Details

Blank is the sponsor of this meetup! Thank you!

Agenda:

  • 17:00-17:30 : Food
  • 17:30-17:50 : How to get pwned by npm packages and weak settings in GitHub Actions - Erlend Åmdal
  • 18:00-18:45 : Open Policy Agent in-depth - Anders Eknert

How to get pwned by npm packages and weak settings in GitHub Actions
Do you know if your GitHub Actions workflows are secure? I will demonstrate a proof of concept of a supply chain attack that exploits weak security settings in a typical GitHub Actions workflow to do things you might not expect an npm package to be able to do, followed by a presentation of simple methods to prevent this kind of attack. Due to Actions' tight integration with the rest of the GitHub platform, the attack can easily target a repository's contents and metadata, including the issue tracker, pull requests and GitHub Packages. If you value the content on your issue tracker or publish to GitHub Packages and are curious about the security of GitHub Actions, this presentation might prove interesting and useful.
Erlend Åmdal is a software development consultant at Blank with a few years of industry experience. He is a passionate developer who strives for secure software. Having worked with various customers ranging from reMarkable to Autodesk, Erlend has been involved with several organizations depending on GitHub Actions and npm packages for their CI/CD, and knows a thing or two about securing this dependency.

Open Policy Agent in-depth
Should user Alice be allowed to read credit reports? Should a cloud compute instance be deployable without basic security configuration in place? Should service X be allowed to query the database?
Policy defines the rules of our systems, but how do we ensure our policies are enforced consistently in increasingly distributed and diverse tech stacks?
In this technical talk we’ll explore the benefits of decoupling policy from our applications, deployment pipelines and platforms, and how Open Policy Agent (OPA) and its policy language Rego work to unify policy enforcement across the whole stack.
Anders Eknert is a developer advocate at Styra with a long background in software development, security and identity systems in primarily distributed environments. When not in front of his computer he enjoys watching football, cooking and Belgian beers.
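The two abstracts meet in the pipeline: a policy, evaluated by OPA, that rejects a GitHub Actions workflow carrying the weak settings the first talk exploits. The Rego below is an added example written for this page; it is not code from either speaker, from Blank or from Styra. Its package name, rule messages, sample workflows and placeholder commit SHAs are made up, it assumes the workflow YAML has been parsed to JSON as input (the shape conftest hands to OPA), and `import rego.v1` assumes OPA 0.59 or newer.

```rego
# Added example: deny GitHub Actions workflows with weak settings.
# Input: one workflow file parsed from YAML into JSON (assumption).
package github.workflow

import rego.v1 # assumes OPA >= 0.59

# 1. No top-level permissions block: GITHUB_TOKEN gets the repository's
#    default scopes, which can be read/write on contents, issues, pull
#    requests and packages, exactly what a malicious package would want.
deny contains msg if {
	not input.permissions
	msg := "workflow has no top-level 'permissions'; GITHUB_TOKEN gets the repository default scopes"
}

# 2. An action referenced by a mutable tag (v3, main) can be swapped out
#    upstream; require a full 40-hex commit SHA.
deny contains msg if {
	some job_name, job in input.jobs
	some step in job.steps
	uses := step.uses
	not regex.match(`@[0-9a-f]{40}$`, uses)
	msg := sprintf("job %q: action %q is not pinned to a commit SHA", [job_name, uses])
}

# 3. npm ci/install without --ignore-scripts runs package lifecycle scripts
#    (preinstall/postinstall) on the runner with the job's credentials.
deny contains msg if {
	some job_name, job in input.jobs
	some step in job.steps
	run := step.run
	regex.match(`(^|\s)npm\s+(ci|install|i)(\s|$)`, run)
	not contains(run, "--ignore-scripts")
	msg := sprintf("job %q: step %q runs npm lifecycle scripts", [job_name, run])
}

# 4. actions/checkout stores GITHUB_TOKEN in .git/config by default, so any
#    later script in the job (an npm postinstall, say) can read it.
deny contains msg if {
	some job_name, job in input.jobs
	some step in job.steps
	startswith(step.uses, "actions/checkout@")
	not step["with"]["persist-credentials"] == false
	msg := sprintf("job %q: actions/checkout leaves the token in .git/config", [job_name])
}

# Constructed sample inputs for `opa test` (not real workflows; SHAs are placeholders).
weak_workflow := {
	"on": ["pull_request"],
	"jobs": {"test": {
		"runs-on": "ubuntu-latest",
		"steps": [
			{"uses": "actions/checkout@v3"},
			{"uses": "actions/setup-node@v3", "with": {"node-version": 18}},
			{"run": "npm ci"},
			{"run": "npm test"},
		],
	}},
}

hardened_workflow := {
	"on": ["pull_request"],
	"permissions": {"contents": "read"},
	"jobs": {"test": {
		"runs-on": "ubuntu-latest",
		"steps": [
			{"uses": "actions/checkout@0000000000000000000000000000000000000000", "with": {"persist-credentials": false}},
			{"uses": "actions/setup-node@1111111111111111111111111111111111111111", "with": {"node-version": 18}},
			{"run": "npm ci --ignore-scripts"},
			{"run": "npm test"},
		],
	}},
}

# Weak workflow trips all four rules (the unpinned check fires twice): 5 messages.
test_weak_workflow_is_denied if {
	count(deny) == 5 with input as weak_workflow
}

test_hardened_workflow_passes if {
	count(deny) == 0 with input as hardened_workflow
}
```

Run `opa test policy.rego` to execute the two test rules, or `opa eval -i workflow.json -d policy.rego 'data.github.workflow.deny'` against a real workflow converted to JSON. The policy lives outside the repository's CI code, which is the decoupling the OPA talk argues for: the same rules can gate every workflow in an organization without editing each one. Rule 3 only inspects the command line, so a lifecycle-script setting in `.npmrc` would need a separate check.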

Related topics

Events in Oslo, NO
Application Security
Cloud Security
Computer Security
Web Application Security