Benoit Cote-Jodoin

Senior Product Security Engineer

Back to the list of Speakers and Sessions

Benoit Cote-Jodoin Senior Product Security Engineer,

Benoît Côte-Jodoin is a Senior Product Security Engineer at BoostSecurity researching software supply chain security. Former active CTF player, he now designs challenges for the NorthSec CTF competition.

Discussion: AppSec Q&A

This is a Q&A session. Moderators will take audience questions both remotely and on-site via

Q&A Discussion for the AppSec block

Talk: Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages

Talks will be streamed on YouTube and Twitch for free.

Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.