Sign up to save your podcasts
Or
Share Ep06: "GitHub Security horror stories " (withย Steveย Giguere)
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ep06: "GitHub Security horror stories " (withย Steveย Giguere)
๐จ๐ฝโ๐ Welcome to Episode 06 of "Tech Beats unplugged"
This time, weโre diving headfirst into ๐ญ๐ก๐ ๐๐ซ๐๐ณ๐ข๐๐ฌ๐ญ ๐๐ข๐ญ๐๐ฎ๐ ๐ฌ๐๐๐ฎ๐ซ๐ข๐ญ๐ฒ ๐ฌ๐ญ๐จ๐ซ๐ข๐๐ฌ, and who better to join us than Steve Giguere, an industry veteran and security expert whoโs seen it all.
From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.
๐ Weโre so excited to share our latest tech Beats show with you๐งก! Please share away ๐ค
We hope you'll enjoy it!!!
Topics discussed:
- (00:00) Introduction
- (03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
- (09:15) โA workflow is an application within your applicationโ - What does that mean?!
- (12:16) Public vs. Private Repos - Are private orgs still at risk?
- (18:27) Self-hosted runners: Safe or security nightmare?
- (21:16) GitHub Environment Variables - How critical are they?
- (22:55) Secrets, masks, and how secure they really are
- (28:05) Artifact vs. Caching: Which is safer?
- (31:27) Craziest GitHub security screw-ups Steve has ever seen ๐ฅ
- (36:42) Common attack vectors in GitHub Actions
- (44:19) Best security practices for GitHub Actions - Low-hanging fruit fixes ๐
- (50:22) Are public actions safe? Can they be scanned?
- (53:52) xz backdoor fiasco - Lessons from the latest supply chain attack
- (59:00) NVDโs slowdown - Whatโs at stake?
Show Notes
CI/CD Goat (Deliberately vulnerable CI/CD environment): GitHub
GitHub cache poisoning: Cacheract Attack | ScribeSecurity
Your GitHub Secrets in Plain Text: CloudThrill
Ghat tool (Updating dependencies in GitHub Actions): GitHub
OpenSSF Scorecard: Website
The GitHub Worm (Asi Greenholts): Palo Alto Blog
OWASP Top 10 CI/CD Risks: OWASP
Heartbleed OpenSSL Exploit: Wikipedia
๐About Steve Giguere:
- โ โ โ โ Website: stevegiguere.com
LinkedIn: Steve Giguere
Book: Cloud Native Application Protection Platforms โ O'Reilly
Personal Blog: Codifyre
Talk Lessons Learned from OSS and GitOps Journey: YouTube
OWASP Lisbon Talk: YouTube
StayWiredIn YouTube Show: StayWiredIn
DevSecOps Podcast: Spotify
View all episodes
By Cloud Dude๐จ๐ฝโ๐ Welcome to Episode 06 of "Tech Beats unplugged"
This time, weโre diving headfirst into ๐ญ๐ก๐ ๐๐ซ๐๐ณ๐ข๐๐ฌ๐ญ ๐๐ข๐ญ๐๐ฎ๐ ๐ฌ๐๐๐ฎ๐ซ๐ข๐ญ๐ฒ ๐ฌ๐ญ๐จ๐ซ๐ข๐๐ฌ, and who better to join us than Steve Giguere, an industry veteran and security expert whoโs seen it all.
From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.
๐ Weโre so excited to share our latest tech Beats show with you๐งก! Please share away ๐ค
We hope you'll enjoy it!!!
Topics discussed:
- (00:00) Introduction
- (03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
- (09:15) โA workflow is an application within your applicationโ - What does that mean?!
- (12:16) Public vs. Private Repos - Are private orgs still at risk?
- (18:27) Self-hosted runners: Safe or security nightmare?
- (21:16) GitHub Environment Variables - How critical are they?
- (22:55) Secrets, masks, and how secure they really are
- (28:05) Artifact vs. Caching: Which is safer?
- (31:27) Craziest GitHub security screw-ups Steve has ever seen ๐ฅ
- (36:42) Common attack vectors in GitHub Actions
- (44:19) Best security practices for GitHub Actions - Low-hanging fruit fixes ๐
- (50:22) Are public actions safe? Can they be scanned?
- (53:52) xz backdoor fiasco - Lessons from the latest supply chain attack
- (59:00) NVDโs slowdown - Whatโs at stake?
Show Notes
CI/CD Goat (Deliberately vulnerable CI/CD environment): GitHub
GitHub cache poisoning: Cacheract Attack | ScribeSecurity
Your GitHub Secrets in Plain Text: CloudThrill
Ghat tool (Updating dependencies in GitHub Actions): GitHub
OpenSSF Scorecard: Website
The GitHub Worm (Asi Greenholts): Palo Alto Blog
OWASP Top 10 CI/CD Risks: OWASP
Heartbleed OpenSSL Exploit: Wikipedia
๐About Steve Giguere:
- โ โ โ โ Website: stevegiguere.com
LinkedIn: Steve Giguere
Book: Cloud Native Application Protection Platforms โ O'Reilly
Personal Blog: Codifyre
Talk Lessons Learned from OSS and GitOps Journey: YouTube
OWASP Lisbon Talk: YouTube
StayWiredIn YouTube Show: StayWiredIn
DevSecOps Podcast: Spotify