In this workshop, through a mix of presentations, demos, and hands-on exercises, you’ll learn how to identify and prevent the most common attack vectors in modern build pipelines.

While the examples use GitHub, the principles and techniques are vendor-agnostic and applicable across different CI/CD platforms.

What is expected from participants?
- Basic knowledge of GitHub.
- Bring a laptop and an active Github account.

Workshop (60 min)

Part 2/2: Hack your own pipeline (before someone else does)

Hacking

Supply Chain

Cloud Security

In this session, we will learn to play the game differently from what we usually do. Johan Sydseter, OWASP Cornucopia co-lead and game master, will take you through a provocative scenario. With the grumpy old senior developer who doesn't shift left due to too many hours working overtime on his incredibly sophisticated pet projects, what will you do? Will you be able to teach him a lesson about why security is essential, or will he be laughing all the way to his developer cave? Only true passionate application security engineers will succeed. Expect confetti, swags (yes, you read right, swag, valued just below the corruption limit), and illegal bribes as you venture into the unknown of OWASP Cornucopia.

Most people will agree with you that security is important, but they forget what you were saying once they leave the room.
The brain is amazing. It can let you learn to ride a bike, write poetry, learn a new programming language, or even fall in love, but if your brain is so amazing, why do your colleagues forget all the things you said about security during your last meeting?
In this session, we will learn how to play games to create agency, empathy, community, spark the imagination, and wake up the brain. When choosing a strategy for scaling your application security program, don’t choose reading materials, presentations with “talking heads,” or meetings as a medium for increasing awareness and knowledge about security. Instead, focus on activities that can be repeated on a regular basis that are both relevant and engaging to the work you are doing. When employees are authentically involved and curious about their learning, their heightened focus and emotional connection stimulate better memory formation and application of knowledge. In fact, numerous studies have reported that emotions have a significant impact on human cognitive processes. This underpins why games can strengthen learning over time, which is why you should have an extensive collection of games in your arsenal when teaching others about application security.

Part 1/2: Games as tools for scaling your application security program

Application Security

Architecture

Culture

Design

People

Security Tooling

The reason was a cyber - related incident that invovled a software for check-in and baggage handling, called Muse. Just days earlier NATO launched operation Eastern Sentry in response to an Article 4 declaration by the Polish government. Is there a connection between these 2 incidents? This session aims to present the circumstances under which the cyberattack took place, who were the victims, the technologies that were affected, what was happening on the international scene and how supply-chain or OT-related attacks on civilian infrastructure are primary objectives for nation-state backed threat actors in times of crisis and conflict.

Talk (60 min)

Has your flight been cancelled? You might be eligible for a cybersec session!

Platforms

This talk is the story of that journey, told from the perspective of two champions who became AppSec engineers themselves. We’ll share how the network evolved, the rituals that keep it alive, and the real-world struggles we’ve faced: distributed offices, high consultant turnover, and sustaining engagement over time.

You’ll also see how gamification and small touches like community merch helped us create belonging and visibility.

Attendees will leave with:
- A model for building an inclusive, developer-friendly champion network.
- Ideas for motivating participation without forcing compliance.
- Lessons learned from both failures and successes.

If you’ve ever wondered how to turn developers into security advocates, this session will give you both inspiration and a playbook.

An AppSec Tale: From Zero to 250+ Champions

Experience report

In this talk we'll dive into a report done using PromptFoo on secure code evaluation, there might be an existential crisis or two before we move on to how we can automate security into code generated by the LLMs we are increasingly depending on.

You’ll leave this talk with a minimal, repeatable prompt pattern, an evaluation recipe you can copy, a deeper understanding of the significance of priming the AI and some ideas on how to add security by default into your own AI generated code.

Prompt Hardening - Secure Code Generation Using AI

Programming

We’ll also clarify what the EU AI Act and platform policies actually change (disclosure, labeling, provenance) and what they don’t. Last but not least, we'll look at tech solutions and defenses that move risk: provenance at capture (C2PA/cryptographic signing), authentication-first pipelines, verified-callback and payment-halt controls, takedown playbooks, and fast human triage. You’ll leave with a simple checklist and a set of rules to keep you and your team from getting "played".

Seeing Isn’t Believing: Deepfakes Without the Panic

AI/ML

A talk on how we have moved from local clients (Adobe, etc) to browsers and online services to render, view, edit, and sign PDF files, and how this has changed the role of PDFs in attacks and exploitations. From the false-positive vulnerabilities (CVE-2020-26505, CVE-2023-0108, CVE-2023-5873, and other CVEs that were not vulnerabilities) to vulnerabilities in client-side PDF SDKs.

During the talk, we will investigate some cross-site-scripting vulnerabilities exploited in the real world (e.g. bug bounty programs), focusing in particular on PDF.js (CVE-2018-5158, and CVE-2024-4367) and Apryse Webviewer (CVE-2024-4327, and CVE-2024-29359).
The talk will show how a PDF file can exploit web applications if they don't properly mitigate risks (using CSP, and keeping the dependencies updated).

app.alert(1) is the new alert(1): PDFs as a vector to inject JavaScript code in web applications

Bug Bounties

After numerous implementations of CNAPP tools, we'll share our insights into what commonly goes wrong and offer best practices on how to succeed on your cloud security journey.

The talk will cover common anti-patterns from a business perspective and technical perspective.


Anti-Patterns: How to Not implement a Cloud Security tool

How did this robbery happen? What was the (both sophisticated and age-old) kill chain that enabled it?

After the robbery the story gets even more interesting. Any detective will always tell you, "follow the money!". Crime only pays if you can convert those ill gotten gains into a currency you spend to buy real things. So how do you launder the proceeds from the biggest robbery ever? The answer might be surprising, it winds through a crypto mixer set up to operate as a DAO (Decentralised Autonomous Organisation), following the funds, US Government sanctions (recently ruled illegal by an appeal court), an activist campaign and potentially far reaching privacy consequences for all of us.

In this talk we'll analyse the kill chain of the initial attack, where the money led and how this could affect all of us. I'll go through the main takeaways that everybody should be interested in.

What we can learn from the World's Biggest Heists

Dark Arts

This session explores modern, hardware-backed patterns for client authentication that go beyond simple secrets. We will examine how TPMs, Apple’s Secure Enclave, hardware attestation, automated certificate delivery, HTTP message signatures, and mTLS can work together to provide verifiable client identity with strong cryptographic guarantees.

Through real-world examples, we will break down how these technologies fit together, where they differ, and how to layer them to build resilient, zero trust authentication architectures. Attendees will learn practical integration strategies spanning hardware attestation, certificate management, and transport-level verification, and how to apply these patterns to stop client impersonation in production environments.

How to Know Your Client Is Real: Hardware-Backed Authentication Patterns

Cloud

DevOps

Tooling

First part of this talk will focus on the challenges of securing our software supply chain, particularly on NuGet package security and the hidden threats lurking within all of our used dependencies. We'll examine how traditional approaches fall short when it comes to identifying planted malware, risky APIs, and other security vulnerabilities embedded deep within the packages we trust.

While tools like the OpenSSF Security Scorecard provide valuable metrics, they only scratch the surface of what's needed for comprehensive supply chain security. What if we could go deeper? What if we had detailed analysis of NuGet package contents, automated detection of risky API usage?

Join me as I introduce Fennec Labs, a community-focused OSS project designed to help out with how we analyze and secure our software dependencies. I'll demonstrate how this tool enables developers to collaboratively identify security risks, share insights, and make more informed decisions about the NuGet packages they integrate into their applications.

Whether you're a security-conscious developer, a DevOps engineer, or someone responsible for maintaining your organization's software supply chain, this session will provide practical insights and tools to help you level up your security game and protect your applications from supply chain attacks.

Beyond Trust: Building Community-Driven Security Analysis for Your .NET Software Supply Chain

.NET

Security

This talk will explore how UX design can be the unsung hero in protecting banking applications from security breaches. When UX and IT security work together, users are guided safely through complex security features without frustration or error. By focusing on intuitive design, we can reduce risky behaviors like bypassing 2FA, and ultimately build trust in digital banking systems.

Let us discover how seamless UX can be your first line of defense in the fight against cyber threats, and learn why good security design is just as important as good security code.

Safe by design: the UX of secure banking

Process

Keynote

We will take you through a mixture of practice (yes, we will do live demo) and theory of authentication in MCP Servers. We will look into the "how", "why" and "when".

We will also address some common pitfalls, issues and limitations, like "consent fatigue" (what is that? Join, and we'll tell you). Can you just re-use your existing RBAC thought, or does the nature of agents and MCP endpoint structure force you to start thinking different?

Make your services and data available in a whole new way, hopefully without exposing all your company's deepest secrets. Let us give you some concrete actions and bullet points for you to bring back and get started!

MCP Security: Keep Your AI Agents from Spilling the Tea

In this session, we’ll explore practical strategies and guardrails to keep your codebase safe in an AI-driven world. We'll cover how to integrate security into your workflows, enforce compliance without slowing down innovation, and build a culture where speed and safety go hand in hand. Walk away with actionable techniques to detect risks early, automate secure practices, and ensure your AI-powered development doesn’t compromise trust.

Securing Code in the Age of AI

SDLC

Well, I don't know, but if you've ever wanted to learn about what security monitoring is and how you can leverage it for improved security, look no further!

In this talk we will learn about security operations by the way we screw it up. Join me for some interesting war-stories, anti-patterns and hopefully some valuable pieces of hard-earned advice! 

Learning security monitoring through failure

In this keynote, one of the SDL's founders, Michael Howard, will discuss what worked, what didn't, lessons learned, the role of AI, how the SDL evolves and it's intersection with blue teams, threat intel and the red team, and perhaps even a peek into the future!

Keynote: 25 Years of the Microsoft SDL

Part 1/2: Hack your own pipeline (before someone else does)

Do you know how quickly a child can be blackmailed online?

In this session, I will show you the various social engineering techniques that are used against kids, how features in very common social media applications are being used to harass others, sell drugs and aid in human trafficking.

I will provide advice, technical controls and resources that you can use to educate yourself and the community around you to help protect the next generation of IT professionals


Won't somebody please think of the children!?

Privacy

Through real-world examples and practical playbooks, we will examine automated alert enrichment, intelligent case prioritization, and workflow orchestration that reduce analyst workload while increasing consistency and response velocity. The session will also highlight automated containment actions—such as host isolation, identity lockdown, and network control—along with safe and auditable remediation patterns.

Finally, we will dive into how AI can assist analysts during investigations: from natural-language querying of security data, to contextual reasoning over incidents, to guided hypothesis testing. Attendees will walk away with a clear understanding of where automation delivers the most value today, how to integrate it into existing SOC processes, and how AI is shaping the future of incident response.

Supercharging Incident Response: Practical Automation and AI-Driven Investigations

Tools

Introduction: Myself and how my experience building vulnerability management programs altered my views on risks.

Seeing the Forest: I discuss the common focuses of security programs, and how headlines can influence reactions and prioritizations. Then introduce some of the largest breaches of the past few years and highlight how AI actually played into those breaches.

Building Blocks: Before I can get to risk modeling I introduce the tools needed to understand your own risks: inventories, topologies, data flow diagrams, and relationships with the teams that own the above. However this is a ‘trick’ and I reveal that building those blocks causes you to threat model without even realizing it which is why I harp on documenting everything you find throughout building those blocks.

Prioritization: To properly prioritize what risks you accept, first you need to understand the feasibility and likelihood of AI being exploited. As well as what impact its use would have on the business: can revenue still be generated, what services go offline, can an attacker pivot and make things worse, how long would it take to recover, ect. Understanding how your business operates, and what's interconnected is key to building your priorities.

Mitigation: It’s not always possible to eliminate all of your risks which is why we mitigate them as best as we can. I explain how mitigation can come from two forms: making a AI harder to exploit, or decreasing the likelihood of a threat taking place.

Acceptance: Security staff cannot accept risks, oftentimes executives insist that we do or insist on mitigations that are unsatisfactory to security teams. When executives are presented with a risk acceptance document outlining the potential impacts and potential better mitigations that can be implemented. That way we can CYA.

AI Inventoring: Just inventorying what AI tools you have isn’t enough, they can be used in so many different ways in different configurations, how do you document how they are used while preventing too much disruption and upset from the executive suite?

Wrap up: recap that there are always new threats, vulnerabilities, and AIs that someone might want to onboard, so don’t get derailed from your priorities.


The Risky Business, of AI Illiteracy

In this talk we'll start with the most basic example of an SSRF, and then work our way to increasingly more interesting cases. There will be real world examples of bugs found during engagements and in the wild in products like Azure, as well as examples of bypasses of the mitigations made by the vendors.

The server that talked back: a deep dive into SSRFs

However, all this falls apart if we need to access a system with no network connection. These could range from low-end small IoT devices to even high performance servers with a broken or a misconfigured network card. Such systems usually only provide access via a serial port (or a similar text based interface) or emulate a browser-based KVM (keyboard-video-mouse). So to authenticate one needs to actually type something in and most text based authentication is still relying on plain old passwords.

Password-based authentication has some security challenges: passwords may leak, may be cracked and need to be rotated periodically. Wouldn’t it be great to be able to just use the same secure cryptographic authentication as in SSH for text-based logins? This presentation proposes a protocol and an implementation on how to reuse existing SSH keys for text based authentication. We will also explore how to further enhance the security of the solution by using hardware-backed SSH credentials.

sshlogin: securely authenticating to remote Linux systems via a serial or a text-based interface

In this talk, I will show how an AI agent can run Python code, add markdown, and work through security datasets inside a live Jupyter notebook. I will walk through open-source tools that make it easy to connect to data sources and support this workflow. We will see how analysts can watch the agent’s reasoning, review the notebook as it builds, and reuse the steps for new playbooks. This approach enables deeper analysis, cleaner visuals, and faster iteration while keeping humans in control. It also gives analysts a simple way to test and understand how agentic workflows can support their existing investigation process.

AI Agents and Jupyter Notebooks for Security Data Analysis

Incidents like the compromise of the popular tj-actions/changed-files (impacting over 23,000 repositories) and the multi stage S1ngularity (Nx) attack exposed the immense blast radius of pipeline vulnerabilities, leading to the leak of thousands of sensitive credentials and the compromise of private source code. 

The security of your software supply chain is at stake. We will break down the technical mechanics of these breaches and present actionable, practical principles to secure your automation against credential theft, script injection, and third party action hijacking. Crucially, these supply chain protection principles (from the Principle of Least Privilege governing secret scope and lifetime to dependency vetting and input sanitization) are not limited to GitHub; they are universally applicable for securing any modern CI/CD system, including emerging considerations around AI agents. You will walk away with a clear roadmap and the tools needed to transform your pipeline from a critical vulnerability into a robust supply chain sentinel.

Beyond the Commit: Weaponizing and Hardening GitHub Actions

How can a DevOps team in their daily work assert that new features do not introduce vulnerabilities, that security bugs get caught before deploy to production? What are the key questions to ask in a code review? And how can we show that the application code also aligns with requirements from compliance, well-known best practices and internal security policies?

This presentation will demonstrate how to build APIs that are both secure and compliant by design; using OWASP ASVS and support from an application security tuned coding agent.

Demos will be for an API in .NET with Copilot custom agents.

Secure and Compliant APIs - By Design

Testing

This talk will dive into three vulnerabilities:

-	BOLA (Broken Object Level Authorization)
-	BOPLA (Broken Object Property Level Authorization)
-	BFLA (Broken Function Level Authorization)

Why are these three vulnerabilities all in the top five from OWASP Top 10 API? Why are these some of the most common security mistakes a developer makes? How do we systematically protect against them and drastically reduce our attack surface? These are all questions that will be answered in this talk.

Through code examples of both good and bad code we will increase our understanding of how we effectively implement authorization. Fixing these vulnerabilities can actually be quite easy with good design patterns that factors in security at all levels of the application.

BOLA, BOPLA, and BFLA: Let’s get rid of broken authorization!

This shift has forced us to confront just how fragile and how critical our ecosystem really is, and to ask hard questions about where we go from here.

This talk traces the recent history of supply-chain threats, highlights the evolution that brought us to this moment, and explores the uncomfortable but necessary conversations we must have as a community to ensure that open source remains resilient, secure, and worthy of our trust.

Worms in our software supply chain - Where do we go from here?

What exactly is a pipeline? What systems and resources does it interact with? And most importantly, how can we ensure that no pipeline becomes a pivot point for an attacker to compromise our most valuable systems? Can we be confident pipelines are running what we expect and providing the necessary evidence supporting engineering quality requirements?

These questions point to a (perhaps overlooked) concept: Protected Resources. In this talk, we will explore how shifting to a new mindset can promote visibility into pipelines, ensure adherence to security protocols, and prevent pipelines from becoming attack vectors. We'll delve into practical strategies to gain observability, improve compliance, and better secure your CI/CD system in the age of automation.

---
Session @ London BSides 2024: https://www.youtube.com/watch?v=DPof3FAh8U4&t=401s
Relevant blogs:
- https://ytimyno.github.io/blog/cicd/protected_resources/
- https://ytimyno.github.io/blog/cicd/access_lifecycle/
- https://ytimyno.github.io/blog/cicd/execution_agents/

Is Your Approach to Pipeline Security Flawed? Rethinking CI/CD Security

Daniel has grown the project from a silly toy to an Internet infrastructure foundation that runs in some 30 billion installations - in thirty years.

He talks about what it takes to succeed with Open Source: patience, time, ups and downs, cooperation, fighting your impostor syndrome - all while having fun. There's no genius or magic trick behind successful open source. You can do it. The talk will of course be spiced up with anecdotes, experiences and stories from Daniel's life long mission of leading the curl project.

Three decades of curl

This workshop will start with the basics, explain what lattices are, show how we can build cryptography from them, and end with a comprehensive understanding of the new standards. This will be the public-key cryptography everyone uses going forward.

Participants should have some intermediate experience with existing public-key cryptography (DH, RSA, ECC) to benefit the most from this workshop; no expert knowledge is needed.

Part 1/2: Introduction to the new post-quantum standards

Encryption and digital signatures are the most commonly used methods for secure communication and authentication, such as when utilizing chat applications, online banking, or accessing government services.

Recent research has significantly advanced cryptographic methods, including fully homomorphic encryption, multi-party computation, and zero-knowledge proofs, to name a few. These methods are associated with privacy, enabling computation on or proof of statements about encrypted information, potentially involving many different (untrusted) parties in a distributed setting.

Zero-knowledge proofs are a crucial component in privacy contexts. They allow us to convince third parties that specific properties of encrypted data are met without revealing the data itself, thereby ensuring the integrity and privacy of the information involved. This addresses a significant challenge in many systems: the data owner seeks privacy, while the data receiver requires the data to be adequately generated to be applicable or valid.

This talk will explain zero-knowledge proofs and their security properties. We will also examine real-world applications such as electronic voting, blockchain transactions, private contact tracing, and privacy-preserving machine learning.

Zero-Knowledge Proofs: Simultaneously ensuring integrity and privacy

Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found.

The Dutch NCSC issued a warning last year that they see an increase of threat actors that shift their attention from endpoints to edge devices, including routers. This demonstrates the relevance of the SOHO Smashup category in Pwn2Own. Vulnerabilities in routers that could be exploited from the WAN side pose a real security risk for companies; as these devices are often badly monitored and not kept up to date. Threat actors who are able to compromise a router are in a key position to further advance into the internal network of a company.

In this talk we'll describe the vulnerabilities and exploits. Specifically, we'll describe our research method on the QNAP router. We tried to increase our attack surface step by step, until we found a reliable exploitation path.

From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface

Using real activity data, this talk journeys through graph approaches to visual analysis that answer questions that are difficult to see in traditional table-based views. We’ll walk through the following techniques in going from tables to graphs:

- Graph shaping: One of the most important decisions is how to represent tabular security data like logs, alerts, and telemetry as graph structures. We’ll start by identifying entities like users, hosts, and processes as nodes, and dynamic events and static relationships as edges, such as authentication, network traffic, and file access.
- Surfacing patterns, outliers, and behaviors: We’ll show how to use the resulting graph topology to quickly identify malicious behavior such as reconnaissance scanning and lateral movement. The before/after views give a clear view of how, for both machine and human use, the graph modeling turns seemingly complex correlation rules into obvious graph insights.
- Contextualizing Investigations: Understanding standard security alerts like credential compromises is hard because they require correlating multiple diverse data sources with entirely different kinds of data. That pushes the work onto the analyst to mentally integrate them for understanding the true scope, while graphs solve this almost for free.
- Handling time: Timelining is one of the most fundamental tasks in a security investigation, yet traditional tabular views make it hard to see what is happening when multiple entities are interacting over time. We will show how to solve such temporal multi-dimensional analysis problems for the incident with a few simple graph tricks.

We will introduce an end-to-end framework for transforming security tables into graphs that make complex threats visible at a glance.

Connecting the dots to go from tabular security incident data to behavioral graph understanding

This talk will explore a small Python-based C2 lab with pluggable transports: the same controller/agent pair that can talk over ICMP payloads, DNS TXT records and HTTP headers, and automatically fails over to another protocol without changing its core logic when detection occurs.

The goal is not to show off yet another tunnel or a 'hey look, an ICMP data exfiltrator!', but to make the architectural pattern behind advanced tools like Cobalt Strike as painfully obvious as possible: C2 logic is transport-agnostic, indifferent, and ruthless, and protocol-centric defences are outdated.

Protocol-Hopping C2: Transport-Agnostic Command & Control That Won't Die

This talk will begin by delving into the physics and mathematics of quantum computing to understand why it poses a significant threat to current encryption methods. We'll then explore the new post quantum cryptography standards, specifically from the perspective of the .NET ecosystem, examining practical examples related to data integrity, digital signatures, and secure communication, including end-to-end encryption.

Post-quantum cryptography for .NET developers

There’s no phishing required. It just… does things. Silently. At scale.
In this session, we’ll expose the hidden attack surface in modern cloud infrastructure, how autonomous systems gradually accumulate dangerous permissions, why IAM only solves the human half of identity, and how attackers exploit long-lived secrets and blind automation in cloud environments. Drawing from real-world incident response and the emerging Identity Security Fabric (ISF) architecture, you'll learn why traditional IAM fails for machines and how to fix it.

Who Gave the Agent Admin Rights?! Securing Cloud & AI Machine Identities

Kubernetes

This session bridges the gap between threat intelligence and practical development, showing how to apply adversarial thinking to your code.
OWASP focuses on vulnerabilities, but MITRE ATT&CK focuses on adversary behavior. While OWASP tells you what can go wrong, ATT&CK tells you what attackers actually do. This combination creates more robust, defendable applications that can withstand sophisticated attacks.
We'll explore practical applications of ATT&CK techniques in development scenarios.
Perfect for developers who want to elevate their security mindset beyond traditional vulnerability scanning, security engineers working with development teams, and anyone building systems that need to withstand sophisticated, persistent attacks.

MITRE ATT&CK for Developers

The session will cover:
* The built-in authorization model in ASP.NET Core, including policies, roles, and claims
* Attribute-based vs. resource-based authorization
* Custom policy and handler development
* Managing fine-grained permissions across microservices and APIs
* Externalizing authorization decisions using centralized authorization systems
* Best practices for combining authentication (OIDC / OAuth2) with robust authorization logic
* Common pitfalls—like hardcoding roles or overloading claims—and how to avoid them

This session will equip you with the patterns and practices to build secure, testable, and future-proof authorization in .NET.

Getting Authorization Right in .NET: Patterns, Pitfalls, and Practical Guidance

But the real risk was never about tricking chatbots.

As AI systems become embedded into CI/CD pipelines, build tooling, automation frameworks, and production infrastructure, prompt injection evolves from a toy problem into a true security vulnerability. When AI agents are granted access to privileged tools, shell commands, GitHub/GitLab tokens, issue editing, code generation, untrusted text becomes an execution vector.
Aikido Security recently uncovered a critical, widespread vulnerability pattern inside GitHub Actions workflows used by multiple Fortune 500 companies, including Google, where prompt injection enabled unauthorized command execution and credential exfiltration directly from their pipelines. These were not hypothetical weaknesses: the attacks were reproduced in controlled environments and confirmed by affected companies.

This talk examines why prompt injection becomes fundamentally dangerous when AI agents act inside trusted automation systems, and why solving it is far harder than filtering keywords or blocking certain phrases. We will draw parallels to SQL injection, another vulnerability once thought “solved”, and explore how we can protect ourselves against this new classification threat.

Hijacking Google’s CI/CD Through Prompt Injection: The New Era of AI-Based Exploits

Join me in this talk where we walk through the new OWASP Top 10 and looks into how each of the threats can be mitigated in an ASP.NET application.

ASP.NET Core meets OWASP Top 10 2025

Prompt injection is best understood not as an exotic AI risk, but as the logical evolution of classic injection vulnerabilities, in which untrusted input can alter system behaviour in unintended ways.

We begin by breaking down LLM architecture and the anatomy of an in-application chat feature, highlighting where prompts, retrieved data (RAG), and tools are combined into a single execution context. From there, we explore practical prompt injection techniques observed in real-world testing, including direct elicitation, role-play and distraction attacks, formatting-based evasion, token smuggling, and indirect prompt injection via poisoned documents and external data sources. These techniques demonstrate how attackers can leak system prompts, bypass safeguards, exfiltrate sensitive data, and abuse excessive model agency to trigger high-impact actions.

The presentation emphasizes that the real risk is not what a model can say, but what it is allowed to access and do. We conclude with a defender-focused methodology rooted in familiar AppSec principles: attack surface enumeration, least privilege, explicit permissions, separation of duties, and defense in depth. By reframing prompt injection as an injection class vulnerability within a broader AI ecosystem, rather than a purely “AI problem”, security teams can apply proven strategies to secure LLM-enabled systems before attackers do


Prompt Injection Attacks in LLM-Powered Applications

We decided to implement passkeys for Have I Been Pwned, gathered metrics and a lot of other data just so we could tell you about it!

I'll show you what we did, what technology we used and if it has made things better or worse, so you can do it too!

Have I Been Pwned - A Passkey Journey

This session will be instrumental in helping you unravel the mysteries behind CSP. Concretely, you will learn why most CSP policies are highly ineffective and likely insecure. You will learn how to configure CSP the right way and how to build a backwards compatible policy. You will also learn about three ways of deploying CSP in single page applications. At the end of this session, you will know how to deal with CSP and you will have actionable guidelines to leverage CSP for security.

Demystifying CSP for modern applications

In this workshop, we will walk through approaches to secure AI code-generation workflows end to end: from writing safer prompts to building “agentic” pipelines that continuously review and harden AI-produced code. We will look at bad prompt examples that can lead to vulnerable implementations. We will then explain how to embed security guidelines, MCP-based prompt files, and stack-specific templates so the AI defaults to secure patterns instead of reinventing them.

Attendees will leave with actionable patterns, reusable templates, and concrete workflows they can plug into their own AI code generation toolchains.

Part 1/2: Securing your AI code generation workflow 

This session explores the risk of what that really means and what can go wrong. You can’t secure what you can’t see — but the browser can.

Your Website Is Running Code You’ve Never Seen

This session presents an attacker-minded walkthrough of MCP’s security failure mode: tool poisoning, server impersonation, prompt injection through tool metadata and retrieved content, unsafe streaming notifications, and authorization gaps that turn MCP servers into high-impact “confused deputies.”

We then map those risks to concrete, implementable mitigations: strong server identity and allowlisting, fine-grained authorization (scopes/claims), deterministic policy enforcement outside the model, tool capability minimization, execution sandboxing, audit-grade tracing, and safe handling of dynamic tool updates.

Attendees leave with a practical hardening checklist for MCP hosts/clients/servers and verification tests to prevent MCP integrations from becoming security nightmares.

Securing Model Context Protocol (MCP): Threat Modeling and Hardening the Tool & Context Supply Chain

Talk 1: Trusting AI with Code: How Secure is AI-written code? - Mackenzie Jackson


There is no doubt that AI is changing the way we build software. The AI revolution is happening around us with AI code assistants/generators, AI-assisted code reviews and even AI embedded directly into your IDE. Even if we wanted to prevent it, it seems impossible to stop developers from utilizing these exciting shiny new tools.

The benefit is clear, massive increases in productivity…. The cost is also just as clear, security.
So how (un)secure is AI-generated code? This presentation will utilize a combination of live demos and novel research to try and get down to the bottom of that very question.
First we explore AI-generated code and the many ways it can make us vulnerable, from static coding issues to hallucinated packages, and even hard-coded credentials. We will explore the different tools and share statistics on what AI dev tool produces the most secure code.
In the next part of the presentation, we will dive into research that shows an increase in the number of vulnerabilities we are seeing, per line of code, and if AI is responsible for this. We will also explore a change in the type of vulnerabilities seen over the past 5 years and how AI has altered this.
The last part of the presentation will explore how we can combat insecure AI-generated code and if AI can be effectively used to combat this.
If you want to know how we can reap the benefits of AI without sacrificing security then this talk is for you.

Talk 2: The dark art of OIDC abuse - A case study in Entra ID - Cody Burkard


Learn how an OIDC flaw in Azure DevOps could have allowed an attacker to take over all of your production cloud deployments.

In this talk, I will publicly disclose a now-patched vulnerability found in Azure Devops. I will walk the audience through the reverse engineering process, the exploitation of the finding and the reporting process with Microsoft.

Talk 3: Security Starts With Plain Language - Håvard Eide


Language is a fundamental part of how we communicate and interpret when we develop software: how does it shape intent, assumptions, risks and security implications?

A look at how we as developers should use plain language to communicate throughout the development cycle: from requirements to production, breaking changes and post mortem. How we use language can shape the consequences that happens when things go wrong.

Talk 4: Trust, Design, and the Reality of Security Engineering in an AI-Driven World - Patricia R


Solution designs are created in the world of possibility, built on high-level promises and assumptions about how components will behave. Security engineers work in reality, uncovering edge cases, handling failures, and raising tickets or feature requests when vendor systems don’t behave as expected. AI creates a snowball effect: Polished marketing material sounds even more convincing, gains stakeholder buy-in, and pushes unverified assumptions forward, widening the gap between ambitious designs and operational reality. The result is a subtle but real load, as engineers try to bridge that gap without burning out or being labelled blockers. This talk shares a bit of rant, real-world stories, and practical suggestions to help you stay sane.

Lightning Talks

Talk 1: What my cats taught me about implementing a new framework - Inge Amdal Halvorsen


Learning a new framework is hard. So hard, in fact, that even my cats had opinions. In this talk, I’ll share the unexpected lessons I learned from installing a chip-controlled cat flap: how early adopters embrace change, how traditionalists resist, and why users will always find creative workarounds.
No previous knowledge of cats necessary.

Talk 2: Chasing Unicorns: A Lovable Security Story - Bendik Schartum Thorbjørnsen & Karim El-Melhaoui


Are the fastest unicorns and vibe-coding platforms, mostly vibe-coded? We've conducted security research into the fastest companies to become unicorn in our decade, and will present how we uncovered the same authentication vulnerability allowing us to break their multi-tenancy design and gain access to enterprise customers.

Talk 3: One shop's timing issue is another mans free dogfood - Even Tillerli


Join in a fun talk about how I accidentally did a time based attack on a big Nordic pet shop. I will touch on the events leading up to the finding, the vulnerability, the disclosure process and the end result.
This will be a non technical talk where you will leave with a fun story, knowledge on an actual vulnerability and how being patient helps.

Talk 4: Ctrl+Alt+Deceit - The Game Jam Scam - Sean Sinclair


I would have lost all of my crypto if I had any. This is a story about when I was asked to test out an indie game which turned out to be something completely different. You'll walk away from this talk with a nice reminder about the importance of "trust but verify".


Join Jason as he discusses his seven point methodology to assessing these systems and releases Arcanum’s prompt injection taxonomy and other resources for aspiring testers.

Attacking AI

In this talk, the project leaders Björn Kimminich and Jannik Hollenbach will introduce you to the project, its core features and a lot of interesting use cases. We will cover at least the following:


Happy path shopping tour through the OWASP Juice Shop

Hacking some security challenges within Juice Shop

How you can run Juice Shop for yourself very easily

Hosting team events or CTFs with the help of MultiJuicer

NDC { Security }

Agenda

09:00 - 10:00 (UTC+01)

Three decades of curl

Daniel Stenberg

The server that talked back: a deep dive into SSRFs

Sofia Lindqvist

app.alert(1) is the new alert(1): PDFs as a vector to inject JavaScript code in web applications

Luigi Gubello

Automated Security Testing with OWASP Nettacker

Sam Stepanyan

Part 1/2: Securing your AI code generation workflow

Armin Buescher

Erlend Oftedal

10:20 - 11:20 (UTC+01)

Post-quantum cryptography for .NET developers

Filip W.

Is Your Approach to Pipeline Security Flawed? Rethinking CI/CD Security

Patricia R

Protocol-Hopping C2: Transport-Agnostic Command & Control That Won't Die

Francine Solheim

Breaking the Black Box: Why Testing Generative AI Is Full Spectrum

Jason Ross

Part 2/2: Securing your AI code generation workflow

Armin Buescher

Erlend Oftedal

11:40 - 12:40 (UTC+01)

The Risky Business, of AI Illiteracy

Sean Juroviesky

Hijacking Google’s CI/CD Through Prompt Injection: The New Era of AI-Based Exploits

Mackenzie Jackson

From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface

Daan Keuper

OWASP Juice Shop: Take your security vitamins!

Jannik Hollenbach

Björn Kimminich

Part 1/2: Introduction to the new post-quantum standards

Tjerand Silde

13:40 - 14:40 (UTC+01)

Connecting the dots to go from tabular security incident data to behavioral graph understanding

Sindre Breda

Manfred Cheung

Worms in our software supply chain - Where do we go from here?

Charlie Eriksen

Attacking AI

Jason Haddix

AppSec Security: The SDLC in the age of agentic

Jon Mccoy

Part 2/2: Introduction to the new post-quantum standards

Tjerand Silde

15:00 - 16:00 (UTC+01)

Learning security monitoring through failure

Truls Dahlsveen

Anti-Patterns: How to Not implement a Cloud Security tool

Johan Paramanathan

Secure and Compliant APIs - By Design

Daniel Sandberg

Tobias Ahnoff

It is rough without a WAF

José Carlos Chávez

Part 1/2: Games as tools for scaling your application security program

Johan Sydseter

16:20 - 17:20 (UTC+01)

Supercharging Incident Response: Practical Automation and AI-Driven Investigations

Giorgio Perticone

What's New in ASVS V5

Eden Yardeni

BOLA, BOPLA, and BFLA: Let’s get rid of broken authorization!

Eivind Jahr Kirkeby

Who Gave the Agent Admin Rights?! Securing Cloud & AI Machine Identities

Bodhisattva Das

Part 2/2: Games as tools for scaling your application security program

Johan Sydseter