13:40 - 14:40
Talk (60 min)
Abusing GitHub for fun and profit: Actions and Codespaces Security
This presentation will examine the security exposures in GitHub Actions and GitHub Codespaces, two popular features of the widely used code-hosting platform GitHub. In 2019, GitHub released its own CI tool called GitHub Actions (GHA). GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. In addition, GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based IDE (Integrated Developer Environments) allows developers and organizations to customize projects via configuring dev-container files, easing earlier pain points in project development.
The talk will explore how attackers can abuse these cloud services to achieve their malicious goals, either for crypto mining, delivering malware, or using it to attack other targets inside or outside Azure. The audience will learn about real-world exploitation scenarios from cybercriminals and proof of concepts from our threat modeling analysis and be provided with practical tips to detect, avoid or prevent attacks and secure their codebases and pipelines. The presentation aims to raise awareness of the potential abuses associated with attackers using GitHub Actions and Codespaces and to encourage best practices in protecting your software supply chain platform.