Conference:  Defcon 31
Authors: Asi Greenholts Security Researcher at Palo Alto Networks
2023-08-01

GitHub is the most popular platform for hosting Open Source projects; therefore the popularity of its CI/CD platform, GitHub Actions, is rising, which makes it an attractive target for attackers. In this talk I'll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects, by showing you a demo of a POC worm. We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of. We will then dive down into how GitHub Actions works under the hood, and I'll show you how an attacker who is in control of an Action can utilize the mechanism of the GitHub Actions Runner to infect other Actions that are dependent on their Action and eventually infect the targeted project. Finally, after we've gained all of the theoretical knowledge, I'll show you a demo with POC malware that is spreading through Actions, and we will talk about how to defend against this kind of attack.
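As an added example (not the speaker's code), the following Python builds the implicit dependency tree the abstract describes: a composite action's `action.yml` lists `uses:` steps, and each of those is another Action whose compromise propagates downward. The metadata is embedded as already-parsed dictionaries (what `yaml.safe_load` would return) so it runs offline; every repository name other than actions/checkout and actions/setup-node is hypothetical, and the 40-hex SHA is a placeholder. It goes slightly beyond the abstract by labelling each edge with how the reference is pinned, because a tag or branch is the handle that whoever controls the upstream repository can move.

```python
"""Walk the implicit dependency tree of GitHub Actions from a target project.

Constructed example: REGISTRY stands in for fetched action.yml files.
Hypothetical repositories: acme/release-workflow, acme/build-tool,
acme/cache-helper. The SHA below is a placeholder, not a real commit.
"""
import re
from typing import Dict, List, Tuple

REGISTRY: Dict[str, dict] = {
    # Stands in for the targeted project's own composite action / workflow.
    "acme/release-workflow": {"runs": {"using": "composite", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "acme/build-tool@v2"},
    ]}},
    "acme/build-tool": {"runs": {"using": "composite", "steps": [
        {"uses": "acme/cache-helper@main"},
        {"uses": "actions/setup-node@0123456789abcdef0123456789abcdef01234567"},
    ]}},
    "acme/cache-helper": {"runs": {"using": "composite", "steps": [
        {"run": "echo caching", "shell": "bash"},
        {"uses": "./.github/actions/local-step"},
    ]}},
    # JavaScript actions have no `uses:` steps of their own: leaves of the tree.
    "actions/checkout": {"runs": {"using": "node20", "main": "dist/index.js"}},
    "actions/setup-node": {"runs": {"using": "node20", "main": "dist/index.js"}},
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> Tuple[str, str]:
    """Split `owner/repo@ref` and say how mutable the ref is.

    Only a full commit SHA is immutable. A tag or branch can be re-pointed
    by whoever controls the referenced repository, so taking over that
    repository changes what every dependant runs on its next workflow.
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return uses, "local-or-docker"
    repo, _, ref = uses.partition("@")
    return repo, "pinned-sha" if SHA_RE.match(ref) else "mutable-ref"


def direct_uses(metadata: dict) -> List[str]:
    """Return the `uses:` targets of a composite action's steps."""
    runs = metadata.get("runs", {})
    if runs.get("using") != "composite":
        return []
    return [step["uses"] for step in runs.get("steps", []) if "uses" in step]


def dependency_tree(root: str, registry: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Depth-first walk from `root`; returns (dependant, dependency, ref_kind) edges.

    Each action is expanded once, so cycles terminate. Actions missing from
    the registry are kept as leaves so the path reaching them is still visible.
    """
    edges: List[Tuple[str, str, str]] = []
    seen = set()

    def walk(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        for uses in direct_uses(registry.get(name, {})):
            repo, kind = classify_ref(uses)
            edges.append((name, repo, kind))
            walk(repo)

    walk(root)
    return edges


def mutable_dependencies(root: str, registry: Dict[str, dict]) -> List[str]:
    """Repositories reachable from `root` through a tag or branch reference.

    Compromise of any one of these propagates to `root` without any change
    to `root`'s own files, which is the spreading path the talk describes.
    """
    return sorted({dep for _, dep, kind in dependency_tree(root, registry)
                   if kind == "mutable-ref"})


if __name__ == "__main__":
    for dependant, dep, kind in dependency_tree("acme/release-workflow", REGISTRY):
        print(f"{dependant} -> {dep} [{kind}]")
    print("mutable:", mutable_dependencies("acme/release-workflow", REGISTRY))
```

In a real sweep `REGISTRY` would be filled by fetching `action.yml` for each `uses:` target; the traversal itself does not change.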
Conference:  Black Hat Asia 2023
Authors: Yakir Kadkoda, Ilay Goldman
2023-05-12

Our talk divides the cloud development flow into 5 phases: IDE, SCM, package managers, CI/CD and Artifacts. We will demonstrate how supply chain attacks can affect organizations at each phase. This includes the risks of cloud, platforms, and application development, as well as the attacker's perspective on how to exploit these areas. We will unveil vulnerabilities and flaws in popular platforms corresponding to each one of the areas. We will also talk about the ecosystem and how developers are working with these platforms. Finally, we will show our original research including vulnerabilities and flaws in various platforms and talk about each finding and its implications and mitigations.
Authors: Tanya Janca
2023-02-16

tldr - powered by Generative AI

The presentation discusses resources and strategies for keeping legacy applications secure in a DevOps environment.
  • Encourages joining the Open Web Application Security Project (OWASP) and its local chapters
  • Provides a PDF summary of the presentation
  • Points to We Hack Purple, a free online community with training courses and podcasts
  • Suggests regular communication with software developers and security champions through lunch-and-learns and presentations
  • Emphasizes the importance of feedback and of addressing issues promptly
Authors: Ronen Slavin, Alex Ilgayev
2022-06-22

tldr - powered by Generative AI

The presentation surveys the security landscape of GitHub Actions and the vulnerabilities that arise from misconfigured workflows, focusing on code injection as the main exploit scenario and on its consequences.
  • GitHub Actions is a popular CI/CD tool that lets developers automate development workflows easily
  • Misconfigurations in GitHub Actions workflows can lead to vulnerabilities
  • Code injection is a common exploit that results from such misconfigurations
  • The consequences can be severe, including exposure of secrets and attackers committing malicious code
  • Possible mitigations to stop such attacks are explored
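The injection scenario above rests on one runner behaviour: every `${{ ... }}` expression in a step is expanded to its literal value before the script reaches the shell, so quoting inside the script cannot neutralise a value that contains shell syntax. The following Python is an added example (not the speakers' code) that reproduces that expansion offline and puts the misconfigured step beside the hardened form, where the untrusted field is passed through an environment variable instead. The workflow fragments, issue title and event context are constructed for the demo; `UNTRUSTED_PREFIXES` is a short illustrative list, not an exhaustive one.

```python
"""Expression injection in a GitHub Actions `run:` step, reproduced offline.

Constructed example. `render_step` imitates only the runner's expression
expansion: `${{ path }}` is replaced by the context value before the shell
ever sees the script. Payload, workflow text and context are made up here.
"""
import re
from typing import Dict, Tuple

EXPR_RE = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")

# Constructed attacker-controlled issue title: closes the quoted string,
# runs its own command, then re-opens a string so the line still parses.
PAYLOAD = 'Bug report"; echo INJECTED; echo "'
CONTEXT = {"github": {"event": {"issue": {"title": PAYLOAD}}}}

# Misconfigured step: the untrusted field is interpolated straight into code.
VULNERABLE_RUN = 'echo "Title: ${{ github.event.issue.title }}"'

# Hardened step: the field travels through an environment variable, so the
# shell receives it as data; the script text itself never changes.
HARDENED_RUN = 'echo "Title: $TITLE"'
HARDENED_ENV = {"TITLE": "${{ github.event.issue.title }}"}

# Illustrative context paths that someone outside the repository can populate.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.head_ref",
)


def lookup(context: dict, path: str) -> str:
    """Resolve a dotted context path such as github.event.issue.title."""
    node = context
    for part in path.split("."):
        node = node[part]
    return str(node)


def render_step(script: str, env: Dict[str, str], context: dict) -> Tuple[str, Dict[str, str]]:
    """Return (script, env) as the shell would receive them.

    Expressions are expanded in both places; what differs is where the
    expanded text lands. In the script it becomes code, in `env` it stays data.
    """
    def expand(text: str) -> str:
        return EXPR_RE.sub(lambda m: lookup(context, m.group(1)), text)
    return expand(script), {name: expand(value) for name, value in env.items()}


def step_is_injectable(script: str) -> bool:
    """Static check: does a run: script expand an attacker-influenced field?"""
    return any(m.group(1).startswith(UNTRUSTED_PREFIXES)
               for m in EXPR_RE.finditer(script))


if __name__ == "__main__":
    bad_script, _ = render_step(VULNERABLE_RUN, {}, CONTEXT)
    good_script, good_env = render_step(HARDENED_RUN, HARDENED_ENV, CONTEXT)
    print("vulnerable ->", bad_script)          # the shell now runs two extra commands
    print("hardened   ->", good_script, good_env)
    print("flagged:", step_is_injectable(VULNERABLE_RUN), step_is_injectable(HARDENED_RUN))
```

`step_is_injectable` is the shape of check a workflow linter applies: it looks at the script text alone, which is enough because the dangerous pattern is visible before any event arrives.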
Authors: Brandon Lum, Parth Patel
2022-06-21

tldr - powered by Generative AI

The presentation discusses the difficulty of locking down provenance metadata fields in Tekton and proposes a solution that uses SPIFFE/SPIRE for strong attestation and verification.
  • Tekton users have direct access to objects and their metadata fields, which makes provenance metadata fields hard to lock down
  • Different parts of a Kubernetes cluster are managed by different entities, which makes it challenging to restrict access to those fields
  • The TaskRun object becomes the main attack point for malicious actors
  • The proposed solution creates a trusted computing base and restricts access to the metadata fields
  • SPIFFE/SPIRE provides strong attestation and verification for the trusted computing base
  • Future work includes extending the solution to other custom resources and validating artifacts passed between tasks
Authors: Riotaro OKADA
2021-09-25

tldr - powered by Generative AI

The presentation discusses the challenges of implementing AppSec in DevOps and CI/CD and proposes solutions based on the experience of organizing the Hardening Project in Japan.
  • Shift left is important in integrating security early on in the development process
  • Development and security teams need to work together to maximize mutual understanding and cooperation
  • Risk profiling is important in designing effective security defenses
  • The Hardening Project in Japan is an eight-hour security competition that helps participants update their knowledge about incident response and improve their defenses
  • The competition involves dealing with technical failures, customer complaints, and public relations response
  • The Softening Day is a session where teams and attackers give presentations to share and summarize their activities and strategies
Authors: Gary Robinson
2021-09-24

tldr - powered by Generative AI

The presentation discusses the challenges of implementing DevSecOps and shifting left in organizations. It emphasizes the importance of planning and fitting security into the CI/CD process, as well as effective communication between security and development teams.
  • Challenge #1: Starting in the right way by planning the approach and understanding the aim of DevSecOps
  • Challenge #2: Fitting security into the CI/CD process and communicating effectively between security and development teams
  • Importance of understanding the long-term goals and considering the impact on future DevSecOps processes
  • Emphasis on efficiency and automation in DevSecOps
  • Advice to do research and look for other solutions to DevSecOps challenges