The Application Security Podcast

François Proulx - Arbitrary Code Execution 0-day in Build Pipeline of Popular Open Source Packages

Oct 22, 2024
François Proulx, a senior product security engineer at Boost Security and founder of the NorthSec conference, reveals alarming vulnerabilities in build pipelines of popular open-source packages. He introduces his open source scanner, Poutine, designed to pinpoint these weaknesses. The discussion touches on zero-day exploits, supply chain attacks, and the critical role of security architecture. Proulx also emphasizes the importance of threat modeling and educational initiatives for developers to enhance security practices.
ANECDOTE

Cooking as a Tech Escape

  • François Proulx enjoys cooking as a practical way to get away from technology.
  • He combines geeky science with creative flavor experimentation in his cooking.
INSIGHT

Vulnerable Build Pipelines

  • Open source build pipelines are frequently vulnerable to exploits despite existing security tools.
  • Vulnerabilities in build pipelines provide a new attack surface overlooked by many in software supply chain security.
INSIGHT

Linters as Attack Vectors

  • Many pipelines run linters with known vulnerabilities that can be exploited for remote code execution.
  • Malicious configuration files in repos can enable attackers to pivot and compromise secrets via linters.