Floragasse 7 – 5th floor, 1040 Vienna

SBA @ BSidesVienna 0x7E9

SBA Research has proudly supported BSidesVienna as a Gold Sponsor for several years. We’re committed to fostering independent security research and collaboration within the cybersecurity community, and BSidesVienna is an excellent platform for advancing these goals.

This year our colleagues Fabian Funder and Mathias Tausig gave talks on The OWASP Top 10 Looks Different From the Trenches and The TPM and You – How (and why) to actually make use of your TPM.

Abstract

The OWASP Top 10 Looks Different From the Trenches

Top software vulnerability lists like OWASP Top 10 or CWE Top 25 are well-known and used broadly across the industry. They shape how we talk about software vulnerabilities and guide us to focus on certain vulnerabilities over others. But how well do they hold up in the real world? Are there any blind spots that are not covered by the most prominent lists?
To answer this question, Fabian aggregated the results of over 400 web application penetration tests carried out over the last four years. In this talk, he walked through how these "top vulnerability" lists are created, what trade-offs they make, and where they fall short. Finally, he compared their priorities against real-world data from a mid-sized penetration testing team and showed which issues actually turn up again and again in practice.

The TPM and You – How (and why) to actually make use of your TPM

There is a common saying that "every problem in cryptography can be reduced to a key management problem". What if we could make life easier for ourselves in this area?
TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with "free" hardware that can be used for all kinds of cryptography.
They are already widely used by most operating systems and firmware, but have not found much use in userspace applications yet.

This talk explained why this is the case and how to change it. Mathias discussed the capabilities of a TPM and demonstrated them with a sample application: a TOTP client that keeps its secrets in the TPM.
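As an added illustration of the idea behind that demo (my own example, not the talk's sample application or any SBA Research code), the following Python client splits TOTP (RFC 6238) so that the only cryptographic operation, an HMAC over the 8-byte time counter, is done by a pluggable backend. With a software backend the shared secret sits in process memory; with the TPM backend the secret is an HMAC keyed-hash object inside the TPM and the client only ever handles the counter and the resulting MAC. The class and function names are mine, and the tpm2-tools invocations (tpm2_createprimary, tpm2_create, tpm2_load, tpm2_hmac) are assumptions taken from that tool's documentation: verify them against your tpm2-tools version, since they are not exercised by the RFC test vectors used below.

```python
"""TOTP (RFC 6238) with the HMAC step delegated to a backend.

Added example, not the talk's sample application. The point it makes:
TOTP only needs HMAC(secret, counter); if the TPM holds the secret as a
keyed-hash object and performs the HMAC, the secret never has to be in
process memory after enrolment.
"""
import hashlib
import hmac
import struct
import subprocess
import time


def counter_bytes(unix_time: int, step: int = 30) -> bytes:
    """RFC 6238: T = floor(unix_time / step), encoded as 8-byte big-endian."""
    return struct.pack(">Q", unix_time // step)


def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC result to a decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SoftwareHmac:
    """Conventional client: the shared secret lives in process memory."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def mac(self, message: bytes) -> bytes:
        # Deployed TOTP almost always means HMAC-SHA1, hence sha1 here.
        return hmac.new(self.secret, message, hashlib.sha1).digest()


class TpmHmac:
    """Secret held by the TPM as an HMAC-SHA1 keyed-hash object.

    Assumes tpm2-tools (tpm2_hmac) on PATH and a loaded key context.
    Assumed one-time enrolment (not run by the test, check your version):
        tpm2_createprimary -C o -c primary.ctx
        tpm2_create -C primary.ctx -G hmac:sha1 -i secret.bin \
                    -u key.pub -r key.priv
        tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
    Afterwards secret.bin can be deleted; key.priv is wrapped by the TPM
    and only usable through it.
    """

    def __init__(self, key_context: str = "key.ctx"):
        self.key_context = key_context

    def mac(self, message: bytes) -> bytes:
        # The key was created with a fixed hash (sha1), so no -g is passed.
        result = subprocess.run(
            ["tpm2_hmac", "-c", self.key_context, "--hex"],
            input=message, capture_output=True, check=True,
        )
        return bytes.fromhex(result.stdout.decode().strip())


def totp(backend, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute the TOTP code; only the counter is handed to the backend."""
    return truncate(backend.mac(counter_bytes(unix_time, step)), digits)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (SHA-1 row); constructed input.
    secret = b"12345678901234567890"
    print(totp(SoftwareHmac(secret), 59, digits=8))  # 94287082 per RFC 6238
    print(totp(SoftwareHmac(secret), int(time.time())))
    # Same call against the TPM once a key context has been loaded:
    # print(totp(TpmHmac("key.ctx"), int(time.time())))
```

The design point is that the two backends are interchangeable: the client logic does not change, only where the secret lives. The enrolment step still has the secret in the clear once (when it is written to secret.bin), so that is the moment to protect; after that, an attacker who dumps the process or the disk gets a TPM-wrapped blob rather than the TOTP seed. Note that this is stronger against theft than against misuse on the same machine: malware with access to the loaded key context can still ask the TPM for codes, which is where the TPM's authorization and PCR policies come in.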

We look forward to continuing our collaboration and are already excited for BSides Vienna 2026!

About the Conference

BSides is a global series of community-organized events that foster independent security research, education, and collaboration within the cybersecurity community. Unlike commercial conferences, BSides events have a more relaxed, meetup-like atmosphere, focusing on open dialogue, networking, and exchanging perspectives. They feature engaging talks, workshops, and the famous “hallway track,” where participants can connect with old friends, meet new people, and share insights. BSidesVienna aims to contribute to the global spread of these events and provide valuable input to the information security community.
