OWASP August In-Person Meet - Vibe Coding Meets AppSec


Details
With the era of “vibe coding” taking off, where speed and fluidity drive software delivery, Static Application Security Testing (SAST) faces a rising challenge: managing false positives without slowing the pace. Striking the right balance between catching real vulnerabilities and avoiding wasted time on non-issues is key.
In this session, we’ll explore why false positives occur, the trade-offs that cause them, and how context shapes what’s truly risky—especially when rapid, iterative coding styles are in play.
Through practical, real-world scenarios, we’ll cover:
- The FP/FN trade-off and why chasing zero false positives can introduce other risks.
- The three core drivers of false positives: algorithms, rules, and context.
- How risk appetite and environmental context change the definition of a vulnerability.
- Strategies for prioritizing, triaging, and reducing noise without slowing momentum.
By the end of the session, you’ll have a clearer perspective on why fully eliminating false positives is rarely practical - and how to manage them so SAST remains a trusted safeguard in fast-moving development workflows.
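As an added illustration of the three drivers named above (not material from the session or from OWASP): a toy rule-based scanner run over a constructed Python snippet, showing how a context check demotes two of three rule hits and how exposure and risk appetite then decide which findings should block a merge. The `SANITIZERS` allowlist and the P1/P2/P3 scheme are assumptions made for this example; it needs Python 3.9+ for `ast.unparse`.

```python
import ast

# Constructed sample: three uses of the same sink; only the first is exploitable.
SAMPLE = '''
import subprocess, shlex
def run_user(cmd):                      # untrusted string reaches a shell
    subprocess.run(cmd, shell=True)
def run_safe(cmd):                      # sanitized before the sink
    subprocess.run(shlex.quote(cmd), shell=True)
def run_const():                        # fixed literal, nothing attacker-controlled
    subprocess.run("ls -l", shell=True)
'''
SANITIZERS = {"shlex.quote"}            # assumed allowlist of known sanitizers

def scan(source, use_context=True):
    """Rule driver: flag subprocess.run(..., shell=True).  Context driver: a literal
    argument or a known sanitizer demotes the finding.  Returns
    (function, reason, confirmed) tuples in source order."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if not (isinstance(node, ast.Call) and ast.unparse(node.func) == "subprocess.run"):
                continue
            shell = any(k.arg == "shell" and getattr(k.value, "value", None) is True
                        for k in node.keywords)
            if not shell or not node.args:
                continue
            arg, confirmed, reason = node.args[0], True, "non-literal command with shell=True"
            if use_context and isinstance(arg, ast.Constant):
                confirmed, reason = False, "literal command, no tainted input"
            elif use_context and isinstance(arg, ast.Call) and ast.unparse(arg.func) in SANITIZERS:
                confirmed, reason = False, "argument wrapped in " + ast.unparse(arg.func)
            findings.append((fn.name, reason, confirmed))
    return findings

def prioritize(findings, internet_facing, risk_appetite="low"):
    """Environmental context and risk appetite decide what blocks the merge:
    confirmed findings always ship as P1/P2; unconfirmed ones survive only as
    P3 review items on an internet-facing service with a low risk appetite."""
    out = []
    for func, _reason, confirmed in findings:
        if confirmed:
            out.append((func, "P1" if internet_facing else "P2"))
        elif internet_facing and risk_appetite == "low":
            out.append((func, "P3"))  # keep for review, do not block delivery
    return out
```

Without the context check every `shell=True` call is reported; with it, only `run_user` remains a confirmed finding, and the environment profile decides whether the two demoted hits are worth anyone's time at all.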