ashar


Hacking CI/CD Pipelines: Some Use Cases For Hacking CI/CD Orchestrators - Mauricio Cano - OWASP Netherlands

Abstract: In this talk, we will discuss the hacking of CI/CD orchestrators, with a focus on GitHub actions and what kind of things can be done from the perspective of a malicious insider. Some of the cases we will discuss are:

  • Secret enumeration.
  • Accessing infrastructure through runners.
  • Public runners vs. private runners.
  • Code injection in the pipeline and supply chain.
  • GitHub commit information.
  • Secret searching in the repository.

The goal is to provide a broad view of the attack surface that can be derived from CI/CD orchestrators and their runners, as well as to show a few demos of how this can be done.

Bio: Mauricio Cano is a cloud pentester focused on container technologies. In particular, he focuses on the security of containers and serverless architectures. He has pentested Kubernetes clusters and serverless architectures for several multinational financial institutions. Prior to his security work, he had a background in academia and earned a Ph.D. in Computer Science from the University of Groningen, focused on programming language design and formal methods to ensure correctness. In his spare time, Cano enjoys reading, cooking, and solving puzzles.

 

Open Source Security Podcast Episode 401 - Security skills shortage - We've tried nothing and the same thing keeps happening.

Josh and Kurt talk about the security skills shortage. We start out on the topic of cybersecurity skills and weave our way around a number of human-related problems in this space. The world of tech has a lot of weird problems and there's not a lot of movement to fix many of them. Tech is weird and hard, and the almost complete lack of regulation creates some of these challenges. In the world of security we need a better talent pipeline, but that takes actual effort, not just complaining on the internet.

 

In this episode of the Modern Security Podcast, we interviewed John Steven about scaling security teams and implementing a secure-by-default culture.

  • 6:23 - Intro to John Steven
  • 9:28 - Interesting efforts with AppSec & ProdSec to scale security
  • 10:20 - How to embrace secure defaults
  • 24:01 - Threat Modeling problems
  • 43:02 - Secure Control Efficacy Pyramid
  • 58:50 - Overcoming secure default friction
  • 1:04:12 - Advice for CISOs and startups

 

Darknet Diaries podcast 139: D3f4ult

This is the story of D3f4ult (twitter.com/_d3f4ult) from CWA. He was a hacktivist, upset with the state of the way things were, and wanted to make some changes. Changes were made.

JawnCon 0x0 (infosec.pub)
submitted 2 years ago* (last edited 2 years ago) by ashar to c/security_cpe
 

Understanding Value at Risk Helps Quantify Uncertainty, Gauge Cybersecurity

In a book he coauthored, Resilience Chief Risk Officer Rich Seiersen discusses shortcomings in risk management practices, and the value of quantitative language of risk analysis to cybersecurity.


BSidesMunich is the premier, independently organized computer security event in the Munich, Germany area, bringing together both local and internationally renowned experts. As an offshoot of our Meetup group, MUC:SEC, this conference extends our goals of bringing local computer security professionals together, exchanging ideas and experience and, most importantly, establishing trust relationships within our community. This event is free.

BSides Munich 2023 playlist

Schedule from the website


BruCON 0x0F Playlist

Schedule on the website

WHAT IS BRUCON

BruCON is an annual security and hacker() conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker() community.

 

How to Fix the Internet talks to James Mickens: The Philosopher King

https://www.youtube.com/watch?v=k4-7OitNo3M

Computer scientists often build algorithms with a keen focus on “solving the problem,” without considering the larger implications and potential misuses of the technology they’re creating. That’s how we wind up with machine learning that prevents qualified job applicants from advancing, or blocks mortgage applicants from buying homes, or creates miscarriages of justice in parole and other aspects of the criminal justice system.

James Mickens—a lifelong hacker, perennial wisecracker, and would-be philosopher-king who also happens to be a Harvard University professor of computer science—says we must educate computer scientists to consider the bigger picture early in their creative process. In a world where much of what we do each day involves computers of one sort or another, the process of creating technology must take into account the society it’s meant to serve, including the most vulnerable.

Mickens speaks with EFF's Cindy Cohn and Danny O’Brien about some of the problems inherent in educating computer scientists, and how fixing those problems might help us fix the internet.

In this episode you’ll learn about:

  • Why it’s important to include non-engineering voices, from historians and sociologists to people from marginalized communities, in the engineering process
  • The need to balance paying down our “tech debt”—cleaning up the messy, haphazard systems of yesteryear—with innovating new technologies
  • How to embed ethics education within computer engineering curricula so students can identify and overcome challenges before they’re encoded into new systems
  • Fostering transparency about how and by whom your data is used, and for whose profit
  • What we can learn from Søren Kierkegaard and Stan Lee about personal responsibility in technology
