Università della Svizzera italiana, INF
The SUNBURST Wake-Up Call: Why CI/CD Security Matters Now More Than Ever

Chair: Alberto Martín López


Thursday 08.05, 16:30 - 17:30
USI Lugano East Campus, Room D0.02


Edoardo Riggio, PhD researcher, USI
Abstract:
Modern CI/CD pipelines have become central to how we automatically build, test, and deliver software. However, such pipeline automation has also become a prime target for sophisticated supply chain attacks. The SUNBURST attack on SolarWinds demonstrates how malicious actors can abuse trusted build systems to distribute tainted updates to thousands of organizations. We will start by dissecting the anatomy of SUNBURST, revealing how the Russian cyber espionage group known as Nobelium managed to execute such a large-scale attack. We will then analyze its fallout, which prompted major legislative efforts such as the US Executive Order 14067 and the EU Cyber Resilience Act. Finally, we will introduce the research we are carrying out towards evaluating and securing the software supply chain of CI/CD environments. In particular, we will present Soteria, a tool we developed to automatically detect security misconfigurations in GitHub workflow files.

Biography:
Edoardo Riggio is currently a PhD researcher in the DESIGN research group under the supervision of Prof. Cesare Pautasso. He graduated from USI in Informatics and later in Software and Data Engineering. Edoardo’s research focuses on the security of software supply chains in CI/CD environments.

*************************

In February 2019, the Software Institute started its SI Seminar Series. Every Thursday afternoon, a researcher of the Institute publicly gives a short talk on a software engineering topic of their choice. Examples include, but are not limited to, interesting novel papers, seminal papers, personal research overviews, discussions of preliminary research ideas, tutorials, and small experiments.

On our YouTube playlist you can watch some of the past seminars. On the SI website you can find more details on the next seminar, the upcoming seminars, and an archive of past speakers.