SecAppDev 2026 lecture details
What's New in ASVS v5
A practical session for security practitioners already familiar with ASVS, covering what changed in v5, how to apply it in code review, how it can be used alongside other AppSec tools, and common pitfalls / best practices.
Tuesday June 2nd, 14:00 - 15:30
Room West Wing
Abstract
ASVS 5.0 is the standard's first major release since 2021. Requirements have been rewritten as verifiable properties of the application, levels have been rebalanced around risk, and CWE mappings have been cleaned up in favor of OpenCRE.
This session highlights key new requirements worth noting for practitioners, through interactive code review demos covering topics like OAuth, WebSockets, and race conditions. We'll also cover implementation pitfalls and best practices, and demonstrate how to use complementary OWASP ecosystem tools alongside ASVS.
Key takeaway
Coding standards are even more relevant in an age where LLMs are writing most code, making ASVS an increasingly useful resource.
Content level
Advanced
Target audience
AppSec engineers, ProdSec teams, engineering leaders including staff / principal engineers
Prerequisites
Familiarity with OWASP ASVS / common software vulnerabilities
Join us for SecAppDev. You will not regret it!
Related lectures
Secure by Design — Ideas and Techniques
Introductory lecture by Dan Bergh Johnsson and Daniel Deogun in room West Wing
Monday June 1st, 11:00 - 12:30
Security is a design concern, not just an implementation concern. This session shows how domain modelling, type design, and boundary thinking can structurally eliminate entire classes of vulnerability - before attackers ever get a chance.
Key takeaway: Security is a quality aspect of software - like maintainability or correctness. Teams that design for quality get security as an emergent benefit.
An Updated Security Model of the Web
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 14:00 - 15:30
An up-to-date look at the browser security model, new browser features, and how mechanisms like the Sanitizer API, cookie prefixes, and script integrity help build more secure web applications.
Key takeaway: Understand how browsers think about security, and how to leverage modern browser features in your applications.
Achieving Risk-based and Effective Security Testing
Deep-dive lecture by Ruben De Visscher in room West Wing
Monday June 1st, 14:00 - 15:30
This talk discusses how to achieve a risk-based and effective security testing strategy by taking ownership of what and how to test instead of relying on limited built-in checkers of off-the-shelf security scanning tools.
Key takeaway: Take ownership of your security testing strategy to improve coverage and efficiency; do not let tool vendors create a sub-optimal strategy for you.