Thursday 

Room 1 

10:20 - 11:20 

(UTC+02)

Talk (60 min)

Abusing GitHub for fun and profit: Actions and Codespaces Security 

This presentation will examine the security exposures in GitHub Actions and GitHub Codespaces, two popular features of the widely used code-hosting platform GitHub. In 2019, GitHub released its own CI tool called GitHub Actions (GHA). GitHub Actions helps you automate tasks within your software development life cycle, and it has been gaining a lot of adoption from developers. In addition, GitHub Codespaces, initially in preview for specific users, became widely available for free in November 2022. This cloud-based IDE (Integrated Development Environment) allows developers and organizations to customize projects by configuring dev-container files, easing earlier pain points in project development.

Security
Cloud
DevOps
Microsoft
Fun

The talk will explore how attackers can abuse these cloud services to achieve their malicious goals, whether for crypto mining, delivering malware, or attacking other targets inside or outside Azure. The audience will learn about real-world exploitation scenarios from cybercriminals and proofs of concept from our threat modeling analysis, and will be provided with practical tips to detect, avoid or prevent attacks and to secure their codebases and pipelines. The presentation aims to raise awareness of the potential abuses associated with attackers using GitHub Actions and Codespaces and to encourage best practices in protecting your software supply chain platform.

Magno Logan

Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container and Application Security Research, Threat Modelling and Red Teaming. He has been tapped as a resource speaker for numerous security conferences around the globe. He is also a member of the CNCF SIG-Security team.

Nitesh Surana

Nitesh Surana is a Threat Researcher with over two years of experience at Trend Micro. His passion revolves around Cloud Vulnerability & Security Research, Threat Hunting, Threat Modeling, Detection Engineering, and building honeypots targeting Cloud and Container environments, amongst others. With three years of experience, Nitesh has a track record of discovering and reporting security issues to various companies/startups and governments. His findings have been recognized by the US Department of Defense (DoD), ZDNet, BleepingComputer, TheHackerNews, and Dark Reading. In addition to his previous work in a Managed SOC and Purple Teaming, Nitesh has presented at events such as the Null/OWASP Meetups, 7th Annual DynamicCISO Summit 2020, DecodePH 2021, c0c0n XV 2022, and Security BSides Delhi 2022. When he's not working, Nitesh enjoys playing CTFs, attending concerts, and playing music.