BSidesVienna 0x7E9

The OWASP Top 10 Looks Different From the Trenches
11-22, 09:35–10:05 (Europe/Vienna), Second Room

Top software vulnerability lists like OWASP Top 10 or CWE Top 25 are well-known and used broadly across the industry. They shape how we talk about software vulnerabilities and guide us to focus on certain vulnerabilities over others. But how well do they hold up in the real world? Are there any blind spots that are not covered by the most prominent lists?
To answer this question, I aggregate results from over 400 web application penetration tests in the last four years.

In this talk, I will walk through how these “top vulnerability” lists are created, what trade-offs they make, and where they fall short.
Finally, we will compare their priorities against real-world data from a mid-sized penetration testing team and see which issues actually show up again and again in practice.

Fabian is a Security Consultant at SBA Research, focusing on application security from a technical and software development perspective. He is also part of SBA's CVE Team, which discloses vulnerabilities to the public. Fabian is finishing up his Master's degree in Logic and Artificial Intelligence at TU Wien.