Under the Radar: How we found 0-days in the build pipeline of OSS Packages
Join us virtually in December for our final event of the year! Under the Radar: How we found 0-days in the build pipeline of OSS Packages, presented by François Proulx.
Synopsis:
Beyond the buzzword of 'supply chain security' lies a critical and frequently ignored area: the build pipelines of open source packages. In this talk, we discuss how we developed a large-scale data analysis infrastructure that targets these overlooked vulnerabilities in open source projects. Our efforts have led to the discovery of numerous 0-days in critical OSS projects, including AWS-managed Kubernetes operators, Google OSS-Fuzz, Red Hat OSBuild, hundreds of popular Terraform providers and modules, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a much deeper analysis than the prior art and outlining both attacks and mitigations. In addition, we will present three open source projects that complement our research and provide actionable insights to builders and defenders: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner, and the 'messypoutine' CTF-style training.
Location: Virtual
Timing: 7pm Start
With thanks to our Gold Sponsors Prisma Cloud by Palo Alto, Apiiro and Tigera for their continued support throughout 2024!