.NET Day Switzerland 2022 Resources (Dependency Confusion)
You probably arrived on this page after watching my talk about Dependency Confusion at .NET Day Switzerland on the 30th of August 2022.
As a reminder, these are the three easy steps to take in order to secure your NuGet supply chain against dependency confusion attacks (links to Microsoft docs):
- Use Package Source Mapping
- Use trusted signers: Manage package trust boundaries
- Reserve prefixes for both your public and private packages on nuget.org: Package ID prefix reservation
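As an added illustration (not code from the talk or its demo repository), this is what the first two steps look like in a project-level nuget.config; the third step, prefix reservation, is done on nuget.org itself and is only reflected here in the pattern used. The private feed URL, the `Contoso` prefix, the signer name and the certificate fingerprints are assumptions and placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- <clear /> drops feeds inherited from user- and machine-level nuget.config
         files, so only the sources listed below are ever queried. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Hypothetical private feed; replace with your own. -->
    <add key="contoso-private" value="https://pkgs.example.com/contoso/nuget/v3/index.json" />
  </packageSources>

  <packageSourceMapping>
    <!-- Everything not matched by a more specific pattern is resolved from nuget.org. -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <!-- Packages under the reserved prefix are resolved ONLY from the private feed.
         The longest matching pattern wins, so "Contoso.*" beats "*": a package called
         Contoso.Internal.Tools published to nuget.org is never considered. -->
    <packageSource key="contoso-private">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <config>
    <!-- "require" makes the trustedSigners list enforced: every package must carry a
         valid signature from one of the signers below. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <trustedSigners>
    <!-- Author-signed packages are accepted only if signed with this certificate.
         Placeholder fingerprint: use the one from your own signing certificate. -->
    <author name="contoso-signing">
      <certificate fingerprint="SHA256_FINGERPRINT_PLACEHOLDER" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
    <!-- Repository-signed packages from nuget.org are accepted only if the package
         owner is in the list below; the repository certificate is also a placeholder. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="SHA256_FINGERPRINT_PLACEHOLDER" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>Microsoft</owners>
    </repository>
  </trustedSigners>
</configuration>
```

Check the effective configuration with `dotnet nuget list source` and `dotnet nuget trust list`, which print the merged sources and trusted signers as NuGet actually sees them.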
The source code for my demos is on GitHub, feel free to use it when explaining the problem to your colleagues.
More docs from Microsoft:
- NuGet Best practices for a secure software supply chain
- For Maven, Gradle, NuGet, npm, Pip, Yarn: 3 Ways to Mitigate Risk When Using Private Package Feeds
- MSBuild .props and .targets in a NuGet package
- MSBuild inline tasks
You can read about the NuGet historical design decision of having a non-deterministic package resolution behavior for hybrid configurations (fetching packages from all configured sources in parallel): NuGet/Home#5611.
About substitution attacks - the original article by security researcher Alex Bîrsan from Romania: Dependency Confusion: How I Hacked Into Apple, Microsoft, and Dozens of Other Companies.
About typosquatting:
- Typosquatting programming language package managers (2016) in the npm, PyPI and RubyGems ecosystems
- IconBurst NPM software supply chain attack grabs data from apps and websites (2022) in the NPM ecosystem
About the SolarWinds breach:
- overview, timeline: New Findings From Our Investigation of SUNBURST
- technical explanation of SUNSPOT, the malicious tool that was deployed into the SolarWinds build environment: SUNSPOT: An Implant in the Build Process.
- technical explanation of SUNBURST, the trojan shipped inside Orion: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- SUNBURST Additional Technical Details
- list of victims: The List of Known SolarWinds Breach Victims Grows, as Do Attack Vectors
C. Augusto Proiete demonstrated that NuGet packages can execute arbitrary code in 2019 - i-am-root-nuget-package.
Whether or not you enjoyed my talk, please fill in this Feedback form (Google Form, anonymous).
Last, but not least: we’re hiring at Sonar!