.NET open source security insights

Hayley Denbraver, July 25, 2019

Welcome to our new security report: .NET open source security insights.

This report is split into three posts:

  • .NET open source security insights
  • Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating
  • Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities in .NET ecosystem

Our handcrafted PDF report contains all of this information and more in one place, and it is free to download.

Summary

If you are short on time, check out the summary of the findings below. Otherwise, you can read on for an introduction to the growing ecosystem and get a view of a typical .NET project from an open source security standpoint.

.NET security insights

.NET is a growing ecosystem. Whether it is because it has strong industry support from Microsoft, because it has quality developer tools, or because it spans multiple languages and uses, there is no doubt that .NET is holding strong. NuGet is .NET’s widely used package manager. It boasts 154,385 unique packages, 1,663,564 package versions, and more than 20 billion package downloads as of the time of this writing. Snyk’s 2019 State of Open Source Security reported a 26% growth in indexed NuGet packages between 2018 and 2019.

You can learn a lot about your .NET project and how to make it more secure by scanning your repository with Snyk. But you may still have questions. You may be wondering how your project compares to others that have been scanned or you may be wondering about trends within the .NET ecosystem as a whole.

This report aims to cover these questions and includes the following:

  • The security footprint of a typical .NET project
  • The most common vulnerabilities seen in .NET applications, including information about the corresponding libraries
  • An examination of the known vulnerabilities on the ecosystem level, including vulnerability types, severity levels, and more

The security footprint of a typical .NET project

Snyk has already performed thousands of scans for .NET projects since releasing support for the ecosystem in 2017. We can now describe a composite average project, to give our users an idea of what they might find when they try to scan one of their .NET projects.

We have found 5,744 unique direct dependencies and 1,819 indirect dependencies within all of the .NET project scans we have performed. An average project has around 11 direct dependencies and 76 indirect dependencies.

The following graphs describe the projects in which we found vulnerabilities. From the scans that have been performed by Snyk, it is clear that for a given project, a vulnerability is likely to be introduced via multiple paths. For instance, you may specify a given package as a direct dependency, but it may show up a second time as an indirect dependency if that same package is also used or referenced by another package within your app. Both cases must be addressed if we want to truly remediate the vulnerability.
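To make the multiple-paths point concrete, here is an added example (not from the report or from Snyk's tooling) that walks a constructed, simplified .NET dependency graph, lists every path from the project to a vulnerable package, and shows that dropping the direct reference alone leaves the transitive paths in place. Package names, versions and the advisory are made up, and the graph shape is a simplification rather than the real project.assets.json layout.

```python
# Constructed, simplified .NET dependency graph for illustration only: package
# names and versions are made up, and the shape is a simplification, not the
# real project.assets.json layout. DIRECT = the project's own package references.
DIRECT = {"Example.Web": "2.0.0", "Example.Json": "1.2.0", "Example.Logging": "3.1.0"}
GRAPH = {  # package -> packages it pulls in (with the version it asks for)
    "Example.Web": {"Example.Json": "1.2.0"},
    "Example.Logging": {"Example.Json": "1.2.0", "Example.Text": "1.0.0"},
    "Example.Text": {},
    "Example.Json": {},
}

def find_paths(direct, graph, vulnerable):
    """Every path from the project to `vulnerable`, each a list of package
    names starting at a direct dependency. A one-element path means the
    vulnerable package is referenced directly; `seen` breaks cycles."""
    paths = []

    def walk(pkg, trail, seen):
        if pkg == vulnerable:
            paths.append(trail)
            return
        for dep in graph.get(pkg, {}):
            if dep not in seen:
                walk(dep, trail + [dep], seen | {dep})

    for root in direct:
        walk(root, [root], {root})
    return paths

def remediation(direct, graph, vulnerable, fixed):
    """One action per path. Fixing the direct reference closes only its own
    path; each indirect path needs its parent upgraded, or a direct reference
    to the fixed version, which NuGet's nearest-wins rule lets override the
    transitive request."""
    actions = []
    for path in find_paths(direct, graph, vulnerable):
        if len(path) == 1:
            actions.append(("direct", path, f"upgrade {vulnerable} to >= {fixed}"))
        else:
            parent = path[-2]
            actions.append(("indirect", path, f"upgrade {parent} to a release that "
                            f"needs {vulnerable} >= {fixed}, or reference {vulnerable} {fixed} directly"))
    return actions

if __name__ == "__main__":
    # Hypothetical advisory (made up): Example.Json below 1.3.0 is vulnerable.
    for kind, path, action in remediation(DIRECT, GRAPH, "Example.Json", "1.3.0"):
        print(f"{kind:8} {' -> '.join(path)}: {action}")
```

Running it lists three paths to Example.Json (one direct, two through other packages); removing only the direct reference still leaves the two indirect paths, which is why each one needs its own fix.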

But the best news is that all of the known vulnerabilities found in the .NET ecosystem have available remediation, meaning that once our users knew of the security vulnerabilities, there were steps they could take to secure their project.

Want to learn more?

You can find the next portion of the report here. It covers the vulnerabilities (and their associated libraries) that Snyk has most often seen in scans of .NET projects.

Curious to see a bird’s eye view of known vulnerabilities in the ecosystem? You can find the final portion of our report here.

And of course, you can download the entire report for free.