Sunday, June 6, 2021

Talk Python to Me: #319: Typosquatting and Supply Chains Vulnerabilities

One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code you run on your system, installing them is done with some degree of trust. How do we know that all of those useful packages are trustworthy?

That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. We also discuss some potential solutions and fixes.

Links from the show

Overview topics
SolarWinds: csoonline.com (https://ift.tt/2We0bvj)
XCodeGhost: macrumors.com (https://ift.tt/3f3V4qm)
Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com (https://ift.tt/2Ola89e)
Dependency confusion: medium.com (https://ift.tt/3cYg7LQ)
Typosquatting Is About More Than Typos: iqt.org (https://ift.tt/2GAhLor)
Approaches to Protecting the Software Supply Chain: iqt.org (https://ift.tt/39JY89M)
A Quant's View of Software Supply Chain Security: usenix.org (https://ift.tt/3fW0nKh)

Organizations
Open Source Security Foundation (OpenSSF): openssf.org (https://openssf.org/)
Python Security Response Team: python.org (https://ift.tt/2T4cYBW)

Proposed solutions and tools
pypi-scan: github.com (https://ift.tt/3fUfvYn)
AuraBorealis App: github.com (https://ift.tt/3iicgvD)
Project Aura: aura.sourcecode.ai (https://ift.tt/3w0iyE5)
Aura source code: github.com (https://ift.tt/3gbtzMh)
Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com (https://ift.tt/2TNEmoj)
Have I Been Pwned: haveibeenpwned.com (https://ift.tt/1l33Xi1)
Snyk Package Advisor: snyk.io (https://ift.tt/2SdrLdC)
Backstabbers-Knife-Collection: dasfreak.github.io (https://ift.tt/3x2O2K0)
NetworkML Package: github.com (https://ift.tt/3uXdcs7)

Misc
Google as a Visionary Sponsor: pyfound.blogspot.com (https://ift.tt/2OvvTn9)
Episode transcripts: talkpython.fm (/episodes/transcript/319/typosquatting-and-supply-chains-vulnerabilities)

Sponsors
https://ift.tt/3ovvope
Python Training (https://ift.tt/2PVc9qH)
https://ift.tt/3x0z72P

from Planet Python
