OWASP Boston Application Security Conference (BASC) 2026 in Cambridge
The OWASP Boston Application Security Conference (BASC) brings the region’s developer, AppSec, and security leadership communities together for a practical, vendor‑neutral day focused on building and defending modern software.
Name of the conference: OWASP Boston Application Security Conference (BASC)
Date: 2026-04-11
Country: United States
City: Cambridge, in the US State of Massachusetts
Organized by the OWASP Boston Chapter, BASC sits squarely in the application security niche—where secure design, engineering discipline, and pragmatic defenses meet real-world delivery timelines.
Attendees can expect a strong emphasis on secure development practices, actionable tooling, and OWASP’s open standards and projects.
While you should consult the official site for the latest agenda and logistics, BASC is known for hands-on content and community-driven knowledge sharing that participants can apply the next workday.
Key themes typically include the secure software development lifecycle and DevSecOps automation—think threat modeling as code, security controls baked into CI/CD, and practical coverage of SAST/DAST/IAST in developer workflows.
Supply chain security remains a headline topic: guidance around SBOMs (such as CycloneDX), package provenance and build integrity (SLSA), dependency hygiene, and governance that scales across organizations.
Given the prevalence of APIs and microservices, sessions often explore API security patterns, testing GraphQL and REST endpoints, secrets management, and resilient identity and authorization models aligned with zero-trust principles.
With AI and LLMs reshaping software delivery, BASC is poised to spotlight emerging guidance such as the OWASP Top 10 for LLM Applications, secure prompt engineering, model and data supply chain risks, and guardrails for code-generation tools.
Cloud-native security is another anchor: container hardening, Kubernetes admission controls, policy-as-code, and runtime detection that complements preventative controls. Web and mobile remain core domains, supported by OWASP references like ASVS, MASVS, SAMM, and widely used tools such as ZAP, Juice Shop, Dependency-Track, and DefectDojo.
What sets BASC apart is its community-first ethos. The program traditionally favors deep technical talks, live demos, and workshops with measurable takeaways over pure theory. It draws a diverse audience—software engineers, AppSec practitioners, product security leaders, security researchers, architects, QA engineers, and students—mirroring the collaborative reality of modern product teams.
The Cambridge location also taps into a vibrant academic and startup ecosystem, making for strong networking and cross-pollination between industry, research, and open source.
Expect conversations that connect AppSec practice to broader industry currents: secure-by-design principles from major regulators and standards bodies; the rising importance of measurable maturity (SAMM) and compliance mapping; the operationalization of “shift everywhere” security; and the economic case for finding issues at design time rather than in production.
Whether your focus is governance and risk, platform engineering, or hands-on testing, BASC offers a concentrated way to align your roadmap with the latest community-backed approaches.
If you plan to attend, monitor the official site for registration, CFP updates, volunteer opportunities, and sponsor information. BASC’s community roots typically keep the event accessible and highly practical—an ideal venue to learn, contribute, and grow your AppSec network.