Andrei Epure
How your .NET software supply chain is open to attack : and how to fix it
#1about 3 minutes
Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.
#2about 4 minutes
How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
#3about 4 minutes
A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
#4about 4 minutes
Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
#5about 4 minutes
Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
#6about 3 minutes
A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
#7about 2 minutes
Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.
#8about 5 minutes
A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
Related jobs
Jobs that call for the skills explored in this talk.
Matching moments
05:43 MIN
How attackers exploit developers and packages
Vue3 practical development
05:49 MIN
Common attacks targeting software developers
Vulnerable VS Code extensions are now at your front door
01:46 MIN
Understanding the rising threat to software supply chains
Open Source Secure Software Supply Chain in action
01:25 MIN
Learning from the SolarWinds supply chain attack
Securing your application software supply-chain
05:36 MIN
Taking action on NPM supply chain security vulnerabilities
WeAreDevelopers LIVE - Build a multi AI agents game master with Strands & our weekly web finds
02:18 MIN
The danger of dependency confusion in NPM packages
Security in modern Web Applications - OWASP to the rescue!
03:36 MIN
Developers as an unintentional malware distribution vehicle
Walking into the era of Supply Chain Risks
04:45 MIN
Mitigating supply chain attacks with DevSecOps practices
Security Pitfalls for Software Engineers
Featured Partners
Related Videos
28:27Securing your application software supply-chain
Niels Tanis
33:29Programming secure C#/.NET Applications: Dos & Don'ts
Sebastian Leuer
24:47Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
32:55Open Source Secure Software Supply Chain in action
Natale Vinto
37:36Walking into the era of Supply Chain Risks
Vandana Verma
29:47You click, you lose: a practical look at VSCode's security
Thomas Chauchefoin & Paul Gerste
27:10Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
Sonya Moisset
27:32Security Pitfalls for Software Engineers
Jasmin Azemović
Related Articles
View all articles
.gif?w=240&auto=compress,format)
.png?w=240&auto=compress,format)
From learning to earning
Jobs that call for the skills explored in this talk.
SYSKRON GmbH
Regensburg, Germany
Intermediate
Senior
.NET
Python
Kubernetes
Noir
Vienna, Austria
Remote
€65-90K
Dependency Injection
Microsoft SQL Server
Continuous Integration
Computacenter AG & Co. OHG
Nürnberg, Germany
Remote
Microservices