Overview
Syllabus
Intro
Secure Software Supply Chains for Python PyCon US 2021
Developer Advocate @ Google • Director @ Python Software Foundation • Maintainer @ Python Package Index
Software Supply Chain Everything it takes to produce your software
Secure Software Supply Chain What is it?
Supply Chain Attacks Let's see some examples
Supply Chain Attack: Man-in-the-middle
Supply Chain Attack: Typosquatting
Supply Chain Attack: Dependency Confusion
Supply Chain Attack: Being a target of "research"
Supply Chain Attack: Getting SolarWinded
What we can do: HTTPS everywhere
What we can do: Use lockfiles
Version pins • Hashes X • Full dependency tree
An underused workflow Compiled Dependencies
What can we prevent with lockfiles?
What we can do: Vulnerability notifications
Improvemnt: Package Signing
Improvement: Fully audited/curated
Improvement: The slow but inevitable death of setup.py
Improvement: The Update Framework
Improvement: Namespaces on PyPI
Improvement: More funding for projects
Taught by
PyCon US