You’ve probably arrived on this page after watching my talk “How to attack a .NET software supply chain” at the VisugXL conference on the 28th of October 2022 (held in Hasselt, Belgium).

Whether or not you enjoyed my talk, please fill in this anonymous feedback form.

As a reminder, these are the three easy steps to take in order to secure your NuGet supply chain against typosquatting and dependency confusion supply chain attacks:

  1. Use Package Source Mapping.
  2. Use trusted signers: Manage package trust boundaries.
  3. Reserve prefixes for both your public and private packages on nuget.org: Package ID prefix reservation.

In addition, to get an overview of all your direct and transitive dependencies and to be aware of changes in your dependency graph, use a NuGet lock file.
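The first two steps live in a single nuget.config. The fragment below is an added example, not one of the configurations from my talk or demo repository; the private feed URL, the "Contoso.*" prefix and the certificate fingerprints are placeholders you replace with your own values (take the fingerprints from the signing certificates you actually trust, never from a blog post).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Start from an empty list so no inherited (user/machine-level) feed sneaks in. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Placeholder private feed; Contoso.* packages must only ever come from here. -->
    <add key="contoso-private" value="https://pkgs.example.com/contoso/nuget/v3/index.json" />
  </packageSources>

  <!-- Step 1: Package Source Mapping. Every package ID must match a pattern below,
       otherwise restore fails instead of silently falling back to another feed.
       The most specific pattern wins, so "Contoso.*" beats "*" and dependency
       confusion via a same-named public package is no longer possible. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-private">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <config>
    <!-- Without "require", the trustedSigners list is advisory only. -->
    <add key="signatureValidationMode" value="require" />
  </config>

  <!-- Step 2: trusted signers. Only packages signed by these certificates (and, for
       repository signatures, by the listed owners) are accepted. -->
  <trustedSigners>
    <!-- Repository signature of nuget.org; restrict further to the owners you rely on. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER-NUGET-ORG-REPO-CERT-SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>microsoft;dotnetframework;aspnet</owners>
    </repository>
    <!-- Author signature used by your own build pipeline for Contoso.* packages. -->
    <author name="Contoso Build">
      <certificate fingerprint="PLACEHOLDER-CONTOSO-AUTHOR-CERT-SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>
</configuration>
```

For the lock file, add `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` to the project file, commit the generated packages.lock.json, and restore on CI with `dotnet restore --locked-mode` so any change in the dependency graph fails the build instead of being resolved silently.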

Some real life NuGet configurations:

The source code for my demos is on GitHub, feel free to use it when explaining these problems to your colleagues.

For more docs from Microsoft and more resources on software supply chain attacks, read the second part of this post.

Last, but not least: we’re hiring at Sonar!