
BoostSecurity News, Press & Events


OWASP Top 10 CI/CD Security Risks Explained

Benefits of a Developer-First Approach: Enhance Security & Innovation

Agentless vs. Agent-Based Security: What's Best for You?

Software Supply Chain Security: 1st Party Code Risks
After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;

Weaponizing Dependabot: Latest Dependabot News and Pwn Request at its Finest
TL;DR: Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code. This doesn’t stop here. It can escalate to full command injection via crafted branch names and even bypass branch protection rules. Plus, we disclose two new TTPs to build upon previously known techniques.

Exploiting CI/CD with Style(lint): LOTP Guide
TL;DR: CI/CD remains a stealthy and soft target for supply chain attacks—especially via linters, formatters, build and test tools. This guide breaks down Living Off the Pipeline (LOTP) techniques, where attackers exploit CI tools already present and without modifying the workflow itself—using config files, plugins, and environment variables instead.

Software Supply Chain Security: Understanding Developer Risk
After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;

From Pandora's Box to Nuclear Fishing: Escalating Threats in Build Pipelines Security
TL;DR: We've been quiet lately—despite recent Supply Chain drama—because we wanted a clearer picture before chiming in. Attacks on popular GitHub Actions (tj-actions/changed-files and reviewdog/action-setup) have shocked us, but not surprised us. They simply proved the point we had warned about. Alarmingly, reviewdog automatically promoted “typo-fixers” to maintainers overnight. Combine that with GitHub's audit logging gaps—attackers can update releases leaving no trace—and we've got a real mess. It’s time we reassess our threat models and demand better visibility.

Under The Radar: Zero-Days in Open Source Build Pipelines
TL;DR: Our deep dive into open source projects’ CI/CD systems has revealed that build pipelines can be just as vulnerable as any other link in the software supply chain. We found hundreds of zero days on open source projects’ build pipelines with our detection at scale and responsibly disclosed them. Jump to the Research at Scale section to learn more.