Zero Day Vulnerabilities and Supply Chain Attacks

AbdealiJK (~AbdealiJK)


Votes: 2

Description:

Abstract

All modern digital infrastructure is supported by a project some random person thanklessly maintains

Ref: https://xkcd.com/2347/

It is impossible to build software today without open source software as a core component, whether it is the language, the libraries, or an application you are building on. With the rise in zero-day vulnerabilities, many people look at the open source ecosystem with suspicion and worry, as there is not as much compliance and regulation in the open source space. But open source has always been meant for developers to do their research and play around to build awesome and cool software !! Regulating it would break the open source ecosystem.

Join me at PyCon India to discuss some of the security strategies that you can adopt to ensure your Python applications are not affected by this kind of supply chain attack.

We will discuss some of the most common techniques, from pinning to using CVE databases to keep track of your dependencies (direct and transitive). But not just in theory: let's understand how these techniques (like pinning) can be implemented without compromising developer experience and making it a pain to manage and test your applications.
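As an added illustration of the two techniques named above (this is example code written for this page, not material from the talk or from any of the tools listed below), the script parses a requirements file, flags every dependency that is not pinned with `==`, and checks each exact pin against an advisory list. The requirements text, the package names and the advisory entries (with `ADV-PLACEHOLDER-*` ids) are all constructed for the example; real tools such as safety or Dependabot do the same matching against a live CVE feed.

```python
"""Audit a requirements file for unpinned specs and known-vulnerable pins.

Added example for this page: a minimal, stdlib-only version of the check that
dependency-audit tools perform, run against a constructed advisory list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample requirements file: direct deps plus one transitive dep that a
# lock step (e.g. pip-compile) pinned and annotated with "# via".
SAMPLE_REQUIREMENTS = """\
# direct dependencies
examplelib==1.4.2
demotool>=3.0
miscpkg
# transitive, pinned by the lock step (constructed)
sublib==0.9.1  # via examplelib
"""

# Constructed advisory list with placeholder ids (not real CVEs).
# "introduced" is the first affected version (inclusive); "fixed" is the first
# safe version (exclusive), i.e. the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "sublib", "introduced": "0.9.0", "fixed": "0.9.3"},
    {"id": "ADV-PLACEHOLDER-2", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.0"},
]

# name, optional operator, optional version (covers the common requirements.txt forms)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.26.4' into (1, 26, 4, 0). Padded to four components so that
    '1.26' and '1.26.0' compare equal; non-numeric suffixes are ignored."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (name, operator, version) per requirement line; operator None means no
    version constraint at all. Comments and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def find_unpinned(text: str) -> List[str]:
    """Any spec that is not an exact '==' pin can resolve to a different release on
    the next install, which is exactly what pinning is meant to prevent."""
    return [name for name, op, _ in parse_requirements(text) if op != "=="]


def find_vulnerable(text: str, advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Map package -> advisory ids whose affected range contains the pinned version.
    Only exact pins are checked: a range spec has no single version to look up."""
    hits: Dict[str, List[str]] = {}
    for name, op, ver in parse_requirements(text):
        if op != "==" or ver is None:
            continue
        v = parse_version(ver)
        for adv in advisories:
            if adv["package"].lower() != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.setdefault(name, []).append(adv["id"])
    return hits


if __name__ == "__main__":
    print("unpinned:", find_unpinned(SAMPLE_REQUIREMENTS))      # ['demotool', 'miscpkg']
    print("vulnerable:", find_vulnerable(SAMPLE_REQUIREMENTS))  # {'sublib': ['ADV-PLACEHOLDER-1']}
```

Note that `examplelib==1.4.2` is not reported even though an advisory exists for it, because the pin is already past the fixed version; that is the distinction a range-aware check has to get right. In practice the pins come from a lock step rather than being typed by hand, and a check like this runs in CI so that an update to the advisory list fails the build without anyone having to re-audit manually.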

There is a common belief that security and ease-of-use are two sides of the same coin: you cannot have one without giving up the other. But striking a good balance is still possible !!

Prerequisites:

  1. Basics of Python - for example, what packages are.
  2. Basic understanding of PyPI and how to install packages.

Content URLs:

Some blogs and articles that are reference material and relevant to this topic:

  1. Increase of zero-day and supply chain attacks
  2. PyPI's focus on security
  3. Dangers of supply chain attacks

Tools to help with audits and other benefits:

  1. Safety for Python dependency audits
  2. OWASP Dependency-Check can check CVEs for any language (Java, R, etc.)
  3. GitHub's Dependabot can check CVEs in requirement/package files
  4. Scanning Docker images to find OS-level dependencies with known CVEs
  5. Curated lists, for example Google's Assured OSS
  6. Keeping track of versions and latest releases with endoflife.date

Speaker Info:

I have been working with Python for the past 14 years, since 8th grade in school, and with open source projects for the past 10 years, since GSoC while I was at IIT Madras. Some notable projects I have contributed to include Flask, marshmallow, SQLAlchemy, GNOME, Wikipedia, etc. I’ve dabbled a lot with JavaScript and Python, and love mixing boundaries between the two languages to learn the best practices from both sides.

I work as the CTO at Corridor Platforms and work towards creating a Risk Management software which is used by some of the largest banks in the world. My main objective is to create a stable and performant system while allowing developers to have a good developer experience. I strongly believe that software needs to be fun to develop and have a great dev-exp for developers, while catering to “business” needs of Performance, Maintainability, and Stability.

Speaker Links:

Recent talks I have done

  • Pycon DE & Pydata Berlin 2023: Monorepos in Python - video, slides, schedule
  • PyDelhi Conference 2023: Playwright and E2E - slides, schedule
  • FlaskCon 2022: Enabling multi-tenancy with werkzeug - video, slides
  • Bangpypers 2022: Using sqlalchemy+marshmallow for faster queries - schedule, slides

Section: Python in Platform Engineering and Developer Operations
Type: Talk
Target Audience: Beginner
Last Updated: