2023-05-18, 11:30–12:00, Salle de Bal
So-called “Supply Chain” attacks are all over the news as several high-profile breaches highlight CI/CD pipelines as a prime target. While AppSec focuses on writing secure code (SAST), managing risks from Open Source dependencies (SCA) and, more generally, finding vulnerabilities in apps and APIs, a large attack surface is often overlooked: the supply chain that links the developer’s laptop, via the SCM, through CI/CD, to the application running in production.
We’ve all heard about the SolarWinds breach, but what can be done to prevent such an attack? In this talk, we dive behind the scenes of similar attacks through the lens of SLSA (Supply-chain Levels for Software Artifacts), a threat model designed to tackle these emergent threats.
Most importantly, we will discuss new technologies and approaches that are available today (or are under active development) to address these threats.
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups, he has been in the heat of the action as the DevSecOps movement took shape. François is one of the founders of NorthSec and was a challenge designer for the NorthSec CTF.