwide. In the field of AI...
Marco Morana

Field CISO- Head of Application & Product Security Architecture, Avocado Systems Inc.
Marco Morana is the Field CISO at Avocado Systems Inc., specializing in threat modeling automation and Zero Trust Architecture for financial services. With over 15 years of leadership experience, he has held senior security roles at JP Morgan Chase and Citi, securing financial applications...
Room -2.82 (Level 2)

11:30am CEST

OWASP AI Security Verification Standard (AISVS)
Thursday June 25, 2026 11:30am - 12:00pm CEST
AI systems face threats that traditional application security standards weren't built to address. This includes prompt injection, training data poisoning, model extraction, agentic autonomy risks, and more. The OWASP AI Security Verification Standard (AISVS) provides 400+ testable requirements across 14 chapters, covering everything from input validation and model lifecycle management to MCP protocol security and autonomous agent controls. This lightning talk introduces the standard's structure, its three verification levels, and how security teams can use it today to assess and harden AI-powered applications. We'll show where AISVS fits alongside existing frameworks like ASVS, NIST AI RMF, and ISO 42001 and where it deliberately doesn't overlap.
Speakers
Otto Sulin

Head of Security, Supermetrics


Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses...
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Room -2.82 (Level 2)

12:15pm CEST

Lunch in Expo Hall
Thursday June 25, 2026 12:15pm - 1:15pm CEST
Expo Hall X1

1:45pm CEST

OWASP masCon - Meet the New Frida Frontend on the Block
Thursday June 25, 2026 1:45pm - 2:10pm CEST
This talk introduces a new Frida frontend for macOS and iOS, designed as an interactive, persistent environment for exploring live processes.

It supports local and remote targets, long-lived sessions that survive crashes, and saved documents you can return to later. Built around this core model are a REPL, a code tracer, a powerful editor with completion and inline documentation, a persistent notebook, package management, and built-in collaboration.

We’ll walk through the motivation and architecture behind the frontend, and demo how a more stateful, GUI-driven approach opens up new workflows for dynamic instrumentation—without naming names (yet).
Speakers
Ole André Vadla Ravnås

Security Researcher, NowSecure
Creator of Frida · Security Researcher at NowSecure
@oleavr
no.linkedin.com/in/oleavr

2:15pm CEST

Evil User Stories Modeling: Ensuring your User Stories in agile playing OWASP Cornucopia
Thursday June 25, 2026 2:15pm - 2:45pm CEST
In this session, I'll show you how to streamline the identification of security requirements associated with user stories in agile methodologies using OWASP Cornucopia. Here you'll see how to integrate user stories with Cornucopia cards and with ASVS as security requirements, and the defects that may arise if the security requirements are not properly considered or implemented. At the beginning, we will explore two concepts I used to create this different way of playing OWASP Cornucopia and scaling it in agility, complementing the architecture-based threat model: Evil User Stories Modeling and Secure Scrum. All of this to apply the principle of Security Just in Time to design a single product backlog that integrates security functionalities and controls into user stories, avoiding the creation of a parallel cybersecurity backlog.
Speakers
Max Alejandro Gomez Sanchez Vergaray

Application Security Program Leader, AppSec & DevSecOps Consultant | Risk-driven Security for real-world products | S-SDLC, DevSecOps, Secure Design & Threat Modeling Trainer
I designed and led the application security program during the digital transformation process of one of the largest banks in Latin America, training more than 3,000 people in secure software development, especially in secure design using OWASP Cornucopia and other tools for threat modeling...
Room -2.82 (Level 2)

2:45pm CEST

OWASP masCon - Closure of conference by OWASP MAS team
Thursday June 25, 2026 2:45pm - 3:00pm CEST
Speakers
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...

3:00pm CEST

PM Break in Expo Hall
Thursday June 25, 2026 3:00pm - 3:30pm CEST
Expo Hall X1

3:30pm CEST

OWASP AI Exchange Showcase
Thursday June 25, 2026 3:30pm - 4:00pm CEST
OWASP's flagship project, AI Exchange, is the world's AI security guide.

300+ pages of free, constantly-evolving, practical guidance on securing AI systems. It covers the fundamentals and represents the closest publicly available alignment of global expert consensus, feeding directly into the AI Act and ISO standards through a unique SDO partnership.
Speakers
Rob van der Veer

Chief AI Officer, Software Improvement Group
Rob van der Veer is an AI pioneer with 33 years of AI experience, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, contributor to OWASP SAMM, co-founder of OWASP's digital bridge for security standards OpenCRE...
Aruneesh Salhotra

Fractional CISO, Author, Podcaster, Blogger
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Behnaz Karimi

Co-Lead / Leader AI Red Teaming / Creator RAID-AI Framework / Senior cyber security engineer, OWASP AI Exchange
Behnaz Karimi is an AI Security Researcher and the Creator of the RAID-AI Framework. She is also a Co-Author, Co-Lead and Leader of AI Red Teaming at OWASP AI Exchange, where she actively contributes to advancing security practices for AI systems.

She has played a key role in OWASP initiatives, including contributing to the GenAI Red Teaming Guide for the OWASP Top 10 for Large Language Model Applications & Generative AI. Behnaz is a speaker at Global AppSec Barcelona and has spoken at OWASP Chapter Germany. She was also invited...
Room -2.82 (Level 2)

4:15pm CEST

Networking Reception in Expo Hall and OWASP Jeopardy!
Thursday June 25, 2026 4:15pm - 6:45pm CEST
Come mingle with attendees and exhibitors AND have the chance to win prizes during OWASP Jeopardy with Jerry Hoff!
Expo Hall X1
 
Friday, June 26
 

8:30am CEST

Coffee/tea
Friday June 26, 2026 8:30am - 9:00am CEST
Expo Hall X1

9:00am CEST

Opening Remarks
Friday June 26, 2026 9:00am - 9:15am CEST
Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks for the event as we welcome you and provide a few key details to provide you with a roadmap to a successful time with us!
Hall D (Level -2)
  Keynote

9:15am CEST

Keynote: We Live in the Future: The Death and Rebirth of Application Security
Friday June 26, 2026 9:15am - 10:00am CEST

Speakers
Gadi Evron

Founder and CEO, Knostic
Gadi Evron is Founder and CEO at Knostic, an AI agent security company, CISO-in-Residence for AI at CSA, and chairs the [un]prompted conference. Previously, he founded Cymmetria (acquired), was the Israeli National Digital Authority CISO, founded the Israeli CERT, and headed PwC's...
Hall D (Level -2)
  Keynote

10:00am CEST

AM Break in Expo Hall
Friday June 26, 2026 10:00am - 10:30am CEST
Expo Hall X1

10:00am CEST

Bob the Breaker: Welcome to the Jungle! (Sponsored by Nokod Security)
Friday June 26, 2026 10:00am - 2:00pm CEST

The jungle is thick, the paths are tangled, and Bob the Breaker is already deep inside.

Behind polished apps and smooth workflows lies a wild terrain of permissions, hidden data, and newly unleashed AI agents roaming freely through the system.

Vines of automation twist everywhere, secrets hide beneath the canopy, and Bob has been swinging from one weak spot to the next, uncovering what was never meant to be found.

Follow Bob into the canopy, capture the flags, and out-hack the competition.

Swing by the Nokod booth Thursday June 24 (10:15, 13:00, 16:00) to catch live vulnerability demos and grab clues to help you navigate the CTF jungle.
TBA
  Bonus Track

10:00am CEST

OWASP Official Store: Come explore books, games and merch
Friday June 26, 2026 10:00am - 4:00pm CEST
Come visit our table in the Expo Hall for books, games, and merch
  Bonus Track

10:30am CEST

When Museums Get Hacked: OWASP Top 10 Lessons from Heists
Friday June 26, 2026 10:30am - 11:00am CEST
Historically (pun intended) the OWASP Top 10 has been a standard awareness document for developers and web application security. However its mitigation strategies can transcend history and be applied to critical infrastructures under attack, *exempli gratia* museums.

In this talk, we’ll explore the newest OWASP Top 10 (released in November MMXXV) through the lens of famous Museum heists (Louvre, you are not alone) — a narrative journey through security blind spots, sneaky exploits, and lack of awareness.
Speakers
Jose Carlos Chávez

Security Software Engineer, Okta
José Carlos Chávez is a Security Software Engineer at Okta, an OWASP Coraza co-leader and a Mathematics student at the University of Barcelona. He enjoys working in Security, compiling to WASM, designing APIs and building distributed systems. While not working with code, you can...
Room -2.82 (Level 2)

10:30am CEST

From ASVS to APVS: What Changes When You Treat Privacy as a System Property?
Friday June 26, 2026 10:30am - 11:15am CEST
Privacy is increasingly expected to be “built in by design”, yet most privacy guidance remains legal, abstract, or disconnected from how systems are actually designed and reviewed. As a result, privacy is still treated as a compliance exercise rather than an engineering discipline.

In this talk, we share early lessons from the OWASP Privacy Project and our work on the Application Privacy Verification Standard (APVS). Drawing on familiar AppSec concepts such as ASVS, threat modeling, and weakness classification, we explore what changes when privacy is treated as a system property rather than a checkbox.

We discuss where traditional security controls fall short, how privacy risks can exist without attackers or breaches, and how we are translating high-level privacy principles into actionable guidance for architects and developers. This is not a finished standard, but a candid look at what works, what doesn’t, and where practitioner feedback is essential as the project evolves.
Speakers
Matthew Coles

Product Security Architect/Technologist

Matthew Coles is a Product Security Architect and Technologist with 20+ years experience working with business leaders and developers to secure hardware and software systems and processes. He is a technical contributor to community standard initiatives such as OpenSSF and OWASP, a...
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling...
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
Hall D (Level -2)

10:30am CEST

Keep It Between Us: Manipulating Humans for Better AppSec (Ethically)
Friday June 26, 2026 10:30am - 11:15am CEST
Most AppSec programs fail not because people disagree with security, but because security competes with habits that are already winning. Developers don’t wake up wanting to threat-model or review alerts - they wake up wanting to ship.

In this talk, we’ll stop trying to “convince” people to care about security and instead learn how to design AppSec activities so they naturally stick. Using proven techniques from behavioural science, you’ll learn how to create a quiet, behind-the-scenes plan that turns security tasks into habits - without mandates, enforcement, or friction-heavy processes.

We’ll explore how to reduce friction, align incentives, and embed security into existing workflows, so secure behavior becomes the default. This is not about more policies or awareness training. It’s about building a deliberate, ethical “secret plan” that makes AppSec activities feel wanted, automatic, and hard to avoid - in the best possible way.
Speakers
Nariman Aga-Tagiyev

Founder & AppSec Architect, SecureHabits

Founder & AppSec Architect at SecureHabits, OWASP SAMM core team member, ISO/IEC 27034 working group liaison. Nariman Aga-Tagiyev is an Application Security Architect with 20+ years of experience in software development. Since 2016, he has focused on advancing SSDLC maturity and building...
Hall K2 (Level -2)

10:30am CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output safety controls, showing what "verify that" looks like in practice against running systems. Participants will leave with a working understanding of how to scope an AI security assessment, select appropriate verification levels, and apply AISVS requirements to LLM-based applications, autonomous agents, and MCP-connected tool ecosystems. Bring a laptop if you want to follow along.
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Otto Sulin

Head of Security, Supermetrics


Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses...
Room -2.33 (Level -2)

11:00am CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM
Friday June 26, 2026 11:00am - 11:30am CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Room -2.82 (Level 2)

11:30am CEST

Using OWASP SAMM and OWASP DSOMM together in practice
Friday June 26, 2026 11:30am - 12:00pm CEST
Security is widely recognized as one of the top global risks, yet many organizations struggle to manage that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools.
Within the OWASP community, two mature models exist to support application security programs: the OWASP Software Assurance Maturity Model (SAMM) and the OWASP DevSecOps Maturity Model (DSOMM). However, practitioners frequently struggle to understand how these models differ, where they overlap, and how they should be applied in practice. As a result, SAMM and DSOMM are often perceived as competing frameworks. Moreover, their breadth and depth can be overwhelming for teams encountering them for the first time, reinforcing the myth that they must choose one or the other.

This talk provides a structured, high-level introduction to both OWASP SAMM and OWASP DSOMM, focusing on their shared principles as well as their key differences. By introducing a simple taxonomy of security scopes, the session explains why multiple security frameworks are necessary and clarifies where SAMM and DSOMM each fit. SAMM is positioned as a model focused on organizational security capabilities and application program maturity, supporting management and strategic decision making, while DSOMM focuses on DevSecOps implementation and operational practices, providing concrete guidance for technical teams and engineering workflows.

This session concludes with a practical case study of a SaaS organization, illustrating how SAMM and DSOMM can be used together to create a coherent improvement roadmap. The case study demonstrates how organizations can start small, avoid boiling the ocean, and use both models in tandem to achieve structured, practical, and sustainable improvements in application security.
Speakers

Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...

Timo Pagel

Security architect, DevSecOps Consultant, DevSecOps Strategist
Timo has been in the IT industry for over twenty years. After being a system administrator and web developer in his early years, he became involved in OWASP. He now advises his clients on DevOps security, either as a strategist, hands on or as a trainer, with the focus on security...
Room -2.82 (Level 2)

11:30am CEST

Enforcing Application Security Policies at Scale: Lessons from an Enterprise Rollout
Friday June 26, 2026 11:30am - 12:15pm CEST
Enforcing security policies at enterprise scale is challenging, and it's becoming more so with rapid delivery cycles and AI-assisted development. Many organisations adopt policy-as-code to improve security and compliance but realise that, despite the solution’s technical soundness, exceptions multiply and teams quietly work around enforcement to meet delivery targets, with little real improvement in security outcomes.

This talk shares a real-world story of rolling out policy-as-code enforcement across an organisation with several thousand developers. It highlights not only the technical architecture of the enforcement system but also the organisational changes required to ensure its sustainability.

You’ll find out how security policies were defined, versioned, and consistently enforced across CI/CD pipelines. This talk also covers how enforcement points were designed and how feedback loops were built and embedded in the organisation to reduce friction. The session also explores how bypasses and exceptions were handled consistently at scale, and how validation was treated as an organisational assurance problem rather than just a tooling concern.

The talk offers vendor-neutral solutions and practical patterns, lessons learned, and design principles that attendees can adapt to their own environments.
Speakers

Mehran Koushkebaghi

Head of Product Security, Nationwide Building Society

Mehran is a Chartered Engineer with over 18 years of experience across software, security, and civil engineering. He approaches application security as a systemic concern, using a systems-thinking lens to understand how technical controls, organisational structures, and human behaviour...
Hall K2 (Level -2)

12:15pm CEST

Lunch in Expo Hall
Friday June 26, 2026 12:15pm - 1:15pm CEST
Expo Hall X1

1:15pm CEST

OWASP Mobile Application Security (MAS) Project Updates
Friday June 26, 2026 1:15pm - 1:45pm CEST
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments.

This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) Beta and the MASTG (Mobile Application Security Testing Guide) v2. We’ll share the progress on the creation of new weaknesses, atomic tests, and demos designed to help developers and security researchers enhance their testing methodologies.

A major highlight will be a new Frida-based tool for dynamic analysis of Android and iOS apps. It is based on JSON hook files, which allow a consistent and simple testing approach for the OWASP MAS demos and during assessments.

Whether you're a security researcher, developer, or just doing it for fun, this talk will equip you with the latest tools and insights to boost your mobile application security skills to stay ahead in mobile security!
Speakers

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...

Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which specializes in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...
Room -2.82 (Level 2)

1:15pm CEST

Security Champions: Lessons from Opposite Trenches
Friday June 26, 2026 1:15pm - 2:00pm CEST
Have you heard about “security champions programs” that seem to be gaining popularity these days? Maybe your company is running such a program, yet you doubt its effectiveness, wondering if it’s worth sustaining? The thing is, you might not be the only one asking these questions. Let’s hear from security and champions alike.

Mireia is a security engineer focused on application security who has created and run security champions programs, and has seen them both fail and succeed. Lisi worked in development teams for a long time, became a security champion and later switched gears to security engineering. Both of us were in the trenches, on opposite sides - and both of us tried to build a strong bridge between security and engineering teams.

In this talk, we’ll have our two perspectives merge and draw lessons from our attempts. Both security engineers and champions need clarity on what’s expected from them to sustain the program. Both benefit from nurturing a strong community to increase resilience. Both need to dare to be vulnerable in acknowledging what’s wrong in our systems and processes so we can grow.

None of us can operate effectively alone. Tossing a rope from security to development teams is not enough to establish security champions. Instead, let’s build this bridge together from both ends to make it strong, sustainable and scalable.
Speakers

Lisi Hocke

Security Engineer, DocuWare GmbH
Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she's now fully focusing on all things product security...

Mireia Cano

Application Security Engineer, PPRO

I am a security engineer focused on application security, with over 7 years of experience. I have helped companies build their application security programs both as a consultant and as an in-house security engineer. I am passionate about fostering collaboration between development...
Hall K2 (Level -2)

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By rotating realistic education-sector personas — including virtual learning environments, student records, finance/ERP, and research portals — CHAMELEON-REN aims to sustain engagement from automated scanners and adversaries that would otherwise abandon static honeypots. The demonstration will showcase the framework in action, discuss telemetry capture and structured logging, and invite participants to explore deployment recipes and community integration options.
Speakers

Adrian Winckles

Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation...

Gautam Mahesh Juvarajiya

Research Associate, The Open University, UK
Currently working as a Research Associate at the Open University, with a background in IT and an MSc in Cyber Security Engineering from the University of Warwick, UK.
Room -2.33 (Level -2)

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real live example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers

Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...
Room -2.33 (Level -2)

2:15pm CEST

Updates on the OWASP Automated Threats Project
Friday June 26, 2026 2:15pm - 2:45pm CEST
Project leaders Colin Watson and Tin Zaw announced the official release of the version 1.3 of the OWASP Automated Threat Handbook on March 12, 2026.

Even after ten years, this handbook remains the go-to resource for security pros who want actionable information and resources to help defend against automated threats to web applications which abuse valid functionality. The handbook still defines twenty-one unique, unordered, OWASP Automated Threats (OATs). This latest update ensures it stays ahead of the curve in our rapidly shifting threat landscape.

In this session, I will share updates on version 1.3 and, more importantly, discuss our progress toward version 2.0 of the handbook.

With the rise of Agentic AI—which is automated by nature—the project is seeking to better understand how this specific traffic impacts web applications. Audience participation and input are highly encouraged.
Speakers

Tin Zaw

Director, Security Solutions, Project Leader, OWASP Automated Threats Project
Tin Zaw has been an OWASP volunteer since 2010, starting as the president of the Los Angeles chapter for 3 years. Since 2015, he's been a co-leader of the OWASP Automated Threats Project. Along with Colin Watson, they have released versions 1.2 and 1.3 of the handbook and are working...
Room -2.82 (Level 2)

2:30pm CEST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Friday June 26, 2026 2:30pm - 3:15pm CEST
Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
Speakers

Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously Datadog, Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a masters degree...

Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
  Bonus Track
  • Audience All
  • About: Izar Tarandach is Sr. Principal Architect at SiriusXM and co-author of Threat Modeling: A Practical Guide for Development Teams. He pioneered Continuous Threat Modeling and contributes to projects like OWASP PyTM and the CycloneDX TMBOM. A frequent speaker and podcast host, Izar focuses on making security practical, scalable, and developer-friendly.

2:45pm CEST

OWASP Nettacker Project
Friday June 26, 2026 2:45pm - 3:15pm CEST
The OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, including services, bugs, vulnerabilities, misconfigurations, default credentials and many other cool features - for example the ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing.
Speakers

Sam Stepanyan

OWASP London Chapter Leader
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions...

Arkadii Yakovets

Cybersecurity Lead (OWASP Nest, OWASP Nettacker)
Arkadii Yakovets is a cybersecurity lead specializing in secure application development and DevSecOps. Since joining OWASP in 2023, he has served as a leader and active contributor to the OWASP Nest and OWASP Nettacker projects. Arkadii has mentored over 10 students through Google...
Room -2.82 (Level 2)

3:00pm CEST

PM Break in Expo Hall
Friday June 26, 2026 3:00pm - 3:30pm CEST
Expo Hall X1

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...

Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Room -2.33 (Level -2)

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most importantly — how you can get involved. Whether you've never heard of ISO/IEC JTC 1/SC 27 or you've been curious about how standards actually get written, this is your chance to ask questions, see the current work program, and find out where your expertise fits.
Speakers

Matt Houseman

OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international...
Room -2.33 (Level -2)