10-26, 10:25–10:50 (Europe/Berlin), Main stage
Cloud computing adoption is increasing, and organizations have an increasing need to secure their access to cloud resources. Traditional access control mechanisms such as access tokens, while still widely used, are insufficient to protect against modern threats. Even if the least-privilege principles are preserved, these tokens could leak and expose your infrastructure.
Identity tokens, such as OpenID Connect (OIDC), have emerged as a popular alternative for authentication and authorization in cloud environments. Even though major CI/CD platforms are now supporting these tokens - GitHub Actions, GitLab CI, CircleCI, etc. - it isn't widely adopted yet.
In this session, we'll explore the advantages of leveraging OIDC (OpenID Connect) for artifact registries, setting up artifact registries to accept OIDC tokens, and integrating OIDC-based authentication and authorization into popular artifact registry systems. Additionally, we'll showcase practical demonstrations of OIDC-based authentication and authorization in action.
This session presents the significant advantages of leveraging OIDC for artifact registries. We will examine valuable insights into configuring artifact registries to accept OIDC tokens and enhancing security measures. The session will also explore seamless integration techniques to implement OIDC-based authentication and authorization with popular artifact registry systems.
In Addition, we will dive into real-world scenarios using OIDC-based authentication and authorization in action. Through hands-on examples, participants will witness how OIDC effectively strengthens cloud resource access, supporting an organization's defense against potential threats such as the CodeCov breach.
Elad Pticha is a passionate security researcher with a focus on software supply chain and API security. Elad specializes in finding vulnerabilities in SDLC-related software. In his free time, Elad loves to code, hunt for vulnerable technologies, and use his skills to help companies mitigate their security risks. Before his current work at Cycode, Elad dedicated his time to finding critical vulnerabilities in web applications, IoT devices, and pretty much anything with an IP address, but his recent focus has shifted towards software supply chain security vulnerabilities. Elad is committed to staying up-to-date with the latest security trends and technologies and always seeking new challenges to tackle.