SBA Research @ OWASP Global AppSec EU 2026

SBA Research was proud to support OWASP Global AppSec EU 2026, one of Europe’s leading conferences on application security, held from June 22–26, 2026, at the Austria Center Vienna. The event brought together security researchers, practitioners, and industry experts to exchange knowledge, discuss emerging threats, and explore the latest developments in application security.

We were especially proud that three of our colleagues contributed to the conference program by sharing their expertise: Michael Koppmann, Reinhard Kugler, and Mathias Tausig.

In addition to his technical contribution, Michael Koppmann served as Volunteer Lead, coordinating and supporting the volunteer team throughout the conference. His dedication helped ensure the smooth organization and success of the event.

Their presentations reflected SBA Research’s ongoing commitment to advancing cybersecurity research and translating findings into practical solutions for the security community.

A big thank you to the organizers, speakers, and attendees for an inspiring event. We look forward to continuing the conversations and contributing to the future of application security.

***

Our colleague Michael Koppmann, Senior Information Security Consultant at SBA Research, gave a talk on Illegal States Are My Favorite Security Vulnerabilities.


Abstract

Types in programming languages are meant to protect us, but how often do we still end up chasing silly bugs caused by a single misplaced value? A common culprit is the code smell “Primitive Obsession”: representing everything as integers, strings, and Booleans instead of meaningful domain types. It works until an order ID gets passed where a customer ID was expected, or missing access control is exploited, and nobody notices until it is too late.

Over the last decades, type systems have become surprisingly powerful. Nowadays, even mainstream languages let us encode business rules, workflows, and even security properties directly into types. That means the compiler can act as a very strict, very fast reviewer that never gets tired. It refuses to build your code if a workflow is incomplete, a state is impossible, or an access rule is violated. Entire classes of bugs simply can’t compile anymore. “Security by design” is the core idea behind this presentation.

In this talk, I will show concrete TypeScript examples of how we can model business workflows and constraints with types: making illegal states unrepresentable, designing internal APIs that are harder to misuse, and capturing security invariants so they’re enforced automatically. The approach is not tied to a single language but is a practical design technique that can make your programming life easier.
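One way to put the abstract's three ideas into code, as an added TypeScript example rather than the speaker's own material; the order workflow, the ids and the ownership check are constructed for illustration:

```typescript
// Added example (not the speaker's code): branded IDs, a discriminated-union
// order workflow and a capability type that proves an ownership check ran.

// Branded primitives: both are strings at runtime, but the compiler refuses
// to pass an OrderId where a CustomerId is expected.
type OrderId = string & { readonly __brand: "OrderId" };
type CustomerId = string & { readonly __brand: "CustomerId" };
const orderId = (s: string): OrderId => s as OrderId;
const customerId = (s: string): CustomerId => s as CustomerId;

// Each workflow state carries only the data that exists in that state, so a
// "shipped order without a tracking number" cannot even be constructed.
type Draft = { kind: "draft"; id: OrderId; customer: CustomerId; items: string[] };
type Paid = { kind: "paid"; id: OrderId; customer: CustomerId; items: string[]; paymentRef: string };
type Shipped = { kind: "shipped"; id: OrderId; customer: CustomerId; tracking: string };
type Order = Draft | Paid | Shipped;

// Transitions accept only the state they may legally leave from:
// ship(draft, ...) is a compile error, not a runtime surprise.
function pay(o: Draft, paymentRef: string): Paid {
  if (o.items.length === 0) throw new Error("cannot pay an empty order");
  return { ...o, kind: "paid", paymentRef };
}
function ship(o: Paid, tracking: string): Shipped {
  return { kind: "shipped", id: o.id, customer: o.customer, tracking };
}

// Access-control invariant: a Verified<Order> can only be minted by
// requireOwner, so any function demanding it is unreachable without the check.
type Verified<T> = T & { readonly __verified: true };
function requireOwner(o: Order, actor: CustomerId): Verified<Order> {
  if (o.customer !== actor) throw new Error("forbidden");
  return o as Verified<Order>;
}
function describe(o: Verified<Order>): string {
  switch (o.kind) {
    case "draft": return `draft with ${o.items.length} item(s)`;
    case "paid": return `paid (${o.paymentRef})`;
    case "shipped": return `shipped, tracking ${o.tracking}`;
  }
}

// Constructed sample run through the whole workflow for a given actor.
function demo(actor: CustomerId): string[] {
  const draft: Draft = { kind: "draft", id: orderId("ord-9"), customer: customerId("cust-1"), items: ["book"] };
  const shipped = ship(pay(draft, "pay-42"), "trk-7");
  return [describe(requireOwner(draft, actor)), describe(requireOwner(shipped, actor))];
}
```

Calling `describe` on a plain `Order`, or `ship` on a `Draft`, fails at compile time; only the ownership mismatch remains a runtime check, and it is the single place that can produce a `Verified<Order>`.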

About the speaker

Michael Koppmann is a Senior Information Security Consultant at SBA Research, specializing in application security, penetration testing, and secure software engineering. His work spans web, mobile, and cloud security assessments, source code reviews, and software architecture analysis. He also leads the development of in-house security tools and regularly delivers trainings and talks on secure software development, APIs, and microservices. His research focuses on sustainable software engineering, secure and maintainable software development, and online privacy.

***

Our colleague Reinhard Kugler, Applied Research Consultant at SBA Research, gave a talk on This Build can Break You – Evil Runners and eBPF for Detection.


Abstract

CI/CD pipelines play an important role in modern software development. From a security perspective, this methodology contributes to more secure products, as automated checks can be applied on every run. Developers define tasks in a metadata file, and the system executes the defined jobs automatically. But what if the build chain itself becomes the security problem, allowing attackers to manipulate artifacts or take control of backend infrastructure? Let’s take a deep dive into “Poisoned Pipeline Execution” (OWASP CICD-SEC-4).

Builds are typically carried out in multiple steps using Runners – agents that pick up jobs and execute build instructions. These instructions, such as compiling a program or building a container image, are usually performed inside containers. Containers may provide isolation, but the effectiveness in terms of security strongly depends on the Runner’s configuration. Attackers can abuse Runners to execute arbitrary commands, leading to information disclosure or privilege escalation. While such attacks are well documented, effective detection mechanisms are often lacking.

Any viable detection method must be independent of the source code, language-agnostic, and container-friendly. The eBPF technology, which enables tracing of kernel-level activity, is well suited for this purpose. In this talk, we explore security vulnerabilities in CI Runners, how they become targets for attackers, and how malicious activities can be detected using eBPF.

About the speaker

Reinhard’s focus lies on security testing of IT and industrial cyber-physical systems. Based on his prior experience in cyber defense, he works with companies to develop security capabilities and secure products. Reinhard is an experienced instructor and develops tailored security trainings. His mission is to apply research methods (combinatorial security testing) to industrial applications, like automotive, embedded or cloud.

***

Mathias Tausig, information security consultant at SBA Research, gave a talk titled The TPM and You – How (and Why) to Actually Make Use of Your TPM.


Abstract

There is a common saying that “every problem in cryptography can be reduced to a key management problem”. OWASP’s Cheat Sheet series even has a whole document dedicated to “Cryptographic Storage”. What if we could make life easier for us in this area?

TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with “free” hardware that can be used for all kinds of cryptography. They are already widely in use by most operating systems and firmware, but haven’t really found usage in userspace applications yet.

This talk elaborates why this is the case and how to change this fact. We are going to discuss the capabilities of a TPM and demonstrate them live with a sample application, a TOTP client which stores its secrets securely.

About the speaker

Mathias Tausig is a trained mathematician and has professional experience as a Security Officer, developer, sysadmin, as well as a university lecturer for IT security. He is currently working as a Security Consultant, focusing on penetration testing, trainings, and application security. As a speaker, he has appeared at events such as heise devSec, sec4dev, WeAreDevelopers, Linuxwochen, and the CCC Easterhegg.

***

About the Event

OWASP Global AppSec EU is an annual European cybersecurity conference focused on application security. Organized by the Open Worldwide Application Security Project (OWASP), it brings together developers, security engineers, researchers, and industry leaders to share knowledge about securing modern software and web applications. The event typically features keynote presentations, technical talks, panel discussions, and hands-on training sessions covering topics such as secure coding, vulnerability management, cloud and DevSecOps security, and emerging threats. AppSec EU also provides networking opportunities, security competitions, and vendor exhibitions. Its goal is to advance application security practices and promote collaboration within the global cybersecurity community.
