1. How Your .NET Software Supply Chain is Open to Attack: And How to Fix It - Andrei Epure
Software supply chain attacks can have devastating consequences, as demonstrated by the SolarWinds breach. In this session, Andrei Epure discussed two major vulnerabilities in package distribution: typosquatting and dependency confusion. While demonstrated using NuGet, these concepts are applicable to other package repositories.
Key takeaways:
- Typosquatting: Attackers exploit human errors in package configuration, releasing malicious packages whose names closely resemble legitimate ones. To prevent this, configure trusted signers so that only packages signed by verified certificates and owners are accepted.
- Dependency Confusion: Attackers release packages with the same names and versions as those in a company’s private repository. Configuring package source mapping restricts each package to an authorized source and prevents this compromise.
- Reserve Package Prefix: Prevent malicious creators from releasing packages in your company’s name by reserving a prefix. Contact the package repository team and provide the necessary information to ensure only authorized creators can release packages with the reserved prefix.
Implementing these measures strengthens your software supply chain security, mitigating risks associated with compromised packages.
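The three measures above map onto a single nuget.config. The file below is an added example, not the speaker's material: the private feed URL, the `Contoso.*` prefix and the certificate fingerprint are placeholders standing in for your own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Start from an empty list so machine-wide feeds cannot sneak in. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <!-- Placeholder URL for the company's private feed. -->
    <add key="contoso-private" value="https://pkgs.example.invalid/nuget/v3/index.json" />
  </packageSources>

  <!-- Dependency confusion: each package id may only come from the mapped source.
       The longest matching prefix wins, so Contoso.* never resolves to nuget.org
       even if someone publishes a higher version of the same id there. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso-private">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>

  <!-- Typosquatting: only packages that carry a trusted repository or author
       signature are restored. A look-alike name uploaded by an unknown owner
       fails the owners check and is rejected. -->
  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <!-- Placeholder: replace with the feed's published signing certificate fingerprint. -->
      <certificate fingerprint="REPLACE_WITH_REPOSITORY_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>microsoft;aspnet</owners>
    </repository>
    <author name="Contoso Build">
      <certificate fingerprint="REPLACE_WITH_AUTHOR_CERT_SHA256"
                   hashAlgorithm="SHA256" allowUntrustedRoot="false" />
    </author>
  </trustedSigners>

  <config>
    <!-- Without "require", trustedSigners entries are only advisory. -->
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>
```

Prefix reservation has no config equivalent; it is requested from the nuget.org team, and the `Contoso.*` mapping above is only meaningful once that prefix belongs to your organization on the public feed. A quick check that the mapping is in effect: `dotnet restore` with `--verbosity normal` reports which source each package came from, and a `Contoso.*` package resolved from nuget.org means the mapping is missing or the file is not the one being read.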
2. You are doing logging in .NET wrong. Let’s fix it. - Nick Chapsas
Efficient logging is essential for maintaining optimal application performance. In Nick Chapsas’ session, the drawbacks of suboptimal logging practices were highlighted, emphasizing the need for optimized logging techniques.
Key takeaways:
- Performance Impact of Default Logging: Out-of-the-box logging, such as structured logging, can lead to unnecessary memory allocation, even for log lines that are not logged due to lower log levels. This can negatively impact system performance.
- Serilog for Improved Logging: The Serilog NuGet package addresses this performance issue. Serilog checks the log level before formatting a message, so memory is allocated only when the line will actually be written. Adopting Serilog optimizes the logging implementation and reduces resource usage.
- Custom Logging Adapters: Developing custom logging adapters tailored to specific requirements offers an alternative approach. Creating a customized solution allows for fine-grained control over logging behavior, enhancing performance and resource utilization.
By addressing inefficient logging practices through the use of Serilog or custom adapters, developers can enhance application performance and mitigate long-term logging issues.
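The allocation problem and the level-check fix can be seen in a few lines of Microsoft.Extensions.Logging code. This is an added example, not code from the session; it assumes the `Microsoft.Extensions.Logging.Abstractions` package is referenced and uses `NullLogger` (which reports every level as disabled) so it runs without any logging provider configured.

```csharp
using System;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;

// Strongly typed logging: the template is parsed once, the call takes no
// params array, the value types are not boxed, and the generated delegate
// checks IsEnabled before doing any work.
static class OrderLogging
{
    private static readonly Action<ILogger, int, decimal, Exception?> s_orderPlaced =
        LoggerMessage.Define<int, decimal>(
            LogLevel.Debug,
            new EventId(1001, nameof(OrderPlaced)),
            "Order {OrderId} placed for {Amount}");

    public static void OrderPlaced(this ILogger logger, int orderId, decimal amount)
        => s_orderPlaced(logger, orderId, amount, null);
}

class Program
{
    // Stands in for work you do not want to pay for when the level is off.
    static string BuildExpensiveSummary(int orderId)
        => string.Join(",", new[] { orderId, orderId * 2, orderId * 3 });

    static void Main()
    {
        ILogger logger = NullLogger.Instance; // Debug is disabled here
        int orderId = 42;
        decimal amount = 19.99m;

        // 1. Naive: the object[] for the arguments is allocated, orderId is
        //    boxed and BuildExpensiveSummary runs, all before the logger
        //    notices that Debug is disabled and drops the line.
        logger.LogDebug("Order {OrderId} placed: {Summary}",
                        orderId, BuildExpensiveSummary(orderId));

        // 2. Guarded: the level check runs first; nothing is allocated or
        //    computed when the level is off.
        if (logger.IsEnabled(LogLevel.Debug))
        {
            logger.LogDebug("Order {OrderId} placed: {Summary}",
                            orderId, BuildExpensiveSummary(orderId));
        }

        // 3. Pre-compiled template: no boxing, no params array, level check
        //    built in. This is the pattern a custom adapter would expose.
        logger.OrderPlaced(orderId, amount);
    }
}
```

The guard in step 2 is the same idea the session attributes to Serilog: decide whether the line is wanted before paying for its arguments. Step 3 removes the remaining per-call allocations and is where a custom adapter, as described in the third takeaway, would typically live.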
3. Hacker vs Azure Web Application Firewall - Laura Kokkarinen
In this session, Laura Kokkarinen presented a case study to evaluate the effectiveness of the Azure Web Application Firewall (WAF) in protecting against the OWASP Top 10 security vulnerabilities. The findings shed light on the importance of proactive security measures for developers, despite the presence of a firewall.
Key takeaways:
- Azure Web Application Firewall (WAF) Benefits: Setting up an Azure WAF provides an immediate security boost to your web application on Azure. It comes with built-in protection against the OWASP Top 10 security risks and can automatically block common attacks.
- Limitations of WAF: The experiment revealed that the Azure WAF does not fully protect against all of the OWASP Top 10 security vulnerabilities. Several gaps remained despite its deployment. This highlights the fact that a firewall alone is not sufficient to ensure comprehensive application security.
- Developer Responsibility: As a developer, it is crucial to take an active role in addressing and mitigating security risks. While the WAF provides a layer of protection, it is essential to proactively identify and fix any security vulnerabilities that may exist in your application.