Play all

Intro

Secure Software Supply Chains for Python PyCon US 2021

Developer Advocate @ Google • Director @ Python Software Foundation • Maintainer @ Python Package Index

Software Supply Chain Everything it takes to produce your software

Secure Software Supply Chain What is it?

Supply Chain Attacks Let's see some examples

Supply Chain Attack: Man-in-the-middle

Supply Chain Attack: Typosquatting

Supply Chain Attack: Dependency Confusion

Supply Chain Attack: Being a target of "research"

Supply Chain Attack: Getting SolarWinded

What we can do: HTTPS everywhere

What we can do: Use lockfiles

Version pins • Hashes X • Full dependency tree

An underused workflow Compiled Dependencies

What can we prevent with lockfiles?

What we can do: Vulnerability notifications

Improvemnt: Package Signing

Improvement: Fully audited/curated

Improvement: The slow but inevitable death of setup.py

Improvement: The Update Framework

Improvement: Namespaces on PyPI

Improvement: More funding for projects

Description:

Explore the critical topic of secure software supply chains in Python during this PyCon US talk. Delve into the robust ecosystem of open-source Python packages and the security challenges they present. Examine common supply chain attacks, including man-in-the-middle, typosquatting, and dependency confusion. Learn about protective measures such as HTTPS implementation, lockfile usage, and vulnerability notifications. Discover potential improvements to enhance ecosystem security, including package signing, audited repositories, and the Update Framework. Gain insights into the importance of funding open-source projects and the implementation of namespaces on PyPI to strengthen the overall Python software supply chain.

Secure Software Supply Chains for Python

PyCon US

Add to list

#Conference Talks #PyCon US #Information Security (InfoSec) #Cybersecurity #Supply Chain Attacks #Software Security #The Update Framework

0:00 / 0:00