
Securing Python Projects Supply Chain

DevConf via YouTube

Overview

Explore the critical topic of securing Python projects' supply chain in this DevConf.CZ 2023 conference talk. Delve into the rising threat of supply chain attacks targeting third-party Python software and learn about emerging standards for attesting to the integrity and provenance of software dependencies. Discover the latest tools and best practices for securing Python projects throughout their lifecycle, from development to building, packaging, and distribution. Gain insights into cryptographic signatures, Software Bills of Materials (SBOMs), and SLSA attestations. Examine real-world examples like the SolarWinds attack and understand the true cost of vulnerable supply chains. Investigate secure supply chain frameworks, software signing techniques, vulnerability databases, and the challenges surrounding PyPI and malicious packages. Learn about Python container images, vulnerability scanning in source code, and important Python community initiatives such as PEP 458, PEP 480, PEP 708, and PEP 710. Explore the concept of Supply-chain Levels for Software Artifacts (SLSA) and the Graph for Understanding Artifact Composition to enhance your understanding of secure Python project management.

Syllabus

Intro
The real cost of a vulnerable supply chain
SolarWinds attack
Secure supply chain frameworks
Software signing
Vulnerability databases
Vulnerabilities and PyPI
PyPI and malicious packages
SBOMs and VEX
Python container images
Scanning for vulnerabilities in source code
Python community initiatives
PEP 458 & PEP 480
PEP 708: Extending the Repository API to Mitigate Dependency Confusion Attacks
PEP 710: Recording the provenance of installed packages
SLSA: Supply-chain Levels for Software Artifacts
Graph for Understanding Artifact Composition

Taught by

DevConf
