The Open Source Security Crisis: Is Trust the Weakest Link in Supply Chain? with François Proulx

19/03/2025 44 min


Episode Synopsis

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

Today, I'm joined by François Proulx, Senior Product Security Engineer at BoostSecurity, where he leads the Supply Chain research team. With over 10 years of experience in building AppSec programs for both large corporations like Intel and innovative startups, François has been at the forefront of the DevSecOps movement. He's also one of the maintainers of the "poutine" security scanner, which detects misconfigurations and vulnerabilities in build pipelines. Be sure to check it out on GitHub and give it a star!

François is a frequent speaker and one of the founders of the NorthSec conference, where he also serves as a challenge designer for the CTF.

In this episode, we dive into the critical topic of supply chain insider threats in open source projects. We discuss the importance of the "trust, but verify" mantra and how the transition from a single maintainer to a team can increase security risks. If you're wondering about the future of automated security checks on platforms like GitHub, and the specific vulnerabilities in build pipelines, this episode is for you.

And with that, get ready to hear François's opinions. Dive right in!
Connect with François: https://www.linkedin.com/in/francoisp/

Connect with Alexandra: https://www.linkedin.com/in/alexandra-charikova/

This podcast is brought to you by Escape: https://escape.tech (modern DAST built to test for business logic instead of missing headers)

Mentioned

Article "Opening the Pandora's Box: Supply Chain Insider Threats in Open Source Projects": https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects

Russ Cox at ACM SCORED: Open Source Supply Chain Security at Google: https://www.youtube.com/watch?v=6H-V-0oQvCA

DEF CON 32 - Grand Theft Actions: Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski: https://www.youtube.com/watch?v=5P7KatZBr_I

NorthSec 2024 talk "Under the Radar: 0-days in the Build Pipeline": https://www.youtube.com/watch?v=4nfsTPEOzHA

NorthSec conference: https://nsec.io/fr/

Poutine security scanner (detects misconfigurations and vulnerabilities in the build pipelines of a repository): https://github.com/boostsecurityio/poutine

Dependabot: https://github.com/dependabot

BoostSecurity ASPM Platform: boostsecurity.io
