Conference: Defcon 31
Authors: Asi Greenholts, Security Researcher at Palo Alto Networks
2023-08-01

GitHub is the most popular platform to host Open Source projects; therefore, the popularity of its CI/CD platform, GitHub Actions, is rising, which makes it an attractive target for attackers. In this talk I'll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects, by showing you a demo of a POC worm. We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of. We will then dive down into how GitHub Actions works under the hood, and I'll show you how an attacker who is in control of an Action can utilize the mechanism of the GitHub Actions Runner to infect other Actions that depend on their Action and eventually infect the targeted project. Finally, after we've gained all of the theoretical knowledge, I'll show you a demo with POC malware that spreads through Actions, and we will talk about how to defend against this kind of attack.
Authors: Marek Siarkowicz, James Blair, Samba Bandari, Bogdan Kanivets
2023-04-20

Download the code ahead of time. DCO required. Join the contributors to Etcd, the most popular cloud-native database that backs Kubernetes. We'll be working on improving key features and testing for Etcd, and in the process we'll teach those new to the project how to contribute. Etcd is a very useful, fun, and essential project, and welcomes both new contributors and those who want to "level up". Attendees should be familiar with programming in Go and using GitHub, and should bring a laptop on which they can do cloud-native development: either a Linux laptop, your own GitHub Devcontainer setup, or some equivalent. Etcd maintainers will organise work to improve the reliability of Etcd. We will focus on improving etcd robustness testing and paying down technical debt. This Contribfest session is designed to provide projects with the space and resources to tackle outstanding technical debt, security issues, or outstanding impactful feature requests. They are intended to provide a place for maintainers to meet contributors and potential contributors and work together on solving a problem.
Authors: Carlos Panato, Adolfo García Veytia
2023-04-20

tldr - powered by Generative AI

The presentation discusses the release toolkit and its use in securing the supply chain for software development projects.
  • The release toolkit generates binaries, checksums, and signatures for release artifacts
  • It includes provenance attestation and an SPDX S-BOM
  • The toolkit can be used with GitHub actions and is language-agnostic
  • The SLSA attester creates SLSA attestations and can be used with S-BOMs generated by other tools
  • The toolkit uses OIDC tokens from GitHub to obtain short-lived certificates for signing attestations
  • The toolkit can be used to donate repositories to Kubernetes organization
Authors: Jose Donizetti
2023-04-19

tldr - powered by Generative AI

The presentation discusses the use of Tracee, a tool for tracing and profiling software executions, to detect and prevent supply chain attacks in DevOps workflows.
  • Tracee is a tool for tracing and profiling software executions in DevOps workflows
  • The tool can be used to detect and prevent supply chain attacks
  • Tracee uses deny lists and allow lists to distinguish expected from suspicious activity
  • The tool extends profiles to include user ID, arguments, and environment variables
  • Tracee can ignore certain system and environment variables to ensure consistency across runs
  • The tool uses syscalls to collect information on executed binaries
  • An anecdote is provided to illustrate how Tracee can detect a supply chain attack
Authors: Loris Degioanni
2022-10-25

tldr - powered by Generative AI

The presentation discusses the importance of securing code repositories and how to detect and prevent threats using CNCF's Falco.
  • Code repositories are a prime target for attacks and are subject to several categories of threats such as pushing secrets, running GitHub actions with miners, and mistakenly publishing a private repository.
  • Falco is a runtime security tool that traditionally protects containers and pods in Kubernetes but now has a GitHub plugin to provide real-time runtime security for GitHub repositories.
  • Falco listens on containerized, Kubernetes-based endpoints and captures signals such as system calls to detect suspicious activity and raise alerts.
  • Falco's rule engine is simple and customizable, allowing users to add their own rules to detect specific threats.
  • Falco is free, open-source, and can be helpful in securing code repositories.
  • The presenter invites attendees to a Falco party and a session with Falco developers to learn more about the tool.
Authors: Stephen Giguere
2022-10-25

tldr - powered by Generative AI

The presentation discusses the security challenges faced by open source projects and GitOps workflows, particularly in relation to GitHub Actions workflows. The speaker demonstrates potential abuses and vulnerabilities in GitHub Actions workflows and highlights the importance of implementing best practices to protect against attacks.
  • Open source projects and GitOps workflows are vulnerable to security threats
  • GitHub Actions workflows can be abused by malicious actors to gain access to sensitive information
  • Best practices, such as implementing environmental protection and short-lived tokens, can help protect against attacks
Conference: Transform X 2022
Authors: Nat Friedman, Alexandr Wang
2022-10-19

tldr - powered by Generative AI

The speaker discusses the emergence of AI capabilities and the need for product development to bridge the gap between research and practical applications. They also touch on the potential for startups to build new products and the challenges of incumbents in adopting generative AI technology.
  • AI capabilities have created new opportunities for product development
  • Product development requires a level of tinkering and creativity to find the intersection between new capabilities and user needs
  • Language is an AGI-complete problem with a lot of potential value to be unlocked
  • Models are becoming more accessible and less brittle, making them easier to use for product development
  • Startups have an opportunity to build new products that don't fit neatly into existing categories
  • Incumbents face challenges in adopting generative AI technology due to reputational risk and the potential for offensive content
  • The emergence of AI capabilities is not a joke and may be bad news for startups
  • The moat for startups may be in the application or workflow rather than the model itself
Authors: Varun Sharma
2022-06-23

tldr - powered by Generative AI

The importance of setting minimum permissions for the GITHUB_TOKEN and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
  • GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow run gets a GITHUB_TOKEN.
  • Restricting permissions for the GITHUB_TOKEN is recommended by GitHub and by the Open Source Security Foundation (OpenSSF) Scorecards.
  • Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
  • SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB_TOKEN, based on a knowledge base of the permissions required by common GitHub Actions.
  • SecureWorkflows has been used to set token permissions for hundreds of workflows, including the GitHub Actions starter workflows, and is recommended by OpenSSF Scorecards as the fix for token permissions.
  • The importance of setting minimum permissions for the GITHUB_TOKEN is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token that carried the contents: write permission.
Authors: Laurent Simon, Asra Ali
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of artifact attestation, or SLSA provenance, in ensuring the authenticity of build artifacts and creating strong links between artifacts and their source repositories. It also highlights the various use cases of artifact attestation in the supply chain.
  • Artifact attestation creates a strong link between build artifacts and their source repositories, ensuring authenticity and enabling the creation of policies.
  • Artifact attestation can be used to enforce policies at different stages of the supply chain, including control plane, build time, and installation time.
  • GitHub's dependency API and S-BOM API can benefit from artifact attestation to ensure the authenticity of dependencies and S-BOMs.
  • Artifact attestation can be used to prove to third parties that S-BOMs are authentic and created without cheating or hiding vulnerabilities.
  • Artifact attestation can be used for any kind of metadata, including static analysis tool results.
Authors: Kim Schlesinger
2022-05-19

tldr - powered by Generative AI

The presentation is about using Terraform to create a DigitalOcean managed Kubernetes cluster as part of a GitOps workshop.
  • Terraform is an infrastructure-as-code tool that automates provisioning of infrastructure resources such as VMs, managed databases, firewalls, and Kubernetes services.
  • The presenter demonstrates how to create a DigitalOcean managed Kubernetes cluster using Terraform.
  • The presenter explains the importance of using infrastructure-as-code tools in GitOps.
  • The audience is given step-by-step instructions on how to set up a DigitalOcean account, configure doctl (the DigitalOcean CLI), and use Terraform to create a Kubernetes cluster.
  • An anecdote is not provided.