2021 July Reading List


I decided to try taking a bit of inspiration from Jo Walton’s Reading List series, in which she publicly keeps notes on the books she has read. I won’t be tracking everything I read related to coding, and I will include some videos and podcasts. Instead, what I am going to try is keeping notes on things I come across that stick with me, or that push me to experiment with a new library or technique.

Maarten Balliauw - Building a supply chain attack with .NET, NuGet, DNS, source generators, and more!

Discussed several surprising things that could be done in supply chain attacks. In particular he showed several ways that malicious code could be hidden from users, by masking it from IntelliSense and debugging.

The most interesting point was what you could do with Source Generators. Normally, Visual Studio makes it easy to inspect the generated code. But he pointed out that the generator could attempt to detect when a CI build is running and only in that case add malicious code to your output. In that situation, the dev team may never see that the code is being added.

Incidentally, his blog gave me a push to move my blog onto Jekyll.

Alex Birsan - Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies The Story of a Novel Supply Chain Attack

Demonstrates how private dependencies may be hijacked by creating a public library with an identical name. Provides an interesting look into hacking for bug bounties.

Microsoft - 3 ways to mitigate risk when using private package feeds (whitepaper)

Gives some details on avoiding the attack in the previous article.
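As an added illustration of one client-side defence against the hijack described above (this is my example, not code from the whitepaper or from Alex Birsan’s write-up): a NuGet.config that pins each package ID prefix to a single feed, so a same-named public package cannot satisfy a restore that was meant for the private feed. The feed name `contoso` and its URL are placeholders, and Package Source Mapping needs NuGet 6.0 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: a restore configuration that resists dependency confusion.
     The feed key "contoso" and its URL are placeholders, not real endpoints. -->
<configuration>
  <packageSources>
    <!-- Drop any sources inherited from user- or machine-level NuGet.config files,
         so the set of feeds consulted during restore is exactly the two below. -->
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="contoso"   value="https://pkgs.contoso.example/nuget/v3/index.json" />
  </packageSources>

  <!-- Without this section, a package such as "Contoso.Internal.Logging" may be
       resolved from either source, and a public package with that name can win.
       With it, the most specific matching pattern decides the feed: "Contoso.*"
       beats "*", so every Contoso.* ID is fetched only from the private feed,
       while everything else still comes from nuget.org. -->
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="contoso">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

Reserving the `Contoso.` prefix on nuget.org as well closes the gap for clients that do not honour the mapping section.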

Amadeusz Sadowski - List of C# Source Generators

A list of C# source generators, mostly available as NuGet packages. Also has a few projects that use generators internally.

Mark Seemann - Property-based testing is not the same as partition testing

I hadn’t heard of partition testing before, though it’s interesting in that a lot of my TDD process revolves around partitioning into examples. I haven’t done any true property-based testing (true here meaning randomly generating the test data) and really should look into FsCheck more, which Mark reminded me can be used from C# even though it works better in F#.

Nick Chapsas

I have found Nick’s YouTube channel to be consistently interesting since I first ran across it this month. His essential NuGet packages series in particular has pointed me to some libraries I hadn’t looked into before, that I am planning to try.