Ramblings from a .NET Security PM

Sign in Subscribe

Latest — 08 Jun 2026

When is a guid not a guid?

This started with an email Sahad NK over in Azure Security about an unexpected behaviour when comparing Guid types in .NET. I had thought was widely understood, but a quick search through GitHub suggested otherwise. Because the pattern can lead to security bugs, it is worth explaining clearly. Before getting

More issues

Protecting your .NET app from Server-Side Request Forgery (SSRF) vulnerabilities.

A couple of weeks ago a friend asked what Server-Side Request Forgery (SSRF) was, how worried they should be, and how to fix it, as GitHub Copilot had told them that their application was vulnerable. This sent me down a rabbit hole thinking about my own .NET Bluesky SDK and

Generating SBOMs in NuGet packages with Microsoft.Sbom.Targets

How to use the Microsoft.SBOM.Targets NuGet package to produce a Software Bill of Materials (SBOM) during your release builds.

Enabling Source Control integration in Windows File Explorer

Windows Explorer can now show Git commit messages, the last changed date, and a version status of the file is modified and needs to be committed, as well as branch information in the status bar.

Publishing NuGet packages from a Github Action without secrets

This guide will walk you through using a combination of GitHub actions and NuGet publishing policies to push packages to nuget.org from within an action without needing to worry about API keys.

.NET code & nupkg signing in GitHub Actions

This guide will walk you through using a combination of GitHub actions and Entra managed identities to enable signing code and NuGet packages from within an action without needing to worry about access tokens.

Post Quantum Support in .NET

.NET 10 added ML-KEM, ML-DSA, SLH-DSA and Composite ML-KEM. Here I break down the support and its current limitations.

The year in .NET Security

A breakdown the year in .NET CVEs, including the code that caused the vulnerability, the fixes, and links to the GitHub PRs or commits that fixed the issues.