Ep06: “GitHub Security horror stories ” (with Steve Giguere)

👨🏽‍🚀 Welcome to Episode 06 of “Tech Beats unplugged”

This time, we’re diving headfirst into 𝐭𝐡𝐞 𝐜𝐫𝐚𝐳𝐢𝐞𝐬𝐭 𝐆𝐢𝐭𝐇𝐮𝐛 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐬𝐭𝐨𝐫𝐢𝐞𝐬, and who better to join us than Steve Giguere, an industry veteran and security expert who’s seen it all.

From supply chain security mayhem to GitHub Actions gone wrong, we uncover real-world security blunders, attack vectors, and best practices to keep your repos and workflows safe.

🌟 We’re so excited to share our latest tech Beats show with you🧡! Please share away 🤗

We hope you’ll enjoy it!!!

Topics discussed:

  1. (00:00) Introduction
  2. (03:53) Software Supply Chain Security acronyms (SAST, DAST, IAST, etc.)
  3. (09:15) “A workflow is an application within your application” – What does that mean?!
  4. (12:16) Public vs. Private Repos – Are private orgs still at risk?
  5. (18:27) Self-hosted runners: Safe or security nightmare?
  6. (21:16) GitHub Environment Variables – How critical are they?
  7. (22:55) Secrets, masks, and how secure they really are
  8. (28:05) Artifact vs. Caching: Which is safer?
  9. (31:27) Craziest GitHub security screw-ups Steve has ever seen 🔥
  10. (36:42) Common attack vectors in GitHub Actions
  11. (44:19) Best security practices for GitHub Actions – Low-hanging fruit fixes 🍏
  12. (50:22) Are public actions safe? Can they be scanned?
  13. (53:52) xz backdoor fiasco – Lessons from the latest supply chain attack
  14. (59:00) NVD’s slowdown – What’s at stake?

Show Notes

🎙About Steve Giguere: