Watch the stream
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.
François Proulx ,