June 26, 2025 | Denver, CO
Thursday June 26, 2025 11:25am - 11:45am MDT
The next wave of supply chain attacks is brewing in our build pipelines (CI/CD), where 0-days and novel attack paths are still waiting to be discovered. In 2024, the compromise of the XZ compression library was used as a Trojan horse to backdoor OpenSSH. It was caught early on; next time it might go unnoticed.

We tell the story of how we went from finding 0-day vulnerabilities in the build pipelines of critical open source packages to predicting TTPs for the next XZ-like attacks, adapting MITRE's ATT&CK for CI/CD. We'll go in depth on how threat actors can "Live Off the Pipeline" by abusing legitimate build tools to do their bidding.

We introduce practical methods for predicting and identifying threats by mapping build pipeline tactics to our ATT&CK model. Case studies, based on forensics of recent supply chain compromises, demonstrate how adversaries exploit build pipelines, escalate privileges, and remain undetected long enough to have significant impact.

This session empowers attendees to proactively identify and defend against advanced supply chain attacks, effectively countering adversaries that seek to "Live Off the Pipeline" as demonstrated in the XZ compromise.
Speakers
François Proulx

Senior Product Security Engineer, BoostSecurity.io
François is a Senior Product Security Engineer for BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for large corporations (such as Intel) and small startups, he has been in the heat of the action as the DevSecOps...
Bluebird Ballroom 3A