Reputation: 3166
How can we ensure that packages downloaded through NuGet Package Manager are safe to use with customer confidential data? From what I know, anybody can contribute to NuGet, and there have been some cases where malicious code was introduced and could have been downloaded through Visual Studio.
We are trying to figure out a way to vet the packages from NuGet to ensure that they are safe to use.
Is there any reliable company/source that says that these packages are safe to use?
Or is anybody currently using a vetting process that is working for them? The last thing we want is to go through each package we use and research its vulnerabilities, because that's time consuming.
Upvotes: 1
Views: 624
Reputation: 76720
Ensuring confidential data is protected from Nuget Packages
When we publish a NuGet package to nuget.org, NuGet checks each package to determine whether it is safe. You can find the following statement in the nuget.org documentation:
Before being made public, all packages uploaded to nuget.org are scanned for viruses and rejected if any viruses are found. All packages listed on nuget.org are also scanned periodically.
So the packages from nuget.org are safe to use.
Update for comment:
Even though the packages are scanned, that doesn't mean they aren't vulnerable. An outdated package could use vulnerable processes that can be exploited.
Your uneasiness should apply to software you obtain from any source. Even software downloaded from 'app stores' (e.g. Apple iTunes, Android Market) could feasibly contain malicious code. The NuGet team comes up with conventions and mechanisms for ensuring that NuGet becomes a trustworthy source of software libraries for .NET developers, but still cannot guarantee that all packages are absolutely secure.
The ultimate responsibility rests with yourself as a user to ensure that your IT security isn't compromised, and the precautions you take are crucial.
There are some precautions which I would like to provide to you:
Lock in the semantic version number completely. Explicitly specify the major, minor, and patch numbers. Don't assume that new updates will be safe or that their semantic version will be accurate.
Use only well known current versions for production.
Experiment with anything in a test environment with limited access.
Check the vendor.
Frankly, the Microsoft developer community is very different from the typical internet user community where predators are lurking at every corner. Also, the knowledge level of the developer community is considerably higher. If someone knowingly puts out virulent code through trusted channels like NuGet and GitHub, he or she will be found, exposed and even prosecuted. Software written with an intent to harm cannot be protected directly or indirectly by any agreement.
Hope this helps.
Upvotes: 1
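The "lock in the semantic version number completely" advice from the answer above, as an added project-file example that is not part of the original answer. It assumes the SDK-style .csproj format; the package name and version are illustrative, and the point it demonstrates is that a plain `Version="13.0.3"` in NuGet is a *minimum* version, so a floating update can still be pulled in unless the version is bracketed as an exact match and the restore is pinned with a lock file.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>

    <!-- Write packages.lock.json on restore so every transitive
         dependency version is recorded and reviewable in source control. -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>

    <!-- Fail the restore (e.g. in CI) if the resolved graph would differ
         from the committed lock file, instead of silently upgrading. -->
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- NOT pinned: "13.0.3" means ">= 13.0.3", so a newer release
         can be resolved when the cache or lock file is missing.
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    -->

    <!-- Pinned: square brackets request exactly 13.0.3 (major, minor and
         patch all explicit), which is what the answer recommends. -->
    <PackageReference Include="Newtonsoft.Json" Version="[13.0.3]" />
  </ItemGroup>

</Project>
```

Restore once to generate the lock file, commit packages.lock.json, and any later change to the resolved package set then shows up as a diff to review rather than as an unnoticed update.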