Traditional patching has failed to scale - it's time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you'll learn how Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata go beyond traditional OWASP recommendations to prevent vulnerabilities at scale.

You'll work with a training app that's already secured, but we'll go further. By applying advanced browser defenses, testing effectiveness, and enforcing security at scale, you'll experience firsthand how modern web standards protect both new and legacy systems.

This isn't just about fixing issues - it's about scaling security across an organization. We'll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.

Through interactive group challenges, you'll tackle real-world vulnerabilities, enforce modern safeguards, and transform how you approach web security. Whether you're a developer, security engineer, or architect, you'll leave with practical tools and a proactive security mindset - moving from patching to prevention.

1. Introduction and Overview
• Why traditional vulnerability patching fails to scale.
• The shift towards bug class elimination instead of endless fixes.
• Setting expectations: Moving from firefighting vulnerabilities to scalable, long-term solutions.
• Overview of browser security standards that didn't exist three years ago and how they help eliminate entire attack classes.
• No deep coding required - all solutions, code snippets, and automation blueprints are provided throughout the training.
2. The Case for Secure by Default
• The impact of insecure defaults and why patching isn't enough.
• The dramatic shift in browser security standards and the new opt-in approaches ready for use.
• Core modern web standards:
• CSP3 for preventing XSS.
• Trusted Types for eliminating DOM-based XSS and client side sanitizing.
• Sec-Fetch Metadata & SameSite Cookies for CSRF protection.
• COOP/COEP for preventing cross-origin attacks.
• latest Reporting API & sneak preview into Integrity-Policy
3. Bug Class Elimination in Practice
• Analysing common vulnerability classes (XSS, CSRF, Clickjacking, cross-origin exploits).
• Leveraging frameworks and browser-led security mechanisms for prevention instead of mitigation.
• Measuring security adoption of modern security mechanisms at scale in environments with hundreds of services or products.
• Blueprints for automation and reporting to track adoption across an organisation.
4. Multiple Hands-On Challenges: Applying Secure-by-Default Protections
• Participants will work with a vulnerable training application that has partial security but still requires additional defenses.
• Teams apply advanced browser security standards, test their effectiveness, and experience firsthand how they eliminate entire attack classes.
• Minimal coding required - all solutions, code snippets, and automation templates are provided.
5. Group Peer Session: Designing Solutions for Modern Standards
• Applying modern browser security standards to real-world applications.
• Small group exercises to design scalable security strategies.
• Discussion of real-world adoption challenges (legacy apps vs modern SPA) and how organisations can roll out secure-by-default strategies effectively.
6. Scalable Security Through Automation
• How to automate enforcement of browser security features across an organisation.
• Using scalability metrics to track adoption in large environments.
• Blueprints for automating CSP enforcement, reporting adoption rates, and tracking non-compliant services.

Im Workshop vermitteln wir zunächst, was der Cyber Resilience Act (CRA) ist: Wir erklären, dass er eine EU-Verordnung ist, die Produkte mit digitalen Elementen EU-weit reguliert, und dass er am 10. Dezember 2024 in Kraft tritt, mit Meldepflichten ab dem 11. September 2026 und voller Geltung ab dem 11. Dezember 2027.

Wir schauen uns die essenziellen Anforderungen an Hersteller an: Sicherheit durchgängig im Produktlebenszyklus („security-by-design“), Risikobewertung, sichere Updates, Zugriffskontrollen, Schwachstellenmanagement, und wie Dokumentation und SBOMs ausgestaltet sein müssen - unterstützt durch die technische Richtlinie TR-03183 des BSI als praktischer Leitfaden.

Außerdem erarbeiten wir, was das Ganze für End-kund:innen und Nutzer bedeutet: klare Produkt- und Sicherheitshinweise, transparente Sicherheitsupdates, Kontaktpunkte für Sicherheit (PSIRT / SPOC), einen nachvollziehbaren Supportzeitraum und wie Unternehmen konkret eine Lücke („Gap“) zwischen dem aktuellen Status und CRA-Konformität schließen können.

Da das Workshop-Material recht theoretisch ist, soll mit Diskussionen und Beispielen der Teilnehmer gearbeitet werden, um Fragen zu diskutieren und den Workshop interaktiver zu gestalten. Viele Fragen des CRA sind in der Praxis noch nicht abschließend geklärt. Je nach Hintergrund der Teilnehmer und Zeitverlauf können wir einmal den Umgang mit Meldungen eines Herstellers oder das Schwachstellenhandling in einem PSIRT unter dem Cyber Resilience Act durchspielen.

1. Der Cyber Resilience Act im Überblick: Cyber Resilience Act und EU Gesetzgebung. Der CRA als Ergänzung zu NIS-2 mit Produktfokus.
2. Cyber Resilience Act: Umfang, Struktur, Klassifizierung und Zeitplan: Wer ist betroffen, wie ist der CRA aufgebaut, wie ist die Timeline? Welche Produktkategorien und Strafen bei Verstößen sind vorgesehen?
3. Security und Vulnerability Handling Anforderungen:
1. Wie sehen die Sicherheitsanforderungen für die einzelnen Kategorien im CRA im Detail aus?
2. Wie sehen die Reporting-Pflichten aus? In welchem Zeitraum muss was reported werden?
3. Welche Vorteile haben Firmen, Anwender und Nutzer von Produkten, die unter den CRA fallen, aus der neuen Gesetzgebung? Welche Informationen stellen Supplier und Vendoren an Ihre Kunden bereit?
4. Die Rolle des Sicheren Entwicklungslebenszyklus für den CRA: Welche Guidance stellt die BSI TR-03183 bereit, und was sind die Kernelemente, um einen Secure Development Lifecycle zu etablieren, der die Konformität zu den Anforderungen des CRA unterstützt? Welche Rolle spielen Risikoanalyse, Security by Design und SBOMs?
5. Incident Management und Dokumentation: Wie sieht ein kompatibler Vuulnerability Disclosure Prozess aus, welche Aufgabe hat das Product Security Incident Response Team und welche Arten von Dokumentation muss gepflegt werden, um die Anforderungen des CRA zu erfüllen?

Da der CRA ein grundlegender Standard bedeutet, wird sich Gelegenheit ergeben zu diskutieren, welche Produkte zukünftig unter den CRA fallen, welche Rollen im CRA mit welchen Verantwortungen einhergehen, aber auch wie sich Informationen, die Hersteller auf Basis des CRAs an Ihre Kunden bereitstellen müssen, in die eigenen Prozesse integrieren lassen.

This workshop aims to introduce Security Professionals, Developers, Architects, and Product Managers to integrating AI assistance into their threat modeling workflows. In this session, participants will learn how to leverage AI for diagramming, threat identification, and countermeasure recommendations to speed up threat model analysis.

To bring these concepts to life, the workshop includes a guided case study on a Digital Wallet / Payment App, where participants will use AI tools to generate a data flow diagram, identify threats using STRIDE, propose mitigations mapped to industry standards, and summarize findings for business stakeholders. This integrated exercise provides an engaging, end-to-end view of how AI can support—but not replace—human judgment in threat modeling.

While participants should have a working knowledge of Generative AI and LLM concepts and tools (e.g., prompt engineering), no prior experience with threat modeling is required.

• Welcome and Introduction
• Introductions
• Workshop overview
• Setting expectations
• Threat Modeling Fundamentals
• What is threat modeling?
• Doomsday scenarios
• Threat modeling augmented by AI
• AI as a force multiplier, not a replacement
• Natural Language Processing (NLP) for requirements analysis, knowledge graphs for context, and large language models (LLMs) for generating ideas
• Ethical considerations (data privacy, hallucinations, and the need for human oversight)
• Threat Modeling Methodology: DICE
• Introduction to the DICE framework
• Data Flow Diagrams (DFD) basics
• Trust boundaries
• Automated Data Flow Diagramming
• Use AI to analyze design documents and source code
• Generate comprehensive data flow diagrams (DFDs) through AI assistance
• Identify system components and sensitive data based on text analysis
• Crafting effective prompts to extract system components, data types, and trust boundaries from architecture descriptions
• Introduction to tools that can generate DFDs from natural language or code snippets (DiagramGPT, etc.)
• Hands-on: Generate DFD for a Digital Wallet / Payment App
• AI-Driven Threat and Vulnerability Identification
• STRIDE / AI Threats
• STRIDE GPT tool demo
• Using AI to generate potential threats for each element of a DFD
• Training AI models using threat libraries like MITRE ATT&CK to suggest relevant attack vectors
• Hands-on: AI-Assisted STRIDE analysis for a Digital Wallet / Payment App
• AI for Mitigation and Control Recommendation (60 minutes)
• Asking an AI to suggest specific security controls (e.g., "What are three ways to mitigate a 'Tampering' threat on this API endpoint?")
• AI can link proposed controls back to business requirements and compliance standards
• Use AI to summarize the threat modeling process, key findings, and action items for stakeholders
• Hands-on: AI-Assisted mitigations for a Digital Wallet / Payment App
• Hands-on: Prompting the Digital Wallet / Payment App report and outcomes
• Workshop Wrap-up
• Resources for continued learning
• Next steps

Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder to fix what is broken. Maybe what we are really witnessing is the world's biggest live demo of the digital apocalypse. But sometimes you have to watch everything burn down before you can rebuild it better.

With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility.

Starting from our perspective as penetration testers, we identified three main problems with existing solutions in vulnerability identification:

• Accuracy and completeness of results - Many tools exhibit limited precision and recall, often depending on a single data source (e.g. NVD) and overlooking critical indicators such as known exploits or patch history.
• Rigid input requirements - Most solutions enforce strict formatting constraints (e.g., requiring exact CPEs), creating usability and reliability issues when dealing with diverse or incomplete data.
• Lack of usable outputs - The inability to meaningfully export or integrate results into broader workflows hampers both manual and automated security processes.

In order to solve these challenges, we developed the open-source tool search_vulns. It leverages information from multiple data sources and uses text comparison techniques and CPEs in combination to increase accuracy in software identification. Due to this approach, it can even automatically generate CPEs that have yet to be published. Together with its custom logic for version comparison, this further enhances the quality of results. Finally, search_vulns provides a fine-granular export of results in different formats.

In conclusion, this talk aims to simplify the surprising complexity of finding known vulnerabilities in software. To do so, we discuss common challenges in mapping software names to CPEs, e.g. for product rebrandings, single-version vulnerabilities and yet to be published software versions. In addition, we present an approach using multiple data sources in combination to enrich CVE data with information on known exploits, likelihood of exploitability (EPSS) and other data sources. Finally, we present search_vulns as open-source tool.

PDFs are considered static and trustworthy - but in fact, they are far more dynamic than most users realize. With XML Forms Architecture (XFA), Adobe introduced a powerful extension back in 1999 that is used in millions of forms worldwide.

It allows dynamic layouts, scripts, network communication, and even file access - opening up a huge, previously unexplored attack surface. In addition, PDFs support JavaScript functions and actions that can dynamically change the contents of PDFs. This enables various attacks on digital signatures. The presentation for German OWASP Day is divided into two main parts.

• In the first part of the presentation, we show how PDFs can be cleverly used for attacks that allow content to be reloaded, files to be read, or applications to be crashed in a targeted manner. For this, we use XML Forms Architecture (XFA), a powerful PDF feature that has received little attention in the security community to date. Using concrete examples and with the help of our XFA scanner tool, we will show that almost all PDF viewers examined are vulnerable in at least one category (RCE, file inclusion, URL invocation, DoS).
• The second part of the presentation focuses on attacks on digital signatures in PDFs. To do this, we use the concept of dynamic content in PDFs. We demonstrate how the PDF and XFA specifications can be used to manipulate content in signed documents after or even immediately before the signature is created. Surprisingly, this works both with and without JavaScript. We present various categories of attacks, show the role of actions and embedded code, and explain the countermeasures taken by PDF software manufacturers. The presentation thus provides a better understanding of the hidden dangers of dynamic PDF functions and offers ideas on how to deal with legacy issues in security-critical applications.

Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck.

In this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At first, Alex builds a centralised AppSec team, finding it effective for control but slow to scale. As the company grows to hundreds of employees, bottlenecks appear, and burnout looms. Alex experiments with embedded security engineers, Security as a Platform, and a Security Champions network, learning the trade-offs of each approach along the way.

Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts.

While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely.

The EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks.

It appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws.

Therefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common.

Die von LangSec beschrieben grundlegenden Sicherheitsprinzipien erklären die Hauptursachen vieler Sicherheitslücken und wie man diese beheben kann. LangSec sieht die anhaltende Schwachstellen-Epidemie in Software als eine Folge der ad-hock Entwicklung von Code, der Ein- und Ausgaben verarbeitet. Gemäß LangSec besteht der Schlüssel zur Entwicklung vertrauenswürdiger Software, die mit potenziell bösartigen Eingaben korrekt umgeht, darin alle gültigen oder erwarteten Eingaben und Ausgaben als formale Sprache zu behandeln. Dementsprechend müssen die Routinen zur Verarbeitung von Eingaben und Ausgaben als Parser beziehungsweise Unparser für diese Sprache behandelt werden und auch dementsprechend entwickelt werden. In diesem Vortrag möchte ich LangSec und die Implikationen für unsere tägliche Arbeit in AppSec vorstellen ohne in die Tiefen der Theoretischen Informatik und des Compilerbaus abzudriften.

Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment.

In this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice.

Die Zukunft der Authentifizierung ist passwortlos - Passkeys sind die zentrale Technologie. Dieser Vortrag unterstützt Entwickler:innen bei der Einführung von Passkeys im Unternehmen und hilft bei der Entscheidung zwischen Eigenentwicklung, SDK oder Passkey-as-a-Service-Lösungen. Sie lernen, wie Recovery-Flows und Fallback-Mechanismen nutzerfreundlich gestaltet werden, wie Passkeys sicher geräte- und plattformübergreifend geteilt werden können und welche Sicherheitsstufe sie gegenüber traditionellen Verfahren bieten. Praxisnahe User Stories und konkrete Beispiele zeigen typische Stolperfallen und helfen Ihnen, die Vorteile von Passkeys optimal zu kommunizieren.

The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations.

This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port.

Scan results can be uniformly handled with prebuilt hooks, e.g. to send out alerts via messaging tools, or to ingest the findings into vulnerability management systems like OWASP DefectDojo.