logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Conference:  Defcon 31
Authors: Asi Greenholts Security Researcher at Palo Alto Networks
2023-08-01
GitHub is the most popular platform to host Open Source projects therefore, the popularity of their CI/CD platform - GitHub Actions is rising, which makes it an attractive target for attackers. In this talk I’ll show you how an attacker can take advantage of the Custom GitHub Actions ecosystem by infecting one Action to spread malicious code to other Actions and projects by showing you a demo of POC worm. We will start by exploring the ways in which Actions are loosely and implicitly dependent on other Actions. This will allow us to create a dependency tree of Actions that starts from a project that we want to attack and hopefully ends in a vulnerable Action that we can take control of. We will then dive down to how GitHub Actions is working under the hood and I’ll show you how an attacker that is in control of an Action can utilize the mechanism of the GitHub Actions Runner to infect other Actions that are dependent on their Action and eventually infect the targeted project. Finally, after we’ve gained all of the theoretical knowledge I’ll show you a demo with POC malware that is spreading through Actions and we will talk on how to defend against this kind of attack.
Tags:
GitHub
actions
CI/CD
Open Source
POC

What Role Do Package Registries Have in Securing the Supply Chain?

Conference:  SupplyChainSecurityCon 2022
Authors: Margaret Tucker, Justin Colannino
2022-06-22
This interactive session will discuss the important role of package registries in securing the open source software supply chain, as well as best practices and guiding principles for a secure package registry ecosystem. Maintainers have been managing risk in their ecosystems since the start and are the first line of defense for ecosystem code quality. But package registries also have a responsibility to protect developers depending on their package ecosystem and, ultimately, the end-users of the software. This responsibility to maintain safety and reliability must be balanced against the freedom and creativity of package maintainers whose skill, innovation, and gumption allow others to accomplish great things.
Tags:
package registries
Open Source
package ecosystems
package maintainers
end-users

Sponsored Session: Malicious Package Trends Compared With Malware Evolution

Conference:  SupplyChainSecurityCon 2022
Authors: Daniel Elkabes
2022-06-22

tldr - powered by Generative AI

Malicious packages are a growing threat to organizations and communities, costing billions of dollars in damages. Attackers use various techniques to exfiltrate private information and evade detection. The community is exploring solutions such as Salsa and S-BOM to reduce the risk, but categorizing malicious packages is still a challenge.
  • Malicious packages are a significant threat, costing billions of dollars in damages
  • Attackers use various techniques such as dependency hijacking, typo squatting, and brain jacking to exfiltrate private information and evade detection
  • Solutions such as Salsa and S-BOM are being explored to reduce the risk of malicious packages
  • Categorizing malicious packages is a challenge for the community
Tags:
malware
package managers
Open Source
Daniel
forecast

Panel Discussion: Summing Up the Summit: OpenSSF’s May 2022 Gathering and Action Plan

Conference:  SupplyChainSecurityCon 2022
Authors: David Wheeler, Brian Behlendorf, Trey Herr, Amelie Koran
2022-06-22

tldr - powered by Generative AI

The panel discussion summarizes the OpenSSF summit held in May 2022, which aimed to develop a mobilization plan for securing the open source ecosystem. The discussion focuses on the attitudes and progress of open source software security in the federal government and the input of developers and maintainers to the OpenSSF summit and mobilization plan.
  • The panelists introduce themselves and their backgrounds in technology and policy.
  • The Cyber Statecraft Initiative at the Atlantic Council has been working on software supply chain issues since 2019 and is collaborating with OpenSSF to bring more policy attention to open source security.
  • The OpenSSF mobilization plan includes ten work streams that prioritize different areas of open source security.
  • The panelists discuss the importance of prioritization and government demand signals in the mobilization plan.
  • The panelists also emphasize the need for more community engagement and volunteer contributions to the work streams.
  • The panelists reflect on the historical context of open source security and the usefulness of an S-bomb in incident response.
Tags:
Open Source
software security
federal government
Developers
maintainers

Sponsored Session: Software Supply Chain Threat Landscapes: A Moving Target

Conference:  SupplyChainSecurityCon 2022
Authors: Brian Fox
2022-06-21

tldr - powered by Generative AI

The presentation discusses the evolving threat landscape in software supply chains and the need for developer-first security tools.
  • Organized attackers are exploiting vulnerabilities in open source ecosystems by making their malware appear legitimate.
  • Security and development teams need to understand the cascading impacts and changing landscapes of these exploitations.
  • The supply chains of open source ecosystems are everywhere in the software development process.
  • The attacks are focused on the developers and the development infrastructure itself.
  • The development infrastructure can be a significant way into the rest of the organization.
  • The presentation emphasizes the need for developer-first security tools to address the evolving threat landscape.
Tags:
cybersecurity
Open Source
malware
vulnerabilities
exploits

Panel Discussion: How the Business Community is Working to Make the Open Source Software Supply Chain More Secure by Default

Conference:  SupplyChainSecurityCon 2022
Authors: Jory Burson, Andrew Aitken, Jeffrey Borek, Rao Lakkakula
2022-06-21

tldr - powered by Generative AI

The importance of software supply chain security and the need for organizations to prioritize knowledge and training in analyzing S-bombs.
  • Encouraging younger developers to get involved in software supply chain security
  • Creating a database to share and compare S-bombs
  • Training people to review and analyze S-bombs
  • Procurement as a gatekeeper to S-bomb adoption
  • The OpenCRE project as a way to develop a common format for regulations and standards
  • The importance of developing a constituency within an organization to address software supply chain security
Tags:
Open Source
companies
OpenSSF
community

Addressing Cybersecurity Challenges in Open Source Software

Conference:  SupplyChainSecurityCon 2022
Authors: Matt Jarvis, Steve Hendrick
2022-06-21

tldr - powered by Generative AI

The main theme of the conference presentation is the importance of involving developers in improving security knowledge and leveraging specialized security tools to automate security processes in DevOps. The presentation also emphasizes the need to rely on vendors for guidance and to follow best practices for security policy.
  • Involving developers in improving security knowledge and empowering them to make decisions based on guidance and feedback can be effective in improving security posture.
  • Leveraging specialized security tools, such as FAST, is crucial for providing guidance and insight for identifying security risks.
  • Relying on vendors for guidance and help in solving security problems is necessary due to the complexity of identifying security risks.
  • Automating security processes is essential for addressing security issues without impacting the speed of innovation.
  • Following best practices for security policy, such as those provided by the Linux Foundation's Secure Software Development course, can help organizations understand their current security posture and improve it over time.
Tags:
cybersecurity
Open Source
software
supply chain
vulnerabilities

Assessing the Risk of Open-source Components Using OpenSSF's Scorecard

Conference:  SupplyChainSecurityCon 2022
Authors: Naveen Srinivasan, Laurent Simon
2022-06-21

tldr - powered by Generative AI

Scorecard is a tool that helps users assess the security of their open source projects and dependencies on GitHub.
  • Scorecard checks for good practices, authentication, and over-privileged CI runs.
  • Scorecard flags empty patterns and warns about secrets in pull requests.
  • Scorecard can be installed as a GitHub action for projects and dependencies.
  • Scorecard alerts users to potential risks, such as unmaintained dependencies.
  • Scorecard is configurable and can be used to enforce policies at scale.
  • Scorecard plans to add support for more languages and improve configurability.
Tags:
Open Source
demand
Developers
downloads
growth

Fight Club | Grow your OWASP Chapter

Conference:  OWASP 20th Anniversary Event
Authors: Sam Stepanyan, Tom Brennan
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of OWASP chapters in advancing tactical knowledge and understanding software security. It emphasizes the value of membership and consistent meetings in recruiting attendees and building a community.
  • OWASP chapters are important in advancing tactical knowledge and understanding software security
  • Multiple people in the chapter should share a common bond and understanding
  • Understanding historical changes and policies can help utilize operational processes
  • OWASP has around 300 projects on its list, constantly growing every day
  • Existing projects can be used as content for meetings and collaboration
  • Recruiting attendees is not difficult if the focus is on software security
  • Membership is important in shaping the direction of the organization and building a global community
  • Consistent meetings and virtual components are useful in building a community
Tags:
Open Source
software
community
development
collaboration