Securing your .NET application software supply-chain - Niels Tanis - NDC Sydney 2022

Introduction

In the ever-evolving landscape of software development, securing the application software supply chain has become paramount. This article delves into the complexities of the software supply chain, as presented by Niels Tanis at NDC Sydney 2022.

Introduction

Hello everyone, I'm Niels Tanis from the Netherlands. It's a pleasure to be here at NDC Sydney. Today, we will explore the topic of securing your .NET application software supply chain, extending upon insights shared during the morning keynote.

The Evolution of Software Development

Over the last two decades, software development has transformed significantly. Originally, developers would create monolithic applications that were installed directly on a server. Today, development practices emphasize continuous delivery, cloud-native strategies, and microservices, leading to more complex workflows that introduce additional risks.

Definition of the Supply Chain

We will start by defining what constitutes a software supply chain, as it plays a crucial role in our discussion. A simplified analogy can be drawn from the automotive industry, where a car is assembled from various parts sourced from different suppliers. In software, this means that a developer uses third-party libraries, builds and tests their code, and then deploys it to production.

Risks in the Software Supply Chain

Risks can emerge at various points in the supply chain. One notable incident was the SolarWinds compromise, where attackers infiltrated the company’s build server, leading to malicious code being signed and distributed. These types of risks emphasize the importance of understanding the full breadth of our software dependencies and the potential for vulnerabilities.

Securing the Development Process

Managing Git Credentials

One primary concern in the development phase is managing Git credentials. A notable incident occurred in 2019 when Canonical's GitHub account credentials were stolen, highlighting the need for robust security measures such as multi-factor authentication (MFA).

Dependency Management

As we rely heavily on third-party libraries, consistent updates are crucial. Surprisingly, nearly 80% of developers neglect to update these libraries, leaving applications vulnerable. Examples include malicious additions to the UIParser library and the dependency confusion that arises when internal package names clash with public ones.

Next, vulnerability scanning tools and platforms that consolidate knowledge about library risks can be invaluable.

The Role of S-BOMs

A Software Bill of Materials (S-BOM) serves a vital function, detailing the ingredients of your software and underlying libraries. Tools like Cyclone DX can automate the generation of these documents, providing visibility into all components involved in your application.

Enhancing Build Security

To improve the integrity of builds, developers can adopt principles such as reproducible builds and artifact signing. Initiatives like SLSA (Supply-chain Levels for Software Artifacts) provide a framework to enhance supply chain security.

Conclusion

The landscape of software supply chain security is complex, but by incorporating rigorous standards, appropriate tooling, and secure practices, developers can mitigate risks effectively.

Keywords

• .NET
• Software supply chain
• Dependency management
• Vulnerability scanning
• Software Bill of Materials (S-BOM)
• Cyclone DX
• Reproducible builds
• SLSA

FAQ

Q1: What is a software supply chain?
A: A software supply chain refers to the end-to-end process involved in developing, building, and deploying software, including the use of third-party libraries.

Q2: How can I secure my software supply chain?
A: Implement best practices such as multi-factor authentication, regular updates to libraries, creating S-BOMs, and adopting reproducible build processes.

Q3: What are the risks associated with third-party libraries?
A: Third-party libraries can introduce vulnerabilities and risks, especially if they are not regularly updated or if they become compromised.

Q4: What is an S-BOM?
A: A Software Bill of Materials (S-BOM) is a document that lists all components and dependencies within a piece of software, providing insights into potential risks.

Q5: How can I automate the generation of S-BOMs?
A: Tools like Cyclone DX can help automate the process of generating S-BOMs to ensure visibility in your software dependencies.