Thursday 

Room 1 

10:20 - 11:20 (UTC+02)

Talk (60 min)

Abusing GitHub for fun and profit: Actions and Codespaces Security 

This presentation will examine the security exposures in GitHub Actions and GitHub Codespaces, two popular features of the widely used code-hosting platform GitHub. In 2019, GitHub released its own CI tool called GitHub Actions (GHA). GitHub Actions helps you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. In addition, GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based IDE (Integrated Development Environment) allows developers and organizations to customize projects by configuring dev-container files, easing earlier pain points in project development.

Security
Cloud
DevOps
Microsoft
Fun

The talk will explore how attackers can abuse these cloud services to achieve their malicious goals, whether for crypto mining, for delivering malware, or for attacking other targets inside or outside Azure. The audience will learn about real-world exploitation scenarios from cybercriminals and proof of concepts from our threat modeling analysis, and will be provided with practical tips to detect, avoid or prevent attacks and to secure their codebases and pipelines. The presentation aims to raise awareness of the potential abuses associated with attackers using GitHub Actions and Codespaces, and to encourage best practices in protecting your software supply chain platform.

Magno Logan

Magno is an information security specialist with a focus on application, cloud, and container security, as well as DevSecOps, currently working at Jane as a Staff Security Engineer. He leads the security champions program, among other security enablement activities. Before Jane, he worked at Okta and Trend Micro. He is a speaker at worldwide security conferences, including DEFCON, OWASP AppSec, SecTor, NorthSec, and BSides, among others. He holds certifications from multiple organizations, including SANS, CompTIA, EC-Council, AWS, and Microsoft.

Nitesh Surana

Nitesh Surana is a Threat Researcher with over two years of experience at Trend Micro. His passion revolves around Cloud Vulnerability & Security Research, Threat Hunting, Threat Modeling, Detection Engineering, and building honeypots targeting Cloud and Container environments, amongst others. With three years of experience, Nitesh has a track record of discovering and reporting security issues to various companies, startups and governments. His findings have been recognized by the US Department of Defense (DoD), ZDNet, BleepingComputer, TheHackerNews, and Dark Reading. In addition to his previous work in a Managed SOC and Purple Teaming, Nitesh has presented at events such as the Null/OWASP Meetups, the 7th Annual DynamicCISO Summit 2020, DecodePH 2021, c0c0n XV 2022, and Security BSides Delhi 2022. When he's not working, Nitesh enjoys playing CTFs, attending concerts, and playing music.