NHI Forum
Read full article here: https://blog.gitguardian.com/owasp-appsecdays-france-2025/?utm_source=nhimg
OWASP AppSec Days France 2025 brought more than 150 developers, security researchers, and AppSec leaders together in Paris to tackle one of the biggest challenges of our time: software supply chain security. Across eight technical sessions, the community explored why dependency trust, CI/CD pipelines, and passwordless authentication are now critical battlefronts for defending the global digital ecosystem.
Supply Chain Risks Are Everyone’s Risks
The keynote, “Breaking the Chain: Advanced Offensive Strategies in Software Supply Chains” by Roni Carta, aka Lupin, Co-Founder & Offensive Security Lead at Lupin & Holmes, showed how dependency confusion, NPX traps, and maintainer takeovers can silently lead to remote code execution (RCE) across entire ecosystems. His message was clear: attackers don’t just target your code, they target your dependencies. The practical defenses he listed were pinning dependencies and CI actions to immutable commit SHAs rather than mutable tags, enforcing MFA for maintainers and for the non-human identities (NHIs) that publish on their behalf, isolating build caches, and moving toward SLSA-aligned builds.
CI/CD as the New Perimeter
François Proulx, VP of Security Research at boostsecurity.io, argued that CI/CD pipelines are the new attack surface, describing them as “RCE as a service”: a misconfigured workflow executes whatever an attacker can get into it, with the pipeline’s secrets attached. Misconfigured GitHub Actions, actions referenced by unpinned versions, and overly privileged tokens expose organizations to supply chain compromise. His open source tool, Poutine, scans repositories at scale for exploitable pipeline misconfigurations and has already surfaced more than 200K findings. His call to action: treat pipelines like production systems, enforce strict event filters on workflow triggers, and use short-lived, ephemeral credentials.
Passkeys and Identity Without Secrets
Daniel Garnier-Moiroux, Staff Engineer at Broadcom, demonstrated passkeys in practice, explaining how WebAuthn removes the need for passwords and resists phishing: a credential is bound to the relying party’s origin and authenticates by signing a server-issued challenge, so no reusable secret ever leaves the authenticator. His session showed how platform authenticators, roaming authenticators, and cross-device logins deliver strong, simple authentication without ever exposing secrets. This aligns closely with the direction of non-human identity security, where secretless, cryptographic authentication is the goal.
A Culture of Shared Guardrails
The unifying message from Paris was simple: security is a team sport. Whether the threat is dependency hijacking, CI/CD abuse, or password phishing, the answer is consistent, observable, shared guardrails. SLSA provides a common map for supply chain security, policy-as-code secures pipelines, and passkeys eliminate password risk. Together they make security a culture rather than just a toolset.
Final Takeaway
OWASP AppSec Days France 2025 showed that defending the software supply chain requires more than patching; it requires coordination between developers, maintainers, registry operators, and security teams. Just as Paris traffic runs smoothly without stop signs thanks to shared rules, AppSec thrives when the community choreographs security together.