October 22, 2024

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Listen Later

45 minutes

François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montreal.

Mentioned in the Episode:
Cooking for Geeks by Jeff Potter
Poutine
Living Off the Pipeline project
Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski

Where to find Francois:
LinkedIn
X: @francoisproulx

Previous Episodes:
François Proulx -- Actionable Software Supply Chain Security

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...more

View all episodes

View all episodes

Download on the App Store

Download on the App Store

Get it on Google Play

The Application Security Podcast

By Chris Romeo and Robert Hurlbut

5

3636 ratings

October 22, 2024

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Listen Later

45 minutes

François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montreal.

Mentioned in the Episode:
Cooking for Geeks by Jeff Potter
Poutine
Living Off the Pipeline project
Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski

Where to find Francois:
LinkedIn
X: @francoisproulx

Previous Episodes:
François Proulx -- Actionable Software Supply Chain Security

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

...more

More shows like The Application Security Podcast

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) by Johannes B. Ullrich

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

626 Listeners

Smashing Security by Graham Cluley & Carole Theriault

Smashing Security

312 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

7,879 Listeners

The Blindboy Podcast by Blindboyboatclub

The Blindboy Podcast

1,764 Listeners

The Doctor's Kitchen Podcast by Dr Rupy Aujla

The Doctor's Kitchen Podcast

623 Listeners

CISO Series Podcast by David Spark, Mike Johnson, and Andy Ellis

CISO Series Podcast

189 Listeners

Defense in Depth by David Spark, Steve Zalewski, Geoff Belknap

Defense in Depth

74 Listeners