Andrei Epure

Aug 20, 2024 • World Congress 2024

How your .NET software supply chain is open to attack : and how to fix it

NuGet's default settings leave your projects vulnerable to supply chain attacks. Learn the two essential configuration changes you need to secure your builds.

#1about 3 minutes

Understanding the risks in your software supply chain

Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.

#2about 4 minutes

How typosquatting attacks exploit common developer mistakes

Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.

#3about 4 minutes

A live demo of a typosquatting attack in .NET

A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.

#4about 4 minutes

Using trusted signers to defend against typosquatting

You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.

#5about 4 minutes

Explaining dependency confusion attacks in the NuGet ecosystem

NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.

#6about 3 minutes

A live demo of a dependency confusion attack

A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.

#7about 2 minutes

Preventing dependency confusion with package source mapping

The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.

#8about 5 minutes

A summary of key NuGet security best practices

A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.

yesterday

Senior Tech Consultant M365 (Tenant)

Riverty
Berlin, Germany

Intermediate

Senior

21 days ago

Senior Fullstack Engineer – Angular/.Net (f/m/d)

Apaleo
München, Germany

Remote

Senior

11 days ago

Cloud Engineer (m/w/d)

fulfillmenttools
Köln, Germany

Intermediate

From learning to earning

Jobs that call for the skills explored in this talk.

Cyber Security Content Engineer, Blue Team - Azure

20 days ago

Cyber Security Content Engineer, Blue Team - Azure

TryHackMe
Charing Cross, United Kingdom

Remote

€46K

Intermediate

PHP

Bash

Azure

Evento Microsoft Netcoreconf 14 de noviembre

yesterday

.NET

Azure

DevOps

Routing

yesterday

Cybersecurity Architect

Kyndryl
Municipality of Madrid, Spain

17 days ago

Application Security Engineer

MotabilityDotNet
Charing Cross, United Kingdom

Remote

Java

React

Node.js

Amazon Web Services (AWS)

today

Microsoft Security Engineer

X4 Technology
Nottingham, United Kingdom

Remote

€78K

Azure

Microsoft Access

Network Security

Understanding the risks in your software supply chain

How typosquatting attacks exploit common developer mistakes

A live demo of a typosquatting attack in .NET

Using trusted signers to defend against typosquatting

Explaining dependency confusion attacks in the NuGet ecosystem

A live demo of a dependency confusion attack

Preventing dependency confusion with package source mapping

A summary of key NuGet security best practices

Senior Tech Consultant M365 (Tenant)

Senior Fullstack Engineer – Angular/.Net (f/m/d)

Cloud Engineer (m/w/d)

Matching moments

How attackers exploit developers and packages

Vue3 practical development

Common attacks targeting software developers

Vulnerable VS Code extensions are now at your front door

Understanding the rising threat to software supply chains

Open Source Secure Software Supply Chain in action

Learning from the SolarWinds supply chain attack

Securing your application software supply-chain

The danger of dependency confusion in NPM packages

Security in modern Web Applications - OWASP to the rescue!

Modern cybersecurity challenges for developers

Cyber Security: Small, and Large!

Implementing and enforcing supply chain policies

Securing your application software supply-chain

Understanding software supply chain security in JavaScript

Oops! Stories of supply chain shenanigans

Featured Partners

Related Videos

Programming secure C#/.NET Applications: Dos & Don'ts

Securing your application software supply-chain

Supply Chain Security and the Real World: Lessons From Incidents

Open Source Secure Software Supply Chain in action

You click, you lose: a practical look at VSCode's security

Walking into the era of Supply Chain Risks

Security Pitfalls for Software Engineers

Real-World Security for Busy Developers

From learning to earning

Cyber Security Content Engineer, Blue Team - Azure

Evento Microsoft Netcoreconf 14 de noviembre

Cybersecurity Project Manager

Security Architects

Cybersecurity Consultant - Threat Modeling

Full-Stack Software Engineer .NET / Angular / Azure

Cybersecurity Architect

Application Security Engineer

Microsoft Security Engineer