Ep06: "GitHub Security horror stories " (with Steve Giguere)

https://is1-ssl.mzstatic.com/image/thumb/Podcasts126/v4/e2/69/ac/e269ac3a-fe0d-8b89-80dc-4d31b162bb21/mza_6753880242152877511.jpg/600x600bb.jpg

Tech Beats Unplugged

Cloud Dude

8 episodes

1 day ago

Welcome to Tech Beats Unplugged, the podcast where we dive into the dynamic world of technology, open source, cloud innovation, devops, Tech economics, and much more. Join us as we bring together experts, thought leaders, and innovators from diverse tech arenas and leading tech vendors. Here, we believe in creating a safe space where guests can freely share their opinions, insights, and experiences without any strings attached. It's a platform dedicated to unlocking knowledge, fostering meaningful discussions, and exploring the latest trends that shape the tech industry. Time to Tune in !

Technology

RSS

All content for Tech Beats Unplugged is the property of Cloud Dude and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://d3t3ozftmdmh3i.cloudfront.net/staging/podcast_uploaded_episode/6967131/6967131-1745525428072-f0c2460a8642c.jpg

Ep06: "GitHub Security horror stories " (with Steve Giguere)

Tech Beats Unplugged

1 hour 5 minutes 42 seconds

4 months ago

Ep06: "GitHub Security horror stories " (with Steve Giguere)

👨🏽‍🚀 Welcome to Episode 06 of "Tech Beats unplugged"

This time, we’re diving headfirst into 𝐭𝐡𝐞 𝐜𝐫𝐚𝐳𝐢𝐞𝐬𝐭 𝐆𝐢𝐭𝐇𝐮𝐛 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐬𝐭𝐨𝐫𝐢𝐞𝐬, and who better to join us than Steve Giguere, an industry veteran and security expert who’s seen it all.

From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.

🌟 We’re so excited to share our latest tech Beats show with you🧡! Please share away 🤗

We hope you'll enjoy it!!!

Topics discussed:

(00:00) Introduction
(03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
(09:15) “A workflow is an application within your application” - What does that mean?!
(12:16) Public vs. Private Repos - Are private orgs still at risk?
(18:27) Self-hosted runners: Safe or security nightmare?
(21:16) GitHub Environment Variables - How critical are they?
(22:55) Secrets, masks, and how secure they really are
(28:05) Artifact vs. Caching: Which is safer?
(31:27) Craziest GitHub security screw-ups Steve has ever seen 🔥
(36:42) Common attack vectors in GitHub Actions
(44:19) Best security practices for GitHub Actions - Low-hanging fruit fixes 🍏
(50:22) Are public actions safe? Can they be scanned?
(53:52) xz backdoor fiasco - Lessons from the latest supply chain attack
(59:00) NVD’s slowdown - What’s at stake?

Show Notes

CI/CD Goat (Deliberately vulnerable CI/CD environment): GitHub
GitHub cache poisoning: Cacheract Attack | ScribeSecurity
Your GitHub Secrets in Plain Text: CloudThrill
Ghat tool (Updating dependencies in GitHub Actions): GitHub
OpenSSF Scorecard: Website
The GitHub Worm (Asi Greenholts): Palo Alto Blog
OWASP Top 10 CI/CD Risks: OWASP
Heartbleed OpenSSL Exploit: Wikipedia

🎙About Steve Giguere:

⁠⁠⁠⁠Website: stevegiguere.com

LinkedIn: Steve Giguere
Book: Cloud Native Application Protection Platforms – O'Reilly
Personal Blog: Codifyre
Talk Lessons Learned from OSS and GitOps Journey: YouTube
OWASP Lisbon Talk: YouTube
StayWiredIn YouTube Show: StayWiredIn
DevSecOps Podcast: Spotify