OWASP Global AppSec EU 2026
OWASP Global AppSec EU 2026 brought together 800+ application security practitioners, developers, and researchers in Vienna for a week of hands-on training, technical talks, and community events. Here's what stood out, and how it connects to the work we do at Echo on container image security.

OWASP Global AppSec EU 2026: what happened
OWASP Global AppSec EU is one of Europe's largest gatherings dedicated purely to application security, and the 2026 edition lived up to that reputation. Running June 22 through 26 at the Austria Center in Vienna, the week opened with four days of hands-on training — covering everything from full-stack pentesting to AI-assisted threat modeling — before the main two-day conference kicked off on June 25.
The main program leaned heavily into the themes shaping AppSec right now:
- AI and agentic security — sessions like "Securing Agentic AI After the Death of LLM Wrappers" and "Scanning Agentic AI Systems: Beyond Traditional LLM Red Teaming" reflected how much of the community's energy is now going into securing AI-driven applications rather than just traditional web apps.
- Software supply chain security — talks on continuous SBOM diffing and CVE propagation across thousands of projects underscored how central the software supply chain has become to the OWASP agenda.
- MASCon — the mobile security track ran its own mini-conference within the conference, covering mobile DAST and multiplatform mobile runtime internals.
- Community programming — the Meet the Mentor Program, a Capture the Flag competition, and the OWASP Official Store (books, games, and merch) rounded out a schedule built as much around community as content.

Why supply chain security kept coming up
One session in particular resonated with the work we do every day: "Why Isn't the Fix in My Container? Tracking CVE Propagation Across 10,000 Projects." It's a question we hear constantly from engineering teams — a CVE gets patched upstream, yet it keeps showing up in scans months later because it's still baked into a base image somewhere in the dependency tree.
That's precisely the problem Echo was built to solve. Every Echo image ships CVE-free (zero known CVEs), is built on a CMVP-validated cryptographic module for FIPS compliance, and comes pre-hardened against DISA STIG requirements, so the fix doesn't just exist upstream; it's already in the image your team is pulling. Each image also carries a full SBOM in both SPDX and CycloneDX formats and signed provenance via cosign and Sigstore, so teams can verify the signature, query the SBOM, and answer "is this in my container?" with evidence instead of guessing.
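To make the "is this in my container?" question concrete, here is an added example (not Echo's tooling and not code from the OWASP talk) that works directly from SBOM data. It parses two small CycloneDX JSON documents standing in for a base image before and after a rebuild, diffs them the way the continuous SBOM diffing discussed on stage would, and checks whether a named package meets a fixed-in version. The SBOM contents, package versions and the fixed-in version are constructed for the example, and the version comparison is a deliberate simplification of ecosystem-specific rules. In practice you would verify the SBOM attestation's signature with cosign before trusting any of its contents.

```python
"""Answer "is the fix in my container?" from CycloneDX SBOMs.

Added example, not Echo's tooling or code from the OWASP talk. It parses
two constructed CycloneDX JSON documents (not real image output), diffs
them as a rebuild-to-rebuild SBOM diff would, and checks whether a named
package meets a hypothetical fixed-in version.
"""
import json
import re
from typing import Dict, Optional, Tuple

# Constructed sample SBOMs: a base image before and after a rebuild.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "zlib1g", "version": "1.2.13",
         "purl": "pkg:deb/debian/zlib1g@1.2.13"},
        {"type": "library", "name": "curl", "version": "8.5.0",
         "purl": "pkg:deb/debian/curl@8.5.0"},
    ],
})
SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.15",
         "purl": "pkg:deb/debian/openssl@3.0.15"},
        {"type": "library", "name": "zlib1g", "version": "1.3.1",
         "purl": "pkg:deb/debian/zlib1g@1.3.1"},
        {"type": "library", "name": "libxml2", "version": "2.12.7",
         "purl": "pkg:deb/debian/libxml2@2.12.7"},
    ],
})


def component_key(component: dict) -> str:
    """Identify a component by its purl with the version (and any
    qualifiers) stripped; fall back to the bare name when no purl exists."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return component["name"]


def components(sbom_json: str) -> Dict[str, str]:
    """Map component key -> version for every component in the SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c.get("version", "") for c in bom.get("components", [])}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric-segment comparison: "3.0.13" -> (3, 0, 13). Simplified on
    purpose; real tooling applies ecosystem rules (deb, apk, semver, ...)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def diff_sboms(old_json: str, new_json: str) -> Dict[str, dict]:
    """Components added, removed, or version-changed between two SBOMs."""
    old, new = components(old_json), components(new_json)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def fix_present(sbom_json: str, key: str, fixed_in: str) -> Optional[bool]:
    """True if the package is at or above the fixed version, False if it is
    still below it, None if the package is not in the image at all (so the
    CVE does not apply, whatever the upstream status)."""
    version = components(sbom_json).get(key)
    if version is None:
        return None
    return parse_version(version) >= parse_version(fixed_in)


if __name__ == "__main__":
    # "3.0.14" is a hypothetical fixed-in version for an openssl CVE.
    print(diff_sboms(SBOM_BEFORE, SBOM_AFTER))
    print("fix in old image:", fix_present(SBOM_BEFORE, "pkg:deb/debian/openssl", "3.0.14"))
    print("fix in new image:", fix_present(SBOM_AFTER, "pkg:deb/debian/openssl", "3.0.14"))
```

Keying components on the version-stripped purl rather than the bare name keeps the diff honest when the same package name exists in two ecosystems, and the three-valued result of `fix_present` matters in practice: a package that is absent from the image is a different answer from one that is present but unpatched, and a scanner that conflates the two is what produces the months-late findings described above.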
For teams wrestling with the same CVE-propagation problem discussed on stage in Vienna, Varonis's path to FedRAMP authorization with Echo is a useful case study in what "the fix is actually in the container" looks like in production — zero vulnerabilities at audit time, and a process their Deputy CTO called "just a smooth ride."
The bigger picture for AppSec teams
Sessions across the week reinforced a pattern many security leaders already feel in their day-to-day: traditional vulnerability scanning and patching cycles aren't keeping pace with how software gets built now. Between AI-generated code, agentic systems calling out to dozens of dependencies, and base images that quietly accumulate CVEs between rebuilds, the attack surface keeps growing faster than most teams can triage it.
That's a big part of why we spend so much time thinking about container hardening and vulnerability management on our own blog — including deeper dives into how to detect and fix common container security vulnerabilities and how CVEs fall through the cracks in upstream bug trackers, both of which echo (pun intended) themes that came up repeatedly on stage in Vienna.
Thanks for a great OWASP Global AppSec EU 2026
It was great connecting with the AppSec community in Vienna this year. If your team is dealing with the same CVE-propagation headaches discussed on the main stage, get in touch — we're happy to walk through exactly how Echo's CVE-free, FIPS-validated images change the picture for your scan dashboards and audit reports.
