Watch the stream
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.
François Proulx VP of Security Research, BoostSecurity.io
François Proulx is the VP of Security Research at BoostSecurity.io and the co-creator of the poutine Open Source CI/CD scanner. He co-founded the "Living Off The Pipeline" (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.