
OWASP Global AppSec: AI magic dust, conference coziness and the illusion of managed risk

Fake cans of Campbell's Soup relabeled as 'Acronym Soup' with flavors like 'CNAPP' and 'CSPM.'

The 2025 Open Worldwide Application Security Project (OWASP) Global AppSec USA conference last week in Washington, D.C., was a small and intimate affair, more reminiscent of regional security conferences like ShmooCon or a BSides gathering than RSA Conference or Black Hat despite taking place in one of the swankest modern hotels we'd ever seen.

The conference was confined to the lowermost level of the Washington Marriott Marquis' quadruple-decker event space. But despite being four stories underground, conference attendees seemed peppy as they guzzled loads of free coffee and wandered in and out of the expo hall.

Israeli cloud-security firm Wiz won the prize for the best vendor booth, kitting it out as a "Wiz Mart" complete with reusable shopping bags and familiar household products rebranded as cloud-security tools.

You could find "Kubernetes Pods" and "AI Magic Powder" — "join the trend and upgrade your product with a dash of AI!" — for your dishwasher, Windex rebranded as "Cloud Visibility Spray," Raid renamed as "Malware Spray" and cans of Campbell Soup in flavors including "CNAPP," "CWPP," and "CSPM."

Andy Warhol would have been proud. Hopefully, Wiz's new overlords at Google will be too.

Wiz's take on 'Acronym Soup' at the OWASP Global AppSec USA conference, Nov. 7, 2025, in Washington, D.C. Credit: Paul Wagenseil/SC Media

Number 10 with a bullet

We had the opportunity to attend the unveiling of two OWASP projects — first, the formal OWASP Top 10 list of threats to web applications, and then a more informal preview of OWASP's AI Vulnerability Scoring System (AIVSS).

The latter project has also generated a list of threats to agentic AI that just happen to be 10 in number.

Ken Huang, a co-leader of the AIVSS working group, said that regular threat-modeling frameworks like the Common Vulnerability Scoring System (CVSS) "are not enough" when it comes to AI.

"These assume traditional deterministic coding," Huang said. "We need to deal with the non-deterministic nature of agentic AI."

Both the Top 10 list and the AIVSS are still works in progress to which you can contribute.

"These items are finalized, but the writing around the list is still in draft," said Tanya Janca, a Top 10 list co-leader. "We want your input and feedback."

AI, AI, AI everywhere

Speaking of magic powder, it was hard to find a vendor booth that didn't mention AI, and kind of a relief if you did. Many vendors were touting AI assistance in code-analysis tools. Most did a good job convincing me that AI really was a core part of their offerings rather than just something sprinkled on, but then I'm an impressionable layman.

One guy who's not a layman is Avi Douglen, founder and CEO of Bounce Security and outgoing chair of the OWASP board of directors. He told our own Josh Marpet, host of the CyberRisk TV interviews during the Global AppSec conference, that AI security seems to have reached a tipping point.

"Two years ago, we were here [in Washington, D.C.] and I was talking to some sponsors, and they were introducing some AI security stuff, and everybody's like looking at them side-eye," Douglen said.

"This year, it's gone mainstream," he added. "They're starting to find the actual value in involving that in security products, as opposed to just a cool feature."

And it can help you too

The opening conference keynote by cybersecurity veteran and AI expert Daniel Miessler on Dec. 6 dove into that topic and came up with a blunt message for the infosec pros in the audience: A lot of what you do for a living can soon be done by AI.

"Security work is being broken into discrete pieces that I call Lego blocks, and they are executable by AI," Miessler said. "Put them together, and it looks like someone's job."

But, Miessler insisted, if you can harness AI before your boss decides to replace you with it, then you can save your job by becoming 10 times more productive and showing that you can work alongside AI instead of resisting it.

He showed the audience how he'd built his own agentic AI "digital assistant," using Anthropic's Claude Code, to help him with penetration testing. Miessler said similar digital assistants can help any white-collar workers do their jobs.

To help get you started, Miessler has created and posted on GitHub a "personal AI infrastructure" framework that anyone can use to create their own digital assistant. It's designed to have Claude Code at its core, but it will also work with OpenAI's GPT or Google's Gemini.

"Use AI to magnify your own capabilities," he told the Global AppSec conference attendees.

The illusion of quantifiable risk

Can you quantify the risk of not using AI in your job? According to Adam Shostack, an architect of threat modeling and a Microsoft veteran, you can't really measure any risk, and you can't really manage it either.

That's not something most people in the cybersecurity and risk-management industries would want to hear, but Shostack's second-day keynote laid out a pretty impressive case for it.

"We gravitate toward the idea of risk. It's treated as if it's an unquestionable axiom," Shostack told the audience. "But it does not solve our problems. It leads to ugly fights inside of companies. It leads to problems we can avoid."

The modern workplace notion of risk, a quantified, quasi-mathematical factor that can be calculated by multiplying likelihood by impact, is built on a framework of sand, he said.

Unless you're dealing with millions of instances of the same few things happening over and over again (as the insurance industry does), then it's very hard to put a number on the likelihood of a particular type of incident taking place.

It's even tougher to gauge the impact of such an incident before it takes place, because every organization and company is different. Without those numbers, Shostack said, risk calculations are just educated guesses.

We don't even need to use quantifiable risks to defend our systems, he pointed out. CVSS doesn't claim to measure risk. Microsoft doesn't use risk when prioritizing its bug fixes. Modern threat modeling depends only on finding out what can go wrong and what can be done about it, Shostack said, not the likelihood of any specific incident taking place.

"We use risk because we believe it will help in prioritization, not because it actually does," he said. "Real prioritization involves the cost of a fix, the impact of fixes, and the security load — none of which are risk."

In his interview with Josh Marpet, Avi Douglen was supportive of Shostack's contrarian take.

"I love when you get a keynote that is a bit controversial, because that's what you need in a keynote," Douglen said. "The thing is, it wasn't quite as controversial as he was hoping, I think ... because risk management is broken, and from the responses in the room, everybody was agreeing with that."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
