[Pinned] François Proulx in boostsecurity: "Opening the Pandora’s box — Supply Chain Insider Threats in Open Source projects" (Mar 15). Giving repo “Write” access in an OSS project is a risk. We look at insider threats in the context of a responsible disclosure for AWS Karpenter.

[Pinned] François Proulx in boostsecurity: "The tale of a Supply Chain near-miss incident" (Feb 13). We disclosed to Chainguard in December 2023 that a GitHub Actions workflow we discovered was vulnerable to a “pwn request”, potentially…

[Pinned] François Proulx in boostsecurity: "SLSA dip — At the Source of the problem!" (Nov 11, 2022). This article is part of a multi-part series about the security of the software supply chain. We will be analyzing in depth each component…

François Proulx in boostsecurity: "Unveiling ‘poutine’: An Open Source Build Pipelines security scanner" (Apr 15). TL;DR: BoostSecurity.io is thrilled to announce ‘poutine’ — an Open Source security scanner CLI you can use to detect misconfigurations and…

François Proulx in boostsecurity: "Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry" (Jun 19, 2023).

François Proulx in boostsecurity: "SLSA dip — It’s Build Time!" (Nov 11, 2022). This article is part of a multi-part series about the security of the software supply chain. We will be analyzing in depth each component…

François Proulx in Coinmonks: "The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet" (Jul 19, 2018). (Before I begin — this bug was responsibly disclosed and has been fixed in version 1.0.9 and later of the EOSIO software, so I highly…