Reviewing NuGet Packages security easily using OpenSSF Scorecard - Niels Tanis - NDC Oslo 2024

Niels Tanis

Learn how to evaluate NuGet package security using OpenSSF Scorecard. Discover key security checks, supply chain risks, and tools like Fennec CLI for safer dependencies.

Key takeaways
  • OpenSSF Scorecard helps assess open source projects for security practices, providing a score between 0-10 based on automated checks

  • Typical code bases consist of 20% custom code and 80% dependencies from others, highlighting the importance of supply chain security

  • Key security checks include:
    • Binary artifact analysis
    • Dependency update automation
    • Code review practices
    • License verification
    • Dangerous workflow detection
    • Package signing
    • Testing coverage

  • Common supply chain risks include:
    • Malicious packages
    • Outdated dependencies
    • Typosquatting attacks
    • Compromised build servers
    • Insufficient code reviews
    • Missing reproducible builds

  • The Fennec CLI tool helps analyze NuGet packages by:
    • Dumping APIs inside libraries
    • Comparing binary artifacts
    • Identifying reproducibility issues
    • Checking dependencies
  • Reproducible builds are important to verify that source code matches published artifacts

  • Package signing provides trust but doesn’t guarantee security - review of internals is still needed

  • Regular dependency updates and vulnerability monitoring should be automated

  • Static analysis and fuzzing help identify security issues before production

  • Organizations should set minimum security score requirements for dependencies and continuously monitor their supply chain
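The last takeaway (a minimum Scorecard score per dependency) and the first (a 0-10 score built from individual checks) can be turned into an automated gate. The following is an added example, not code from the talk, from Fennec, or from the Scorecard project. It assumes the JSON shape that `scorecard --format json` emits (a top-level `score` plus a `checks` array of `name`/`score`/`reason` entries, with `-1` meaning the check could not be evaluated); the report content and the thresholds are constructed for illustration.

```python
"""Policy gate over an OpenSSF Scorecard JSON report.

Added example. Assumes the report shape written by `scorecard --format json`:
a top-level "score" (0-10) and a "checks" list whose entries carry "name",
"score" and "reason". A check score of -1 means Scorecard could not evaluate
that check, which a policy must treat explicitly rather than as "passed".
"""
import json

# Constructed sample report for a hypothetical dependency (not a real project).
SAMPLE_SCORECARD_JSON = json.dumps({
    "date": "2024-06-01",
    "repo": {"name": "github.com/example-org/example-nuget-lib", "commit": "0000000"},
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 0, "reason": "binaries present in source code"},
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Code-Review", "score": 7, "reason": "found 7 unreviewed changesets out of 25"},
        {"name": "Dependency-Update-Tool", "score": 10, "reason": "update tool detected"},
        {"name": "Vulnerabilities", "score": 10, "reason": "0 existing vulnerabilities detected"},
    ],
})

# Hypothetical organizational policy: an overall floor plus per-check floors for the
# checks that map most directly to the supply chain risks listed above.
MIN_OVERALL_SCORE = 7.0
MIN_CHECK_SCORES = {
    "Binary-Artifacts": 10,    # checked-in binaries cannot be reviewed as source
    "Dangerous-Workflow": 10,  # CI patterns that hand secrets to untrusted input
    "Vulnerabilities": 10,     # known open vulnerabilities in the project
    "Code-Review": 5,          # some tolerance for unreviewed changesets
}
# Checks that must have actually run; a -1 here is a failure, not "unknown".
REQUIRED_CHECKS = {"Signed-Releases"}


def evaluate_report(report: dict,
                    min_overall: float = MIN_OVERALL_SCORE,
                    min_checks: dict = MIN_CHECK_SCORES,
                    required: set = REQUIRED_CHECKS) -> dict:
    """Apply the policy to a parsed Scorecard report.

    Returns {"passed": bool, "failures": [...], "inconclusive": [...]} where
    failures are policy violations and inconclusive lists checks with -1 that
    the policy does not insist on (they still deserve a manual look).
    """
    failures, inconclusive = [], []
    by_name = {c.get("name"): c for c in report.get("checks", [])}

    overall = report.get("score")
    if overall is None or overall < min_overall:
        failures.append(f"overall score {overall} below minimum {min_overall}")

    for name, minimum in min_checks.items():
        check = by_name.get(name)
        if check is None:
            failures.append(f"{name}: missing from report")
        elif check.get("score", -1) == -1:
            inconclusive.append(f"{name}: not evaluated ({check.get('reason', 'no reason')})")
        elif check["score"] < minimum:
            failures.append(f"{name}: score {check['score']} below {minimum} ({check.get('reason', '')})")

    for name in required:
        check = by_name.get(name)
        if check is None or check.get("score", -1) == -1:
            reason = check.get("reason", "missing from report") if check else "missing from report"
            failures.append(f"{name}: required check did not run ({reason})")

    return {"passed": not failures, "failures": failures, "inconclusive": inconclusive}


def evaluate(scorecard_json: str) -> dict:
    """Parse raw `scorecard --format json` output and apply the policy."""
    return evaluate_report(json.loads(scorecard_json))


if __name__ == "__main__":
    result = evaluate(SAMPLE_SCORECARD_JSON)
    print("PASS" if result["passed"] else "FAIL")
    for line in result["failures"]:
        print("  failure:", line)
    for line in result["inconclusive"]:
        print("  inconclusive:", line)
```

The deliberate design point is the `-1` handling: a check Scorecard could not run is not a 0 and not a 10, so the gate records it separately and only fails on it for checks the policy declares mandatory, which for a NuGet dependency typically includes release signing.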