Reviewing NuGet Packages security easily using OpenSSF Scorecard - Niels Tanis - NDC Oslo 2024

OpenSSF Scorecard helps assess open source projects for security practices, providing a score between 0-10 based on automated checks

Typical code bases consist of 20% custom code and 80% dependencies from others, highlighting the importance of supply chain security

Key security checks include:

• Binary artifact analysis
• Dependency update automation
• Code review practices
• License verification
• Dangerous workflow detection
• Package signing
• Testing coverage

Common supply chain risks include:

• Malicious packages
• Outdated dependencies
• Typosquatting attacks
• Compromised build servers
• Insufficient code reviews
• Missing reproducible builds

The Fennec CLI tool helps analyze NuGet packages by:

• Dumping APIs inside libraries
• Comparing binary artifacts
• Identifying reproducibility issues
• Checking dependencies

Reproducible builds are important to verify that source code matches published artifacts

Package signing provides trust but doesn’t guarantee security - review of internals is still needed

Regular dependency updates and vulnerability monitoring should be automated

Static analysis and fuzzing help identify security issues before production

Organizations should set minimum security score requirements for dependencies and continuously monitor their supply chain