Andrei Epure
How your .NET software supply chain is open to attack : and how to fix it
#1about 3 minutes
Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.
#2about 4 minutes
How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
#3about 4 minutes
A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
#4about 4 minutes
Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
#5about 4 minutes
Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
#6about 3 minutes
A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
#7about 2 minutes
Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.
#8about 5 minutes
A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
08:22 MIN
How attackers exploit developers and packages
Vue3 practical development
08:16 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
01:00 MIN
Understanding the rising threat to software supply chains
Open Source Secure Software Supply Chain in action
04:05 MIN
Learning from the SolarWinds supply chain attack
Securing your application software supply-chain
11:13 MIN
The danger of dependency confusion in NPM packages
Security in modern Web Applications - OWASP to the rescue!
15:35 MIN
Modern cybersecurity challenges for developers
Cyber Security: Small, and Large!
23:29 MIN
Implementing and enforcing supply chain policies
Securing your application software supply-chain
00:09 MIN
Understanding software supply chain security in JavaScript
Oops! Stories of supply chain shenanigans
Featured Partners
Related Videos
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
28:27Securing your application software supply-chain
Niels Tanis
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
37:36Walking into the era of Supply Chain Risks
Vandana Verma
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
29:50Real-World Security for Busy Developers
Kevin Lewis
From learning to earning
Jobs that call for the skills explored in this talk.
IT Consultant - Azure / PowerShell / Security
Grouplink IT Solutions GmbH
Remote
DNS
Azure
Powershell
Microsoft Office
+1
Operational Security Engineer - Windows & Azure Cloud
Rocken AG
Azure
Powershell
Windows Server
Network Security
Embedded Security Engineer - Schwachstellenanalyse | Car IT | Secure Coding
Prognum Automotive GmbH
Remote
C++