How to attack a .NET software supply chain

Hosted by Valeriu C. and 2 others
Details

How to attack a .NET software supply chain with Andrei Epure

Software supply chain attacks can be catastrophic. For instance, the 2020 SolarWinds hack was considered an attack against the entire government and private sector of the United States of America.

Security researchers have shown that all significant package managers are vulnerable to supply chain attacks like typosquatting and dependency confusion. NuGet is vulnerable by design in its default configuration.

First, you will see how typosquatting and dependency confusion attacks can compromise .NET supply chains that rely on the default NuGet configuration. Second, I will show how you can secure your NuGet configuration to thwart evil hackers.

This talk will assume attendees have some basic knowledge of NuGet and MSBuild.

About the speaker: Andrei is part of the Languages Team at Sonar in Geneva, developing the code analyzers for the .NET offering (Code Quality and Security for C# and VB.NET using the Roslyn compiler framework). Formerly at Microsoft Ireland, Almetis France, and Bitdefender Romania.

Geneva .NET User Group