Building Secure Software: Unveiling the Hidden Dependencies with Niels Tanis
Release Date: 04/19/2024
The Modern .NET Show
Avalonia XPF
This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF that enables WPF apps to run on new platforms with minimal effort and maximum compatibility.
Show Notes
And keep in mind that, not to bash OWASP and the top ten at all because I'm a big fan of OWASP, but people always tell me like, "yeah, I'm OWASP compliant," and that's the biggest BS, to be honest. Because a top ten could not like, it should be an awareness piece and you should work from it. And there are better ways of dealing with that. But I think a security scorecard should never be a goal. It should be a means to reach the goal, to have better understanding, right? And hopefully they can change stuff and be more expressive.
Welcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie "GaProgMan" Taylor.
In this episode, Niels Tanis returned to the show. He was previously on the show back in episode 69 - The Risks of Third Party Code With Niels Tanis - which was released back in February of 2021. I asked Niels to come back on the show to talk more about securing the software development supply chain and SBoMs (Software Bills of Materials).
Yeah, that makes sense. It's funny.
So I think when I started out talking about supply chain, and there were some tools that have been introduced to do SBoM data, and then you also come into an area called provenance, which tells more about the build and about "this build server was used. And I've run on GitHub actions, or I run on a GitLab instance, or I have stuff done differently," right? Maybe even the Redhat one: Tekton, that kind of thing. And based on that, I'm producing an SBoM.
And I did a talk and I concluded with that, "it's like, these are cool tools, you need to look into it." And then somebody at the end asked me the question, "and then what? You have all the data? And then what?" I said, "yeah, that's a solid question because that will be the next step." And it's funny that you mentioned it as well.
So over the time, I think it was around already when I started out talking. But there's a project that Google created called Guac.
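Niels's "and then what?" question is the gap between holding SBOM and provenance data and using it. The following is an added example (not code from the episode, from Niels Tanis, or from the GUAC project): it takes a constructed CycloneDX SBOM and a constructed SLSA v1 provenance statement and runs two checks a practitioner would actually want. First, that the provenance subject digest is the artifact the SBOM describes and that the build was run by an allow-listed builder; second, which declared dependencies lack a purl or a SHA-256 hash and so cannot be pinned to an exact artifact. The field names follow the CycloneDX JSON and in-toto/SLSA v1 layouts; the digests, component names, builder IDs and the trusted-builder list are assumptions.

```python
"""Cross-check a CycloneDX SBOM against SLSA v1 provenance.

Added example for these show notes; not code from the episode, Niels Tanis,
or GUAC. All documents below are constructed samples.
"""
from __future__ import annotations

import copy

# Constructed digests; real ones come from hashing the built artifact.
APP_DIGEST = "ab" * 32
DEP_DIGEST = "cd" * 32

# Constructed CycloneDX 1.5 SBOM (JSON layout, as a dict) for a hypothetical service.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "example-api",
            "version": "1.2.3",
            "hashes": [{"alg": "SHA-256", "content": APP_DIGEST}],
        }
    },
    "components": [
        {
            "type": "library",
            "name": "Newtonsoft.Json",
            "version": "13.0.3",
            "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
            "hashes": [{"alg": "SHA-256", "content": DEP_DIGEST}],
        },
        # Hypothetical dependency recorded with neither a purl nor a hash.
        {"type": "library", "name": "Legacy.Helpers", "version": "0.9.0"},
    ],
}

# Constructed SLSA v1 provenance wrapped in an in-toto v1 Statement.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-api", "digest": {"sha256": APP_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci-workflow/v1",
            "externalParameters": {
                "repository": "https://github.com/example/example-api",
                "ref": "refs/tags/v1.2.3",
            },
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/release-ci"}},
    },
}

# Assumed policy: builder IDs whose provenance this consumer is willing to trust.
TRUSTED_BUILDERS = {"https://example.invalid/builders/release-ci"}


def sbom_component_digest(sbom: dict) -> str | None:
    """SHA-256 of the SBOM's top-level component, or None if not recorded."""
    for h in sbom.get("metadata", {}).get("component", {}).get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h["content"].lower()
    return None


def provenance_subject_digests(statement: dict) -> set[str]:
    """All sha256 subject digests, after checking the statement really is SLSA provenance."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("not an in-toto v1 Statement")
    if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        raise ValueError("predicateType is not SLSA provenance")
    return {s["digest"]["sha256"].lower()
            for s in statement.get("subject", []) if "sha256" in s.get("digest", {})}


def provenance_matches_sbom(sbom: dict, statement: dict) -> bool:
    """True only if the provenance vouches for the exact artifact the SBOM describes."""
    digest = sbom_component_digest(sbom)
    return digest is not None and digest in provenance_subject_digests(statement)


def builder_is_trusted(statement: dict, trusted_builders: set[str]) -> bool:
    """Provenance from an unknown builder proves nothing about the build."""
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {})
    return builder.get("id") in trusted_builders


def components_missing_integrity(sbom: dict) -> list[str]:
    """Components without a purl or SHA-256 cannot be matched to a concrete package."""
    missing = []
    for c in sbom.get("components", []):
        has_sha = any(h.get("alg") == "SHA-256" for h in c.get("hashes", []))
        if not c.get("purl") or not has_sha:
            missing.append(f"{c.get('name')}@{c.get('version')}")
    return missing


def with_subject_digest(statement: dict, digest: str) -> dict:
    """Copy of the statement with its first subject digest replaced (used to model tampering)."""
    altered = copy.deepcopy(statement)
    altered["subject"][0]["digest"]["sha256"] = digest
    return altered


def evaluate(sbom: dict, statement: dict, trusted_builders: set[str]) -> dict:
    """Combine the checks into one policy report."""
    return {
        "artifact_matches_provenance": provenance_matches_sbom(sbom, statement),
        "builder_trusted": builder_is_trusted(statement, trusted_builders),
        "components_missing_integrity": components_missing_integrity(sbom),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SBOM, PROVENANCE, TRUSTED_BUILDERS), indent=2))
```

The two checks deliberately fail closed: an SBOM without a top-level hash, or a statement whose `predicateType` is not SLSA provenance, never yields a match, because the dangerous outcome is trusting an SBOM that describes a different artifact than the one that was built.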
So let's sit back, open up a terminal, type in dotnet new podcast and we'll dive into the core of Modern .NET.
Supporting the Show
If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show.
Full Show Notes
The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-6/building-secure-software-unveiling-the-hidden-dependencies-with-niels-tanis/
Useful Links
- Getting started with Tekton
- Guac
- NDC in London
- NDC security
- Veracode
- BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
- Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET
- Charles Lamb - To Be Creative, Don't Think So Hard
- Log4j vulnerability - what everyone needs to know
- Google SLSA
- CycloneDX
- Open Source Security Foundation
- ossf/scorecard: OpenSSF Scorecard
- securityscorecards.dev
- Newtonsoft.Json
- Open Source Insights
- nielstanis/Fennec.NetCore: Fennec.NetCore
- Metalnem/sharpfuzz: AFL-based fuzz testing for .NET
- AFL
- libfuzzer
- Five years of fuzzing .NET with SharpFuzz
- CodeQL
- SonarQube
- Cargo Vet
- Common Vulnerabilities and Exposures definition
- OpenVAS
- RLBox
- Emscripten
- Extending WebAssembly to the Cloud with .NET
- Microsoft Build 2023 - Hyperlight
- Bytecode Alliance
- Wasmtime
- CyberBunker
- WasmCon 2023 Talks Playlist
- XKCD - Dependency
- Connecting with Niels:
- Supporting the show:
- Getting in touch:
- Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show
Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend.
And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch.
You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.