Monday 

Room 1 

09:00 - 17:00 

(UTC+02

2 Days

Securing your .NET application software supply-chain

With our complete software development process becoming more complex we also got a lot more security problems to deal with. What starts with code and ends with releasing/deploying software is also being referred at as the software supply-chain. Over the last years we've seen some big security incidents tied to the software supply-chain and the software industry acknowledged there was a need for action. And today there is a lot to choose from, but what will be the most effective things to do?

Security
.NET

In this course we'll take an existing .NET application available in GitHub and work our way through securing it's supply-chain. Starting with code, depedencies, building and releasing our software. This training will be a combination instructions followed by a lab to putting it into practice.

This workshop covers:

  • Intro to supply-chain security risks
  • Working with source and Git commit signing
  • Reproducible Builds
  • Understanding used 3rd party libraries and used containers using SBOM and OpenVEX
  • Working with Software-Bill of Materials (SBOM) using CycloneDX and Syft/Docker for Containers
  • Signing code and artifacts with SigStore
  • Google SLSA (Supply-chain Levels for Software Artifacts)
  • Microsoft Secure Supply Chain Consumption Framework (S2C2F)
  • Google GUAC: Graph for Understanding Artifact Composition
  • Oh no our supply-chain got hacked! Now what?

Prerequisites:
The attendee needs to bring their own .NET development machine with .NET9 SDK, Docker Desktop, your favorite IDE installed and have access to GitHub.

Although most of this workshop is driven from GitHub, I'll make sure to also share similar examples/references how same can be achieved on different platforms (e.g. GitLab/Azure DevOps/Tekton).

Niels Tanis

Niels Tanis has got a background in .NET development, pentesting and security consultancy. He is Microsoft MVP and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security researcher on a variant of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, father of two and lives in a small village just outside Amersfoort, The Netherlands.