François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Update: 2024-10-22

Description

François Proulx shares his discovery of security vulnerabilities in build pipelines. Francois has found that attackers can exploit this often overlooked side of the software supply chain. To help address this, his team developed an open source scanner called Poutine that can identify vulnerable build pipelines at scale and provide remediation guidance. Francois has over 10 years of experience in building application security programs, he’s also the founder of the NorthSec conference in Montreal.

Mentioned in the Episode:
Cooking for Geeks by Jeff Potter
Poutine
Living Off the Pipeline project
Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan and John Stawinski

Where to find Francois:
LinkedIn
X: @francoisproulx

Previous Episodes:
François Proulx -- Actionable Software Supply Chain Security

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Comments

Top Podcasts

The Best New Comedy Podcast Right Now – June 2024 The Best News Podcast Right Now – June 2024 The Best New Business Podcast Right Now – June 2024 The Best New Sports Podcast Right Now – June 2024 The Best New True Crime Podcast Right Now – June 2024 The Best New Joe Rogan Experience Podcast Right Now – June 20 The Best New Dan Bongino Show Podcast Right Now – June 20 The Best New Mark Levin Podcast – June 2024

In Channel

Matin Mavaddat - Understanding Security as a Systemic Concern: The Role of Anti-Requirements

2024-11-1250:20

Kayra Otaner -- DevSecOps

2024-10-2932:46

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

2024-10-2245:31

Steve Wilson -- The Developer's Playbook for Large Language Model Security: Building Secure AI Applications

2024-10-0136:32

Jeff Williams -- Application Detection & Response (ADR)

2024-09-2451:28

Phillip Wylie -- Pen Testing from Somebody who Knows about Pen Testing

2024-09-1752:08

Steve Springett -- Software and System Transparency

2024-08-2948:13

Irfaan Santoe -- The Power of Strategy in AppSec

2024-07-3140:14

Andrew Van Der Stock -- The New OWASP Top Ten

2024-07-2351:51

Derek Fisher -- Hiring in Cyber/AppSec

2024-07-1601:01:45

Tanya Janca -- Secure Guardrails

2024-07-0901:04:50

Jahanzeb Farooq -- Launching and executing an AppSec program

2024-07-0249:44

David Quisenberry -- Building Security, People, and Programs

2024-06-1856:54

Matt Rose -- Software Supply Chain Security Means Many Different Things to Different People

2024-06-1146:14

James Berthoty -- Is DAST Dead? And the future of API security

2024-05-3144:56

Mark Curphey and Simon Bennetts -- Riding the Coat Tails of ZAP, without Open Source Funding

2024-05-2142:32

Devin Rudnicki -- Expanding AppSec

2024-05-1435:57

Dustin Lehr -- Culture Change through Champions and Gamification

2024-04-1645:10

Francesco Cipollone -- Application Security Posture Management and the Power of Working with the Business

2024-04-0938:11

Mukund Sarma -- Developer Tools that Solve Security Problems

2024-04-0246:32

00:00

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Chris Romeo and Robert Hurlbut

#box-pro-ellipsis-173235886336185{-webkit-line-clamp:2;}François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Chris Romeo and Robert Hurlbut

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages