Overview
Explore the critical issue of software supply chain security in this PyCon US talk. Delve into the world of bad actors exploiting package managers like PyPI to distribute malware. Learn about various attack techniques including typosquatting, social engineering, dependency confusion, and account hijacking. Discover a large-scale vetting system that analyzes millions of software package versions for malicious content and risky attributes. Gain insights into the development of this system and examine real-world malware detection case studies. Get introduced to OSSIE, a free Python PyPI package for auditing project dependencies and receiving notifications about malicious dependencies. Understand the importance of usable security tools in defending against software supply chain attacks and explore how Packj, a developer-friendly vetting tool, can help protect your projects through API and metadata analysis.
Syllabus
Intro
Open-source software is eating the world
Package managers
Bad actors exploit this trust
Software supply chain attack
Attack Technique: Typosquatting
Case study: mitmpraxy2
Technique: Social Engineering
Technique: Dependency Confusion
Technique: Account Hijacking
How to defend against these attacks
Manual vetting is infeasible
Existing tools report KNOWN CVES
Vanity stats are not enough
Packj: a dev-friendly vetting tool
API Analysis
Metadata Analysis
Enabling package vetting at scale
Taught by
PyCon US