BEGIN:VCALENDAR VERSION:2.0 PRODID:Data::ICal 0.24 BEGIN:VEVENT DESCRIPTION: 'Title: Attacking and Defending Software Supply Chains: How we got\n Admin in your Clouds!\n When: Friday\, Aug 9\, 14:30 - 15:10 PDT\n Where: LVCC West/Floor 1/Hall 2/HW2-09-01 - [1]Map\n\n Descripti on:\n\n This talk will explore how default configurations in reference\n architectures of our most commonly used software supply chain services\ n can lead to a handful of unsavory outcomes including secrets\n exfil tration\, lateral movement\, and privilege escalation within\n productio n cloud and SaaS environments. We'll take a close look at how\n many of the interactions between people and CI|CD services are not as\n safe as we think. Some examples we’ll look at:\n\n - Abusing PRs against Githu b repositories allows for execution of code prior to code review & merge\, for all downstream services (GH Actions\, Buildkite\, & Terraform)\n - Multi-tenant infrastructures in CI like Buildkite lead to over-authorizati on & access to production cloud secrets\n - Lacking Pipeline Based Acces s Control (PBAC) in CI services like Buildkite leads to code execution in production cloud environments \n\n After we identify the pitfalls in o ur by-default configurations\,\n we’ll demonstrate how best to modify them using available tools\,\n services\, & best practices.\n\n Speake rBio: Mike Ruth\n\n Mike is a Senior Staff Security Engineer at Ripplin g\, where he works\n on securing the world’s best All-In-One HR & IT P latform. Previously\n the technical lead for Infrastructure Security at companies such as\n Brex & Cruise\, Mike has over thirteen years of expe rience securing\,\n designing\, and deploying cloud infrastructure & Saa S services.\n\n '\n\n 1. #LVCCW_Level1_Hall2\n\n\n DTEND:20240809T221000Z DTSTART:20240809T213000Z LOCATION:CLV - LVCC West/Floor 1/Hall 2/HW2-09-01 SUMMARY:Attacking and Defending Software Supply Chains: How we got Admin in your Clouds! END:VEVENT END:VCALENDAR