BSides Tallinn 2024

Action Anomalies: A hacker's guide to GitHub Actions
2024-09-19, Stage 1

In the DevOps era of frequent releases, CI tools such as GitHub Actions are powerful platforms for enabling secure and rapid software releases, but what additional attack surface do these often privileged components bring with them? This talk covers a recent research project from Snyk Security Labs to understand GitHub Actions in depth and how they can be attacked to leak cloud environment access tokens and arbitrary secrets, and to achieve a full compromise of the repository. Security engineers, pentesters and bug hunters alike will come away knowing the threat landscape for GitHub's CI platform and, through case studies of high-impact vulnerabilities we have uncovered, be equipped to both exploit and secure GitHub Actions.

Elliot is a senior security researcher at software security company Snyk. He has a background in software engineering and application security.