Learn AI, Data Science & Business — Earn Certificates That Get You Hired
The Private Equity Associate Certification
Overview
Build a Learning Habit
Download Class Central's free printable study calendar
Download for Free
This talk explores the often overlooked vulnerabilities in build pipelines of Open Source Software packages, moving beyond typical supply chain security discussions. Learn how researchers developed large-scale data analysis infrastructure to uncover numerous zero-day vulnerabilities in critical OSS projects including AWS-managed Kubernetes Operators, Google OSS Fuzz, RedHat OS Build, hundreds of popular Terraform providers and modules, and widely-used GitHub Actions. Examine a comprehensive attack tree for GitHub Actions pipelines that provides deeper analysis than previous research, detailing both attack vectors and mitigation strategies. Discover three complementary open source projects that emerged from this research: the 'Living Off the Pipeline' (LOTP) project, the 'poutine' build pipeline scanner, and the 'messypoutine' CTF-style training tool - all designed to provide actionable insights for builders and defenders in the OSS ecosystem.
Syllabus
Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages - François Proulx
Taught by
OWASP Foundation