
.NET open source security insights

Written by: Hayley Denbraver

25 July 2019

Welcome to our new security report: .NET open source security insights. This report is split into three posts, of which this is the first.

Our handcrafted PDF report contains all of this information and more in one place, and it's free to download.

Summary

If you are short on time, check out the summary of the findings below. Otherwise, you can read on for an introduction to the growing ecosystem and get a view of a typical .NET project from an open source security standpoint.


.NET security insights

.NET is a growing ecosystem. Whether it is because it has strong industry support from Microsoft, because it has quality developer tools, or because it spans multiple languages and uses, there is no doubt that .NET is holding strong. NuGet is .NET's widely used package manager. At the time of this writing it boasts 154,385 unique packages, 1,663,564 package versions, and more than 20 billion package downloads. Snyk's 2019 State of Open Source Security reported a 26% growth in indexed NuGet packages between 2018 and 2019.

You can learn a lot about your .NET project and how to make it more secure by scanning your repository with Snyk. But you may still have questions. You may be wondering how your project compares to others that have been scanned, or you may be wondering about trends within the .NET ecosystem as a whole. This report aims to cover these questions and includes the following:

  • The security footprint of a typical .NET project

  • The most common vulnerabilities seen in .NET applications, including information about the corresponding libraries

  • An examination of the known vulnerabilities on the ecosystem level, including vulnerability types, severity levels, and more

The security footprint of a typical .NET project

Snyk has performed thousands of scans of .NET projects since releasing support for the ecosystem in 2017. We can now describe a composite average project, to give our users an idea of what they might find when they scan one of their own .NET projects. Across all of the .NET project scans we have performed, we found 5,744 unique direct dependencies and 1,819 unique indirect dependencies. An average project has around 11 direct dependencies and 76 indirect dependencies.

The following graphs describe the projects in which we found vulnerabilities. From the scans that have been performed by Snyk, it is clear that for a given project, a vulnerability is likely to be introduced via multiple paths. For instance, you may specify a given package as a direct dependency, but it may show up a second time as an indirect dependency if that same package is also used or referenced by another package within your app. Both paths must be addressed to truly remediate the vulnerability: upgrading only your own reference leaves the vulnerable version reachable through the other package.
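The multiple-path situation described above, as an added example that is not part of the original report. The script enumerates every path by which a package reaches a project and lists the top-level references that have to change. Its input is a constructed, trimmed dictionary modelled on the `targets` and `project.frameworks` sections of the `project.assets.json` that `dotnet restore` writes; the package names and versions in it are hypothetical.

```python
"""Enumerate every dependency path through which a package reaches a .NET
project, then work out which top-level references have to change.

Added example, not code from the Snyk report. ASSETS is a constructed,
trimmed structure modelled on the "targets" and "project.frameworks"
sections of NuGet's project.assets.json; names and versions are hypothetical.
"""

# Constructed sample: Example.Serializer is referenced directly by the project
# and is also pulled in transitively via Example.Logging -> Example.Web.
ASSETS = {
    "targets": {
        ".NETCoreApp,Version=v3.1": {
            "Example.Serializer/1.2.0": {"type": "package"},
            "Example.Web/2.0.0": {
                "type": "package",
                "dependencies": {"Example.Serializer": "1.2.0"},
            },
            "Example.Logging/3.1.0": {
                "type": "package",
                "dependencies": {"Example.Web": "2.0.0"},
            },
        }
    },
    "project": {
        "frameworks": {
            "netcoreapp3.1": {
                "dependencies": {
                    "Example.Serializer": {"target": "Package", "version": "[1.2.0, )"},
                    "Example.Logging": {"target": "Package", "version": "[3.1.0, )"},
                }
            }
        }
    },
}


def build_graph(assets):
    """Return (direct_refs, edges): the project's top-level package references
    and, for every resolved package, the names of the packages it depends on."""
    target = next(iter(assets["targets"].values()))      # first (only) target framework
    edges = {}
    for key, entry in target.items():
        name = key.partition("/")[0]                     # "Name/Version" -> Name
        edges[name] = list(entry.get("dependencies", {}))
    framework = next(iter(assets["project"]["frameworks"].values()))
    direct_refs = list(framework["dependencies"])
    return direct_refs, edges


def paths_to(assets, package):
    """All root-to-package paths, each a list that starts at a direct reference."""
    direct_refs, edges = build_graph(assets)
    found = []

    def walk(node, path):
        if node == package:
            found.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:                        # guard against cycles
                walk(child, path + [child])

    for ref in direct_refs:
        walk(ref, [ref])
    return found


def remediation_targets(assets, package):
    """Split the paths into direct and indirect, and list the top-level
    references that must be upgraded (or overridden) so the package stops
    being reachable through a vulnerable version."""
    paths = paths_to(assets, package)
    direct = [p for p in paths if len(p) == 1]
    indirect = [p for p in paths if len(p) > 1]
    # The first element of each path is the PackageReference in the .csproj
    # that owns that path; fixing only one of them leaves the others intact.
    must_touch = sorted({p[0] for p in paths})
    return {"direct": direct, "indirect": indirect, "references_to_fix": must_touch}


if __name__ == "__main__":
    result = remediation_targets(ASSETS, "Example.Serializer")
    for path in result["direct"] + result["indirect"]:
        print(" -> ".join(path))
    print("top-level references to fix:", result["references_to_fix"])
```

For the sample above the script reports one direct path and one indirect path (`Example.Logging -> Example.Web -> Example.Serializer`), so two top-level references need attention. After changing them, re-run `dotnet restore` and check the resolved version in `project.assets.json` rather than assuming: the indirect path is only closed if the package in the middle accepts the fixed version range.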


But the best news is that all of the known vulnerabilities found in the .NET ecosystem have available remediation, meaning that once our users knew of the security vulnerabilities, there were steps they could take to secure their project.

Want to learn more?

You can find the next portion of the report here. It covers the vulnerabilities (and their associated libraries) that Snyk has most often seen in scans of .NET projects. Curious to see a bird's-eye view of known vulnerabilities in the ecosystem? You can find the final portion of our report here.

And of course, you can download the entire report for free.
