Our colleague Reinhard Kugler, Applied Research Consultant at SBA Research, gives a training on “This Build can Break You – Evil Runners and eBPF for Detection“ at the OWASP AppSec EU on June 25, 2026.
Abstract
CI/CD pipelines play an important role in modern software development. From a security perspective, this methodology contributes to more secure products, as automated checks can be applied on every run. Developers define tasks in a metadata file, and the system executes the defined jobs automatically. But what if the build chain itself becomes the security problem, allowing attackers to manipulate artifacts or take control of backend infrastructure? Let’s take a deep dive into “Poisoned Pipeline Execution” (OWASP CICD-SEC-4).
Builds are typically carried out in multiple steps using Runners – agents that pick up jobs and execute build instructions. These instructions, such as compiling a program or building a container image, are usually performed inside containers. Containers may provide isolation, but the effectiveness in terms of security strongly depends on the Runner’s configuration. Attackers can abuse Runners to execute arbitrary commands, leading to information disclosure or privilege escalation. While such attacks are well documented, effective detection mechanisms are often lacking.
Any viable detection method must be independent of the source code, language-agnostic, and container-friendly. The eBPF technology, which enables tracing of kernel-level activity, is well suited for this purpose. In this talk, we explore security vulnerabilities in CI Runners, how they become targets for attackers, and how malicious activities can be detected using eBPF.
About the speaker
Reinhard’s focus relies on security testing of IT and industrial cyber-physical systems. Based on his prior experience in cyber defense, he works with companies to develop security capabilities and secure products. Reinhard is an experienced instructor and develops tailored security trainings. His mission is to apply research methods (combinatorial security testing) to industrial applications, like automotive, embedded or cloud.
Mathias Tausig, information security consultant at SBA Research, gives a training titled “The TPM and You – How (and Why) to Actually Make Use of Your TPM” taking place on June 26, 2026.
Abstract
There is a common saying that “every problem in cryptography can be reduced to key management problem”. OWASP’s Cheat Sheet series even has a whole document dedicated to “Cryptographic Storage”. What if we could make life easier for us in this area?
TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with a “free” hardware that can be used for all kinds of cryptography.
They are already widely in use by most operating systems and firmwares, but haven’t really found usage for userspace applications yet.
This talk elaborates why this is the case and how to change this fact. We are going to discuss the capabilities of a TPM and demonstrate them live with a sample application, a TOTP client which stores its secrets securely.
About the speaker
Mathias Tausig is a trained mathematician and has professional experience as a Security Officer, developer, sysadmin, as well as a university lecturer for IT security. He is currently working as a Security Consultant, focusing on penetration testing, trainings, and application security. As a speaker, he has appeared at events such as heise devSec, sec4dev, WeAreDevelopers, Linuxwochen, and the CCC Easterhegg.
About the Event
OWASP AppSec EU is an annual European cybersecurity conference focused on application security. Organized by the Open Worldwide Application Security Project (OWASP), it brings together developers, security engineers, researchers, and industry leaders to share knowledge about securing modern software and web applications. The event typically features keynote presentations, technical talks, panel discussions, and hands-on training sessions covering topics such as secure coding, vulnerability management, cloud and DevSecOps security, and emerging threats. AppSec EU also provides networking opportunities, security competitions, and vendor exhibitions. Its goal is to advance application security practices and promote collaboration within the global cybersecurity community.
Fotocredit: Niklas Schnaubelt