Ep06: "GitHub Security horror stories" (with Steve Giguere)

👨🏽‍🚀 Welcome to Episode 06 of "Tech Beats unplugged". This time, we're diving headfirst into the craziest GitHub security stories, and who better to join us than Steve Giguere, an industry veteran and security expert who's seen it all. From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.

🌟 We're so excited to share our latest Tech Beats show with you 🧡! Please share away 🤗 We hope you'll enjoy it!

Topics discussed:
(00:00) Introduction
(03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
(09:15) "A workflow is an application within your application" - What does that mean?!
(12:16) Public vs. Private Repos - Are private orgs still at risk?
(18:27) Self-hosted runners: Safe or security nightmare?
(21:16) GitHub Environment Variables - How critical are they?
(22:55) Secrets, masks, and how secure they really are
(28:05) Artifact vs. Caching: Which is safer?
(31:27) Craziest GitHub security screw-ups Steve has ever seen 🔥
(36:42) Common attack vectors in GitHub Actions
(44:19) Best security practices for GitHub Actions - Low-hanging fruit fixes 🍏
(50:22) Are public actions safe? Can they be scanned?
(53:52) xz backdoor fiasco - Lessons from the latest supply chain attack
(59:00) NVD's slowdown - What's at stake?

Show Notes
CI/CD Goat (deliberately vulnerable CI/CD environment): GitHub
GitHub cache poisoning: Cacheract Attack | ScribeSecurity
Your GitHub Secrets in Plain Text: CloudThrill
Ghat tool (updating dependencies in GitHub Actions): GitHub
OpenSSF Scorecard: Website
The GitHub Worm (Asi Greenholts): Palo Alto Blog
OWASP Top 10 CI/CD Risks: OWASP
Heartbleed OpenSSL Exploit: Wikipedia

🎙 About Steve Giguere:
Website: stevegiguere.com
LinkedIn: Steve Giguere
Book: Cloud Native Application Protection Platforms – O'Reilly
Personal Blog: Codifyre
Talk "Lessons Learned from OSS and GitOps Journey": YouTube
OWASP Lisbon Talk: YouTube
StayWiredIn YouTube Show: StayWiredIn
DevSecOps Podcast: Spotify
