Thursday, Room 2, 11:40 - 12:40 (UTC+01), Talk (60 min)

GitHub Actions: A Cloudy Day for Security

GitHub Actions is a popular CI/CD tool that allows developers to automate their workflows, to do things like run tests or deploy code. In this day and age, deployment often happens to the cloud, and this talk will focus on the many security pitfalls that can happen when integrating GitHub Actions with the major cloud providers (Azure, GCP and AWS).

Cloud Security
DevOps
Hacking

This talk will cover how such integration is done, and in particular how it is done both securely and not-so-securely. The state-of-the-art way to do this is through OIDC/federated identity, which allows access to protected resources without needing to manage secrets. However, there are many ways of misconfiguring this that leave your workflows vulnerable to lateral movement, privilege escalation and more. There will also be examples of real-world security vulnerabilities we've seen in the wild related to GitHub Actions (mostly integrating with Azure).
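As an added illustration of the federation misconfigurations the abstract alludes to (this is not material from the talk or from Binary Security), the script below audits the conditions a cloud trust policy places on GitHub Actions OIDC tokens. It uses the AWS IAM trust-policy shape (`sts:AssumeRoleWithWebIdentity` with `token.actions.githubusercontent.com:sub` / `:aud` condition keys); the two policies, the organisation and repository names and the `audit_trust_policy` / `admitted_subjects` helpers are constructed for the example. The same checks apply to an Azure federated credential's issuer, subject and audience fields.

```python
"""Audit the subject and audience conditions a cloud trust policy places on
GitHub Actions OIDC tokens.  Constructed example, not code from the talk.

A GitHub Actions OIDC token carries a 'sub' claim such as
    repo:<org>/<repo>:ref:refs/heads/main
    repo:<org>/<repo>:environment:<name>
    repo:<org>/<repo>:pull_request
The cloud side should pin the issuer, the audience and a narrowly scoped
subject.  A wildcard in the org/repo portion lets other repositories assume
the role; a missing audience check lets a token minted for another service
be presented here instead.
"""
import fnmatch
import json

GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_ISSUER + ":sub"
AUD_KEY = GITHUB_ISSUER + ":aud"
WILDCARDS = "*?"  # characters that IAM's StringLike operator treats as patterns

# Constructed sample: the subject pattern admits every repository in the
# organisation and the audience is never checked.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {SUB_KEY: "repo:example-org/*"}},
    }],
})

# Constructed sample: the same trust relationship scoped to one repository's
# production environment, with the audience pinned as well.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            AUD_KEY: "sts.amazonaws.com",
            SUB_KEY: "repo:example-org/deploy-service:environment:production",
        }},
    }],
})


def _statement_conditions(policy_json):
    """Yield, per Allow statement for AssumeRoleWithWebIdentity, a list of
    (operator, key, value) triples flattened from its Condition block."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        triples = []
        for op, kv in stmt.get("Condition", {}).items():
            for key, value in kv.items():
                for v in (value if isinstance(value, list) else [value]):
                    triples.append((op, key, v))
        yield triples


def subject_issue(op, sub):
    """Return a finding for one subject condition, or None if it is tightly scoped."""
    pattern = "StringLike" in op  # under StringEquals a '*' is a literal, not a wildcard
    parts = sub.split(":")
    if len(parts) < 2 or parts[0] != "repo":
        return "UNEXPECTED_FORMAT: " + sub
    org_repo, qualifier = parts[1], ":".join(parts[2:])
    if pattern and any(c in org_repo for c in WILDCARDS):
        return "WILDCARD_REPO: %s admits repositories other than the intended one" % sub
    if not qualifier:
        return "UNPINNED_SUBJECT: %s names no ref, environment or event (matches no token as written)" % sub
    if pattern and any(c in qualifier for c in WILDCARDS):
        return "BROAD_QUALIFIER: %s admits every ref, environment or event matching the wildcard" % sub
    return None


def audit_trust_policy(policy_json):
    """Return a list of findings (empty when every statement is tightly scoped)."""
    findings = []
    for conds in _statement_conditions(policy_json):
        subs = [(op, v) for op, k, v in conds if k == SUB_KEY]
        auds = [v for op, k, v in conds if k == AUD_KEY]
        if not subs:
            findings.append("NO_SUBJECT: any repository the provider trusts can assume the role")
        if not auds:
            findings.append("NO_AUDIENCE: the token audience is not checked")
        findings.extend(f for f in (subject_issue(op, s) for op, s in subs) if f)
    return findings


def admitted_subjects(policy_json, token_subjects):
    """Return the token subjects that at least one statement's sub conditions admit.
    Only the subject condition is evaluated; issuer and audience are assumed pinned."""
    admitted = []
    for sub in token_subjects:
        for conds in _statement_conditions(policy_json):
            by_op = {}
            for op, k, v in conds:
                if k == SUB_KEY:
                    by_op.setdefault(op, []).append(v)
            # IAM semantics: operators are ANDed, values under one key are ORed.
            ok = all(any(fnmatch.fnmatchcase(sub, v) if "StringLike" in op else sub == v
                         for v in vals) for op, vals in by_op.items())
            if ok:
                admitted.append(sub)
                break
    return admitted


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_trust_policy(policy) or ["OK"])
```

Running the script prints the findings for both constructed policies; `admitted_subjects` can then be fed the subjects of the workflows that are supposed to deploy, and any extra subject it admits is a repository or branch that should not be able to assume the role.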

Sofia Lindqvist

Sofia works as a security specialist at Binary Security. She started her career with a PhD in pure maths, followed by three years at Cisco developing one of their networking OSs. She eventually made her way into security testing, which she has been doing for two years.