Loading…
Venue: Room -2.33 (Level -2) clear filter
Monday, June 22
 

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Monday June 22, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
3-Day Training:June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan


To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector... 

What Students Should Know
To get the most of this training intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify the traffic.

What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes
This new 3-day training was sold out at top security conferences e.g. DEF CON (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.

Speakers
avatar for Dawid Czagan

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Monday June 22, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
  3-Day Training
 
Tuesday, June 23
 

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Tuesday June 23, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
3-Day Training:June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan


To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector... 

What Students Should Know
To get the most of this training intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify the traffic.

What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes
This new 3-day training was sold out at top security conferences e.g. DEF CON (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.

Speakers
avatar for Dawid Czagan

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Tuesday June 23, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
  3-Day Training
 
Wednesday, June 24
 

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Wednesday June 24, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
3-Day Training:June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan


To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed in a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector...
 
What Students Should Know
To get the most of this training intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify the traffic.

What Students Should Bring
Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes
This new 3-day training was sold out at top security conferences e.g. DEF CON (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.

Speakers
avatar for Dawid Czagan

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Wednesday June 24, 2026 9:00am - 5:00pm CEST
Room -2.33 (Level -2)
  3-Day Training
 
Thursday, June 25
 

10:30am CEST

OWASP masCon - Introduction by OWASP MAS team to MAS Con
Thursday June 25, 2026 10:30am - 10:35am CEST
Room -2.33 (Level -2)

Speakers
avatar for Carlos Holguera

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →
avatar for Sven Schleier

Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications... Read More →
Thursday June 25, 2026 10:30am - 10:35am CEST
Room -2.33 (Level -2)
  MobileAppSecCon

10:35am CEST

OWASP masCon - Let's get frooky: Structured Mobile DAST with Frida
Thursday June 25, 2026 10:35am - 11:25am CEST
Room -2.33 (Level -2)
Mobile application penetration tests can be challenging. In order to find vulnerabilities in the OWASP MAS Testing Profile L2, security testers have to simulate attacks on compromised devices. When apps protect themselves with advanced static and dynamic hardening techniques, security testers often rely on instrumentation in order to assess the security of the app at runtime.

This talk will present some of these challenges as seen in real world mobile apps and then present “frooky”, a Frida-powered hook runner based on structured I/O. This tool was consolidated together with OWASP MAS leadership and released as a standalone project for OWASP MASTG. We will show you what it can do, how it was developed and how you can use it for any mobile app penetration testing efforts in general.
Speakers
SB

Stefan Bernhardsgrütter

Lead Security Tester, Redguard
As a Security Tester at Redguard, Stefan puts a wide variety of IT systems, networks and applications to the test. He has an M.Sc. in Engineering with focus on IT-Security and more than 10 years experience in this field. At Redguard he is responsible for developing and maintaining... Read More →
avatar for Carlos Holguera

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →
Thursday June 25, 2026 10:35am - 11:25am CEST
Room -2.33 (Level -2)
  MobileAppSecCon

11:30am CEST

OWASP masCon - Unveiling The Internals From Multiplatform Mobile Runtimes
Thursday June 25, 2026 11:30am - 11:55am CEST
Room -2.33 (Level -2)
Flutter, React and Unity are the main multiplatform runtimes of choice when developing mobile applications for iOS and Android. We will cover the main characteristics, starting with the programming language associated with the framework, the ecosystem, the toolchains and showcase some clever low level details in their implementations. Recovering code and data from the final release binaries with the help of the opensource plugins for radare2.
Speakers
avatar for Sergi Alvarez

Sergi Alvarez

Mobile Security Research Engineer, NowSecure
Pancake is a mobile security research engineer at NowSecure. It has more than 25 years of experience in the reverse engineering and security fields. Author and maintainer of tools like radare2, r2frida and other plugins around the radare ecosystem, he began working as a forensic analyst... Read More →
Thursday June 25, 2026 11:30am - 11:55am CEST
Room -2.33 (Level -2)
  MobileAppSecCon

1:15pm CEST

OWASP masCon - Recent Mobile App Security Incidents from Real-World Cases
Thursday June 25, 2026 1:15pm - 1:40pm CEST
Room -2.33 (Level -2)
This is a review of recent mobile app security incidents I work on day to day. We’ll walk through concrete cases from banking, food delivery, and e-commerce to break down how the breaches happened.

By the end, you’ll have a clearer sense of which security practices hold up in modern mobile apps and which ones fail in practice. You’ll also learn what commonly introduces vulnerabilities and where to find secure practices that actually work.
Speakers
avatar for Jan Seredynski

Jan Seredynski

Mobile Application Security Engineer, Guardsquare

Jan Seredynski is a mobile security professional with seven years of app development experience. He specializes in secure architectures and anti-tampering techniques. With a keen eye for uncovering vulnerabilities, Jan actively contributes to identifying and resolving CVEs and bugs... Read More →
Thursday June 25, 2026 1:15pm - 1:40pm CEST
Room -2.33 (Level -2)
  MobileAppSecCon

1:45pm CEST

OWASP masCon - Meet the New Frida Frontend on the Block
Thursday June 25, 2026 1:45pm - 2:10pm CEST
Room -2.33 (Level -2)
This talk introduces a new Frida frontend for macOS and iOS, designed as an interactive, persistent environment for exploring live processes.

It supports local and remote targets, long-lived sessions that survive crashes, and saved documents you can return to later. Built around this core model are a REPL, a code tracer, a powerful editor with completion and inline documentation, a persistent notebook, package management, and built-in collaboration.

We’ll walk through the motivation and architecture behind the frontend, and demo how a more stateful, GUI-driven approach opens up new workflows for dynamic instrumentation—without naming names (yet).
Speakers
avatar for Ole André Vadla Ravnås

Ole André Vadla Ravnås

Security Researche, NowSecure
Creator of Frida · Security Researcher at NowSecure
 @oleavr
no.linkedin.com/in/oleavr... Read More →
Thursday June 25, 2026 1:45pm - 2:10pm CEST
Room -2.33 (Level -2)
  MobileAppSecCon

2:15pm CEST

OWASP masCon - Attacking ART
Thursday June 25, 2026 2:15pm - 2:40pm CEST
Room -2.33 (Level -2)
When analyzing the security of mobile applications, we often have to overcome local security controls to perform a thorough audit. This can include obtaining access to the application’s internal storage, disabling TLS pinning or forcing the application to use our interception proxy.
For many applications, this is straightforward. We can install the app on our rooted device, inject Frida and accomplish all of the above. However, this gets tricky when the application has implemented resiliency controls, known as Runtime Application Self Protection (RASP).

In this talk, I will zoom in on one lesser-known technique targeting the Android Runtime (ART): Manipulating ODEX/VDEX files. Any code implemented in Java/Kotlin can easily be manipulated without leaving any traces.
Speakers
avatar for Jeroen Beckers

Jeroen Beckers

Mobile Solution Lead, NVISO

I am the mobile solution lead at NVISO, where I am responsible for quality delivery, innovation and methodology for all mobile assessments. I am actively involved in the mobile security community, and I try to share my knowledge through open-source tools, blogposts, trainings and... Read More →
Thursday June 25, 2026 2:15pm - 2:40pm CEST
Room -2.33 (Level -2)
  MobileAppSecCon

2:45pm CEST

OWASP masCon - Closure of conference by OWASP MAS team
Thursday June 25, 2026 2:45pm - 3:00pm CEST
Room -2.33 (Level -2)

Speakers
avatar for Carlos Holguera

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →
avatar for Sven Schleier

Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications... Read More →
Thursday June 25, 2026 2:45pm - 3:00pm CEST
Room -2.33 (Level -2)
  MobileAppSecCon
 
Friday, June 26
 

10:30am CEST

OWASP Certified Secure-Software Developer (Call for Contributors)
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 4

OWASP Certified Secure-Software Developer Certification project is aimed at developing a certification program for developers.

This presentation will take the audience through the journey of OCSD, the progress made so far and will include a call for contributions. This session seeks to answer common questions about the relevance of the certification in the world where applications are stood up in a matter of hours using Claude / AI.

We would like to demonstrate the relevance of OCSD in the face of development / coding carried out with the help of AI / tools. We have the curriculum content and have added references from OWASP body of knowledge. We would like to make a call contribution to review the curriculum, the references and add supplementary reading material.
Speakers
avatar for Shruti Kulkarni

Shruti Kulkarni

OWASP OCSD, Information Security Architect
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information... Read More →
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

10:30am CEST

OWASP CycloneDX Sunshine: see CycloneDX SBOMs come to life & chat with them (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3
 
Ever looked at a CycloneDX file and thought, there’s gotta be a better way to read this? You're not alone. In late December 2024 OWASP CycloneDX unveiled a brand new SBOM visualization tool called Sunshine - a first-of-its-kind visualization tool that transforms static CycloneDX SBOM files into intuitive, interactive experiences.

Sunshine lets you explore software components, dependencies, vulnerabilities, and licenses like never before. As an open-source tool under the Apache 2.0 license, it's accessible to everyone. Designed with a privacy-first approach, all processing happens client-side, ensuring your SBOM data remains entirely within your browser.

Presented for the first time at OWASP AppSec EU 2025, since then many new features have been released and will be showcased at OWASP AppSec EU 2026:
- Advanced filters, to let you focus and prioritize according to your own personal criteria
- Ability to easily identify and analyse n-tier dependencies within the SBOM
- "Query my SBOM" feature: an integrated full fledged SQL engine to let you literally query your SBOM in a powerful yet simple way - and export results in CSV
- Thanks to the invaluable community feedback and support, compatibility and stability have been largely improved, now being able to seamlessly analyze big and complex SBOMs
- Last but not least: during the conference a brand new exciting feature will be presented: "Chat with my SBOM", a privacy-first LLM-based AI chatbot entirely running in your browser (no server side components involved), that will empower you to get information from your SBOM in a convenient conversational way.

Join us for a hands-on walkthrough of Sunshine, where you’ll get to see it in action — not just slides. You will see how Sunshine helps developers, security pros, and even less-technical stakeholders actually understand what's in a software bill of materials.
Speakers
avatar for Luca Capacci

Luca Capacci

Staff Application Security Engineer, Ivanti
Luca received his master's degree in Computer Engineering from the University of Bologna back in 2014 and he has been working in the cybersecurity field since then. Currently he is a Senior Application Security engineer at Ivanti. Since December 2024 he is also a maintainer at OWASP... Read More →
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By rotating realistic education-sector personas — including virtual learning environments, student records, finance/ERP, and research portals — CHAMELEON-REN aims to sustain engagement from automated scanners and adversaries that would otherwise abandon static honeypots. The demonstration will showcase the framework in action, discuss telemetry capture and structured logging, and invite participants to explore deployment recipes and community integration options.
Speakers
avatar for Adrian Winckles

Adrian Winckles

Cyber Security Academic, Security Researcher, Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation... Read More →
avatar for Gautam Mahesh Juvarajiya

Gautam Mahesh Juvarajiya

Research Associate, The Open University, UK
Currently Working as a Research Associate at Open University with a Background in IT and a MSc in Cyber Security Engineering from University of Warwick, UK.
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

1:15pm CEST

Games as tools for scaling your application security program
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
OWASP Cornucopia is a card game to assist software development teams in identifying security requirements in agile software development processes. It is language-, platform-, and technology-agnostic (https://cornucopia.owasp.org). 

In this session, attendees will play OWASP Cornucopia and, through practical application, learn how to use EoP-based games for threat modeling, along with tips and tricks for scaling their threat modeling while remaining ISO27001 certified and keeping developers engaged in security requirements and design activities.

We will be playing the game differently from what we usually do. You will be taken through a provocative scenario. With the grumpy old senior developer who doesn't shift left due to too many hours working overtime on his incredibly sophisticated pet projects, what will you do? Will you be able to teach him a lesson about why security is essential, or will he be laughing all the way to his developer cave? Only true passionate application security engineers will succeed. Expect confetti, swags (yes, you read right, swag, valued just below the corruption limit), and illegal bribes as you venture into the unknown of OWASP Cornucopia.

Most people will agree with you that security is important, but they forget what you were saying once they leave the room.
The brain is amazing. It can let you learn to ride a bike, write poetry, learn a new programming language, or even fall in love, but if your brain is so amazing, why do your colleagues forget all the things you said about security during your last meeting?
In this session, we will learn how to play games to create agency, empathy, community, spark the imagination, and wake up the brain. When choosing a strategy for scaling your application security program, don’t choose reading materials, presentations with “talking heads,” or meetings as a medium for increasing awareness and knowledge about security. Instead, focus on activities that can be repeated on a regular basis that are both relevant and engaging to the work you are doing. When employees are authentically involved and curious about their learning, their heightened focus and emotional connection stimulate better memory formation and application of knowledge. In fact, numerous studies have reported that emotions have a significant impact on human cognitive processes. This underpins why games can strengthen learning over time, which is why you should have an extensive collection of games in your arsenal when teaching others about application security.
Speakers
avatar for Grant Ongers

Grant Ongers

Security- Advisor | Ambassador | Architect, esynergy
With 10+ years in Dev, 20 in Ops, and 30 in Sec, Grant Ongers (rewtd) is the Head of esynergy’s Security Practice; a Principal Security Architect at the Department for Science, Innovation and Technology and a former OWASP® Foundation Global Board member. A firm believer that security... Read More →
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

1:15pm CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output safety controls, showing what "verify that" looks like in practice against running systems. Participants will leave with a working understanding of how to scope an AI security assessment, select appropriate verification levels, and apply AISVS requirements to LLM-based applications, autonomous agents, and MCP-connected tool ecosystems. Bring a laptop if you want to follow along.
Speakers
avatar for Raza Sharif

Raza Sharif

Raza is the founder of CyberSecAI, a UK-based cyber security consultancy, and co-lead of the OWASP AISVS project. With 20+ years securing critical infrastructure for the private sector, governments and financial institutions, he focuses on AI security architecture and securing the... Read More →
avatar for Jim Manico

Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security... Read More →
avatar for Rico Komenda

Rico Komenda

Senior Product Security Engineer
Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you... Read More →
avatar for Otto Sulin

Otto Sulin

Head of Security, Supermetrics


avatar for Russ Memisyazici

Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses... Read More →
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real live example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers
avatar for Christoph Niehoff

Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly... Read More →
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
avatar for Sebastien Deelersnyder

Sebastien Deelersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering... Read More →
avatar for Aram Hovsepyan

Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software... Read More →
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

3:15pm CEST

Hack Your Own Dockerfiles (Before Someone Else Does): Hands-On Container Security with OWASP DockSec (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
Most teams don’t have a "container security problem." They have a "Dockerfile hygiene" problem that quietly becomes a supply chain problem. Dockerfiles are often treated as simple build instructions, but in practice they introduce real security risk. Even teams with mature AppSec programs regularly ship Dockerfiles that run as root, rely on untrusted base images, or hide supply-chain risks inside multi-stage builds. Scanners catch many of these issues, yet the same mistakes keep showing up.

In this talk I will share lessons learned from building and using DockSec, an open-source Dockerfile security analysis tool adopted by OWASP, in real development pipelines. The focus is not on introducing a new scanner, but on understanding why Dockerfile issues persist and what actually helps developers fix them.

Using real examples from production pipelines, I’ll walk through common Dockerfile patterns that lead to security problems and explain how those risks translate into real attack paths. I’ll also discuss what worked, and what didn’t, when trying to integrate Dockerfile security checks into CI/CD without slowing teams down or turning security into a constant blocker. I will also cover what "good" looks like in CI: turning findings into developer-friendly feedback, using policy gates sparingly (and correctly), and keeping scan noise under control.

This is not a product demo or a sales talk. It’s a practical discussion about Dockerfile security, developer behavior, and how AppSec teams can reduce repeat mistakes using clearer feedback, better explanations, and OWASP-aligned guidance. Attendees should leave with concrete ideas they can apply immediately, even if they never use DockSec.
Speakers
avatar for Advait Patel

Advait Patel

Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom with experienced in securing large-scale cloud platforms across AWS and GCP. He holds an MS in Computer Science from DePaul University and is a Docker Captain and Google Developer Expert in Google Cloud.
Advait is an active contributor to the security community as a founding member of the OWASP AI Vulnerability Scoring System (AIVSS), creator of the OWASP-adopted open-source tool DockSec, and co-author of cloud security guidelines for CSA. He has authored two Springer books on GCP... Read More →
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most importantly — how you can get involved. Whether you've never heard of ISO/IEC JTC 1/SC 27 or you've been curious about how standards actually get written, this is your chance to ask questions, see the current work program, and find out where your expertise fits.
Speakers
avatar for Matt Houseman

Matt Houseman

OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international... Read More →
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)
  Project Demo Lab (Hands-on)
 

Get help with the event

Contact event planner Event login
View support guides Find upcoming events
Create an event you'd love to attend!
Explore why organizers choose Sched Success stories
Event App Event scheduling Event registration Event ticketing Sched forms Call for papers Badges Conferences
© 2026. SCHED LLC - All rights reserved - Helping events since 2008
Event Planning Software Privacy Terms
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Monday, June 22
Tuesday, June 23
Wednesday, June 24
Thursday, June 25
Friday, June 26
-2.66 (Level -2)
Expo Hall X1
Expo Hall X1, Booth SU4
Foyer D (Level -2)
Hall D (Level -2)
Hall G1 (Level -2)
Hall G2 (Level -2)
Hall K1 (Level -2)
Hall K2 (Level -2)
Level -2
Offsite Vendor Sponsored Event
Room -2.15 (Level -2)
Room -2.33 (Level -2)
Room -2.42 (Level -2)
Room -2.43 (Level -2)
Room -2.62 (Level 2)
Room -2.82 (Level 2)
Room -2.92 (Level -2)
Room -2.94 (Level -2)
Room: -2.14 (Level -2)
Room: -2.31 (Level -2)
Room: -2.32 (Level -2)
Room: -2.41 (Level -2)
Room: -2.77 (Level -2)
Room: -2.93 (Level -2)
Terrace G of Austria Center
  • 1-Day Training
  • 2-Day Training
  • 3-Day Training
  • Bonus Track
  • Book Signing
  • Deployment and Maintenance
  • Implementation
  • Keynote
  • Meals Provided by OWASP
  • Meeting
  • MobileAppSecCon
  • Panel Discussion
  • Planning and Design
  • PODS (Hands-on Activities)
  • Process and Culture
  • Project Demo Lab (Hands-on)
  • Project Showcase (Lightning Talks)
  • Project User Day
  • Registration
  • Sponsored Happy Hour
  • Testing
  • Audience
  • Advanced
  • All
  • AppSec Engineers
  • Beginner
  • Developers
  • Intermediate
  • Introductory and Overview
  • Private Meeting
  • Security Champions
  • Students and newcomers in AppSec
  • Subject
  • AI
  • CRA
  • DevSecOps
  • Gamification
  • Kubernetes
  • Mobile Security
  • Network Security
  • Pentesting
  • SSDLC
  • Standards
  • Threat Modeling
  • WAF