ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Mon 15 Apr 2024 10:10 - 10:30 at Amadeo de Souza-Cardoso - Developing secure software Chair(s): Awais Rashid

Hassan Onsori Delicheh, Tom Mens. University of Mons, Belgium


Collaborative practices have revolutionised the software development process, enabling distributed teams to seamlessly work together. Social coding platforms have integrated CI/CD automation workflows, with GitHub Actions emerging as a prominent automation ecosystem for GitHub repositories. While automation brings efficiency, it also introduces security challenges, often related to software supply chain attacks and workflow misconfigurations. We outline the security issues associated with the software supply chain of GitHub Actions workflows, most notably their reusable Actions and their dependencies. We also explore the security risks associated with misconfigurations of repositories and workflows, such as poor permission management, command injection, and credential exposure. To mitigate these risks we suggest practical remediations, including dependency and security monitoring, pinning Actions, strict access control, verified creator practices, secret scanning tools, raising awareness, and training. In doing so, we provide valuable insights on the need to integrate security seamlessly into the automated collaborative software development processes. To enhance the security of workflow automation within GitHub repositories we encourage a proactive approach and advocate for the adoption of best practices.

Mon 15 Apr

Displayed time zone: Lisbon change

09:00 - 10:30
Developing secure softwareEnCyCriS/SVM at Amadeo de Souza-Cardoso
Chair(s): Awais Rashid University of Bristol, UK
Day opening
Wokshop opening
W: Coralie Esnoul Institute For Energy Technology (IFE)
Keynote: If you build it, they (probably) won’t come
K: Adam Joinson School of Management University of Bath
WasmCFuzz: Structure-aware Fuzzing for Wasm Compilers
A: Xiangwei Zhang College of Intelligence and Computing, Tianjin University, A: Junjie Wang College of Intelligence and Computing, Tianjin University, A: Xiaoning Du Monash University, Australia, A: Shuang Liu Tianjin University
Mitigating Security Issues in GitHub Actions
A: Hassan Onsori Delicheh University of Mons, Belgium, A: Tom Mens University of Mons