Building Secure Software: Unveiling the Hidden Dependencies with Niels Tanis

Avalonia XPF This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF, enables WPF apps to run on new platforms with minimal effort and maximum compatibility. Show Notes And keep in mind that, not to bash OWASP and the top ten at all because I'm a big fan of OWASP, but people always tell me like, "yeah, I'm OWASP compliant," and that's the biggest BS, to be honest. Because a top ten could not like, it should be an awareness piece and you should work from it. And there are better ways of dealing with that. But I think a security scorecard should never be a goal. It should be a means to reach the goal, to have better understanding, right? And hopefully they can change stuff and be more expressive. — Niels Tanis Welcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie "GaProgMan" Taylor. In this episode, Niels Tanis returned to the show. He was previous on the show back in episode 69 - The Risks of Third Party Code With Niels Tanis - which was released back in February of 2021. I asked Niels to back on the show to talk more about securing the software development supply chain and SBoMs (Software Bills of Materials). Yeah, that makes sense. It's funny. So I think when I started out talking about supply chain, and there were some tools that have been introduced to do SBoM data, and then you also come into an area called provenance, which tells more about the build and about "this build server was used. And I've run on GitHub actions, or I run on a GitLab instance, or I have stuff done differently," right? Maybe even the Redhat one: Tekton, that kind of thing. And based on that, I'm producing an SBoM. And I did a talk and I concluded with that, "it's like, these are cool tools, you need to look into it." And then somebody at the end asked me the question, "and the what? You have all the data? And then what?" I said, "yeah, that's solid question because that will be the next step." And it's funny that you mentioned it as well. So over the time, I think it was around already when I started out talking. But there's a project that Google created called Guac. — Niels Tanis So let's sit back, open up a terminal, type in dotnet new podcast and we'll dive into the core of Modern .NET. Supporting the Show If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-6/building-secure-software-unveiling-the-hidden-dependencies-with-niels-tanis/ Useful Links Getting started with Tekton Guac NDC in London NDC security Vercaode BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET Charles Lamb - To Be Creative, Don't Think So Hard Log4j vulnerability - what everyone needs to know Google SALSA CycloneDX Open Source Security Foundation ossf/scorecard: OpenSSF Scorecard securityscorecards.dev Newtonsoft.Json Open Source Insights What deps.dev has to say about OwaspHeaders.Core nielstanis/Fennec.NetCore: Fennec.NetCore Metalnem/sharpfuzz: AFL-based fuzz testing for .NET AFL) libfuzzer Five years of fuzzing .NET with SharpFuzz CodeQL SonarCube Cargo Vet Common Vulnerabilities and Exposures defintion OpenVas RLBox Emscripten Extending Webassembly to the Cloud with .NET Microsoft Build 2023 - Hyperlight Bytecode Alliance Wasmtime CyberBunker WasmCon 2023 Talks Playlist XKCD - Dependency Connecting with Niels: on Mastodon his website Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in touch: via the contact page joining the Discord Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.