Talk Python To Me

#457: Software Supply Chain Security with Phylum

Apr 19, 2024

01:08:21

Snipd AI

Charles Coggins from a software supply chain company discusses securing Python apps. Topics include Rust adoption, dependency risks, lock files, and mitigating malware through analysis. Learn about safeguarding against threats and the importance of software security measures.

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Lock files ensure dependency stability and security in Python apps.

Managing transitive dependencies is crucial for project security.

Having lock files for libraries promotes reproducibility and controlled updates.

Deep dives

Importance of Lock Files for Dependency Management

Using lock files in managing dependencies is crucial to ensure the fully resolved set of dependencies used by an application. Lock files provide a clear and reproducible set of dependencies, allowing developers to know exactly what is going into their code. By pinning dependencies to specific versions, lock files help prevent unexpected changes or security vulnerabilities that could arise from dynamically resolving dependencies.

Introduction

2min

Mitigating Software Security Risks and Learning Programming Languages

7min

Exploring Rust adoption and software supply chain security in Python development

4min

Mitigating Security Risks in Software Supply Chain

7min

Software Security and Dependency Verification in Application Development

3min

Managing Dependencies for Software Stability and Security

15min

Optimizing Package Management and Build Backends in Software Development

10min

Securing Software Dependencies in Python

17min

Securing Software Dependencies and Preventing Malware through Analysis

3min

We've spoken previously about security and software supply chains and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain company and is on to give us the insiders and defender's perspective on how to keep our Python apps and infrastructure safe.

Episode sponsors

Sentry Error Monitoring, Code TALKPYTHON
Mailtrap
Talk Python Courses

Links from the show

Series: How Malicious Python Code Gains Execution: blog.phylum.io

Pick a Python Lockfile and Improve Security: blog.phylum.io
Bad Beat Poetry: blog.phylum.io
PEP 665 – A file format to list Python dependencies for reproducibility of an application: peps.python.org
PEP 517 – A build-system independent format for source trees: peps.python.org
PEP 518 – Specifying Minimum Build System Requirements for Python Projects: peps.python.org
Lockfiles should be committed on all projects: classic.yarnpkg.com
An Overview of Software Supply Chain Security: tldrsec.com
Typosquatting: docs.phylum.io
Common Attack Pattern Enumeration and Classification: capec.mitre.org
Dependency Confusion: docs.phylum.io
Expired Author Domains: docs.phylum.io
Unverifiable Dependency: docs.phylum.io
Repo Jacking: Hidden Danger in Broken Links: blog.phylum.io
Software Libraries Are Terrifying: medium.com
phylum 0.43.0: pypi.org
linguist: github.com
rich-codex ⚡️📖⚡️: ewels.github.io
Phylum Community Discord: discord.gg
The dream is dead?: mastodon.social
When "Everything" Becomes Too Much: The npm Package Chaos of 2024: socket.dev
pip-tools: github.com
Watch this episode on YouTube: youtube.com
Episode transcripts: talkpython.fm

--- Stay in touch with us ---
Subscribe to us on YouTube: youtube.com
Follow Talk Python on Mastodon: talkpython
Follow Michael on Mastodon: mkennedy

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Talk Python To Me

#457: Software Supply Chain Security with Phylum

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Lock Files for Dependency Management

Critical Role of Transitive Dependency Management

Benefits of Lock Files for Libraries and Applications

Transition from setup.py to pyproject.toml

Security Risks and Solutions for Open Source Software

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Talk Python To Me

#457: Software Supply Chain Security with Phylum

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Importance of Lock Files for Dependency Management

Critical Role of Transitive Dependency Management

Benefits of Lock Files for Libraries and Applications

Transition from setup.py to pyproject.toml

Security Risks and Solutions for Open Source Software

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights