Authors: Magno Logan
2023-02-15

tldr - powered by Generative AI

The presentation discusses the vulnerabilities, attacks, and countermeasures related to GitHub Actions, a continuous integration tool used in the DevOps methodology.
  • GitHub Actions automate tasks in the software development life cycle
  • The presentation demonstrates the risks of using Runners, the servers provided by GitHub to run Actions
  • Attackers can leverage Runners to mine cryptocurrencies, pivot into other targets, and distribute backdoors into different repositories
  • The problem of third-party dependencies via the GitHub Actions Marketplace is highlighted
  • Creating a fake GitHub Action can make runners act as bots to target other victims and be used in supply-chain attacks
Authors: Varun Sharma
2022-06-23

tldr - powered by Generative AI

The talk covers the importance of setting minimum permissions for the GITHUB_TOKEN and how the open-source project SecureWorkflows can automatically restrict permissions for the token.
  • GitHub Actions is a CI/CD platform with over 2 million workflows used by open-source projects, and each workflow run gets a GITHUB_TOKEN.
  • Restricting permissions for the GITHUB_TOKEN is recommended by GitHub and by the Open Source Security Foundation (OSSF) Security Scorecards.
  • Setting permissions for the token is difficult and time-consuming, as different GitHub Actions require different permissions.
  • SecureWorkflows is an open-source project that can automatically set minimum permissions for the GITHUB_TOKEN, based on a knowledge base of the permissions required by common GitHub Actions.
  • SecureWorkflows has been used to set token permissions for hundreds of workflows, including the GitHub Actions starter workflows, and is recommended by OSSF Scorecards as the fix for token permissions.
  • The importance of setting minimum permissions for the GITHUB_TOKEN is illustrated by the story of a supply chain attack on the VS Code GitHub repository, where a security researcher was able to push a commit to a release branch using a GitHub Actions workflow and an injected token that had `contents: write` permission.
Authors: Ronen Slavin, Alex Ilgayev
2022-06-22

tldr - powered by Generative AI

The presentation discusses the security landscape of GitHub Actions and the potential vulnerabilities that can arise from misconfigurations. The focus is on code injection as the main exploit scenario and the consequences that can result from such attacks.
  • GitHub Actions is a popular CI/CD tool that allows developers to automate development workflows easily
  • Misconfigurations in GitHub Actions can lead to potential vulnerabilities
  • Code injection is a common exploit that can result from misconfigurations
  • The consequences of such attacks can be disastrous, including exposing secrets and allowing attackers to commit malicious code
  • Possible mitigations to stop such attacks are explored
Authors: Daniel Krasnokucki
2021-09-24

Abstract: Having security testing in the pipeline is getting more and more popular; I would say it is becoming a standard! But what are we doing with the findings? What are we automating, and how are we using the automation? The presentation will cover security-as-code practices to integrate security testing into the CI and CD pipelines, but in addition I will discuss the part of the testing that cannot be automated, which is penetration testing. How do you connect it with your automated testing, and what is the role of penetration testing in monitoring? I will show how it affects the next round of the process and what the process should look like. During the presentation I will discuss real use cases from different pipelines and security tools, showing pros and cons, advantages and challenges. The demo will include GitHub Actions and open-source tools like OWASP ZAP, and examples will be provided with pipeline-as-code and security-as-code: real-life use cases and examples with step-by-step instructions on how the development process in a mature state of DevSecOps should look.