#319: Typosquatting and Supply Chains Vulnerabilities

59:43
 
Chia sẻ
 

Manage episode 294273625 series 2453836
Thông tin tác giả Michael Kennedy and Michael Kennedy (@mkennedy) được phát hiện bởi Player FM và cộng đồng của chúng tôi - bản quyền thuộc sở hữu của nhà sản xuất (publisher), không thuộc về Player FM, và audio được phát trực tiếp từ máy chủ của họ. Bạn chỉ cần nhấn nút Theo dõi (Subscribe) để nhận thông tin cập nhật từ Player FM, hoặc dán URL feed vào các ứng dụng podcast khác.
One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy?
That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.
Links from the show
Overview topics
SolarWinds: csoonline.com
XCodeGhost: macrumors.com
Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com
Dependency confusion: medium.com
Typosquatting Is About More Than Typos: iqt.org
Approaches to Protecting the Software Supply Chain: iqt.org
A Quant’s View of Software Supply Chain Securityz: usenix.org
Organizations
Open Source Security Foundation (OpenSSF): openssf.org
Python Security Response Team: python.org
Proposed solutions and tools
pypi-scan: github.com
AuraBorealis App: github.com
Project Aura: aura.sourcecode.ai
Aura source code: github.com
Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com
Have I Been Pwned: haveibeenpwned.com
Snyk Package Advisor: snyk.io
Backstabbers-Knife-Collection: dasfreak.github.io
NetworkML Package: github.com
Misc
Google as a Visionary Sponsor: pyfound.blogspot.com
Episode transcripts: talkpython.fm

Sponsors
Square
Talk Python Training
AssemblyAI

334 tập