logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

Flux Beyond Git: Harnessing the Power of OCI

Conference:  KubeCon + CloudNativeCon Europe 2023
Authors: Stefan Prodan, Hidde Beydals
2023-04-19

tldr - powered by Generative AI

Flux is moving towards OCI and container registries without relying on GitOps. The project is split into multiple controllers that can be extended without modifying its source code. GitLab and Orange have joined the Flux ecosystem, and there is an open-source edition called Weave Flux that offers a full-featured web UI for Flux.
  • Flux is a project that is split into multiple controllers that can be extended without modifying its source code.
  • Flux is moving towards OCI and container registries without relying on GitOps.
  • GitLab and Orange have joined the Flux ecosystem.
  • Weave Flux is an open-source edition that offers a full-featured web UI for Flux.
Tags:
flux
OCI
Kubernetes
Terraform
Github Actions

GitHub Actions: Vulnerabilities, Attacks, and Counter-measures

Conference:  Global AppSec Dublin 2023
Authors: Magno Logan
2023-02-15

tldr - powered by Generative AI

The presentation discusses the vulnerabilities, attacks, and countermeasures related to GitHub Actions, a continuous integration tool used in DevOps methodology.
  • GitHub Actions automate tasks in software development life cycle
  • The presentation demonstrates the risks of using Runners, the servers provided by GitHub to run Actions
  • Attackers can leverage Runners to mine cryptocurrencies, pivot into other targets, and distribute backdoors into different repositories
  • The problem of third-party dependencies via the GitHub Actions Marketplace is highlighted
  • Creating a fake GitHub Action can make runners act as bots to target other victims and be used in supply-chain attacks
Tags:
Github Actions
CI tools
DevOps
cryptocurrency mining
reverse shell

Lightning Talk: Automatically Restrict Permissions for the GITHUB Token

Conference:  SupplyChainSecurityCon 2022
Authors: Varun Sharma
2022-06-23

tldr - powered by Generative AI

The importance of setting minimum permissions for the GITHUB token and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
  • GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow gets a GITHUB token.
  • Restricting permissions for the GITHUB token is recommended by GitHub and the Open Source Security Foundation (OSSF) Security Scorecards.
  • Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
  • SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB token, based on a knowledge base of required permissions for common GitHub Actions.
  • SecureWorkflows has been used to set token permissions for hundreds of workflows, including for the GitHub Actions starter workflows, and is recommended by OSSF Scorecards to fix token permissions.
  • The importance of setting minimum permissions for the GITHUB token is illustrated by a story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token with content's right permission.
Tags:
GitHub
Github Actions
GITHUB token
SecureWorkflows
security breaches
Open Source Security Foundation

Github Actions Security Landscape

Conference:  SupplyChainSecurityCon 2022
Authors: Ronen Slavin, Alex Ilgayev
2022-06-22

tldr - powered by Generative AI

The presentation discusses the security landscape of Github Actions and the potential vulnerabilities that can arise from misconfigurations. The focus is on code injection as the main scenario of the exploit and the consequences that can result from such attacks.
  • Github Actions is a popular CI/CD tool that allows developers to automate development workflows easily
  • Misconfigurations in Github Actions can lead to potential vulnerabilities
  • Code injection is a common exploit that can result from misconfigurations
  • The consequences of such attacks can be disastrous, including exposing secrets and allowing attackers to commit malicious code
  • Possible mitigations to stop such attacks are explored
Tags:
Github Actions
CI/CD
DevOps
best practices

Feedback loop in DevSecOps - mature security process and dev cooperation

Conference:  OWASP 20th Anniversary Event
Authors: Daniel Krasnokucki
2021-09-24
Abstract:Having Security testing in the pipeline is getting more and more popular, I would say it is becoming a standard! But what we are doing with findings? What are we automating and how are using the automation?The presentation will cover security-as-a-code practices to integrate security testing into the CI and CD pipelines, but in addition - I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automation testing and what is the role of penetration testing in monitoring? I will show how it affects next round of the process and what the process should look like.During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. Demo will include GitHub Actions and open-source tools like OWASP ZAP and examples will be provided with pipeline-as-a-code and security-as-a-code. Real life use cases and examples with step-by-step instruction how the development process in mature state of DevSecOps should look like.
Tags:
security testing
automation
penetration testing
DevSecOps
Github Actions