Description
Avalonia XPF
This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF that enables WPF apps to run on new platforms with minimal effort and maximum compatibility.
Show Notes
And keep in mind that, not to bash OWASP and the Top Ten at all, because I'm a big fan of OWASP, but people always tell me, "yeah, I'm OWASP compliant," and that's the biggest BS, to be honest. Because a top ten could not, like, it should be an awareness piece and you should work from it. And there are better ways of dealing with that. But I think a security scorecard should never be a goal. It should be a means to reach the goal, to have better understanding, right? And hopefully they can change stuff and be more expressive.
— Niels Tanis

Welcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie "GaProgMan" Taylor.
In this episode, Niels Tanis returned to the show. He was previously on the show back in episode 69 - The Risks of Third Party Code With Niels Tanis - which was released back in February of 2021. I asked Niels to come back on the show to talk more about securing the software development supply chain and SBoMs (Software Bills of Materials).
Yeah, that makes sense. It's funny.

So I think when I started out talking about supply chain, there were some tools that had been introduced to do SBoM data, and then you also come into an area called provenance, which tells more about the build: "this build server was used, and I've run on GitHub Actions, or I run on a GitLab instance, or I have stuff done differently," right? Maybe even the Red Hat one: Tekton, that kind of thing. And based on that, I'm producing an SBoM.

And I did a talk and I concluded with, "these are cool tools, you need to look into it." And then somebody at the end asked me the question, "and then what? You have all the data, and then what?" I said, "yeah, that's a solid question, because that will be the next step." And it's funny that you mentioned it as well.

So over time, I think it was already around when I started out talking, but there's a project that Google created called Guac.
— Niels Tanis

So let's sit back, open up a terminal, type in dotnet new podcast and we'll dive into the core of Modern .NET.
Supporting the Show
If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show.

Full Show Notes
The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-6/building-secure-software-unveiling-the-hidden-dependencies-with-niels-tanis/
Useful Links
Getting started with Tekton
Guac
NDC in London
NDC Security
Veracode
BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET
Charles Lamb - To Be Creative, Don't Think So Hard
Log4j vulnerability - what everyone needs to know
Google SLSA
CycloneDX
Open Source Security Foundation
ossf/scorecard: OpenSSF Scorecard
securityscorecards.dev
Newtonsoft.Json
Open Source Insights
What deps.dev has to say about OwaspHeaders.Core
nielstanis/Fennec.NetCore: Fennec.NetCore
Metalnem/sharpfuzz: AFL-based fuzz testing for .NET
AFL
libFuzzer
Five years of fuzzing .NET with SharpFuzz
CodeQL
SonarQube
Cargo Vet
Common Vulnerabilities and Exposures definition
OpenVAS
RLBox
Emscripten
Extending WebAssembly to the Cloud with .NET
Microsoft Build 2023 - Hyperlight
Bytecode Alliance
Wasmtime
CyberBunker
WasmCon 2023 Talks Playlist
XKCD - Dependency
Connecting with Niels: on Mastodon, his website