BoostSecurity News, Press & Events

Build Pipelines (aka CI/CD) are often a total mess…

Unveiling 'poutine': An Open Source Build Pipelines security scanner

TL;DR is thrilled to announce ‘poutine’ – an Open Source security scanner CLI you can use to detect misconfigurations and vulnerabilities in Build Pipelines. Additionally, it can create an inventory of build-time dependencies so you can track known vulnerabilities (CVEs) as well. Today, the tool has about a dozen rules covering vulnerabilities found in GitHub Actions workflows and Gitlab pipelines. We have plans to add support for CircleCI, Azure Pipelines and more. The source code is published under the Apache 2.0 license and it is available on GitHub.

Read More
Spotting an Insider Threat isn't always as obvious!

Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects

TL;DR: Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential – branch and tag protection, code review, and especially controls around the publication of release artifacts. Also GitHub may be lacking in terms of auditing capabilities to help spot Indicators of Compromises (IoCs) in some scenarios.  

Read More

Do we need new antidotes to protect against the poisoning the supply chain of Generative AI?

Generative AI solutions and tools are being developed at a breakneck pace. Builders everywhere are doing whatever it takes to ship their products. Security left merely an afterthought. There are a myriad of concerns on the surface of these solutions including bias, privacy of information, and harmful output (i.e. hate speech). Looking deeper, issues can manifest within these solutions that are imperceptible. Imagine querying one of these solutions and receiving reasonable output in return. Unless you are a subject matter expert, the validity of the contents are likely to go over your head. You’re prone to instinctively trust the output. In some domains, this is harmless. Using code emitting from one of these solutions that is broken requires you to spend some time sharpening its rough edges. In biotechnology, a misdiagnosis from a generative AI solution might prescribe a medication or a certain procedure that could kill the patient. Generative AI is being built on a shaky foundation that could collapse at any moment. Is anyone paying attention?

Read More

Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry

Last fall, my security research team at BoostSecurity published two articles on supply chain security, initiating an in-depth exploration of the Supply chain Levels for Software Artifacts (SLSA) model. Our first article, “SLSA dip — At the Source of the problem!” concentrated on Source Control Management (SCM) systems like GitHub. There we analyzed the role of SCMs in the supply chain from both Red Team (Attackers’) and Blue Team (Defenders’) perspectives, culminating in an attack tree built using Deciduous, an open-source security decision tree tool. Since then, we gave a talk entitled “Broken Links : Behind the scenes of Supply Chain breaches” at several conferences, including BSides NYC and NorthSec.

Read More

SLSA dip — At the Source of the problem!

This article is part of a series about the security of the software supply chain. Each article will be analyzing a component of the Supply chain Levels for Software Artifacts (SLSA) model in depth, from the developer’s workstation all the way to the consumer side of the chain.

Read More