13:40 - 14:40

Talk (60 min)

Securing your .NET application software supply-chain, the practical approach!

As our complete software development process has become more complex, we have also gained a lot more security problems to deal with. The chain that starts with code and ends with releasing/deploying software is also referred to as the software supply chain.

Over the last few years we have seen some big security incidents tied to the software supply chain, and the software industry has acknowledged the need for action. Today there is a lot to choose from, but which measures are the most effective? We'll start out with a GitHub repository that contains a .NET application and work our way through securing the supply chain by covering the following subjects:

- Defining the software supply-chain security risks
- Git commit signing
- Reproducible Builds
- Understanding the 3rd-party libraries in use
- Creating a Software Bill of Materials (SBOM)
- Google SLSA
- Signing code and artifacts
- My supply chain got hacked, now what?

Aside from having access to GitHub, you also need to bring your own .NET development machine to participate in this workshop.

Niels Tanis

Niels Tanis has a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and currently works as a security researcher on a variety of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, a father of two, and lives in a small village just outside Amersfoort, The Netherlands.