BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.nsec.io//XY8XKG
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2024-XY8XKG@cfp.nsec.io
DTSTART;TZID=EST:20240516T104500
DTEND;TZID=EST:20240516T111500
DESCRIPTION:Beyond the buzzword of 'supply chain security\,' lies a critica
 l\, frequently ignored area: the Build Pipelines of Open Source packages. 
 In this talk\, we discuss how we’ve developed a data analysis infrastruc
 ture that targets these overlooked vulnerabilities. Our efforts have led t
 o the discovery of 0-days in major OSS projects\, such as Terraform provid
 ers and modules\, AWS Helm Charts\, and popular GitHub Actions. We will pr
 esent a detailed attack tree for GitHub Actions pipelines\, offering a dee
 per analysis than the prior art\, and outlining attacks and mitigations. I
 n addition\, we will introduce a unique reference for 'Living Off the Pipe
 line' (LOTP) components\, aimed at providing Red and Blue teams with a way
  to prioritize more risky scenarios.
DTSTAMP:20260311T225947Z
LOCATION:Ville-Marie
SUMMARY:Under the Radar: How we found 0-days in the Build Pipeline of OSS P
 ackages - François Proulx\, Benoit Cote-Jodoin
URL:https://cfp.nsec.io/2024/talk/XY8XKG/
END:VEVENT
END:VCALENDAR