Session Name: Pwning the CI Workflow (and How to Prevent It)
Our journey to open source and GitOps heaven has exposed new security challenges, because our CI platforms are now also exposed to the outside world. The soft underbelly of our development pipeline is as visible to willing contributors as it is to malicious subversives. In this talk, we'll look at some known abuses of, and exploits against, GitHub Actions workflows to show how simple CI misconfigurations or straight-up bad practices can leave our supply chain wide open to attackers. We'll also highlight the best practices required to mitigate these risks!
I started my cyber security life by being kicked out of high school computing class for privilege escalation on the school Linux system. I changed the teacher's password to "peaches". Since then I've spent time writing software in the aero, telecoms, and automotive industries largely ensuring things do not crash while improving velocity and efficiency. With quality, safety, and security as a focus for over 25 years in software development, I'm now a dedicated DevSecOps community champion and developer advocate for Bridgecrew and Palo Alto Networks.