TROOPERS26 Call for Paper

François Proulx

François Proulx is the VP of Security Research at BoostSecurity.io and the co-creator of the poutine Open Source CI/CD scanner. He co-founded the "Living Off The Pipeline" (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.
Session

06-25
11:00
60min
Living Off The Pipeline: Defensive Research, Weaponized
François Proulx

We created "Living Off The Pipeline" (LOLBAS for CI/CD) and a 0-day vuln scanner, then we saw Threat Actors on BreachForums were paying attention. Enter the "Metasploit for CI/CD." In this live kill-chain, we exploit "pwn requests" to pivot from a public GitHub repo to private repos. We show how anonymous users gain "insider" privileges to exfiltrate secrets, poison releases, and escalate to Cloud Admin.

Attack & Research
Track 3