Mitigating Security Risks in Software Supply Chain

7min Snip

00:00

Play full episode

Summary

Transcript

Episode notes

The chapter explores the challenges posed by third-party code dependencies in software development, emphasizing the risks of arbitrary code execution and malware introduction. It discusses the importance of securing the software supply chain, from source control management to package deployment, and the need to be cautious with third-party plugins in popular IDEs. The conversation highlights the intricacies of software supply chain security, stressing the importance of vetting software components and maintaining vigilance throughout the development process.

We've spoken previously about security and software supply chains and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain company and is on to give us the insiders and defender's perspective on how to keep our Python apps and infrastructure safe.

Episode sponsors

Sentry Error Monitoring, Code TALKPYTHON
Mailtrap
Talk Python Courses

Links from the show

Series: How Malicious Python Code Gains Execution: blog.phylum.io

Pick a Python Lockfile and Improve Security: blog.phylum.io
Bad Beat Poetry: blog.phylum.io
PEP 665 – A file format to list Python dependencies for reproducibility of an application: peps.python.org
PEP 517 – A build-system independent format for source trees: peps.python.org
PEP 518 – Specifying Minimum Build System Requirements for Python Projects: peps.python.org
Lockfiles should be committed on all projects: classic.yarnpkg.com
An Overview of Software Supply Chain Security: tldrsec.com
Typosquatting: docs.phylum.io
Common Attack Pattern Enumeration and Classification: capec.mitre.org
Dependency Confusion: docs.phylum.io
Expired Author Domains: docs.phylum.io
Unverifiable Dependency: docs.phylum.io
Repo Jacking: Hidden Danger in Broken Links: blog.phylum.io
Software Libraries Are Terrifying: medium.com
phylum 0.43.0: pypi.org
linguist: github.com
rich-codex ⚡️📖⚡️: ewels.github.io
Phylum Community Discord: discord.gg
The dream is dead?: mastodon.social
When "Everything" Becomes Too Much: The npm Package Chaos of 2024: socket.dev
pip-tools: github.com
Watch this episode on YouTube: youtube.com
Episode transcripts: talkpython.fm

--- Stay in touch with us ---
Subscribe to us on YouTube: youtube.com
Follow Talk Python on Mastodon: talkpython
Follow Michael on Mastodon: mkennedy