Andrei Epure
How your .NET software supply chain is open to attack : and how to fix it
#1about 3 minutes
Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.
#2about 4 minutes
How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
#3about 4 minutes
A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
#4about 4 minutes
Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
#5about 4 minutes
Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
#6about 3 minutes
A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
#7about 2 minutes
Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.
#8about 5 minutes
A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
Related jobs
Jobs that call for the skills explored in this talk.
Featured Partners
Related Videos
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
28:27Securing your application software supply-chain
Niels Tanis
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
37:36Walking into the era of Supply Chain Risks
Vandana Verma
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
29:50Real-World Security for Busy Developers
Kevin Lewis
From learning to earning
Jobs that call for the skills explored in this talk.
Software Engineer.NET / C# - Remote
Cybersecurity and Cyberintelligence Experts
Municipality of Madrid, Spain
Remote
€24-33K
Intermediate
API
CSS
HTML
+9
Cyber Security Content Engineer, Blue Team - Azure
TryHackMe
Charing Cross, United Kingdom
Remote
€46K
Intermediate
PHP
Bash
Azure
+2
Software Security Lead, DevSecOps, .NET, C#, Microsoft Stack, Remote
Carrington Recruitment Solutions Limited
Charing Cross, United Kingdom
Remote
€85K
Senior
.NET
Azure
Partner Solution Architect - Security
Microsoft
Charing Cross, United Kingdom
€78K
Azure
Microsoft Dynamics
Solution Engineering - Cybersecurity
Microsoft
Canton of Issy-les-Moulineaux, France
Senior
Azure
Cisco networks
Application Security Engineer
MotabilityDotNet
Charing Cross, United Kingdom
Remote
Java
React
Node.js
Amazon Web Services (AWS)
Full Stack Software Engineer (Attack Surface Management)
Sysdig
Remote
Intermediate
REST
MySQL
Neo4j
PostgreSQL
+4