Wednesday 

Room 2 

10:20 - 11:20 

(UTC±00)

Talk (60 min)

Beyond Trust: Building Community-Driven Security Analysis for Your .NET Software Supply Chain

With 80% of modern applications built on third-party code, supply chain security has become critical. Traditional security tools like OpenSSF Security Scorecard provide surface-level metrics, but fail to detect planted malware, risky API usage, and vulnerabilities buried deep in dependency chains.

Application Security
Programming
Security Tooling
Supply Chain

This session explores the limitations of current NuGet security approaches and introduces Fennec Labs — an open-source project for comprehensive dependency analysis. We'll demonstrate automated detection of security risks within NuGet packages, collaborative threat intelligence sharing, and practical techniques for making informed decisions about package adoption.

Key topics include:

  • Identifying hidden security threats in NuGet packages
  • Automated analysis of risky API patterns and behaviors
  • Community-driven security intelligence for .NET dependencies
  • Practical integration strategies for development workflows

You'll leave with actionable tools and methodologies to strengthen your application's supply chain security posture and defend against sophisticated package-based attacks.

Niels Tanis

Niels Tanis has a background in .NET development, pentesting and security consultancy. He is a Microsoft MVP and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and currently works as a security researcher on a variety of languages and technologies related to Veracode’s Binary Static Analysis service. He is married, a father of two, and lives in a small village just outside Amersfoort, The Netherlands.