Loading…
THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Thursday September 26, 2024 11:30am - 12:15pm PDT
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a large scale data analysis infrastructure that targets these overlooked vulnerabilities in Open Source projects. Our efforts have led to the discovery of countless 0-days in critical OSS projects, such as AWS-managed Kubernetes Operators, Google OSS Fuzz, RedHat OS Build, hundreds of popular Terraform providers and modules and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a much deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will present three Open Source projects that complement our research and provide actionable insights to Builders and Defenders: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner and the 'messypoutine' CTF-style training.
Speakers
avatar for François Proulx

François Proulx

Senior Product Security Engineer, BoostSecurity
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups he has been in the heat of the action as the DevSecOps... Read More →
Thursday September 26, 2024 11:30am - 12:15pm PDT
Room: Seacliff AB
Feedback form is now closed.

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Share Modal

Share this link via

Or copy link