Andrei Epure
How your .NET software supply chain is open to attack: and how to fix it
#1 (about 3 minutes): Understanding the risks in your software supply chain
Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.

#2 (about 4 minutes): How typosquatting attacks exploit common developer mistakes
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.

#3 (about 4 minutes): A live demo of a typosquatting attack in .NET
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.

#4 (about 4 minutes): Using trusted signers to defend against typosquatting
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.

#5 (about 4 minutes): Explaining dependency confusion attacks in the NuGet ecosystem
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.

#6 (about 3 minutes): A live demo of a dependency confusion attack
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.

#7 (about 2 minutes): Preventing dependency confusion with package source mapping
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.

#8 (about 5 minutes): A summary of key NuGet security best practices
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.