Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Bad Actors vs Our Community - Detecting Software Supply Chain Attacks

PyCon US via YouTube

Overview

Explore the critical issue of software supply chain security in this PyCon US talk. Delve into the world of bad actors exploiting package managers like PyPI to distribute malware. Learn about various attack techniques including typosquatting, social engineering, dependency confusion, and account hijacking. Discover a large-scale vetting system that analyzes millions of software package versions for malicious content and risky attributes. Gain insights into the development of this system and examine real-world malware detection case studies. Get introduced to OSSIE, a free Python PyPI package for auditing project dependencies and receiving notifications about malicious dependencies. Understand the importance of usable security tools in defending against software supply chain attacks and explore how Packj, a developer-friendly vetting tool, can help protect your projects through API and metadata analysis.

Syllabus

Intro
Open-source software is eating the world
Package managers
Bad actors exploit this trust
Software supply chain attack
Attack Technique: Typosquatting
Case study: mitmpraxy2
Technique: Social Engineering
Technique: Dependency Confusion
Technique: Account Hijacking
How to defend against these attacks
Manual vetting is infeasible
Existing tools report KNOWN CVES
Vanity stats are not enough
Packj: a dev-friendly vetting tool
API Analysis
Metadata Analysis
Enabling package vetting at scale

Taught by

PyCon US

Reviews

Start your review of Bad Actors vs Our Community - Detecting Software Supply Chain Attacks

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.