Actions have consequences: The overlooked Security Risks in 3rd party GitHub Actions

Presented at BSidesLV 2023, Aug. 9, 2023, 2:30 p.m. (Unknown duration)

After reviewing the build logs of public CI pipelines, I noticed security issues related to permissions and build integrity. To investigate the extent of the problem, I analyzed the build logs of the top 2,000 starred repositories on GitHub, and the results surprised even me. In this talk, I will share my findings on the prevalence of the world's most popular repositories that fail to manage their build permissions. Such failure can lead to severe consequences, such as creating tokens to access cloud resources or introducing malware to repository code and artifacts. Next, I will uncover the existence of "unpinnable actions." We will challenge a highly recommended countermeasure for protecting against compromised third-party actions: pinning. Pinning assures that the action's code cannot be tampered with. However, even when pinned, new malicious code can still sneak into your pipeline. I will share the conditions that make an action unpinnable and reveal the significant percentage of the world's most popular actions that we all use and pin, but are actually unpinnable.
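As an added illustration of the two checks the abstract describes (not code from the talk or its author), here is a small audit of a workflow file that flags `uses:` references not pinned to a full commit SHA, container images without a digest, and a missing or `write-all` `permissions:` block. The sample workflow is constructed; the check only covers references in the workflow itself, not the references a pinned composite action makes internally, which is the case the talk calls "unpinnable".

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
PERM_RE = re.compile(r"^\s*permissions:\s*(.*)$")

# Constructed sample workflow (not from the talk): one SHA-pinned action,
# one tag-pinned action, one local action and one tagged container image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - uses: actions/setup-node@v3
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.18
      - run: npm ci
"""


def audit_workflow(text):
    """Return a list of (kind, detail) findings for one workflow file."""
    findings = []
    saw_permissions = False
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action: versioned with the repository itself
            if ref.startswith("docker://"):
                if "@sha256:" not in ref:
                    findings.append(("mutable-image", ref))  # tag can be re-pushed
                continue
            _, _, version = ref.partition("@")
            if not SHA_RE.match(version):  # tag or branch: the maintainer can move it
                findings.append(("unpinned-action", ref))
            continue
        pm = PERM_RE.match(line)
        if pm:
            saw_permissions = True
            if pm.group(1).strip() == "write-all":
                findings.append(("broad-permissions", line.strip()))
    if not saw_permissions:
        findings.append(("no-permissions-block", "GITHUB_TOKEN keeps the repository default scope"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind}: {detail}")
```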

Presenters:

  • Yaron Avital
    Yaron Avital is a seasoned professional with a diverse background in the technology and cybersecurity fields. With a strong foundation in cutting-edge technologies gained from serving in a technological unit within the Israel Defense Forces (IDF), Yaron's career has spanned over 15 years in the private sector as a software engineer and team lead at global companies and startups. Driven by a passion for cybersecurity, Yaron transitioned into the role of security researcher, with expertise in application security, software supply chain security, web security research, and reverse engineering of third-party protocols.
