Elad Pticha

Elad Pticha is a passionate security researcher with a focus on software supply chain and API security. Elad specializes in finding vulnerabilities in SDLC-related software. In his free time, Elad loves to code, hunt for vulnerable technologies, and use his skills to help companies mitigate their security risks. Before his current work at Cycode, Elad dedicated his time to finding critical vulnerabilities in web applications, IoT devices, and pretty much anything with an IP address, but his recent focus has shifted towards software supply chain security vulnerabilities. Elad is committed to staying up-to-date with the latest security trends and technologies and always seeking new challenges to tackle.


Sessions

10-26, 10:25 (25 min)
Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines
Elad Pticha

As cloud computing adoption grows, so does the need for organizations to secure their access to cloud resources. Traditional access control mechanisms such as access tokens, while still widely used, are insufficient to protect against modern threats: even when least-privilege principles are followed, these tokens can leak and expose your infrastructure.

Identity tokens, such as OpenID Connect (OIDC) tokens, have emerged as a popular alternative for authentication and authorization in cloud environments. Even though the major CI/CD platforms (GitHub Actions, GitLab CI, CircleCI, etc.) now support these tokens, they are not yet widely adopted.

In this session, we'll explore the advantages of leveraging OIDC for artifact registries, how to set up artifact registries to accept OIDC tokens, and how to integrate OIDC-based authentication and authorization into popular artifact registry systems. Additionally, we'll showcase practical demonstrations of OIDC-based authentication and authorization in action.

Main stage
10-26, 18:00 (5 min)
Securing Software Package Releases with SLSA v1.0
Elad Pticha

Join us as we delve into secure software releases, focusing on the real-world scenario of implementing the SLSA (Supply-chain Levels for Software Artifacts) v1.0 standard in popular CI/CD systems such as GitHub and Azure Pipelines. In the face of growing threats to packages, distributions, releases, and dependencies from software supply chain attacks, SLSA offers a crucial standard for securing artifacts.

We will explore SLSA in detail, see how the v1.0 standard differs from its predecessor, and understand how SLSA would have helped mitigate previous software supply chain attacks.

Then we dive into the implementation of SLSA and show how to apply it to secure builds in popular systems such as GitHub and Azure Pipelines, including a live demo of how to generate and use SLSA provenance to secure a containerized software release in an OCI registry.

Main stage