Monday, June 22
 

9:00am CEST

3-Day Training: Web Application Security Essentials
Monday June 22, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Introductory and Overview
Trainer: Fabio Cerullo


To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Introduction
Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily.
As AI tools accelerate software development, code is being generated faster than ever before. Yet every line, human-written or AI-generated, still carries risk. This three-day instructor-led course gives participants the knowledge and practical experience to recognise vulnerabilities, understand how exploitation works, and assess potential impact.
Aligned with the latest OWASP Top 10 2025, the course provides an in-depth exploration of each key risk, illustrated through demonstrations and guided labs.
Participants will learn how attackers think, how vulnerabilities are introduced, and how to recognise and validate them, preparing them to collaborate effectively with developers and security teams in future remediation work.

Format
You will begin by exploring common web application vulnerabilities before gaining access to a purpose-built lab environment containing the very bugs and coding errors discussed in class. This provides an ideal, safe setting to observe and exploit these vulnerabilities using open-source tools and techniques, bridging the gap between theory and real-world practice.
This practical approach builds the confidence and analytical skills needed to identify and assess security risks effectively. Sessions encourage active participation, group discussions, and collaboration, allowing you to share insights and learn from peers across disciplines.

Course Outline
1. Introduction to Web Application Security
2. Technologies Used in Web Applications
3. Tools Used During the Course
4. Critical Areas in Web Applications: OWASP Top 10 2025
5. Broken Access Control (A01:2025)
6. Security Misconfiguration (A02:2025)
7. Software Supply Chain Failures (A03:2025)
Speakers
Fabio Cerullo
Managing Director, Cycubix
Fabio Cerullo is a seasoned cybersecurity trainer and consultant with over 15 years of industry experience across financial services, government, startups, and software companies. He has delivered training to thousands of developers and security professionals worldwide, with a focus…
 
Tuesday, June 23
 

9:00am CEST

1-Day Training: Build your AppSec Program with OWASP SAMM (Tuesday only)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

1-Day Training: Tuesday, June 23
Trainer: Aram Hovsepyan
Level: All

Please note that this 1-day training course takes place on TUESDAY, rather than on Wednesday like our other 1-day training courses.

Application security has become synonymous with a vulnerability management program driven primarily by tools. This view is flawed. As many teams and organizations have already found out, tools often end up creating more problems than solutions. Any decent application security program starts with people knowing their roles and responsibilities. The team is then given friction-free processes to work with. Tools are brought in to streamline those processes and provide additional guardrails.

OWASP's Software Assurance Maturity Model (SAMM) provides the high-level framework for building exactly this kind of program. This interactive training will give you a deep understanding of OWASP SAMM and show you how to apply it in real-world scenarios. Through expert-led sessions and hands-on exercises, you will learn how to embed security into every phase of the software development lifecycle. You will also gain a clear view of how SAMM naturally prepares you for upcoming regulations such as the EU Cyber Resilience Act. Finally, we will cover how using LLMs to write code fits into the context of SAMM.

Participants will leave the training with:
- A comprehensive understanding of OWASP SAMM and its application in real-world organizations and teams.
- Experience performing OWASP SAMM assessments, setting improvement targets, and prioritizing those improvements.
- Insights into scoring and benchmarking to demonstrate progress and align efforts with organizational objectives.
- A practical understanding of how OWASP SAMM aligns with the expectations of the EU Cyber Resilience Act.
- An interactive learning experience through hands-on exercises.
- An understanding of the implications of using AI to write code in the context of SAMM.
Speakers
Aram Hovsepyan
Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software…

9:00am CEST

3-Day Training: Web Application Security Essentials
Tuesday June 23, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026 (day 2 of 3; full description under Monday, June 22)
Level: Introductory and Overview
Trainer: Fabio Cerullo
 
Wednesday, June 24
 

9:00am CEST

3-Day Training: Web Application Security Essentials
Wednesday June 24, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026 (day 3 of 3; full description under Monday, June 22)
Level: Introductory and Overview
Trainer: Fabio Cerullo
 
Thursday, June 25
 

11:30am CEST

The OWASP Top Ten 2025
Thursday June 25, 2026 11:30am - 12:15pm CEST
The OWASP Top Ten has been one of the most influential resources in application security for more than two decades — shaping training, security programs, and procurement decisions around the world. In this session, we’ll unveil the newest edition of the OWASP Top Ten Critical Risks to Web Applications, explain how it was built through community input and real-world data, and show what these changes mean for you.

We will cover all ten risks, focusing more time on the new and expanded items, as well as covering 3 ‘honourable mentions’ (#11, #12, and one that we do not have data to support). We’ll wrap up with practical guidance on how to use the Top Ten in your own programs (not as a compliance checklist, but as a strategic awareness tool).

Whether you’re an application security engineer, developer, or in management, this is your chance to get ahead of the curve and help shape the conversation: the writing is open for comment, and your feedback will make a difference.
Speakers
Tanya Janca
Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure…
Torsten Gigler
Internal IT Security Advisor, OWASP Volunteer
Torsten Gigler has been an Internal IT Security Advisor in a large-scale enterprise for more than 25 years (application and ICT infrastructure security). He has volunteered for OWASP for more than 13 years; among other things, he has been co-lead of the OWASP Top 10 project since 2017…
Hall G1 (Level -2)

11:30am CEST

Admission of Guilt: I Exploited a Parking System for a Year (And What It Taught Me About AppSec)
Thursday June 25, 2026 11:30am - 12:15pm CEST
If you’ve ever wanted to make AppSec relatable to your developers, your business stakeholders, etc…

If you want to hear an example of security flaws in a digital-physical system and how AppSec practices apply…

If you want to hear a funny story about my student-years shenanigans and maybe reminisce about your own…

Then this is the talk for you.

Security is often taught through theory, but some of the most powerful lessons come from lived experience, even when that experience involves some very questionable ethics.

I will share with you the story of how I, a broke university student, reverse engineered and exploited a parking system to get free parking for a whole school year.

But this talk isn’t just a funny story, it’s about the lessons about AppSec that it taught me. And the realization that AppSec failures can have an impact on the physical world, and will even more so in the future as our physical environments become more intertwined with technology. The current example is minor and relatively harmless, but the implications of AppSec failures could have been far more serious in a different setting.

We’ll dissect this real-world exploit and how the vulnerabilities directly map to application security. Then each aspect will be mapped to the relevant CWEs, OWASP Top 10 categories and OWASP SAMM practices.

I will leave you with one activity that would have likely prevented the issues in the aforementioned system, and that I believe should be implemented in all organizations without exception.
Speakers
Dimitar Raichev
Software Security Engineer, Codific
I am a software security engineer at Codific, where my responsibilities include the design and development of SAMMY — a Secure SDLC management tool that supports numerous security and quality frameworks such as SAMM, SSDF, CSF, multiple ISO standards, etc.
In this capacity, I be…
Hall K2 (Level -2)

1:15pm CEST

OWASP masCon - Recent Mobile App Security Incidents from Real-World Cases
Thursday June 25, 2026 1:15pm - 1:40pm CEST
This is a review of recent mobile app security incidents that I work on day to day. We’ll walk through concrete cases from banking, food delivery, and e-commerce to break down how the breaches happened.

By the end, you’ll have a clearer sense of which security practices hold up in modern mobile apps and which ones fail in practice. You’ll also learn what commonly introduces vulnerabilities and where to find secure practices that actually work.
Speakers
Jan Seredynski
Mobile Application Security Engineer, Guardsquare
Jan Seredynski is a mobile security professional with seven years of app development experience. He specializes in secure architectures and anti-tampering techniques. With a keen eye for uncovering vulnerabilities, Jan actively contributes to identifying and resolving CVEs and bugs…
Room -2.33 (Level -2)

3:30pm CEST

Pragmatic least-privilege for cloud and Kubernetes: applying good advice to real systems
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Whichever public cloud you use, there are literally hundreds of assignable permissions — and while everyone quotes the ideal of “least privilege,” just when the deadline looms it becomes far too tempting to grant “just one more permission.” Before you know it, your developer teams and service accounts are swimming in high privileges.

In this session we’ll start from the basics of structured permission management, then go deeper — all the way to time-limited access, rule-based privileged-access workflows, and on-demand role elevation. We won’t rehash each cloud provider’s security guide; instead, we’ll deliver pragmatic, maintainable, and flexible guidelines that balance solid permission hygiene with the realities of tight deadlines.

This talk is targeted at security engineers, cloud engineers, or anyone looking for a starting point for organizing and structuring their permission approach.
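As an added illustration of the permission-hygiene problem the abstract describes (example code written for this page, not material from the talk or its speaker), the Python below audits Kubernetes RBAC objects for the patterns that typically accumulate under deadline pressure: wildcard rules, bindings to cluster-admin, read access to Secrets, pod exec, and grants to all authenticated users. The manifests, role names and namespaces are constructed for the example; the broad "temporary" ClusterRole and cluster-admin binding sit beside the scoped Role a CI deployer actually needs, and only the former produce findings.

```python
"""Audit Kubernetes RBAC objects for patterns that erode least privilege.

Added example for the permission-hygiene problem described above; not code
from the talk. Input objects are Python dicts in the same shape as the
JSON/YAML manifests kubectl accepts. All names and namespaces are
constructed for illustration.
"""

READ_VERBS = {"get", "list", "watch", "*"}
EXEC_RESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}


def audit_rule(kind, name, rule):
    """Return findings for a single PolicyRule of a Role or ClusterRole."""
    findings = []
    where = f"{kind}/{name}"
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    groups = set(rule.get("apiGroups", []))

    if "*" in verbs and "*" in resources:
        findings.append(f"{where}: wildcard verbs on wildcard resources "
                        "(equivalent to cluster-admin within its scope)")
    elif "*" in verbs:
        findings.append(f"{where}: wildcard verbs on {sorted(resources)}")
    elif "*" in resources:
        findings.append(f"{where}: {sorted(verbs)} on every resource in "
                        f"apiGroups {sorted(groups)}")
    # Secrets are the usual credential store; read access is lateral movement.
    if "secrets" in resources and verbs & READ_VERBS:
        findings.append(f"{where}: reads Secrets ({sorted(verbs & READ_VERBS)})")
    # exec/attach/portforward are granted with the "create" verb on the subresource.
    if resources & EXEC_RESOURCES and verbs & {"create", "*"}:
        findings.append(f"{where}: can exec/attach into pods "
                        f"({sorted(resources & EXEC_RESOURCES)})")
    return findings


def audit_binding(kind, name, binding):
    """Return findings for a RoleBinding or ClusterRoleBinding."""
    findings = []
    where = f"{kind}/{name}"
    subjects = binding.get("subjects", [])
    ref = binding["roleRef"]["name"]
    described = ", ".join(
        f"{s['kind']}/{s.get('namespace', '-')}/{s['name']}" for s in subjects)
    if ref == "cluster-admin":
        findings.append(f"{where}: binds cluster-admin to {described}")
    everyone = {s["name"] for s in subjects if s["kind"] == "Group"} & EVERYONE_GROUPS
    if everyone:
        findings.append(f"{where}: grants {ref} to {sorted(everyone)}")
    return findings


def audit_rbac(objects):
    """Run both audits over a list of RBAC objects; returns finding strings."""
    findings = []
    for obj in objects:
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                findings.extend(audit_rule(kind, name, rule))
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(audit_binding(kind, name, obj))
    return findings


# Constructed sample: a broad "temporary" grant that was never revoked and a
# debug role, beside the scoped role a CI deployer actually needs.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "Role", "metadata": {"name": "debug", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    # Scoped alternative: only the verbs the CI job needs, in one namespace.
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "shop"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "watch", "patch"]},
               {"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "shop"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "Role", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
]

if __name__ == "__main__":
    for line in audit_rbac(SAMPLE_OBJECTS):
        print(line)
```

Running the script prints four findings, all against the broad ClusterRole, the cluster-admin binding and the debug Role; the scoped Role and its namespaced RoleBinding produce none. In a real cluster the same checks can be fed from `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`, and the first two findings are exactly the kind of "just one more permission" grant that a time-limited or on-demand elevation workflow would have expired automatically.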
Speakers
Mark Vinkovits
Chief Information Security Officer, XUND Solutions
Mark has worked as a software, security, and privacy engineer over the past decade. Since his research in user-centered computing, he has argued that human behavior, beliefs, and motivations cannot be excluded from the design of any solution, including any SDLC that should be livable…
Hall K1 (Level -2)

3:30pm CEST

AI and the Threat Modeling Manifesto: Conflicts, Failure Modes, and Better Patterns
Thursday June 25, 2026 3:30pm - 4:15pm CEST
AI is becoming increasingly embedded in threat modeling processes. Some organizations now claim that threat modeling can be performed entirely by AI. This appears to be a natural progression, given the growing use of AI in software development itself.

Before the current wave of AI adoption, the Threat Modeling Manifesto (TMM) was developed, drawing inspiration from the Agile Manifesto. It distilled years of practitioner experience in application security into a short, actionable document. The TMM emphasizes values such as a culture of finding and fixing design issues, people and collaboration over tools, and a journey of understanding rather than a static security snapshot.

This talk examines how AI-assisted threat modeling can diverge from these values through five recurring anti-patterns. These include treating AI as the hero threat modeler, de-emphasizing human collaboration and input, prioritizing snapshots over the journey of understanding, delegating creativity to AI, and favoring exhaustive enumeration over deliberate discussion.

The session then explores three silent failure modes that frequently emerge in the presence of these anti-patterns: hallucination, automation bias, and the illusion of completeness. Together, they produce threat models that appear finished and authoritative, while concealing subtle errors, weakening shared understanding and ownership, and failing to create the motivation needed for people to act.

Finally, the talk synthesizes emerging best practices observed across real-world AppSec teams. These include using AI as a facilitator rather than an authority, designing explicitly for disagreement and multiple viewpoints, and structuring processes that increase meaningful human participation and understanding.

Attendees will leave with a practical framework for adopting AI-assisted threat modeling that helps teams avoid silent failures, preserve human judgment and collaboration, and use AI to generate output that gets understood and acted upon.

Speakers
Vikramaditya Narayan
Creator of The Precogly Open Source Threat Modeling Platform
Vikramaditya Narayan is the creator of Precogly, an open-source, enterprise-grade threat modeling platform built for compliance-aware security teams. Previously, he designed the prototype for a YC-funded AI governance platform. Vikramaditya leads the Bangalore chapter of Threat Modeling…
Hall D (Level -2)
 