Conference Speakers & Workshop Leaders

iSAQB Software Architecture Gathering 2025

  • Full-Day Workshop (6h)
  • Beginner
  • 24 Nov 2025
  • 09:00-17:00
  • Room: Harald Juhnke

Evaluating Software Architectures for Security: Welcome to the 2025 Edition of the OWASP Top 10

by Jan Jürjens

In this workshop, you will gain up-to-date practical knowledge of how to evaluate software architectures for security properties, and how to improve an insecure architecture using protective measures and best practices such as those derived from the “OWASP Top 10 Security Vulnerabilities” of the “Open Worldwide Application Security Project (OWASP)”. Since, after 4 years of waiting, the 2025 edition of the OWASP Top 10 is expected in early fall 2025 (as of June 2025), we plan to look at what is new in it.
We will do this in particular by analyzing commonly used architectural patterns for security and by considering principles for secure design.
We will also consider security and privacy aspects of architectures that make use of AI, based on the OWASP AI Security and Privacy Guide and the current top 10 security issues of machine learning systems (OWASP Machine Learning Security Top 10).
There will be practical exercises in break-out groups using open source tools for the security analysis of architectures and their implementations, including SonarQube and the Threat Dragon tool. You will take on the role of the attacker and attack the (deliberately insecure) web application ‘Google Gruyere’.
This way, you will acquire conceptual and practical knowledge of IT security at the architectural level and in the context of software development.