Third edition of sec4dev Dialogues brings insightful content and lively exchange

On June 19, SBA Research and its partner Condignum hosted the third edition of the sec4dev Dialogues event series.

Security for Software Developers is essential. The current threat landscape and security incidents in recent years make it clear: the topic is more relevant than ever. Around 60 participants joined us for the third edition of the sec4dev Dialogues at SBA Research. The event aims to bring together professionals from software development and cybersecurity, foster discussions on current challenges and emerging trends, and jointly advance software security.

The presentations provided valuable insights into current regulatory developments, long-term research findings, and emerging challenges in software security, privacy, and artificial intelligence.

The key takeaways from the four insightful talks are:

Vulnerability Management under the Cyber Resilience Act
Lukas Feiler – Baker McKenzie

Starting September 11, 2026, the EU Cyber Resilience Act (CRA) introduces stricter requirements for vulnerability management across all software products. This talk provides practical guidance on how these obligations apply in real-world development contexts and how they can be integrated into a Secure Software Development Life Cycle.

It addresses key questions around the CRA’s scope, including free and open-source software, alpha and beta releases, and hybrid architectures with server-side components. It further explores mandatory vulnerability disclosure obligations to national CSIRTs, ENISA, and customers, including practical challenges, exceptions, and handling vulnerabilities in third-party components under tight reporting deadlines.

In addition, the talk discusses risks associated with voluntary vulnerability disclosure by security researchers and examines the CRA’s requirements for timely security updates, including implementation challenges, potential compensation models, and dependency management in third-party software components.

Presentation slides

15 Years of WhatsApp
Sebastian Schrittwieser, Gabriel Gegenhuber & David Schmidt – SBA Research, University of Vienna, IT:U

  1. Enumeration attacks against messenger apps have been a well-known problem for more than 15 years. Using the same class of attack that allowed us to enumerate more than 21,000 WhatsApp users in 2011, it was possible in 2025 to enumerate approximately 3.5 billion accounts, including profile pictures and X25519 public keys.
  2. Fundamental security issues in mobile applications continue to persist. In our research, we discovered 416 valid hard-coded cloud credentials across approximately 10,000 mobile apps.
  3. Why are such obvious security measures still so often neglected? Rate limiting, key revocation, and secret scanning in CI/CD pipelines are well-established practices and do not pose any significant technical challenge to implement.

If You Talk About ESG, You Need to Talk About SCI
Michael Koppmann – SBA Research

  1. Green software is ultimately good software: user-friendly, secure, efficient, and maintainable. Sustainability can be integrated seamlessly with existing software engineering best practices.
  2. Inefficient software wastes more than just energy. It increases emissions, consumes unnecessary computing resources, and also drains human energy by causing frustration, delays, and poor user experiences.
  3. The industry is increasingly embracing sustainable software development. Concrete tools, frameworks, recommendations, and standards are emerging to help organizations measure and improve the environmental impact of their software.
  4. While AI is a major consumer of energy and drives up demand for hardware, it may also become a key catalyst for advancing sustainable software practices by increasing awareness of efficiency and resource consumption.

Presentation slides

Agents without Agency: Security Risks of Autonomous AI Agents
Caroline König – SBA Research, University of Vienna

  1. Agents are powered by LLMs and are therefore vulnerable to prompt injection attacks, which remain an unsolved problem.
  2. Exploits have already occurred, and new CVEs linked to the use of AI agents continue to emerge.
  3. Secure deployment relies on containing and restricting agents, as well as minimizing the tools, data, and APIs they can access.

Presentation slides

Following the five exciting talks, the mild summer evening was the perfect setting for engaging conversations over food and drinks on the terrace. We would like to thank all participants, speakers, and our partner Condignum for making the event a success. We look forward to the next edition of sec4dev Dialogues in 2027!

LINKS

condignum
https://sec4dev.io/