Broken links - Behind the scenes of Supply Chain breaches


So-called "supply chain" attacks are all over the news, as several high-profile breaches have highlighted CI/CD pipelines as a prime target. While AppSec focuses on writing secure code (SAST), managing the risk from open source dependencies (SCA) and, more generally, finding vulnerabilities in apps and APIs, a large attack surface is often overlooked: the supply chain itself, which links the developer's laptop, via the SCM, through CI/CD, to the application running in production.

We've all heard about the SolarWinds breach, but what can be done to prevent such an attack? In this talk, we go behind the scenes of similar attacks through the lens of SLSA (Supply-chain Levels for Software Artifacts), a framework whose threat model is designed to tackle these emerging threats.

Most importantly, we will discuss new technologies and approaches that are available today (or are under active development) to address these threats.


François Proulx, VP of Security Research, BoostSecurity.io

François Proulx is the VP of Security Research at BoostSecurity.io and the co-creator of the poutine Open Source CI/CD scanner. He co-founded the "Living Off The Pipeline" (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.