This talk recalls an incident at GitHub in which a security researcher was able to access all of the production environment variables from github.com by utilizing obj.send to exploit a vulnerability in our codebase. We'll walk through the process of identifying the vulnerability, our response to the disclosure, and the internal research around managing secrets in our Ruby apps that followed.
Schedule
Dennis is a Senior Product Security Engineer at GitHub, working on building security paved paths and improving code security across the open source community. He's based in Toronto, Canada.
Wei Lin is a Lead Offensive Security Engineer at Praetorian focusing on product and application security. He's previously a Senior Web Security Researcher at STAR Labs.