
Theme: Secure Supply Chain with NuGet #12502

Open
6 of 17 tasks
JonDouglas opened this issue Mar 21, 2023 · 0 comments
Assignees: JonDouglas
Labels: Priority:2 (Issues for the current backlog), Theme (Represents a .NET theme for themesof.net), Type:Tracking (This issue is tracking the completion of other related issues)

Comments

JonDouglas (Contributor) commented Mar 21, 2023

Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much.

One of our ongoing themes of .NET is to secure the software supply chain. To achieve a secure supply chain with NuGet, it is important to implement security best practices such as using only trusted package sources, scanning packages for vulnerabilities and malware, and verifying package signatures. Developers should also ensure that they are using the latest versions of packages to take advantage of security updates.

In .NET 8 we have a few areas that will help us make progress on that goal.

Guarantees of secure and trusted packages 🔒

To combat known vulnerabilities and active supply chain attacks, developers need to know that the package written by unknown individuals they are downloading from the internet can be secure and trusted enough to run on their trusted devices where they keep their most important data.

Maintainer best practices 📦🖋️

Many threats to the OSS supply chain happen at the maintainer level. This can be compromised identities, malicious code or dependencies contributed, or even accidents introduced by the maintainers themselves. Developers rely on maintainers to act in the best interests of everyone due to this being the top of the funnel and where the majority of incidents take place.

Assurance of package quality ✅

Developers constantly evaluate new packages through their own defined parameters. On the quantitative end, developers look for packages that meet certain criteria in terms of quality. Quality is defined as the completeness of a package following best practices and providing documentation. On the qualitative end, developers look for vetted “high quality” packages through online resources and word of mouth.

High quality known vulnerability data ℹ️

Known vulnerabilities are only as good to developers as the data contained within them. Many vulnerabilities may even exist without developers knowing otherwise because they were never categorized correctly or were delayed significantly due to their quality. Time is of the essence when it comes to vulnerability information, and it is especially critical that this information is of the highest quality to share knowledge with the public.

This will be populated as new epics and issues are created to track more process-oriented items that the community would be interested in hearing about.

Easier management for complex projects 🔧

As a technical project increases in size, so does its complexity. This can be the number of packages required, sources to pull packages from, projects included in a solution, or even a mixture of legacy and modern technologies being used. Developers have the challenge of managing this complexity in many different locations throughout their project, which can lead to diminished productivity, obscure issues, and less deterministic behavior.

IMPORTANT
This theme is not a commitment; it will evolve as we continue to learn throughout the release. Some things that are not currently planned for NuGet may get pulled in. Some things currently planned may even be pushed out.

Please 👍 or 👎 this issue to help us with the direction of this theme & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.

Related: https://themesof.net/about
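The practices the issue lists (trusted package sources only, signature verification, vulnerability scanning) correspond to concrete NuGet settings. The NuGet.config and Directory.Build.props fragments below are an added example, not part of this issue or of NuGet's own repository; the internal feed URL, the `Contoso.*` id prefix, the owner list and the certificate fingerprint are placeholders you would replace with your own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- NuGet.config (added example; PLACEHOLDER values and Contoso.* are assumptions) -->
<configuration>
  <packageSources>
    <clear />  <!-- discard inherited sources so only the feeds listed here are used -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://PLACEHOLDER.example/nuget/v3/index.json" />
  </packageSources>
  <!-- Package Source Mapping: a package id may only be restored from its mapped source.
       The longest matching pattern wins, so Contoso.* never falls through to nuget.org,
       which prevents a public package from shadowing an internal one. -->
  <packageSourceMapping>
    <packageSource key="internal">
      <package pattern="Contoso.*" />
    </packageSource>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
  <config>
    <!-- require: restore fails for any package not signed by a trusted signer below -->
    <add key="signatureValidationMode" value="require" />
  </config>
  <trustedSigners>
    <!-- Trust nuget.org repository signatures only for the named owners, pinned to the
         SHA-256 fingerprint of the repository signing certificate. -->
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
      <certificate fingerprint="PLACEHOLDER_SHA256_FINGERPRINT" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
      <owners>Microsoft;dotnet</owners>
    </repository>
  </trustedSigners>
</configuration>

<!-- Directory.Build.props (added example): enable NuGetAudit (NuGet 6.8+, shipped with .NET 8)
     and make restore fail on advisories instead of only warning. -->
<Project>
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>    <!-- audit transitive packages too (later NuGet 6.x) -->
    <NuGetAuditLevel>low</NuGetAuditLevel>  <!-- report every severity -->
    <!-- NU1901..NU1904 are the low/moderate/high/critical audit warnings -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

On Linux and macOS, restore skips signature verification unless the environment variable `DOTNET_NUGET_SIGNATURE_VERIFICATION=true` is set; `dotnet nuget verify <package.nupkg>` checks a downloaded package against the same trusted signers.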

@JonDouglas JonDouglas added Priority:2 Issues for the current backlog. Type:Tracking This issue is tracking the completion of other related issues. Theme Represents a .NET theme for themesof.net Status:Proposed labels Mar 21, 2023
@JonDouglas JonDouglas self-assigned this Mar 21, 2023
@JonDouglas JonDouglas added this to the .NET 8.0 milestone Mar 21, 2023
@nkolev92 nkolev92 modified the milestones: .NET 8.0, 6.8 Jun 29, 2023
@nkolev92 nkolev92 removed this from the 6.8 milestone Oct 31, 2023