How your .NET software supply chain is open to attack: and how to fix it
NuGet's default settings leave your projects vulnerable to supply chain attacks. Learn the two essential configuration changes you need to secure your builds.
#1 (about 3 minutes)
Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers and can lead to data exfiltration from build and developer machines.
#2 (about 4 minutes)
How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
#3 (about 4 minutes)
A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
#4 (about 4 minutes)
Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
#5 (about 4 minutes)
Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
#6 (about 3 minutes)
A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
#7 (about 2 minutes)
Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config lets you declare which source each package ID pattern may be restored from, so an internal package ID is never looked up on nuget.org, whatever version range the project asks for.
#8 (about 5 minutes)
A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
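The mechanism behind the typosquatting demo in chapter #3 is worth seeing in full, because nothing about it looks like an exploit. NuGet imports a `build/<PackageId>.targets` file shipped inside a package into every project that references that package, so any target in it runs on a plain `dotnet build` with no opt-in from the developer. The file below is a constructed illustration added for this page, not the speaker's demo package: the package ID `Popular.Librarry` is made up, and the payload only runs `whoami` and prints the result where a real one would fetch and execute a stager.

```xml
<!-- build/Popular.Librarry.targets, shipped inside a hypothetical typosquatted
     package (constructed example; the package ID is made up). NuGet imports
     build/<PackageId>.targets into every consuming project, so this target is
     executed by an ordinary `dotnet build` of any project that misspelled the
     real library's ID in a PackageReference. -->
<Project>
  <!-- An innocuous name and a hook on the normal Build target: no developer
       action beyond restoring and building is required. -->
  <Target Name="EnsureBuildEnvironment" BeforeTargets="Build">
    <!-- Exec runs an arbitrary shell command with the build user's rights and
         environment (CI tokens, SSH keys, cloud credentials). Here it is kept
         benign: it only captures who is running the build. -->
    <Exec Command="whoami" ConsoleToMSBuild="true" StandardOutputImportance="low">
      <Output TaskParameter="ConsoleOutput" PropertyName="_DemoBuildUser" />
    </Exec>
    <Message Importance="high"
             Text="[typosquat demo] build of $(MSBuildProjectName) ran arbitrary code as '$(_DemoBuildUser)'" />
  </Target>
</Project>
```

Two checks follow from this. First, with PackageReference the old `install.ps1`/`init.ps1` scripts are no longer executed, so `build/` and `buildTransitive/` `.props`/`.targets` files are where package-supplied build logic now lives; a quick audit of a developer or CI machine is `grep -rl "<Exec" ~/.nuget/packages/*/*/build*/`, then reading what each hit actually runs. Second, the target fires for every project in the solution that references the package, so one typo in one `.csproj` is enough.
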
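Chapters #4 and #7 describe the two nuget.config changes the talk recommends; the following single file puts both in place. It is an added example for this page, not the speaker's configuration: the source names, the internal feed URL, the `Contoso.*` ID prefix and the owner list are placeholders to replace with your own, and the certificate fingerprints are deliberately left as placeholders to be copied from the nuget.org signing documentation or read out of a downloaded package with `dotnet nuget trusted-signers add -n nuget.org --repository <path-to-nupkg> --owners <owners>`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config at the repository root (constructed example; source names,
     URLs, the Contoso.* prefix, owners and fingerprints are placeholders). -->
<configuration>
  <packageSources>
    <!-- Drop sources inherited from user- and machine-level configs so restore
         resolves only against the feeds this file declares. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="contoso-internal" value="https://pkgs.example.com/contoso/nuget/v3/index.json" />
  </packageSources>

  <!-- Dependency confusion fix (chapter #7). Once any mapping exists, a package
       ID is restored only from sources whose pattern matches it, and the most
       specific matching pattern wins. Contoso.* is therefore never requested
       from nuget.org, even for a floating PackageReference such as 1.*, so a
       public package with the same ID and a higher version is never considered. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <!-- Catch-all: every package not claimed by a more specific pattern,
           including transitive dependencies, comes from nuget.org. -->
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-internal">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <!-- Typosquatting fix, part 1 (chapter #4): refuse any package that is not
       signed by one of the trusted signers below. The default is "accept". -->
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>

  <!-- Part 2: who is trusted. The repository entry accepts nuget.org's
       repository signature only for packages whose owner list contains one of
       the named accounts; a misspelled ID uploaded by an unknown account is
       repository-signed by nuget.org just like the real one, and is rejected
       purely because its owner is not in this list. -->
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <!-- Placeholder: take the current SHA-256 fingerprint from the nuget.org
           signing documentation or from `dotnet nuget trusted-signers add --repository`. -->
      <certificate fingerprint="REPLACE_WITH_NUGET_ORG_REPOSITORY_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>Microsoft;dotnetfoundation</owners>
    </repository>
    <!-- Internal feed: sign your own packages (chapter #8) and trust only that
         author certificate, so an unsigned or foreign-signed Contoso.* build
         cannot be restored even from the private feed. -->
    <author name="contoso-signing">
      <certificate fingerprint="REPLACE_WITH_YOUR_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

Two caveats a practitioner should plan for. With source mapping on, every package ID in the graph, transitive ones included, must match some pattern or restore fails with NU1100, which is why the `*` catch-all on nuget.org is kept; the `<clear />` matters because a forgotten user-level source would otherwise be a feed with no mapping rules applied to it. And `signatureValidationMode=require` is enforced by restore on Windows and macOS, while on Linux the .NET 8 SDK only verifies signatures during restore when the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION` is set to `true`, so Linux CI agents need that variable or the trusted-signers list does nothing there.
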