BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.nsec.io//2026//LM9T3R
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2026-FGDWWG@cfp.nsec.io
DTSTART;TZID=EST:20260515T100000
DTEND;TZID=EST:20260515T103000
DESCRIPTION:GitHub gives attackers something they love: a place where ident
 ity\, automation\, and production changes meet. Once they’re in\, the pa
 th from “read access” to “shipping malicious code” can be disturbi
 ngly short.\n\nIn this talk\, we walk through realistic attack paths into 
 GitHub organizations\, starting with initial access techniques like device
 -code phishing and the abuse of trusted GitHub Apps (including the GitHub 
 CLI). From there\, we explore how different credential types enable
  access: long-lived Personal Access Tokens that often persist on developer
  machine
 s\, and short-lived automation credentials like `GITHUB_TOKEN` that can st
 ill leak through logs\, artifacts\, or misconfigured workflows and then be
  leveraged to move laterally or expand privileges.\n\nWe highlight tactics
  we’ve developed and researched post-initial access: how you can abuse s
 ensitive workflows\, exploit approval and review dynamics\, and find paths
  around policy guardrails like “protected” pipelines and code-signing
  rulesets. We’ll also discuss tradeoffs attackers make to reduce
  forensic visibility and delay detection in environments where
  GitHub’s native te
 lemetry is limited.\n\nWe close with practical defender takeaways: detecti
 on strategies and response playbooks focused on the signals that matter an
 d how to improve monitoring coverage in the places GitHub is hardest to ob
 serve.\n\nAttendees will leave with a shared framework that’s useful on
  both sides of the table. Defenders will get a checklist for reducing
  risk across identities\, tokens\, integrations\, and Actions workflows
  plus con
 crete ideas for building higher-signal detection and response in places wh
 ere visibility is lacking. Red teams will gain a realistic map of where Gi
 tHub controls tend to break down in practice\, along with a set of hypothe
 ses to test during assessments that go beyond “find a secret in a repo.
 ” The goal is to walk out with sharper intuition for how small weaknesse
 s chain into meaningful impact\, and practical ways to either validate tha
 t risk (red teams) or eliminate it (blue teams) without grinding delivery 
 to a halt.
DTSTAMP:20260507T194140Z
LOCATION:Ville-Marie
SUMMARY:Commit\, Push\, Compromise: Attacking Modern GitHub Orgs - Andrew B
 uchanan\, Max CM
URL:https://cfp.nsec.io/2026/talk/FGDWWG/
END:VEVENT
END:VCALENDAR
