The Elephant in AppSec

The Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François Proulx



Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room

Today, I’m joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement.

He’s also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!

François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.

In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the “trust, but verify” mantra and how the transition from a single maintainer to a team can increase security risks.

If you’re wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you. And with that, get ready to hear François’s opinions.

Dive right in!


Connect with François: https://www.linkedin.com/in/francoisp/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by

Escape: https://escape.tech  — Modern DAST built to test for business logic instead of missing headers


Mentioned

Article “Opening the Pandora’s Box: Supply Chain Insider Threats in Open Source Projects”: https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects

Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google https://www.youtube.com/watch?v=6H-V-0oQvCA

DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski -> https://www.youtube.com/watch?v=5P7KatZBr_I

NorthSec 2024 talk “Under the Radar: 0-days in the Build Pipeline” https://www.youtube.com/watch?v=4nfsTPEOzHA

NorthSec conference: https://nsec.io/fr/

Poutine security scanner, which detects misconfigurations and vulnerabilities in the build pipelines of a repository: https://github.com/boostsecurityio/poutine

Dependabot: https://github.com/dependabot 

BoostSecurity ASPM Platform: boostsecurity.io
