Building Secure Software: Unveiling the Hidden Dependencies with Niels Tanis
The Modern .NET Show
Implementing Software Bill of Materials for Dependency Management
The chapter emphasizes the importance of using a software bill of materials (S-BOM) to track dependencies and ensure compliance in software development. It discusses tools like quack, salsa, and Cyclone DX for managing S-BOM data and touches on the significance of addressing hidden dependencies and taking ownership of managing dependencies.
This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF, enables WPF apps to run on new platforms with minimal effort and maximum compatibility.
Show Notes And keep in mind that, not to bash OWASP and the top ten at all because I'm a big fan of OWASP, but people always tell me like, "yeah, I'm OWASP compliant," and that's the biggest BS, to be honest. Because a top ten could not like, it should be an awareness piece and you should work from it. And there are better ways of dealing with that. But I think a security scorecard should never be a goal. It should be a means to reach the goal, to have better understanding, right? And hopefully they can change stuff and be more expressive. — Niels TanisWelcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie "GaProgMan" Taylor.
In this episode, Niels Tanis returned to the show. He was previous on the show back in episode 69 - The Risks of Third Party Code With Niels Tanis - which was released back in February of 2021. I asked Niels to back on the show to talk more about securing the software development supply chain and SBoMs (Software Bills of Materials).
Yeah, that makes sense. It's funny.
So I think when I started out talking about supply chain, and there were some tools that have been introduced to do SBoM data, and then you also come into an area called provenance, which tells more about the build and about "this build server was used. And I've run on GitHub actions, or I run on a GitLab instance, or I have stuff done differently," right? Maybe even the Redhat one: Tekton, that kind of thing. And based on that, I'm producing an SBoM.
And I did a talk and I concluded with that, "it's like, these are cool tools, you need to look into it." And then somebody at the end asked me the question, "and the what? You have all the data? And then what?" I said, "yeah, that's solid question because that will be the next step." And it's funny that you mentioned it as well.
So over the time, I think it was around already when I started out talking. But there's a project that Google created called Guac.
— Niels TanisSo let's sit back, open up a terminal, type in dotnet new podcast and we'll dive into the core of Modern .NET.
Supporting the ShowIf you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show.
Full Show NotesThe full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-6/building-secure-software-unveiling-the-hidden-dependencies-with-niels-tanis/
Useful Links- Getting started with Tekton
- Guac
- NDC in London
- NDC security
- Vercaode
- BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
- Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET
- Charles Lamb - To Be Creative, Don't Think So Hard
- Log4j vulnerability - what everyone needs to know
- Google SALSA
- CycloneDX
- Open Source Security Foundation
- ossf/scorecard: OpenSSF Scorecard
- securityscorecards.dev
- Newtonsoft.Json
- Open Source Insights
- nielstanis/Fennec.NetCore: Fennec.NetCore
- Metalnem/sharpfuzz: AFL-based fuzz testing for .NET
- AFL)
- libfuzzer
- Five years of fuzzing .NET with SharpFuzz
- CodeQL
- SonarCube
- Cargo Vet
- Common Vulnerabilities and Exposures defintion
- OpenVas
- RLBox
- Emscripten
- Extending Webassembly to the Cloud with .NET
- Microsoft Build 2023 - Hyperlight
- Bytecode Alliance
- Wasmtime
- CyberBunker
- WasmCon 2023 Talks Playlist
- XKCD - Dependency
- Connecting with Niels:
- Supporting the show:
- Getting in touch:
- Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show
Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend.
And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch.
You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.
The AI-powered Podcast Player
