Niels Tanis
@niels.fennec.dev
Security Researcher @ Veracode
Microsoft MVP
Familyman & Renovator @ N28
Reposted by Niels Tanis
🎤 Meet one of our VISUG XL 2025 speakers: Niels Tanis!

We’re excited to welcome Niels this year at Visug XL, our yearly, free, community-driven .NET conference.

📅 November 28, 2025
📍 UCLL Leuven

👉 More information and tickets: www.visug.be/Events/102

#VisugXL #DotNet #Community #Conference
November 7, 2025 at 8:30 AM
Reposted by Niels Tanis
With 80% of modern #apps built on third-party #code, supply chain #security has become critical. Don't miss
@niels.fennec.dev "Beyond Trust: Building Community-Driven Security Analysis for Your .NET Software Supply Chain" at #NDCManchester!

ndcmanchester.com/agenda/beyon...
Beyond Trust: Building Community-Driven Security Analysis for Your .NET Software Supply Chain | NDC Manchester 2025
With 80% of modern applications built on third-party code, supply chain security has become critical. Traditional security tools like OpenSSF Security Scorecard provide surface-level metrics, but fail...
ndcmanchester.com
November 6, 2025 at 3:26 PM
Reposted by Niels Tanis
Chatbots — LLMs — do not know facts and are not designed to be able to accurately answer factual questions. They are designed to find and mimic patterns of words, probabilistically. When they’re “right” it’s because correct things are often written down, so those patterns are frequent. That’s all.
June 19, 2025 at 11:21 AM
Reposted by Niels Tanis
We are increasing the length of support offered for .NET Standard Term Support (STS) releases from 18 months to 24 months. This change is effective starting with .NET 9 and there is no change for LTS releases.

Get all the details you need: msft.it/63328t6MeM
October 27, 2025 at 9:33 PM
Reposted by Niels Tanis
Microsoft is expanding transparency in vulnerability management. We are now publishing VEX (Vulnerability Exploitability eXchange) attestations for third-party CVEs associated with the Azure Linux Distribution (formerly CBL-Mariner).

Learn why VEX matters in our blog post: msft.it/6014shEmn
October 22, 2025 at 11:12 PM
Reposted by Niels Tanis
"A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called #GlassWorm that has been installed an estimated 35,800 times."
#CyberSecurity #VSCode #SupplyChainAttack
www.bleepingcomputer.com/news/securit...
Self-spreading GlassWorm malware hits OpenVSX, VS Code registries
A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated ...
www.bleepingcomputer.com
October 22, 2025 at 3:53 PM
Reposted by Niels Tanis
"Researchers [...] said today that it takes only 250 specially crafted documents to force a generative AI model to spit out gibberish when presented with a certain trigger phrase."
#AI #LLM #GenAI #ModelPoisoning #AISecurity #CyberSecurity
www.theregister.com/2025/10/09/i...
Data quantity doesn't matter when poisoning an LLM
Just 250 malicious training documents can poison a 13B parameter model - that's 0.00016% of a whole dataset
www.theregister.com
October 15, 2025 at 8:33 AM
Reposted by Niels Tanis
It's Patch Tuesday and ASP.NET Core has a doozy, with a CVSS score of 9.9, our highest ever. Let's examine why.

The bug enables http request smuggling, which on its own for ASP.NET Core would be nowhere near that high, but that's not how we rate things...

* Thread- (1/7)
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability · Issue #371 · dotnet/announcements
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability i...
github.com
October 14, 2025 at 6:01 PM
Reposted by Niels Tanis
And while we're talking about .NET security we have another announcement.

Do you build and distribute your own version of .NET? Then you wanted to get early access to upcoming patch information sooner to protect your customers at the same time as we release patches.
October 14, 2025 at 6:06 PM
Reposted by Niels Tanis
#VisugXL 2025 is approaching!

We’re gearing up for our annual community-driven .NET conference! 💜

The agenda is almost ready, and we can’t wait to share the amazing lineup with you soon!

📅 November 28, 2025 — UCLL Leuven
🎟️ Get your tickets here 👉 www.visug.be/Events/102
October 13, 2025 at 7:15 AM
Reposted by Niels Tanis
Was this DEFCON eBPF bug talk hallucinated?
www.thestack.technology/defcon-ebpf-...
DEFCON talk on Linux kernel bugs drives AI slop row
"The code would not compile or run. This all points to LLM hallucination..."
www.thestack.technology
October 10, 2025 at 1:36 PM
Reposted by Niels Tanis
For the SecurityConversations show, I interviewed appsec and software supply chain security expert Chris Eng @ceng.bsky.social

LISTEN securityconversations.com/episode/chri...
Chris Eng on lessons learned from the NSA, @Stake, Veracode, and 20 years in cybersecurity - Security Conversations
This week on Security Conversations, Ryan sits down with Chris Eng, former Chief Research Officer at Veracode, to talk about life after nearly two decades […]
securityconversations.com
October 8, 2025 at 3:08 PM
Reposted by Niels Tanis
"We want AI agents that can discover like we can, not which contain what we have discovered. Building in our discoveries only makes it harder to see how the discovering process can be done." - The Bitter Lesson (2019), by Rich Sutton www.incompleteideas.net/IncIdeas/Bit...
September 29, 2025 at 2:48 AM
Reposted by Niels Tanis
I'm hiring! Looking for an #aspnetcore dev, ideally with identity/oidc experience. Role is support, tech presales, advisory, docs, ...

East coast US ideally for timezone overlap in the team

Small team and company, big ambition. Reach out if you're interested! duendesoftware.com/careers/cust...
Customer Success Engineer
Duende software looking to fill Customer Success Engineer position
duendesoftware.com
September 25, 2025 at 4:57 PM
Reposted by Niels Tanis
Alternative MFA...
September 19, 2025 at 5:04 PM
Reposted by Niels Tanis
.NET STS releases are now supported for 2 years instead of 18 months starting with .NET 9 (the current STS). STS releases now go out-of-support on the same day as the previous LTS release. Upgrading to an STS release will no longer cause you to lose support!
devblogs.microsoft.com/dotnet/dotne...
.NET STS releases supported for 24 months - .NET Blog
.NET STS releases will be supported for 24 months
devblogs.microsoft.com
September 16, 2025 at 5:56 PM
Reposted by Niels Tanis
The WebAssembly 3.0 spec is complete!

webassembly.org/news/2025-09...

This includes major features like GC, 64-bit memories, exceptions, and tail calls.
Wasm 3.0 Completed - WebAssembly
WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the...
webassembly.org
September 17, 2025 at 5:04 PM
Reposted by Niels Tanis
CVE-2025-9708: Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks -
CVE-2025-9708: Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks · Issue #134063 · kubernetes/kubernetes
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N — Medium (6.8) A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certi...
github.com
September 16, 2025 at 6:06 PM
Reposted by Niels Tanis
nuget trusted publishing from GitHub actions is rolling out.

No more api keys needed to publish from your release process.

learn.microsoft.com/en-us/nuget/...
Trusted Publishing
Trusted Publishing on nuget.org
learn.microsoft.com
September 10, 2025 at 10:30 PM
Reposted by Niels Tanis
Don't miss out on all the new stuff in C# with @fekberg.bsky.social at NDC Copenhagen next week 🇩🇰 See the full agenda and get your tickets at ndccopenhagen.com
September 4, 2025 at 3:25 PM
Reposted by Niels Tanis
Some notes on the insecurity baked into Perplexity's Comet "AI Browser" - the Brave security team reported serious prompt injection vulnerabilities in it, but Brave themselves are developing a similar feature that looks doomed to have similar problems simonwillison.net/2025/Aug/25/...
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
The security team from Brave took a look at Comet, the LLM-powered "agentic browser" extension from Perplexity, and unsurprisingly found security holes you can drive a truck through. The vulnerability...
simonwillison.net
August 25, 2025 at 9:42 AM
Reposted by Niels Tanis
Come get your post quantum algorithms.

And key wrapping.
.NET 10 Preview 7 is now available! - .NET Blog
Find out about the new features in .NET 10 Preview 7 across the .NET runtime, SDK, libraries, ASP.NET Core, Blazor, C#, .NET MAUI, and more!
devblogs.microsoft.com
August 20, 2025 at 2:27 PM
Reposted by Niels Tanis
Excited to share what my team and I have been working on for the past year 🎉

The new Dependabot NuGet updater is here to help keep your .NET dependencies secure and up-to-date. Check out all the details in our blog post

devblogs.microsoft.com/dotnet/the-n...
The new Dependabot NuGet updater: 65% faster with native .NET - .NET Blog
Discover the new Dependabot NuGet updater that improves performance, accuracy, and developer experience by leveraging native .NET tooling.
devblogs.microsoft.com
August 4, 2025 at 4:18 PM
Reposted by Niels Tanis
The S in MCP stands for security
August 2, 2025 at 5:29 AM
Reposted by Niels Tanis