Track 3
Saturday, April 5
 

10:00am EDT

Don’t Make This Mistake: Painful Learnings of Applying AI in Security
Saturday April 5, 2025 10:00am - 10:50am EDT
Leveraging AI for AppSec presents promise and danger, as let’s face it, you cannot do everything with AI, especially when it comes to security. At our session, we’ll delve into the complexities of AI in the context of auto remediation. We’ll begin by examining our research, in which we used OpenAI to address code vulnerabilities. Despite ambitious goals, the results were underwhelming and revealed the risk of trusting AI with complex tasks. Our session features real-world examples and a live demo that exposes GenAI’s limitations in tackling code vulnerabilities. Our talk serves as a cautionary lesson against falling into the trap of using AI as a stand-alone solution to everything. We’ll explore the broader implications, communicating the risks of blind trust in AI without a nuanced understanding of its strengths and weaknesses. In the second part of our session, we’ll explore a more reliable approach to leveraging GenAI for security relying on the RAG Framework. RAG stands for Retrieval-Augmented Generation. It's a methodology that enhances the capabilities of generative models by combining them with a retrieval component. This approach allows the model to dynamically fetch and utilize external knowledge or data during the generation process. Attendees will leave with a clear understanding of how to responsibly and effectively deploy AI in their programs — and how to properly vet AI tools.
Speakers

Eitan Worcel

CEO, Mobb
Eitan Worcel is the co-founder and CEO of Mobb, the recent Black Hat StartUp Spotlight winner. He has over 15 years of experience in the application security field as a developer, product management leader, and now business leader. Throughout his career, Eitan has worked with numerous...
Saturday April 5, 2025 10:00am - 10:50am EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

11:00am EDT

Rethinking Threat Modeling for Dev Teams: A Scalable Approach
Saturday April 5, 2025 11:00am - 11:25am EDT
How can we make threat modeling scalable, actionable, and accessible for all stakeholders? Traditional threat modeling methodologies struggle to scale in agile environments. They often result in over-scoped, resource-heavy processes that lack actionable insights and rely on scarce security expertise, limiting adoption in large organizations. This talk introduces Rapid Developer-Driven Threat Modeling (RaD-TM), a lightweight, tool-agnostic approach designed for developers to embed threat modeling into the SDLC without relying on security experts. RaD-TM focuses on targeted assessments of specific functionalities rather than application-wide models, enabling iterative and efficient risk mitigation. Using Risk Templates, which are predefined collections of relevant risks and controls tailored to specific contexts, RaD-TM fosters collaboration among stakeholders to build a scalable threat modeling process. This session will offer real-world examples and step-by-step guidance on integrating RaD-TM into the development workflow.
Speakers

Aedan Lawrence

Sr. Security Engineer, SecureFlag
Aedan is a seasoned Senior Security Engineer with a robust background in secure coding, threat modeling, and offensive security. He specializes in designing and delivering Cloud, DevOps, and Threat Modeling training, partnering with clients worldwide to develop tailored solutions...
Saturday April 5, 2025 11:00am - 11:25am EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

11:30am EDT

Unmasking DNS Threats: Protecting the Internet’s Core Infrastructure
Saturday April 5, 2025 11:30am - 11:55am EDT
Speakers

Or Katz

Director of Product Management, Akamai
Or Katz is a seasoned cybersecurity expert, threat intelligence leader, and product strategist, specializing in attack detection, secure internet access solutions, and threat research. As Director of Product Management, leading cloud-based security solutions, with a focus on Zero...
Saturday April 5, 2025 11:30am - 11:55am EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

1:00pm EDT

Unlocking Secure Development: A Deep Dive into OWASP ASVS
Saturday April 5, 2025 1:00pm - 1:50pm EDT
In this speech, I will explore the significance of the OWASP Application Security Verification Standard (ASVS) and why it is a game-changer for secure software development. We will begin by understanding why traditional security measures fall short and how ASVS provides a structured and scalable approach to security verification. I will break down the different ASVS levels (Level 1, 2, and 3) and explain how they cater to different application security needs—from basic security hygiene to high-assurance applications. Through real-world examples, I will illustrate how integrating ASVS early in the Software Development Lifecycle (SDLC) can reduce vulnerabilities, minimize risk, and ensure compliance with security best practices. Finally, I will discuss practical strategies for implementing ASVS within organizations, including how security teams, developers, and business leaders can collaborate to elevate application security maturity. By the end of this talk, the audience will have a clear roadmap to leverage OWASP ASVS effectively and embed security into development workflows, making security an enabler rather than a roadblock.
Speakers

Tejpal Garwahl

DevSecOps Leader
Tejpal Garhwal is a seasoned Application Security and DevSecOps leader with over 20 years of experience in securing software development, mitigating cyber risks, and driving security transformation. He has worked extensively with OWASP, BSIMM, SAMM, and NIST 800-128 frameworks, ensuring...
Saturday April 5, 2025 1:00pm - 1:50pm EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA

2:00pm EDT

Everyone Can Play! Building CTFs To Teach Non-Security Folks
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Most security practitioners are aware of the learning and fun that comes from participating in Capture the Flag competitions. Racing against other teams, solving brain-twisting challenges, and seeing new ways to compromise systems teaches and entertains. CTFs are also a great tool to give non-security folks a hands-on understanding of how security vulnerabilities enable criminal activities, reduce user privacy, and degrade system reliability. In this session you will learn to build interesting, educational, and easy to use Capture the Flag events targeted at developers and other technical, non-security users. We will cover specific considerations for each audience you target, how to create engaging (yet solvable) challenges, and how to make the overall experience friction free for the participants. You will also learn tools and techniques to create easily repeatable, consistent events with minimal work. We will cover collaborative development, external system integration techniques, tooling and a fully automated deployment pipeline to make spinning up a new CTF as easy as pushing a button.
Speakers

Joe Kuemerle

Product Security Principal, Salesforce
Joe Kuemerle is an application security engineer, developer and speaker in the greater New York City area specializing in application security, development, database and application lifecycle topics. Joe is active in the technical community as well as a speaker at local, regional...
Saturday April 5, 2025 2:00pm - 2:50pm EDT
Track 3, 5 Wayside Rd, Burlington, MA 01803, USA