With our complete software development process becoming more complex we also got a lot more security problems to deal with. What starts with code and ends with releasing/deploying software is also being referred at as the software-supply chain. The software supply-chain consists of a lot of moving parts. Each of them facing their own security risks starting from access to source code, compromised third-party libraries and tools, or even hacked build servers. For example with SolarWinds the compromised build server added malicious functionality to the end product used by their customers. And the supply-chain of the 3CX voice-over-IP software was even compromised via a piece of software installed on one of it's developers machine.
In this session we'll get hands-on with securing a .NET application it's supply chain and look how we can limit the security risks in all the different area's. We're going to look into reproducible builds, signing artifacts, creating (and validating) provenance and software bill of materials (SBOM) with guidance of Google SLSA and the Secure Supply Chain Consumption Framework (S2C2F).