In the early days, breaking into systems (hacking) mostly consisted of finding machines that were connected to the internet and exposed all their services. In some ways the industry became better at locking down infrastructure and access, and attacks shifted their focus to applications, finding issues like SQL injection and Cross-Site Scripting. With the latest move to ‘DevOps’ and the use of build pipelines for CI/CD, with Azure DevOps or GitHub Actions, attacks have become even more sophisticated. What if the container images and/or 3rd-party libraries in use contain vulnerabilities? With cloud-native approaches like Azure Functions, our application landscapes have become a lot more complex, giving hackers more opportunities because of the increased attack surface. All the steps we need to take to develop, test and release our software can be referred to as the software supply chain, which has become a lot more complicated.
In this session we’ll take a .NET application and go through the different areas of the supply chain, identify the security issues, and possible ways of resolving those issues!