
Living Off the Pipeline / À l’Ombre du Pipeline
OWASP Montréal and Cybereco invite you to a talk by François Proulx on software supply chain security and CI/CD vulnerability analysis.
The next wave of supply chain attacks is brewing in our continuous integration and deployment (CI/CD) pipelines, as demonstrated by the compromise of the XZ library. This presentation explains how malicious actors can “live in the pipeline” by abusing legitimate build tools, the new favorite weak spot of “Red Teams”, and how to predict the TTPs (Tactics, Techniques and Procedures) of future XZ-type attacks using our adaptation of MITRE’s ATT&CK framework for CI/CD environments. Through real-life case studies, this session will equip you to proactively identify and counter these advanced threats before they have a significant impact.
📍 Location: Cybereco offices – 355 Peel Street, Montreal, QC H3C 2G9 – Suite 203
🔊 Language: French
📅 Date: Thursday, August 28, 2025
🕓 Time: Doors open at 5:30 p.m. – Conference begins at 6:15 p.m.
🗣️ Format: Conference – Food and beverages provided
🤝 Networking: A unique opportunity to network with other members of Montreal’s cybersecurity community!
Guest speaker:
François is vice-president of security research at BoostSecurity, where he leads the software supply chain team. He has over ten years’ experience in the development of AppSec programs, both within large companies such as Intel, and in technology startups. A key player in the emergence of the DevSecOps movement, he has combined technical expertise with strategic vision. François is also co-founder of NorthSec and helped design the associated CTF challenges.