Abstract:
In the age of rapid digital transformation, CI/CD pipelines are the backbone of modern software development, driving faster delivery and innovation. However, this speed introduces security risks that, if exploited, can cripple systems. This presentation will explore critical vulnerabilities in CI/CD workflows, such as secrets mismanagement, dependency risks, and pipeline misconfigurations.
We will demonstrate how to integrate security into CI/CD pipelines using GitHub Actions, showcasing safe practices for securing workflows, identifying malicious activity, and managing secrets. Key categories of tooling, including SAST and DAST, secret scanning, and dependency analysis, will be discussed. Through case studies such as the PHP Git infrastructure compromise and the Dependency Confusion attack, we will highlight the importance of proactive security measures. Best practices for fortifying pipelines, including least-privilege access and centralized logging, will also be covered.
Upasana Raghav is a Security Intern specializing in application security, API security, and mobile security. With a strong passion for discovering vulnerabilities and bugs in websites, she finds the process itself exciting, which fuels her enthusiasm for ethical hacking.