Explore the critical topic of secure software supply chains in Python during this PyCon US talk. Delve into the robust ecosystem of open-source Python packages and the security challenges they present. Examine common supply chain attacks, including man-in-the-middle, typosquatting, and dependency confusion. Learn about protective measures such as HTTPS implementation, lockfile usage, and vulnerability notifications. Discover potential improvements to enhance ecosystem security, including package signing, audited repositories, and the Update Framework. Gain insights into the importance of funding open-source projects and the implementation of namespaces on PyPI to strengthen the overall Python software supply chain.
Overview
Syllabus
Intro
Secure Software Supply Chains for Python PyCon US 2021
Developer Advocate @ Google • Director @ Python Software Foundation • Maintainer @ Python Package Index
Software Supply Chain Everything it takes to produce your software
Secure Software Supply Chain What is it?
Supply Chain Attacks Let's see some examples
Supply Chain Attack: Man-in-the-middle
Supply Chain Attack: Typosquatting
Supply Chain Attack: Dependency Confusion
Supply Chain Attack: Being a target of "research"
Supply Chain Attack: Getting SolarWinded
What we can do: HTTPS everywhere
What we can do: Use lockfiles
Version pins • Hashes X • Full dependency tree
An underused workflow Compiled Dependencies
What can we prevent with lockfiles?
What we can do: Vulnerability notifications
Improvemnt: Package Signing
Improvement: Fully audited/curated
Improvement: The slow but inevitable death of setup.py
Improvement: The Update Framework
Improvement: Namespaces on PyPI
Improvement: More funding for projects
Taught by
PyCon US
Related Courses
-
Hardening Your Soft Software Supply Chain
-
Bad Actors vs Our Community - Detecting Software Supply Chain Attacks
-
Securing Python Projects Supply Chain
-
Securing the Open Source Software Supply Chain
-
Why You Should Care About Open Source Supply Chain Security
-
Unearthing Malicious and Risky OpenSource Packages Using Packj
