YouTube

Under the Radar: How We Found 0-days in the Build Pipeline of OSS Packages

OWASP Foundation via YouTube

Overview

This talk explores the often overlooked vulnerabilities in build pipelines of Open Source Software packages, moving beyond typical supply chain security discussions. Learn how researchers developed large-scale data analysis infrastructure to uncover numerous zero-day vulnerabilities in critical OSS projects including AWS-managed Kubernetes Operators, Google OSS Fuzz, RedHat OS Build, hundreds of popular Terraform providers and modules, and widely-used GitHub Actions. Examine a comprehensive attack tree for GitHub Actions pipelines that provides deeper analysis than previous research, detailing both attack vectors and mitigation strategies. Discover three complementary open source projects that emerged from this research: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner, and the 'messypoutine' CTF-style training tool - all designed to provide actionable insights for builders and defenders in the OSS ecosystem.

Syllabus

Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages - François Proulx

Taught by

OWASP Foundation
