SecAppDev 2026 lecture details
What's New in ASVS v5
A practical session for security practitioners already familiar with ASVS, covering what changed in v5, how to apply it in code review, how it can be used alongside other AppSec tools, and common pitfalls / best practices.
Schedule TBD
Abstract
ASVS 5.0 is the standard's first major release since 2021. Requirements have been rewritten as verifiable properties of the application, levels have been rebalanced around risk, and CWE mappings have been cleaned up in favor of OpenCRE.
This session highlights key new requirements worth noting for practitioners, through interactive code review demos covering topics like OAuth, WebSockets, and race conditions. We'll also cover implementation pitfalls and best practices, and demonstrate how to use complementary OWASP ecosystem tools alongside ASVS.
Key takeaway
Coding standards are even more relevant in an age where LLMs are writing most code, making ASVS an increasingly useful resource.
Content level
Advanced
Target audience
AppSec engineers, ProdSec teams, engineering leaders including staff / principal engineers
Prerequisites
Familiarity with OWASP ASVS / common software vulnerabilities
Join us for SecAppDev. You will not regret it!
Grab your seat now
Related lectures
Security by default - A European perspective on cyber resilience
Deep-dive lecture by Freddy Dezeure in room Lemaire
A technical deep dive into how Microsoft implements security, resilience, and regulatory compliance at scale—mapping NIS2, DORA, and Secure‑by‑Default principles to concrete controls, engineering processes, and tenant‑level protections
Key takeaway: Learn how regulatory requirements become enforceable controls, measurable metrics, and practical Secure‑by‑Default engineering across cloud systems
Building secure applications in the age of AI agents
Introductory lecture by Pieter Philippaerts
This session explores real-world security risks in AI-assisted coding and presents best practices to mitigate them and securely integrate AI into the development lifecycle.
Key takeaway: AI is a powerful force multiplier, but only when paired with strong security practices, verification, and human oversight.
EU CRA: Survival Workshop for Enterprise & Open Source
Deep-dive lecture by Roman Zhukov
A practical deep-dive into the EU CRA for Enterprise and Open Source. Features interactive "In Scope?", "Who Am I?" and "Live Gap-Analysis" exercises to help you navigate your compliance obligations confidently.
Key takeaway: Transform CRA rules from a legal burden into an engineering advantage using open standards, clear role mapping, and practical guidelines.