Talk Python To Me

#319: Typosquatting and Supply Chains Vulnerabilities

Update: 2021-06-06

Description

One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet running them, like running any other code on your system, involves some degree of trust. How do we know that all of those useful packages are trustworthy?

That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.

Links from the show

Overview topics

SolarWinds: csoonline.com

XCodeGhost: macrumors.com

Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com

Dependency confusion: medium.com

Typosquatting Is About More Than Typos: iqt.org

Approaches to Protecting the Software Supply Chain: iqt.org

A Quant's View of Software Supply Chain Security: usenix.org

Organizations

Open Source Security Foundation (OpenSSF): openssf.org

Python Security Response Team: python.org

Proposed solutions and tools

pypi-scan: github.com

AuraBorealis App: github.com

Project Aura: aura.sourcecode.ai

Aura source code: github.com

Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com

Have I Been Pwned: haveibeenpwned.com

Snyk Package Advisor: snyk.io

Backstabbers-Knife-Collection: dasfreak.github.io

NetworkML Package: github.com

Misc

Google as a Visionary Sponsor: pyfound.blogspot.com

Episode transcripts: talkpython.fm

Sponsors

Square

Talk Python Training

AssemblyAI

Michael Kennedy (@mkennedy)