Andrei Epure
How your .NET software supply chain is open to attack : and how to fix it
#1about 3 minutes
Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.
#2about 4 minutes
How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
#3about 4 minutes
A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
#4about 4 minutes
Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
#5about 4 minutes
Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
#6about 3 minutes
A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
#7about 2 minutes
Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.
#8about 5 minutes
A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
Related jobs
Jobs that call for the skills explored in this talk.
VECTOR Informatik
Stuttgart, Germany
Senior
Java
IT Security
Matching moments
03:17 MIN
Selecting strategic partners and essential event tools
Cat Herding with Lions and Tigers - Christian Heilmann
01:32 MIN
Organizing a developer conference for 15,000 attendees
Cat Herding with Lions and Tigers - Christian Heilmann
02:39 MIN
Establishing a single source of truth for all data
Cat Herding with Lions and Tigers - Christian Heilmann
04:49 MIN
Using content channels to build an event community
Cat Herding with Lions and Tigers - Christian Heilmann
04:57 MIN
Increasing the value of talk recordings post-event
Cat Herding with Lions and Tigers - Christian Heilmann
03:38 MIN
Balancing the trade-off between efficiency and resilience
What 2025 Taught Us: A Year-End Special with Hung Lee
05:55 MIN
The security risks of AI-generated code and slopsquatting
Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2
03:48 MIN
Automating formal processes risks losing informal human value
What 2025 Taught Us: A Year-End Special with Hung Lee
Featured Partners
Related Videos
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
28:27Securing your application software supply-chain
Niels Tanis
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
37:36Walking into the era of Supply Chain Risks
Vandana Verma
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
Related Articles
View all articles
From learning to earning
Jobs that call for the skills explored in this talk.
GitLab
Newcastle upon Tyne, United Kingdom
£131-282K
API
C++
Gitlab
Burp Suite
+1
Ninedots
Python
CircleCI
Amazon Web Services (AWS)
GitLab
Nottingham, United Kingdom
£131-282K
API
C++
Gitlab
Burp Suite
+1
AJAT GmbH
€45-75K
Senior
Linux
Windows Server
Pflegecampus21 GmbH
Berlin, Germany
Remote
€55-80K
PHP
API
MySQL
+2
NTT Data Deutschland SE
Remote
Java
Python
Node.js
Continuous Integration