Ep06: “GitHub Security horror stories” (with Steve Giguere)

๐Ÿ‘จ๐Ÿฝโ€๐Ÿš€ Welcome to Episode 06 of “Tech Beats unplugged”

This time, we’re diving headfirst into the craziest GitHub security stories, and who better to join us than Steve Giguere, an industry veteran and security expert who’s seen it all.

From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.

🌟 We’re so excited to share our latest Tech Beats show with you 🧡! Please share away 🤗

We hope you’ll enjoy it!!!

Topics discussed:

  1. (00:00) Introduction
  2. (03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
  3. (09:15) “A workflow is an application within your application” – What does that mean?!
  4. (12:16) Public vs. Private Repos – Are private orgs still at risk?
  5. (18:27) Self-hosted runners: Safe or security nightmare?
  6. (21:16) GitHub Environment Variables – How critical are they?
  7. (22:55) Secrets, masks, and how secure they really are
  8. (28:05) Artifact vs. Caching: Which is safer?
  9. (31:27) Craziest GitHub security screw-ups Steve has ever seen 🔥
  10. (36:42) Common attack vectors in GitHub Actions
  11. (44:19) Best security practices for GitHub Actions – Low-hanging fruit fixes 🍐
  12. (50:22) Are public actions safe? Can they be scanned?
  13. (53:52) xz backdoor fiasco – Lessons from the latest supply chain attack
  14. (59:00) NVD’s slowdown – What’s at stake?

Show Notes

🎙 About Steve Giguere: