Workshop 1: GitHub Actions 101 - Creating a DevSecOps Pipeline

More organizations are applying a DevOps methodology to optimize software development. One of the main tools in this process is a continuous integration (CI) tool, which automates the integration and testing of code changes from multiple developers working on the same project. In 2019, GitHub released its own CI tool, GitHub Actions. According to GitHub, GitHub Actions help you automate tasks within your software development life cycle, and it has been gaining a lot of adoption among developers.

This workshop will demonstrate how GitHub Actions work and show security tools that protect your applications from attackers. First, we’ll dive deeply into Actions, their language, and the runners (the servers provided by GitHub to execute your Actions). Then, we’ll show how to run SAST, DAST, and SCA in your pipeline with open source or free tools, using only GitHub Actions. We’ll set up an Action for each tool to scan our application for security vulnerabilities at every pull request. We’ll leverage SonarCloud for SAST, OWASP ZAP for DAST, and Snyk for SCA.

Outline:

  1. GitHub Actions
     - What they are
     - Main components
     - How they work
     - Self-hosted runners
     - Creating your first action
  2. SAST in CI/CD
     - Benefits and considerations
     - Semgrep
     - CodeQL
     - Integrating with GitHub Actions
  3. DAST in CI/CD
     - Main concerns
     - OWASP ZAP
     - Nuclei
     - Integrating with GitHub Actions
  4. SCA in CI/CD
     - Advantages and when to run
     - Dependabot
     - Dependency Check
     - Integrating with GitHub Actions

Bio: As an Information Security Specialist, Magno Logan specializes in various subjects, including Cloud, Container, and Application Security Research, Threat Modeling, and Kubernetes Security. He holds multiple international certifications and is a sought-after speaker at security conferences worldwide, having presented in Canada, the US, Brazil, and across Europe. In addition to his professional accomplishments, Magno is the founder of the JampaSec Security Conference and the OWASP Paraiba Chapter. He has previously served as a Snyk Ambassador and as a member of the CNCF Security TAG, Kubernetes SIG Security, and OpenSSF.

Workshop 2: Reverse Engineering For Malware Analysis Workshop

Reverse engineering is a useful skill when you want to really understand what a program does. While most of this knowledge can be applied across different types of software, reversing malware presents its own unique challenges, the first being that the author usually doesn’t want you to analyze it.

In this hands-on workshop, we are going to look at various techniques used by malware creators. We will also cover issues specifically related to reversing malware, including:

  • Basics of Windows internals and the Windows API
  • Some anti-analysis techniques
  • Multi-stage deployment
  • Analysis of Command and Control (C&C) network communication

Requirements:
We will provide a virtual machine with the required tools pre-installed, including Ghidra. However, feel free to install and use your preferred reverse engineering tool (IDA, Binary Ninja, Iaito, etc.).

Attendees are expected to have at least a basic understanding of one low-level programming language, such as C/C++.

Knowledge of the following is not required but will be useful (if you want to prepare beforehand):

  • x64 assembly
  • Software debugging
  • A scripting language of your choice
  • Operating systems fundamentals

Bio: Alexandre has been a malware researcher at ESET since 2021. Working with the Montreal team, his research is focused on tracking APT groups and their toolsets. He has previously presented on APTs and attribution at Botconf, Sleuthcon, Hackfest, and BSidesMTL. He is also involved in mentoring students getting started in infosec. His interests include operating systems fundamentals and writing shell scripts to automate tasks that don’t always need to be automated.

Limited seating

Registration for the workshops is available with the purchase of a ticket. A small fee is required to show commitment. Please note that the workshop will be in English.