Connor Laidlaw

Senior Application Security Engineer

Connor Laidlaw, Senior Application Security Engineer, Figment

Connor is a Senior Application Security Engineer at Figment, the world's leading independent staking infrastructure provider. His career spans a diverse range of security domains, including low-level vulnerability research, offensive security for ticket scalping operations, and engineering defenses to protect applications from abuse.

At Figment, Connor serves as the security subject matter expert for all customer-facing applications. He proactively identifies security concerns at every stage of the software development lifecycle and partners with engineering teams to architect robust solutions. Connor is also spearheading an initiative to integrate AI into Figment's security program, including the development of highly specialized offensive security agents powered by deep contextual awareness of Figment's environment—ensuring that Figment's institutional customers can trust they're using the most secure staking product on the market.


Talk: Commit, Push, Compromise: Attacking Modern GitHub Orgs

Talks will be streamed on YouTube and Twitch for free.


GitHub gives attackers something they love: a place where identity, automation, and production changes meet. Once they’re in, the path from “read access” to “shipping malicious code” can be disturbingly short.

In this talk, we walk through realistic attack paths into GitHub organizations, starting with initial access techniques like device-code phishing and the abuse of trusted GitHub Apps (including the GitHub CLI). From there, we explore how different credential types enable access: long-lived Personal Access Tokens that often persist on developer machines, and short-lived automation credentials like GITHUB_TOKEN that can still leak through logs, artifacts, or misconfigured workflows, and how either can then be leveraged to move laterally or expand privileges.

We highlight tactics we’ve developed and researched post-initial access: how you can abuse sensitive workflows, exploit approval and review dynamics, and find paths around policy guardrails like “protected” pipelines and code-signing rulesets. We’ll also discuss tradeoffs attackers make to reduce forensic visibility and delay detection in environments where GitHub’s native telemetry is limited.

We close with practical defender takeaways: detection strategies and response playbooks focused on the signals that matter, and ways to improve monitoring coverage in the places GitHub is hardest to observe.

Attendees will leave with a shared framework that’s useful on both sides of the table. Defenders will get a checklist for reducing risk across identities, tokens, integrations, and Actions workflows, plus concrete ideas for building higher-signal detection and response in places where visibility is lacking. Red teams will gain a realistic map of where GitHub controls tend to break down in practice, along with a set of hypotheses to test during assessments that go beyond “find a secret in a repo.” The goal is to walk out with sharper intuition for how small weaknesses chain into meaningful impact, and practical ways to either validate that risk (red teams) or eliminate it (blue teams) without grinding delivery to a halt.