Venue: Room -2.33 (Level -2)
Thursday, June 25
 

10:30am CEST

OWASP masCon - Introduction by OWASP MAS team to MAS Con
Thursday June 25, 2026 10:30am - 10:35am CEST

Speakers
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...
Room -2.33 (Level -2)

10:35am CEST

OWASP masCon - Let's get frooky: Structured Mobile DAST with Frida
Thursday June 25, 2026 10:35am - 11:25am CEST
Mobile application penetration tests can be challenging. In order to find vulnerabilities in the OWASP MAS Testing Profile L2, security testers have to simulate attacks on compromised devices. When apps protect themselves with advanced static and dynamic hardening techniques, security testers often rely on instrumentation in order to assess the security of the app at runtime.

This talk will present some of these challenges as seen in real world mobile apps and then present “frooky”, a Frida-powered hook runner based on structured I/O. This tool was consolidated together with OWASP MAS leadership and released as a standalone project for OWASP MASTG. We will show you what it can do, how it was developed and how you can use it for any mobile app penetration testing efforts in general.
Speakers
Stefan Bernhardsgrütter

Lead Security Tester, Redguard
As a Security Tester at Redguard, Stefan puts a wide variety of IT systems, networks and applications to the test. He has an M.Sc. in Engineering with focus on IT-Security and more than 10 years experience in this field. At Redguard he is responsible for developing and maintaining...
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Room -2.33 (Level -2)

11:30am CEST

OWASP masCon - Unveiling The Internals From Multiplatform Mobile Runtimes
Thursday June 25, 2026 11:30am - 11:55am CEST
Flutter, React and Unity are the main multiplatform runtimes of choice when developing mobile applications for iOS and Android. We will cover the main characteristics of each, starting with the programming language associated with the framework, the ecosystem and the toolchains, and showcase some clever low-level details in their implementations. We will also show how to recover code and data from the final release binaries with the help of the open-source plugins for radare2.
Speakers
Sergi Alvarez

Mobile Security Research Engineer, NowSecure
Pancake is a mobile security research engineer at NowSecure. He has more than 25 years of experience in the reverse engineering and security fields. Author and maintainer of tools like radare2, r2frida and other plugins around the radare ecosystem, he began working as a forensic analyst...
Room -2.33 (Level -2)

1:15pm CEST

OWASP masCon - Recent Mobile App Security Incidents from Real-World Cases
Thursday June 25, 2026 1:15pm - 1:40pm CEST
This is a review of recent mobile app security incidents I work on day to day. We’ll walk through concrete cases from banking, food delivery, and e-commerce to break down how the breaches happened.

By the end, you’ll have a clearer sense of which security practices hold up in modern mobile apps and which ones fail in practice. You’ll also learn what commonly introduces vulnerabilities and where to find secure practices that actually work.
Speakers
Jan Seredynski

Mobile Application Security Engineer, Guardsquare

Jan Seredynski is a mobile security professional with seven years of app development experience. He specializes in secure architectures and anti-tampering techniques. With a keen eye for uncovering vulnerabilities, Jan actively contributes to identifying and resolving CVEs and bugs...
Room -2.33 (Level -2)
 
Friday, June 26
 

10:30am CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output safety controls, showing what "verify that" looks like in practice against running systems. Participants will leave with a working understanding of how to scope an AI security assessment, select appropriate verification levels, and apply AISVS requirements to LLM-based applications, autonomous agents, and MCP-connected tool ecosystems. Bring a laptop if you want to follow along.
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Otto Sulin

Head of Security, Supermetrics


Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses...
Room -2.33 (Level -2)

10:30am CEST

OWASP Certified Secure-Software Developer (Call for Contributors)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 4

The OWASP Certified Secure-Software Developer (OCSD) project aims to develop a certification program for developers.

This presentation will take the audience through the journey of OCSD, the progress made so far and will include a call for contributions. This session seeks to answer common questions about the relevance of the certification in the world where applications are stood up in a matter of hours using Claude / AI.

We would like to demonstrate the relevance of OCSD in the face of development and coding carried out with the help of AI tools. We have the curriculum content and have added references from the OWASP body of knowledge. We would like to make a call for contributions to review the curriculum and the references and to add supplementary reading material.
Speakers
Shruti Kulkarni

OWASP OCSD, Information Security Architect
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information...
Room -2.33 (Level -2)

10:30am CEST

OWASP CycloneDX Sunshine: see CycloneDX SBOMs come to life & chat with them (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3
 
Ever looked at a CycloneDX file and thought, there’s gotta be a better way to read this? You're not alone. In late December 2024 OWASP CycloneDX unveiled a brand new SBOM visualization tool called Sunshine - a first-of-its-kind visualization tool that transforms static CycloneDX SBOM files into intuitive, interactive experiences.

Sunshine lets you explore software components, dependencies, vulnerabilities, and licenses like never before. As an open-source tool under the Apache 2.0 license, it's accessible to everyone. Designed with a privacy-first approach, all processing happens client-side, ensuring your SBOM data remains entirely within your browser.

Sunshine was presented for the first time at OWASP AppSec EU 2025; since then many new features have been released, and they will be showcased at OWASP AppSec EU 2026:
- Advanced filters, to let you focus and prioritize according to your own personal criteria
- Ability to easily identify and analyse n-tier dependencies within the SBOM
- "Query my SBOM" feature: an integrated full fledged SQL engine to let you literally query your SBOM in a powerful yet simple way - and export results in CSV
- Thanks to the invaluable community feedback and support, compatibility and stability have been largely improved, now being able to seamlessly analyze big and complex SBOMs
- Last but not least: during the conference a brand new exciting feature will be presented: "Chat with my SBOM", a privacy-first LLM-based AI chatbot entirely running in your browser (no server side components involved), that will empower you to get information from your SBOM in a convenient conversational way.

Join us for a hands-on walkthrough of Sunshine, where you’ll get to see it in action — not just slides. You will see how Sunshine helps developers, security pros, and even less-technical stakeholders actually understand what's in a software bill of materials.
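The "Query my SBOM" idea above, loading a CycloneDX document into a SQL engine and asking it questions, can be reproduced with nothing more than SQLite. The following is an added example for this page; it is not Sunshine's code and makes no claim about how Sunshine implements its query engine. The CycloneDX 1.5 document it parses is constructed for the example: the component names, versions and the DEMO-* vulnerability identifiers are placeholders, not real packages or advisories. Besides the flat "which components carry a high or critical vulnerability" query, it shows the n-tier case: a recursive query walking the dependency graph upwards from a vulnerable component to every component, including the application itself, that reaches it, with the hop count.

```python
"""Load a CycloneDX JSON SBOM into SQLite and query it with plain SQL.

Added example for this page, not Sunshine's code. Sample BOM is constructed;
DEMO-* ids are placeholder vulnerability identifiers.
"""
import json
import sqlite3

# Ordering for the severity words CycloneDX ratings use.
SEVERITY_RANK = {"unknown": 0, "none": 0, "info": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed CycloneDX 1.5 document (placeholder components and vulnerability ids).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "shop-api", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.1.0", "type": "library", "name": "web-framework", "version": "4.1.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:npm/query-string@6.5.2", "type": "library", "name": "query-string", "version": "6.5.2",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"bom-ref": "pkg:npm/utils@1.0.0", "type": "library", "name": "utils", "version": "1.0.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.1.0", "pkg:npm/utils@1.0.0"]},
    {"ref": "pkg:npm/web-framework@4.1.0", "dependsOn": ["pkg:npm/query-string@6.5.2"]},
    {"ref": "pkg:npm/query-string@6.5.2", "dependsOn": []},
    {"ref": "pkg:npm/utils@1.0.0", "dependsOn": []}
  ],
  "vulnerabilities": [
    {"id": "DEMO-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg:npm/query-string@6.5.2"}]},
    {"id": "DEMO-0002", "ratings": [{"severity": "low"}], "affects": [{"ref": "pkg:npm/utils@1.0.0"}]}
  ]
}
""")

SCHEMA = """
CREATE TABLE component (ref TEXT PRIMARY KEY, type TEXT, name TEXT, version TEXT, license TEXT);
CREATE TABLE dependency (ref TEXT NOT NULL, depends_on TEXT NOT NULL);
CREATE TABLE vulnerability (id TEXT NOT NULL, severity TEXT NOT NULL, ref TEXT NOT NULL);
CREATE TABLE severity_rank (severity TEXT PRIMARY KEY, weight INTEGER NOT NULL);
"""


def _license_text(component):
    """Flatten the CycloneDX licenses array (SPDX id, name or expression) to one string."""
    parts = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        parts.append(lic.get("id") or lic.get("name") or entry.get("expression") or "unknown")
    return ",".join(parts) or None


def load_bom(bom):
    """Return an in-memory SQLite connection holding the BOM's components, edges and vulnerabilities."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO severity_rank VALUES (?,?)", list(SEVERITY_RANK.items()))
    components = list(bom.get("components", []))
    root = bom.get("metadata", {}).get("component")
    if root:
        components.append(root)  # the application is a node in the graph too
    conn.executemany("INSERT INTO component VALUES (?,?,?,?,?)",
                     [(c["bom-ref"], c.get("type"), c.get("name"), c.get("version"), _license_text(c))
                      for c in components])
    conn.executemany("INSERT INTO dependency VALUES (?,?)",
                     [(d["ref"], dep) for d in bom.get("dependencies", []) for dep in d.get("dependsOn", [])])
    rows = []
    for v in bom.get("vulnerabilities", []):
        # several sources may rate one vulnerability; keep the most severe rating
        sev = max((r.get("severity", "unknown") for r in v.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")
        rows.extend((v["id"], sev, a["ref"]) for a in v.get("affects", []))
    conn.executemany("INSERT INTO vulnerability VALUES (?,?,?)", rows)
    conn.commit()
    return conn


def vulnerable_components(conn, min_severity="high"):
    """(name, version, vulnerability id, severity) for every hit at or above min_severity."""
    return conn.execute("""
        SELECT c.name, c.version, v.id, v.severity
        FROM vulnerability v
        JOIN component c ON c.ref = v.ref
        JOIN severity_rank r ON r.severity = v.severity
        WHERE r.weight >= (SELECT weight FROM severity_rank WHERE severity = ?)
        ORDER BY r.weight DESC, c.name, v.id""", (min_severity,)).fetchall()


def dependents_of(conn, ref):
    """Every component that reaches `ref` through the dependency graph, with its shortest hop count.

    Depth 1 is a direct dependency; the depth bound keeps a cyclic BOM from recursing forever."""
    return conn.execute("""
        WITH RECURSIVE up(ref, depth) AS (
            SELECT ref, 1 FROM dependency WHERE depends_on = ?
            UNION
            SELECT d.ref, up.depth + 1 FROM dependency d JOIN up ON d.depends_on = up.ref
            WHERE up.depth < 50
        )
        SELECT ref, MIN(depth) FROM up GROUP BY ref ORDER BY 2, ref""", (ref,)).fetchall()


if __name__ == "__main__":
    db = load_bom(SAMPLE_BOM)
    for name, version, vid, sev in vulnerable_components(db, "low"):
        print(f"{sev:8} {vid:10} {name}@{version}")
    print(dependents_of(db, "pkg:npm/query-string@6.5.2"))
```

Because everything sits in an in-memory database, the pattern keeps the privacy property the abstract stresses: the SBOM never leaves the machine that runs the query.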
Speakers
Luca Capacci

Staff Application Security Engineer, Ivanti
Luca received his master's degree in Computer Engineering from the University of Bologna back in 2014 and he has been working in the cybersecurity field since then. Currently he is a Senior Application Security engineer at Ivanti. Since December 2024 he is also a maintainer at OWASP...
Room -2.33 (Level -2)

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By rotating realistic education-sector personas — including virtual learning environments, student records, finance/ERP, and research portals — CHAMELEON-REN aims to sustain engagement from automated scanners and adversaries that would otherwise abandon static honeypots. The demonstration will showcase the framework in action, discuss telemetry capture and structured logging, and invite participants to explore deployment recipes and community integration options.
Speakers
Adrian Winckles

Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation...
Gautam Mahesh Juvarajiya

Research Associate, The Open University, UK
Currently working as a Research Associate at The Open University, with a background in IT and an MSc in Cyber Security Engineering from the University of Warwick, UK.
Room -2.33 (Level -2)

1:15pm CEST

Finding strange things in binaries (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 1

Internal development teams and external suppliers love producing binaries for ease of deployment and distribution. Binary formats, however, make security analysis and compliance more complex for the security and OSPO teams. The good news is that the team behind OWASP dep-scan maintains a couple of binary analysis tools (OWASP blint and OWASP dosai). We show how these two tools can help defenders find strange things in binaries and help with your software transparency journey.

The session will be technical showcasing blint and dosai to analyse complex binaries to identify capabilities, risks, and threats. Users can walk away with new knowledge about modern techniques related to binary SBOM generation, Source line to Assembly instruction mapping, security capabilities analysis, and more.

https://github.com/owasp-dep-scan/blint
https://github.com/owasp-dep-scan/dosai
Speakers
Prabhu Subramanian

Founder at AppThreat, Distinguished security expert and active contributor to the open-source security community
Prabhu Subramanian is a distinguished security expert and active contributor to the open-source security community. Prabhu is the author and OWASP Leader behind projects such as OWASP CycloneDX Generator (cdxgen) and OWASP depscan. He specializes in Supply Chain Security and offers...
Room -2.33 (Level -2)

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real live example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers
Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...
Room -2.33 (Level -2)

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security practices.

This session will highlight how SAMM helps organizations jumpstart, assess, and accelerate their software assurance roadmap, with practical takeaways you can apply right away:

• Tools and Assessment Guidance – Learn about the growing ecosystem of SAMM tools and the latest assessment techniques that make measuring and improving your maturity more approachable than ever.
• Framework Mapping – See how SAMM connects with industry standards like the NIST Secure Software Development Framework (SSDF) and OpenCRE, helping you demonstrate compliance and align with external requirements while maintaining a developer-friendly approach.
• Benchmarking with Peers – Discover the OWASP SAMM Benchmark, which allows organizations to compare their security practices against peers and industry trends anonymously—helping you spot strengths, identify gaps, and track progress over time.

Whether you’re new to SAMM or already using it, you’ll gain actionable strategies, practical insights, and a clear roadmap to achieving security excellence.
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Room -2.33 (Level -2)

3:15pm CEST

Hack Your Own Dockerfiles (Before Someone Else Does): Hands-On Container Security with OWASP DockSec (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Most teams don’t have a "container security problem." They have a "Dockerfile hygiene" problem that quietly becomes a supply chain problem. Dockerfiles are often treated as simple build instructions, but in practice they introduce real security risk. Even teams with mature AppSec programs regularly ship Dockerfiles that run as root, rely on untrusted base images, or hide supply-chain risks inside multi-stage builds. Scanners catch many of these issues, yet the same mistakes keep showing up.

In this talk I will share lessons learned from building and using DockSec, an open-source Dockerfile security analysis tool adopted by OWASP, in real development pipelines. The focus is not on introducing a new scanner, but on understanding why Dockerfile issues persist and what actually helps developers fix them.

Using real examples from production pipelines, I’ll walk through common Dockerfile patterns that lead to security problems and explain how those risks translate into real attack paths. I’ll also discuss what worked, and what didn’t, when trying to integrate Dockerfile security checks into CI/CD without slowing teams down or turning security into a constant blocker. I will also cover what "good" looks like in CI: turning findings into developer-friendly feedback, using policy gates sparingly (and correctly), and keeping scan noise under control.

This is not a product demo or a sales talk. It’s a practical discussion about Dockerfile security, developer behavior, and how AppSec teams can reduce repeat mistakes using clearer feedback, better explanations, and OWASP-aligned guidance. Attendees should leave with concrete ideas they can apply immediately, even if they never use DockSec.
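The three patterns the abstract names (running as root, an unpinned or untrusted base image, and risk hidden inside a multi-stage build) are easy to check mechanically. The following is an added example for this page; it is not DockSec's code, and the rule identifiers DF001 to DF003 are placeholders invented here. The weak and hardened Dockerfiles it runs against are constructed samples, and the sha256 digests in the hardened one are placeholders rather than real image digests. The multi-stage check is the point a single-image scanner misses: the shipped stage may be pinned and non-root while the binary it copies in was built on `golang:latest`.

```python
"""Dockerfile hygiene checks for root, unpinned base images and multi-stage blind spots.

Added example for this page, not DockSec's code. Rule ids DF001-DF003 are
placeholders; the sample Dockerfiles and digests below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
COPY_FROM_RE = re.compile(r"^COPY\s+.*--from=(\S+)", re.I)


def _is_pinned(image_ref):
    """True if the reference is immutable enough: a digest, or a tag other than 'latest'."""
    if image_ref.lower() == "scratch" or "@" in image_ref:
        return True  # 'scratch' is empty; name@sha256:... cannot change under you
    # the tag is the text after the last ':' that comes after the last '/',
    # so 'registry:5000/img' is not mistaken for a tagged image
    last_slash, colon = image_ref.rfind("/"), image_ref.rfind(":")
    if colon > last_slash:
        return image_ref[colon + 1:].lower() != "latest"
    return False


def _stage_named(stages, key):
    """Resolve a stage alias or numeric index used in FROM/--from, else None."""
    for stage in stages:
        if stage["alias"] and stage["alias"].lower() == key.lower():
            return stage
    if key.isdigit() and int(key) < len(stages):
        return stages[int(key)]
    return None


def lint_dockerfile(text):
    """Return findings sorted by line; an empty list means the three checks passed."""
    findings = []
    stages = []  # one dict per FROM: alias, pinned, last USER, line number
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            base = _stage_named(stages, ref)  # 'FROM builder AS test' reuses an earlier stage
            pinned = base["pinned"] if base else _is_pinned(ref)
            if base is None and not pinned:
                findings.append(Finding(lineno, "DF001",
                                        f"base image {ref!r} is not pinned to a version tag or digest"))
            stages.append({"alias": alias, "pinned": pinned, "user": None, "line": lineno})
            continue
        if not stages:
            continue  # ARG before the first FROM is out of scope here
        m = USER_RE.match(line)
        if m:
            stages[-1]["user"] = m.group(1)
            continue
        m = COPY_FROM_RE.match(line)
        if m:
            src = m.group(1)
            origin = _stage_named(stages[:-1], src)
            # artifacts inherit the trust of whatever built them, pinned final image or not
            if not (origin["pinned"] if origin else _is_pinned(src)):
                findings.append(Finding(lineno, "DF003",
                                        f"COPY --from={src} takes artifacts built on an unpinned image"))
    if stages:
        final = stages[-1]  # only the last stage ends up in the shipped image
        user = (final["user"] or "root").split(":")[0]
        if user in ("root", "0"):
            findings.append(Finding(final["line"], "DF002",
                                    "final stage runs as root (no non-root USER instruction)"))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed samples. PIN is a placeholder digest, not a real image.
PIN = "sha256:" + "ab" * 32

WEAK = """\
FROM golang:latest AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM debian
COPY --from=builder /app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
"""

HARDENED = f"""\
FROM golang:1.22@{PIN} AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./cmd/app

FROM gcr.io/distroless/static-debian12:nonroot@{PIN}
COPY --from=builder /app /usr/local/bin/app
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/app"]
"""

if __name__ == "__main__":
    for label, df in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, [(f.line, f.rule, f.message) for f in lint_dockerfile(df)])
```

The weak sample yields four findings (two unpinned images, root in the final stage, and a copy out of the unpinned builder); the hardened one yields none. In CI this kind of check is what the abstract calls developer-friendly feedback: each finding carries the line and a sentence saying why, and whether DF001 on a build stage blocks a merge or only warns is a policy decision to take deliberately rather than a default.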
Speakers
Advait Patel

Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom and the creator of DockSec, an open-source, AI-powered Docker security analyzer. With over 8 years of experience in cloud-native security, DevSecOps, and secure software supply chains, he is passionate about building...
Room -2.33 (Level -2)

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most importantly — how you can get involved. Whether you've never heard of ISO/IEC JTC 1/SC 27 or you've been curious about how standards actually get written, this is your chance to ask questions, see the current work program, and find out where your expertise fits.
Speakers
Matt Houseman

OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international...
Room -2.33 (Level -2)
 