Zero Day Vulnerabilities and Supply Chain Attacks
AbdealiJK (~AbdealiJK)
Description:
Abstract
All modern digital infrastructure is supported by a project some random person thanklessly maintains
It is impossible to build software today without open source software being a core component of it, whether it is the language, the libraries, or an application you are leveraging from open source. With the rise in zero-day vulnerabilities, many people look at the open source ecosystem with suspicion and worry, as there is not as much compliance and regulation in the open source space. Well, open source has always been meant for developers to do their research and play around to build awesome and cool software!! Regulating it would break the open source ecosystem.
Join me at PyCon India to discuss some of the security strategies that you can adopt to ensure your Python applications are not affected by this kind of supply chain attack.
We will discuss some of the most common techniques, from pinning to using CVE databases to keep track of your dependencies (direct and transitive). But not just in theory: let's understand how these techniques (like pinning) can be implemented without compromising developer experience and making it a pain to manage and test your applications.
There is a common belief that security and ease of use are two sides of a coin, and that you cannot have one without giving up the other. But striking a good balance is still possible!!
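As an added example (not from the talk or the speaker), here is a small audit of a requirements file that implements the pinning point above: it reports every dependency that is not pinned with an exact `==` version or that lacks a `--hash=` entry for pip's hash-checking mode. The sample requirements text and its digest are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Matches "name[extras]<specifier> ..." at the start of a requirement line.
REQ_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>[^;#\\]*)")


@dataclass
class Finding:
    name: str
    issues: list = field(default_factory=list)


def audit_requirements(text):
    """Return one Finding per requirement that is not fully pinned.

    A requirement passes only when it uses exactly '==' with a concrete
    version and carries a '--hash=' option, so a later `pip install` in
    hash-checking mode refuses a substituted or tampered artifact.
    """
    findings = []
    # pip-compile style output continues hashes on backslash lines; join them first.
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or options such as -r / --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        spec = m.group("spec").split("--")[0].strip()  # drop trailing per-requirement options
        issues = []
        if "==" not in spec:
            issues.append("not pinned with ==")
        elif re.search(r"[~<>!]", spec) or spec.endswith(".*"):
            issues.append("pin allows a range")
        if "--hash=" not in line:
            issues.append("no --hash, artifact substitution undetectable")
        if issues:
            findings.append(Finding(name, issues))
    return findings


# Constructed sample; the digest is a placeholder, not a real hash.
SAMPLE = """\
requests==2.31.0 \\
    --hash=sha256:PLACEHOLDER_DIGEST
flask>=2.0          # loose range
urllib3==2.*        # wildcard pin
click==8.1.7        # pinned but unhashed
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE):
        print(f.name, "->", "; ".join(f.issues))
```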
Prerequisites:
- Basics of Python, for example what packages are.
- Basic understanding of PyPI and how to install packages.
Content URLs:
Some blogs and articles that are reference material and relevant to this topic:
- Increase of zero-day and supply chain attacks
- PyPI's focus on security
- Dangers of supply chain attacks
Tools to help with audits and other benefits:
- Python Safety for Python dependency audits
- OWASP Dependency-Check can check CVEs for any language (Java, R, etc.)
- GitHub's Dependabot can check CVEs in requirement/package files
- Scanning Docker images to cover OS-level dependencies
- Curated lists, for example Google's Assured OSS
- Keeping track of versions and latest releases with endoflife.date
Speaker Info:
I have been working with Python for the past 14 years, since 8th grade in school. I have worked with open source projects for the past 10 years, since GSoC while I was at IIT Madras. Some notable projects I have contributed to include flask, marshmallow, sqlalchemy, GNOME, Wikipedia, etc. I've dabbled a lot with JavaScript and Python, and love mixing boundaries between the two languages to learn the best practices from both sides.
I work as the CTO at Corridor Platforms and work towards creating a Risk Management software which is used by some of the largest banks in the world. My main objective is to create a stable and performant system while allowing developers to have a good developer experience. I strongly believe that software needs to be fun to develop and have a great dev-exp for developers, while catering to “business” needs of Performance, Maintainability, and Stability.
Speaker Links:
Recent talks I have done