Benoit Cote-Jodoin Senior Product Security Engineer, BoostSecurity.io
Benoît Côte-Jodoin is a Senior Product Security Engineer at BoostSecurity researching software supply chain security. Former active CTF player, he now designs challenges for the NorthSec CTF competition.
Talk: Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages
Talks will be streamed on YouTube and Twitch for free.
Beyond the buzzword of 'supply chain security,' lies a critical, frequently ignored area: the Build Pipelines of Open Source packages. In this talk, we discuss how we’ve developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art, and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at providing Red and Blue teams with a way to prioritize more risky scenarios.