Reducing Third-Party Security Risk in .NET Core Applications – CFS2024


…turned off, so that's a sign for me to begin. Welcome, everybody. Welcome to Wednesday of Build, the last day. I see you all still around enjoying my session. I'll be talking about reducing security risk in .NET Core. That's what I will be covering the next 60 minutes. A brief introduction, a really large picture. Who am I? I'm Niels Tanis. I work as a security researcher for Veracode. I worked in security consultancy; at Veracode I combine it into one and I help out customers doing a better job. If you want to talk about it, come see me afterwards. Today's topic is going to be reducing third-party security risk in the .NET Core application. As you know, if you start out developing an application and you say in your console, you start, then once you start building it, the first thing it will do is a restore, and it will fetch all the dependencies it needs to get the application together in order to run it, right? The first question I would always ask is, okay, all of these projects, how did they deal with security? Are there any problems inside of it? Of course, when you are developing, you need to have some sense of what the libraries are doing for you. You know some idea of the intent of the library. You need to use it in the right way. You cannot use it in a way that the developer itself hasn't intended it to be used, which might result in problems. You need to make sure you have the latest version. There might be a security patch out because something happened and there was a fix for it. If you have it in your components, there is a risk, of course, right? So, all of this combined, will this be sufficient to deal with the risk or deal with security problems? I think there is some room for improvement. Consider the fact that lately I see in the news packages are compromised, right? And people with bad intent do stuff with the packages, maybe add malicious things that do stuff that you don't want to. There is a lot more.
In this session I'll talk you through some of the risks I just identified, give you examples of what there is, what you think would help out and what doesn't help out in that situation. The last bit would be we'll move to an app. We'll do some code changes. I want to focus on doing stuff in .NET Core and reducing the risk. At the end we'll move to reviewing components. That's the takeaway that will be the storyline supported by this agenda: risks. Then I'll move to a demo that I created. Of course, there is a package used in the demo app that has problems inside of it. We need to know what is happening. We need to know what type of things we can take care of by changing an application. We'll do that by compartmentalizing the package itself. Then I'll move to an easy way to review APIs to identify security problems. There will be a completion at the end that will be Q and A. Let's see how it goes. To generalize, I said you build on top of dependencies, right? That's how we develop nowadays. It helps because it helps us be more productive. People have solved problems we don't need to solve anymore. That can be a big plus. As I also said, it's important to know what the intent of the library is. If you are doing image processing in some library that you are using in your application, it doesn't make sense if it does a request to an external source like a web address to fetch data. If that happens inside that library, then something is going on. You need to dig into it a bit further. The third is, what do the projects do for security? Like most of the open source things, people do it in their spare time. They have a job. They will do that on the side because they like to do it. They like to help out.
They like to share what they have done already. It's a big plus for everybody. Fixing stuff takes time, right? Yeah, it's a bit of a skill compared to a big organization that produces software and has a full, big team that focuses on application security. It helps out the developers doing a better job, right? Of course, also, if we are developing apps, we probably have a security life cycle. I hope you have something inside your development process that helps out with the security needs you need to meet. It's important that you analyze what the solutions are for dependencies. There are commercial projects that do it. There are others that can do the same. But it's important that you keep your libraries up to date, right? The last word in this piece is also be aware of the fact that you might want to use a single library that you get from NuGet, but there may be a list, a whole tree of extra dependencies you get for free because you are using that one. That's just what it brings. If you think you are adding one single thing, usually it's a bit more. Throwing in some metrics. This is a report we produced. It contains some of the statistics that we have analyzed. In addition to last year, it turned out almost 86 of the .NET applications we analyze have at least one vulnerable component inside it. Java is almost 88. Another is 92. It's quite significant. If you want to see the report, go to the link. If there is a component inside your application which is vulnerable to something, what is the worst that might happen? I think this is one you probably are familiar with: the Equifax data breach. It was solely based on the fact that a component on the server was updated. In time we know, in two months, the fix was done between March and May, and Equifax got hacked; 14 plus million records were stolen. Keep in mind fixing stuff, having the package being used by everybody, that takes time. Two months is not that long, of course. So this happens.
What is another security risk we need to be aware of? This was last week in a Wired article about supply chain attacks, right? Instead of focusing on hacking apps, people are more focused on hacking the supply chain. We are building a DevOps world in which we have infrastructure as code and build pipelines with artifacts that make up the software. People will move through that. It's vulnerable, the application itself, and people with bad intentions might do funny things with the libraries themselves. Keep in mind, your own supply chain is in the components you are using. If one of those is compromised, then that means you are also in trouble, right? So there is a really tight relationship there. That is one example of this: an instance that happened November of last year. It was published November of last year. A package called event-stream. Turned out somebody joined the team and it was a project there was not much done on. Eventually they did some work and everybody was happy. Then he got ownership of it. Then in the time it went on, he decided to add additional functionality to the library, which was a bitcoin wallet, and they stole everything that was inside of it. A perspective: $200 million a week. The reason why that happened, this is a package that has dependencies of $2,000. You can see why this can be really good for an attacker, if you want to hit a lot of systems, a library that's widely used. A person that might be able to get this, right? Supply chain effects. If we sign packages, then we are probably good? The answer would be no. A hacker, about a month ago in April, explained how signing works. Not everybody signs; it's expensive. He gave other alternatives on how to do it with their packages. Keep in mind, if a supply chain is attacked, then how does the signing help you out, right? Another good example was one that happened in March of this year. At least it was published in March of this year.
Some people published that the ASUS software had a supply chain attack. The packages were fully signed. There was nothing wrong with it. The only way to figure out something was wrong was to look at the internals and see there is a piece of code with malicious behavior inside of it. Funny fact, they say it's millions; turned out there were 600 that were targeted. It was something specific. I'm wondering who wants to do something like that. A really targeted attack done based on this. It was hard to distinguish because everything was just right up until the packages that were produced. So enough said. Some of the risks. Let's move to the demo that will be the subject of this presentation. I will do the first thing that might go wrong, which is the switch going to no. 7. And, yes. That's good. So, first, I've got a project, which is just an ordinary project. You probably are aware of the command which can allow you to show all of the packages that are inside this thing, right? What we see over here, these are the top-level packages. The first one, PDF, that is the library that will be the thing we'll talk about. But this is the top level. If you say I would like to see the transitive ones, you will see this scrolls out. There is a lot more in there. PDF, there is a library which is pretty small. It uses one which will be the one we'll focus on, which is a C# library to create PDF things. If you scroll down, there is something included for logging. This is included. Keep in mind, there is a lot more; by just adding a single package, there is a lot more underneath you need to take care of. Let's start out. Let's see what it is. The — I needed to come up with a demo, so I'm traveling now and then to different cities. This is like a social thing that you can write down the stuff you have experienced in that city and stuff that you like about this. So it's just a regular app. You can do the editing. It's nothing fancy. It's a template.
There is one thing which you can do, which is generating a report. Click on this; this is a PDF. It has a picture. It talks about the place I'm living right now. There is some text. There is one that needs special mention because at the bottom you see this; it will let me generate the report for that. The first 20 years of my life I grew up in Miramar. If you go outside of the city this is the sight that you see. If you create an instance, this is the first part of my life. 20 years I have lived there. Right now West Europe, one of the best centers of Azure. Pretty cool stuff. What are the problems this library has? First of all, it generates a PDF. Turns out the name which we can type in here is used in order to construct the path. What would that result in? It's a path problem. ../, this will be a PDF written to a directory higher than it's supposed to be written to. If I do this, that's the form of the app itself. Build 2019. Save it. Then generate the report. You will see that. If I then open up this one, you will see it's exactly the same, based on the input that has been given. Now I'm typing this; imagine this is community driven and everyone can share information with each other. You have this, which is useful. I won't recap. The second problem lies in the fact that it uses an image. As you see, there is a path which looks like it's pointing to a folder with pictures inside of it. This is still part of it, exactly the same. It's a local file path. What if I changed this and put in this URL, which I can show you. This is a picture on the internet belonging to Amersfoort, which shows you the nice square with the cafés. If I put that in and save it and then generate the report, we will see that will take longer. It's generating with the picture inside of it. What is the issue here? The name is a server-side request forgery, meaning you are able to manipulate a request done by the application itself.
It can go to an external resource and you can do a lot of things with it. I'll get into the details. If we quickly peek into the code: it's a single controller. There is one we will focus on, the Report method. It generates a PDF. It instantiates the component. There is one argument, which is the fifth element in the constructor, which has the name. We can generate it. It will get back the content. It will open up the file. That's what is happening in this case. Switching back. So we recap. This means somebody can manipulate a path and it's done inside the library. You cannot control it. You cannot change it. That's what we'll figure out in the next part of the presentation. It adds the extension of PDF. There might be situations where you can have file names or folder names if you exceed the lines; you can write files with different names. The component itself generates a PDF. If you want to generate something else, that will be hard. Can you overwrite files? The second one we saw is the SSRF. I want to spend more time on this one. It's the ability for an attacker to manipulate something used to do a request. Usually those are used to do information disclosure. As you can probably see, I'm typing in the URL. Say I'm doing a file and opening up this file; depending on the type of API in C#, it will give you back the results if that's the way the request is done. It can access local servers, right? If that is running inside of a hosted environment, inside of Azure, you can probably do the same. I would like to grab the response of localhost and see if there is a server running on that. The last URL on this slide you recognize on Azure: it's the metadata service from Azure. If you put that in, you might get data back. Luckily Azure — I think they thought about it — because you need to add an additional header to that request to get that data back.
If somebody is able to do this inside of your application, that metadata is not accessible unless you have control over the header. On the cloud, you can issue the request and you will get the metadata back. Keep in mind, these types of things look pretty harmless, but they are a stepping stone for someone else to do something inside your app. The writeups of web bug bounties will tell stories explaining how they used it and how they got remote access and how they made money out of it. That's the whole part of it. We are using a blind variant, because the output we request at that point is not something that is given back to us, right? It's part of that mix. We can keep an eye on how long it takes to execute. Blind timing things: a port which is open will probably respond quicker, if we look at a localhost URL, than a port that is closed. With the timing you are able to have some distinction. It can be used as a side channel. A lot of possibilities. What I want to do right now is see if there might be ways for us to isolate this functionality within the application itself, right? Maybe we are able to do some kind of sandboxing and put the PDF logic inside of that and execute it with more control there. And it will be even better if it's a sandbox where we can limit capabilities. Maybe we take out stuff and then see what happens. If we talk about this in the .NET world, there is one piece that is probably able, or should be able, to help us out. If we look at the name and the definition, it's been defined as something that can be used in isolation for security, reliability, versioning and loading, right? Sounds pretty good. If we look at some of the examples in the past, like if you start out an app, you get one single domain; you can create a second one outside of it. This one has privilege, or has less privileges, because you are selecting it to run in the context as if the data comes from the internet, right?
That's where code access security helps you out in locking down the APIs. I won't talk about code access security or all of those details. It was quite complex. It would be a long story. One example that speaks out is something called ASP.NET medium trust. I think it was ASP.NET 3.5 or 4.5. You configure it in medium trust. That means your app would have fewer APIs available if you would have run this in a hosted environment, a shared hosting which we had at that point, and a single process was responsible for all the .NET stuff. With medium trust you can restrict the API. You can't get to all the temporary files on the system, because you get a security exception once you try that. So as of 2017 Microsoft advised you should not use that for security. That is unfortunate. The other thing, which was the last on the slide: .NET Core doesn't support app domains. You cannot create a second one and do some things with it. What will be next? Luckily there was an alternative. One of the internals of an app domain, the load context, was exposed, and it has APIs which look promising for the thing we want to achieve. The context can be used as a scope for loading this whole thing and potentially unloading. That's .NET Core 3.0. And loading assemblies. The nice thing is it can be used for multiple versions of assemblies within the same process. And then part of the team wrote a nice library which allows you to do another type of thing. In the example you will see he has an app which has controls from one version and another has a different one, showing this is a way that you can load something in a container and have it smaller. Another aspect that we are going to pull into this conversation is something we call self-contained deployment. When publishing an app, you can choose to target the platform and say it needs to be self-contained. The output will contain what you need to execute your application on that platform. In my case, I'm targeting a folder.
I have an executable in that folder that will do all the things it needs. That is one of the key things we are interested in working with. So a lot of points, a lot of things I've said. Let's move into code and see how it possibly can work. Switching back to no. 7. I will load a different workspace. What we want to do, we want to have an assembly load context that will take care of the PDF stuff we are doing. That's the main goal. The first bit we need is to make sure we are isolating the functionality. The way that our host will plug in is usually based on an interface. There is a project here with a single interface which meets up with the things we have already seen, right? It's not the best choice, maybe, but it fits the need right now. It can generate the PDF with the interface. What I have also done, there is a PDF library project that implements the interface, and that will have the instance of our library inside of it. This is exactly the same. There are statements I will use in my demo, so don't worry about those. The others are 10 and 11. It's similar code we have seen in the other application. This is a library project. We will take this, do a self-contained deployment, put it in a folder, and then use the plug-in loader to do some things, right? If we now look at the web project, the host, because we want to keep it inside a single process and have a single thing, like the other stuff, you will see that the only thing we added was another component. I'm dealing with security and components and adding another component. Maybe somewhere here we can ask him face to face if we can trust him or not. The other thing, of course, is the reference to the services library because we need the interface. Then all the magic happens inside ConfigureServices. I will spend some time talking you through what I am doing here. We will create a custom assembly load context which will give us the PDF service. First, we will do a create-from-assembly call.
PDF assembly contains the full path, and it's the folder of the self-contained deployment inside of it. We will say the types that I want to share in this case. The next thing would be to get the types out of the assembly load context and say I would like everything that is assignable to this interface, with the first default. Then we'll add that one to our services collection, right? So this should be sufficient for the plug-in magic to create an instance of the PDF service, which has the PDF library inside of it, which has all the things for us. Take a look at the controller, of course. We replaced that. You will see that the controller, in the constructor, gets the PDF service injected. Then if we go down to Report, we will see we replaced this code with calling the interface and doing exactly the same. The first question is, will this work? Like I said, we'll do self-contained deployments. What I will do, I have two PowerShell scripts that will do all the things. We'll do the publish. First we'll take the host, and it will do the self-contained deployment of this. There is a relation between the default assembly context you have and the way that the plug-in works; otherwise it falls back to shared locations. That's not what I want. Aside from the fact that security was able to block us from API usage, I want to take that out. I think that might be the way to fix this. We want to do the same with the library. There is your build report. It is saying — now this is fully published. I will start the app. Let me quickly attach to the process. Make sure we have a breakpoint. Yes, it is. Cool. So I can still run the report. We can see, like we started out, this is the same controller. That is the interface. I will go inside and we will see that it calls this. One important key: what's the current location of the PDF? Where is it loaded from? I'm hoping that everybody can read this. It says it's the published directory/my PDF library.
That is the published folder we used. The second question is where is HttpClient coming from? This is self-contained. System.Net.Http contains the HttpClient. Internally it uses that. We want to focus on that type. Having done this, what will be the next thing we are able to do? As I said, I would like maybe to take out this piece of functionality and only allow people to use images which are local and not allow them to use an HttpClient. Maybe we can move forward by saying let's remove the DLL with the HttpClient from the plug-in and see what happens: System.Net.Http. Let's start the application again. This is the published host. Then it will be attached in the same way. Let's see what it's doing. What happens if I now take this. Let's change this one back. I will put in the URL which is external. That's the image from the internet. I press Report. Then we see this. It wants to do it on the HttpClient. Knowing the removal of the DLL, we know what we have achieved. We want people to use the local system in their reports and we don't want people to put in URLs. You can validate input, but I want to take out that piece of the library that is not usable anymore. If we now want to do one based on a file, what will happen? We get the same exception. It turns out that inside that URL code in iText there is code that touches the local files. Removal of this client is not a possible way for us to fix this. Maybe we can put in a stub that helps us out. I will quickly open another solution. This is System.Net.Http. I am doing exactly what it wants. The only thing I'm doing, go in and report: you are not allowed to do this. So this one also has a magic deployment script. Now I will only do one resulting in errors. This one has put this DLL inside my PDF library that you saw earlier. If you go back to the console and restart, start the app again, going back to the browser: so can we now generate the report which is using a file?
So this is the local image file based inside the folder, right? This is images/JPEG. What if this is with the web request? This says, hey, this is not supported. I think that is exactly what we want to achieve, right? With this whole getting rid of the DLL and replacing it, we were able to still use this library, get the local files loaded, and not allow it to do any internal request by taking out that single thing. Let's recap that. Go back to the slides. So, storyline: created a separate PDF library that implements an interface. Then we have the plug-in loader that we used to create an instance. That ran in the container that had the deployment of the host application and the PDF library itself. Then we started out removing and replacing the HttpClient. Is there something we can work with? I think so. I think it has potential, if you know I'm deploying a single app and I want to take out parts of the base library. One thing that has a similar interest is something which they are working on, which is the mono linker. All the demos we have seen with the Windows apps published produce all big folders, a lot of files. The linker should be able to cut out the code paths and cut out the stuff that we don't need. Why not use it also to cut out the APIs that we don't want the libraries to use? That might be something that's workable. Still, there is a need, if you are doing this, to make sure that it behaves as expected. Make sure it works. It has potential. There is an app called Harmony which helps you rewrite in memory. I would be more in favor of doing it with the IL linker and doing it inside the binaries because the other might be a bit more prone to errors. Harmony doesn't have full support for .NET Core; we are waiting for bits to be released to continue. It has potential. This is a concept, right? I'm going to use this anyway. I'm willing to work on this to make it even better.
Maybe do the plug-in library a different way to refine stuff and take out stuff. It has a lot of potential. Seeing this solution, what will be an alternative that we can follow, right? And the next bit would be maybe take the PDF library and put it in a separate process. I think that's the most logical thing if you look at this. I was trying hard to keep it with the first demo. Let's say you are able to do a second process that has limited rights. You can decide to cut out the HttpClient the way I have before. With the other process you can limit access to folders and take care of the whole package that's inside. In my demo project, because the time is not sufficient to show this demo, but I will share it at the end, you can see another improvement also, because if you don't want to have file paths returned, you want to return the result itself. Then it does it in memory, or the PDF does it internally, and gives you back results, right? Fixing it in code, having a second process, which is pretty obvious. What will be something else we can do? If we look at architectures in software, I think the thing that has been happening, like when I started out developing with .NET 1.30, we created monoliths which went into each application. What we have seen, we had service orientation, then we moved to services, which we have now. That allows you to create more small components that would go in the business. It's scaled more easily. You can leverage cloud-based platforms like Azure. Why not use similar approaches to isolate this kind of PDF that I have created? Yes, I know it sounds obvious. I think it's definitely good to be aware that your application needs to be as small as possible with the APIs it uses. And if it runs inside a Docker container or Kubernetes, it has sufficient rights, it has egress internet, it cannot make requests to the outside world; that also solves a lot of problems. Moving in this space, I think that's the story.
We can change the code. We can move to a different process, which is obvious. Or one of the architectures we are creating nowadays. I talked a lot about libraries and how you will be able to isolate. Next up will be, like, I want to focus more on reviewing the libraries. Of course, you can always say, yes, I can go to GitHub if the project is public, do a search, clone the code locally and go review the source code. Honestly, myself, I'm lazy. I would like to do a more efficient thing. I want to show you there are different ways how you can do this with the help of some small tools. It's important to still have some knowledge of the internals, of how a library behaves, what it does, what you expect from the library. The second distinction: the things that you have seen before is a single component that does the PDF generation, but we are developing one example which has a much higher integration with the software that we write. It has more involvement in how your code is used, right? The last sentence I did put in on purpose here because we'll do decompilation of components, so be aware that components have licenses. If you get one, it's not necessarily allowed that you look inside the internals. If you are planning on doing that, make sure you contact the right legal person to confirm. I'm not aware of everything. Review. First a small sidestep. By that I mean I would like to recall a snippet and look at the intent of another piece of code. So, question: what's this? What we see over here looks like a controller, right? And if I would ask does this thing have an issue, then the file data as part of the controller, it's public. It opens up a file. All the text is inside in terms of the result. So if we pay attention, this is probably an issue, also, because the input is used in opening a file. Then there is an issue. This is really a controller. The question, of course, would be: that depends on the context in which it is executed.
If this is part of a project with a reference, or a project that has a reference in one of the components, it will do the conventional result: everything that ends with Controller will be found and exposed by default. Even libraries that you are pulling from NuGet, if they have something inside with Controller, it will be found and exposed. It's nice. It helps out. I would rather see it changed. Last week, David Fowler tweeted about the fact they want to do this as a compiler step. I'm curious what they will change, because if it ends up being a marker, like an interface, it's still possible, right? This is more like a sidestep. We have a class which supposedly looks like a controller. It's based on context. This is like a piece of intent. And you need to be aware of it, right? Moving on. I will go back to code. We will do some code review. Let me switch to another project. This is called Fennec, like the desert fox. This is the thing we will talk about today. This project takes the library that can open up assemblies and read the IL inside of it. Maybe I can create a tool which is small that helps out with something, the stuff that is inside of the DLL. I am iterating over all the modules of the library and getting the types out of it, and for each body that is inside of that, I will say, okay, look at the instructions and see if there are any invocations, or if there is a new object instantiation. We'll see the example. And what is done inside, it will create a list and do it with every type that is inside of it. So it's a global tool that you can use. It's in NuGet. What we can do, we can go to the PDF library directory and say, okay, let's run the tool. I would like to have the output written to a folder. And let's analyze PDF and take all the iText DLLs because I know those are being used. What it has done: it has created a list of files, plain text files. If we are going to look through the details of that…
Bear with me, I'm opening it up and it will be hard to interpret what you are seeing. Looking at the first line. Let me mark this. You will see a block of things. This file contains a class name, a method name, the signature itself, like inside the body. Behind that, you will see all the invocations that are done. Inside that PDF generation, you can see it creates a PDF document, a PDF writer; you can see an image factory. We probably should dig into that later. But imagine that you just run this tool with the output and do it on every library that you use, like the libraries you are using and updating. You can easily do a diff of the one that you created on the previous version and the new one. I've shown you alphabetically. Hey, you can see this is changed. Why does this method now use — why does it instantiate a BinaryFormatter? Why does it — those are all risky things to do. By using this text file you may be able to get a hold of it much easier. Another thing: let's say I will search for a client. You will see the answer of the things that we have been focusing on in the first part
OF THE PRESENTATION. THERE IS A METHOD OVER HERE, IT'S THE URL YOU PROBABLY RECOGNIZE. THIS EXACTLY MIMICS THE BEHAVIOR WE HAVE JUST CHANGED. IT SEEMS THERE IS A CHECK ON THE PATH SAYING WHETHER THIS IS A LOCAL FILE OR NOT. IF SO, OPEN THE FILE STREAM AND GET BACK THE RESULTS; OTHERWISE, CONSTRUCT AN HTTP CLIENT. SO THIS ALLOWS YOU TO QUICKLY TAKE A PEEK. YOU CAN REVIEW STUFF. ANOTHER ONE WOULD BE, ONCE YOU HAVE IDENTIFIED SOMETHING THAT NEEDS ATTENTION, WHY NOT CREATE AN ANALYZER AND SHARE IT WITH EVERYBODY ELSE ON THE PROJECT, SAYING, HEY, IF YOU USE THIS API, IT'S THE SECOND ARGUMENT, BECAUSE THIS WILL BE USED AS THE PATH AND WILL GENERATE A FILE. WE CANNOT CHANGE IT RIGHT NOW. MAKE SURE YOU DO THE RIGHT THING BEFORE THE DATA IS BEING EXECUTED INSIDE THAT FUNCTION. A LOT OF THINGS MIGHT BE HELPFUL IN THAT PARTICULAR CASE. THE SAME COUNTS FOR USING THIS: YOU CAN RUN THIS TOOL AND JUST GET ALL THE CALLS TO YOUR SPECIFIC LIBRARY OUT OF IT AND DIG INTO IT. BECAUSE IT'S A SINGLE STRING, IT'S EASILY READABLE. YOU CAN CONNECT ONE WITH THE OTHER BY DOING A SIMPLE TEXT SEARCH. IT'S LIKE API SKIMMING THROUGHOUT THE DLLs. I THINK IT MIGHT BE HELPFUL IF YOU ARE ABLE TO DO IT AND WORK FROM THAT.

MOVING ON. A RECAP OF THE REVIEW. AS YOU HAVE SEEN, IT WAS A PRETTY MINIMAL IMPLEMENTATION. IT USES THE LIBRARY, AND WE WERE ABLE TO HAVE MORE CONTROL OVER HOW IT BEHAVED BY TAKING OUT THOSE TYPES. WE WERE ABLE TO IDENTIFY, HEY, IF WE HAVE A SEPARATE PROCESS, WE HAVE MORE CONTROL OVER WHERE THE FILES ARE, AND THAT RISK WILL BE REDUCED. WE SAW THERE WERE, LIKE, TWO DIFFERENT SPOTS; THERE WAS A RANDOM INSIDE OF IT WHICH USES THE SAME KIND OF CONSTRUCT: IF IT'S A URL, GO FETCH IT; IF NOT, DO IT LOCALLY. SO, ALL OF THIS IS CAPTURED INSIDE. THIS IS CALLED FENNEC. YOU CAN FIND IT ON THE URL. IT CAN BE USED TO DO THE DIFF BETWEEN THE DLLs AND SEE WHAT THE DIFFERENCES ARE INTERNALLY PRETTY QUICKLY.
AND SOME FUTURE PLANS, LIKE WHAT WE ARE ABLE TO CHANGE. YOU CAN PROBABLY IMAGINE, IF YOU DO IT IN A MORE STRUCTURED WAY AND YOU HAVE JSON DATA OUT OF IT INSTEAD OF A TEXT FILE, THEN YOU CAN LOAD THAT INTO A DOCUMENT DATABASE, AZURE COSMOS, WITH APIs FOR THE QUERIES, AND CONNECT THE DOTS. YOU CAN HAVE CODE BEING IDENTIFIED INSIDE THOSE LIBRARIES PRETTY EASILY. IF THIS IS AUTOMATED, LIKE I SAID, I'M LAZY. IF YOU CAN AUTOMATE IT, THEN CONTINUALLY DO THE SAME FOR THE OUTPUT IT CREATES. IF YOU CAN HAVE OTHER ANALYZERS HELPING THE DEVELOPERS MAKE BETTER DECISIONS, THOSE ARE THE SPOTS THAT NEED TO BE FIXED. THEY DON'T WANT THEM TO POP UP LATER ON IF YOU ARE DOING A PEN TEST OR DOING NORMAL STATIC ANALYSIS. IF SOMEONE CAN FIX IT, THAT'S A BIG ONE.

SO, MOVING ON. WE'LL COME TO THE CONCLUSION, THE THINGS THAT I WOULD LIKE YOU TO TAKE AWAY FROM THIS TALK. I WOULD ENCOURAGE EVERYBODY TO START REVIEWING COMPONENTS IN A WAY THAT WORKS FOR YOU. MAKE SURE THAT YOU HAVE SOME IDEA OF THE INTERNALS AND WHAT YOU EXPECT OF THE COMPONENTS, USING THE TOOL THAT I SHARED. AND BE AWARE THAT YOU CAN ISOLATE FUNCTIONALITY BY MAKING BETTER CHOICES. IF YOU WANT TO TAKE THE CODE OUT, THEN YOU SHOULD HAVE SOMETHING LOW-CONTEXT INSIDE OF A PACKAGE THAT EVERYBODY CAN USE. THERE ARE WAYS TO IMPROVE AND REDUCE THE RISK. THE LAST ONE IS A BIT OF AN OPEN DOOR, I CAN SEE THAT: USING INTEGRATED SECURITY. WHAT I MEAN BY THAT IS THAT THIS IS JUST A SMALL PORTION, RIGHT? IF SOMEBODY DEVELOPS SOFTWARE AND MAKES BETTER CHOICES AND STUFF IS FIXED, YOU STILL HAVE, DEPENDING ON THE ORGANIZATION, A PROCESS THAT WILL TAKE CARE OF THE SECURITY, THAT INVOLVES THE ANALYSIS AND INVOLVES COMPONENT ANALYSIS, MAYBE SOME PEN TESTING. ALSO, IF WE LOOK AT ARCHITECTS, IT'S AS IMPORTANT, BECAUSE YOU CAN SMASH IN EVERY SECURITY CONFIGURATION YOU CAN FIND IN AZURE, BUT THAT DOESN'T NECESSARILY MEAN IT WILL BE A MORE SECURE SYSTEM. IT MAY WORK COUNTER AND WORK IN THE OPPOSITE DIRECTION.
SO, THESE ARE THE TAKEAWAYS THAT I WANT YOU TO THINK ABOUT. I WILL WRAP UP, AND I WOULD LIKE TO THANK EVERYBODY FOR YOUR ATTENTION. I HOPE YOU ENJOY THE PARTY TONIGHT. I KNOW I WILL. IF YOU WANT TO FIND THE CODE SNIPPETS, THEY WILL BE UP RIGHT NOW. YOU CAN REACH OUT TO ME OR STICK AROUND FOR THE NEXT HALF AN HOUR; I WILL BE HERE TO ANSWER YOUR QUESTIONS. IF THERE ARE QUESTIONS, YOU CAN WALK UP TO THE MIC. IT WILL BE OPEN FOR AUDIO AND YOU CAN SHOUT
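The call-site dump the speaker describes (walk every module, type and method body, record each call/callvirt/newobj, write one sorted text file per type so two versions of a library can be diffed), written out as an added example. This is not the speaker's Fennec tool or its code. It assumes Mono.Cecil as the library used to open assemblies and read IL (`dotnet add package Mono.Cecil`); the `CallSiteDumper` name, the output layout and the watch-list of members that deserve a human look are this example's own choices, not anything the talk specifies.

```csharp
// Added example, not the speaker's Fennec tool. Assumes the Mono.Cecil NuGet package
// (`dotnet add package Mono.Cecil`) as the library that opens assemblies and walks IL.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

public static class CallSiteDumper
{
    // Walks every method body in the assembly and records, per type, one line per
    // call / callvirt / newobj instruction: "<calling method> -> <opcode> <target member>".
    public static SortedDictionary<string, List<string>> Dump(string assemblyPath)
    {
        var result = new SortedDictionary<string, List<string>>(StringComparer.Ordinal);
        using var assembly = AssemblyDefinition.ReadAssembly(assemblyPath);

        foreach (var module in assembly.Modules)
        foreach (var type in AllTypes(module.Types))
        {
            var lines = new List<string>();
            foreach (var method in type.Methods.Where(m => m.HasBody))
            foreach (var ins in method.Body.Instructions)
            {
                // Invocations and object construction carry a MethodReference as operand.
                bool isCallOrNew = ins.OpCode.Code == Code.Call
                                || ins.OpCode.Code == Code.Callvirt
                                || ins.OpCode.Code == Code.Newobj;
                if (isCallOrNew && ins.Operand is MethodReference target)
                    lines.Add($"{method.FullName} -> {ins.OpCode.Name} {target.FullName}");
            }
            if (lines.Count == 0) continue;
            // Sorted, de-duplicated output keeps the files stable, so a plain diff between
            // two library versions shows only real changes in what the code calls.
            result[type.FullName] = lines.Distinct().OrderBy(l => l, StringComparer.Ordinal).ToList();
        }
        return result;
    }

    // Nested types are not in module.Types directly; recurse into NestedTypes.
    private static IEnumerable<TypeDefinition> AllTypes(IEnumerable<TypeDefinition> types)
    {
        foreach (var t in types)
        {
            yield return t;
            foreach (var nested in AllTypes(t.NestedTypes))
                yield return nested;
        }
    }

    // One plain-text file per type, so `diff -r old/ new/` lines up type by type.
    public static void WriteTo(string outDir, SortedDictionary<string, List<string>> dump)
    {
        Directory.CreateDirectory(outDir);
        var invalid = Path.GetInvalidFileNameChars();
        foreach (var entry in dump)
        {
            // Nested type names contain '/', compiler-generated ones '<' and '>'; sanitise.
            var fileName = new string(entry.Key.Select(c => invalid.Contains(c) ? '_' : c).ToArray()) + ".txt";
            File.WriteAllLines(Path.Combine(outDir, fileName), entry.Value);
        }
    }

    // Hypothetical watch-list (this example's choice): members whose appearance in a new
    // version deserves a look: deserialization, outbound HTTP, process spawning, file I/O,
    // dynamic assembly loading.
    private static readonly string[] WatchList =
    {
        "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter::Deserialize",
        "System.Net.Http.HttpClient::",
        "System.Net.WebClient::",
        "System.Net.WebRequest::Create",
        "System.Diagnostics.Process::Start",
        "System.IO.File::",
        "System.Reflection.Assembly::Load",
    };

    public static IEnumerable<string> Flag(SortedDictionary<string, List<string>> dump) =>
        dump.Values.SelectMany(lines => lines)
            .Where(line => WatchList.Any(w => line.Contains(w, StringComparison.Ordinal)));

    public static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: CallSiteDumper <assembly.dll> <output-dir>");
            return 2;
        }
        var dump = Dump(args[0]);
        WriteTo(args[1], dump);
        foreach (var hit in Flag(dump))
            Console.WriteLine("REVIEW: " + hit);
        return 0;
    }
}
```

Run it once against the old version of a library and once against the new one (`dotnet run -- old/<library.dll> out/old`, then `dotnet run -- new/<library.dll> out/new`) and `diff -r out/old out/new` shows, per type, which calls and constructions were added or removed; the `REVIEW:` lines are the cheap first pass the talk suggests, and a grep over the text files for the names of your own library's types gives the "API skimming" across DLLs.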
