Speaker

François Proulx

VP of Security Research at BoostSecurity

Montréal, Canada

François is VP of Security Research at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience building AppSec programs for large corporations (such as Intel) and small startups, he has been in the heat of the action as the DevSecOps movement took shape. François is one of the founders of NorthSec and was a challenge designer for the NorthSec CTF.

Area of Expertise

  • Information & Communications Technology

Topics

  • Software supply chain security

Under the Radar: How we found 0-days in the Build Pipeline of OSS Packages

Beyond the buzzword of 'supply chain security' lies a critical, frequently ignored area: the build pipelines of open source packages. In this talk, we discuss how we developed a data analysis infrastructure that targets these overlooked vulnerabilities. Our efforts have led to the discovery of 0-days in major OSS projects, such as Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. We will present a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than the prior art and outlining attacks and mitigations. In addition, we will introduce a unique reference for 'Living Off the Pipeline' (LOTP) components, aimed at giving Red and Blue teams a way to prioritize the riskier scenarios.

Living Off the Pipeline: From Supply Chain 0-Days to Predicting the next XZ-like attacks

The next wave of supply chain attacks is brewing in our build pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the XZ compression library compromise was used as a trojan horse to backdoor OpenSSH. Thankfully, this was caught early on, but the next time it might go unnoticed for much longer. This talk picks up where we left off last year: we tell the story of how we went from finding 0-day vulnerabilities in the build pipelines of critical open source packages to predicting TTPs for the next XZ-like attacks. This time we've adapted MITRE's ATT&CK framework for CI/CD environments. We'll go in depth on how threat actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding, showing why this has become Red Teamers' favorite new soft spot.

The session introduces practical methods for predicting and identifying threats before they materialize by mapping build pipeline tactics to our adapted ATT&CK model. Real-world case studies, based on our forensics of tj-actions/changed-files, Kong Kubernetes Ingress Controller and Ultralytics YOLOv5 ML library compromises, will demonstrate how adversaries exploit build pipelines, escalate privileges, and can remain undetected long enough to have significant impact.

This session equips attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline," as demonstrated in the XZ compromise.

Events

  • OWASP AppSec Days France 2025 (upcoming), September 2025, Paris, France
  • MCTTP Munich Cyber Tactics, Techniques und Procedures 2025 (upcoming), September 2025, Munich, Germany
  • OpenSSF Community Day North America 2025, June 2025, Denver, Colorado, United States
