Paris is one of the most bustling metropolises on earth, with millions of locals going about their daily routines and all the visitors wandering about to see all the wonders. One thing that no one sees is stop signs, as Paris removed the last of these in 2016. That is not chaos, it is choreography. Drivers rely on clearer rules, right of way, and constant attention rather than a red octagon.
This backdrop made the city of lights the perfect backdrop for a community that is learning that you can't just rely on obvious controls at the edge; security throughout your software delivery pipelines must be precise, observable, and enforced. This was the message that rang out loud and clear through all the sessions at the first-ever OWASP AppSec Days France.
Over 150 security practitioners, developers, and OWASP members got together at "La Maison des Associations et de la Solidarité" to listen to 8 sessions that helped them get a handle on the challenges of modern security. Along the way, many hallway conversations were had, where we learned we all had a lot common in our quest for security, as well as many shared challenges. Here are just a few of the highlights from OWASP AppSec Days France 2025.
The organizers of OWASP AppSec Days France 2025
Dependency Confusion, NPX traps, and Maintainer Takeovers
In the keynote session "Breaking the Chain: Advanced Offensive Strategies in Software Supply Chains," Roni Carta, aka Lupin, Co-Founder & Offensive Security Lead at Lupin & Holmes, reminded everyone that we are not only defending our own code. Every dependency arrives with its own build pipeline and people behind it, which turns provenance into a moving target. SLSA helps, but today's software supply chain is a maze where small seams can become big breach paths.
He showcased how source layer weaknesses turn into execution. Dependency confusion on npm, unclaimed package names, and NPX confusion via .bin files can lead to silent remote code execution (RCE). Maintainer takeovers through email and domain tricks ripple across massive ecosystems, while clever registries and obfuscation sidestep static scanners. In the build layer, GitHub Actions cache poisoning and 'short SHA' collisions create ambiguity about what actually ran and what got published.
Roni gave us plenty of practical advice: Pin exact versions or full SHAs, disable install scripts in CI, and enforce MFA and least privilege for maintainers and NHIs. He also said to isolate caches with strong keys, lock down artifact registries and tokens, and monitor for 'typosquats.' Add egress controls and honeytokens in build environments, and keep moving toward SLSA-aligned, hermetic builds so surprises have nowhere to land.
Roni Carta
Living Off The Pipeline Is The New Post Exploitation
François Proulx, VP of Security Research at boostsecurity.io, made the case that CI/CD is the new perimeter in his session, "Living Off the Pipeline: From Supply Chain 0-Days to Predicting the next XZ-like attacks". He called today's CI/CD reality a dumpster fire, consisting of pipelines that run with high privileges that happily turn untrusted inputs into trusted artifacts.
The plot points were painfully familiar to anyone paying attention to recent supply chain attacks: "Pwn requests" that slip template or script injection into PRs and bot-mediated confused-deputy paths that lean on Dependabot events to bypass weak auth logic.
He went so far as to rename CI pipelines to "RCE as a service."
From there, he shifted into incidents demoing misused pull_request_target, missing branch filters, unpinned latest versions, Makefile-driven execution, and overly privileged GitHub tokens across workflows. François explained that every major CI platform can be tripped the same way because they all trust SCM events. To get ahead of it, he and his team built Poutine, an open source scanner that applies rules to thousands of repos, even stale branches, and surfaces what is actually exploitable. The early haul was big: about 200K findings with roughly 10K higher-confidence leads, followed by real-world echoes like the Ultralytics/YOLO exposures in August 2024 and a December Monero miner repeating the exact same class of flaw.
He urged us to treat pipelines like production systems with strict event and branch filters and pin full SHAs. We should all be moving to short-lived tokens and prefer ephemeral runners. He concluded that CI/CD is the new perimeter, and the teams that treat their pipeline as such are going to end up with better security.
François Proulx
Identity Without Knowable Secrets
In his session "Des applis sans mot de passe: Passkeys en pratique," Daniel Garnier-Moiroux, Staff Engineer at Broadcom, told us that passwords create pain and phishing risk. He made a strong case for passkeys, which use the best of what we know about cryptography to make logins both simpler and safer. He broke down the basics of the WebAuthn spec, which can be oversimplified as: when you try to log into a site, that site sends a challenge. Your browser asks a platform or roaming authenticator to sign it, and the device returns a public key and signature that the server verifies. The key material is tied to the site's domain, so "look-alike" pages cannot trick you, and nothing secret ever leaves your device.
We saw three flavors in action in his live demo.
A platform authenticator on your phone or laptop, unlocked with a fingerprint or face; something you have plus something you are. A roaming authenticator like a YubiKey unlocked with a PIN; something you have plus something you know. And cross-device login flows using an iPhone, Android, or tablet, which was also unlocked with biometrics, over Bluetooth or the local network.
Daniel made sure to clarify that passkeys are not themselves biometrics. Biometrics only unlock the private key to produce a signature and never leave the local device.
Daniel Garnier-Moiroux
Cyber Resilience Takes People Working Together
If there was a single through line in Paris, it was that our risk does not live in one team or one tool. Tiny seams in package ecosystems become real incidents when developers, maintainers, and registry operators are not aligned. Inside CI, where unfiltered events, unpinned images, and long-lived runners turn "just a pull request" into remote code execution. Passwords keep failing because people are easy to trick, while passkeys only work when product, IT, and security make them easy to use everywhere.
There is no one single silver bullet or technology that is going to fix this. It is going to take coordination, communication, and some real teamwork.
Security needs to give developers paved roads and practical, easy to follow guidance, like like pinned SHAs, branch and event filters, and disabling install scripts in CI. Platform and SRE need ephemeral runners, isolated caches, and scoped short-lived tokens. Identity teams need to roll out WebAuthn at scale. None of that lands without enablement, docs, and fast feedback when something breaks.
Call it a culture of determinism. SLSA can give us a shared map for builds, "policy as code" can give us shared guardrails in pipelines, and passkeys can give us a shared answer to phishing, but only if we are consistent in how we approach these topics. When these pieces move in step, attackers have fewer places to hide, incident response gets faster, and the path from "we found a weakness" to "we cannot make that class of mistake again" becomes a habit, not a hope.
OWASP Helps Us All Choreograph Security Over Chaos
Paris does not need stop signs at every corner because the city runs on shared understanding, constant attention, and practiced courtesy. OWASP AppSec Days France carried the same lesson for software. We cannot bolt a few red octagons onto the edge and call it secure. We have to agree on how we move, who yields, and what happens when something unexpected enters the intersection.
Your author was proud to share a session as well at the event, where I implored those who focused on application security to treat security, especially around NHI authentication, as a team sport. None of the strategies the speakers throughout the day discussed would be realistic to implement if we do not get the developers on the same page. This is especially true in a world where a single incorrect package choice can magnify across an ecosystem and one password phish can undo a year of patching.
There is real work to do, and it starts with good habits. Good habits begin with raising awareness of an issue and providing guidance on how to improve. It should give you hope that OWASP, as a community, is delivering on that mission, still, after over twenty years. You can see it for yourself at all the AppSec Days, and other security focused events around the world, where people share what is going wrong and how to fix it.
Top comments (0)