Learn Python with Talk Python's 270 hours of courses

Typosquatting and Supply Chains Vulnerabilities

Episode #319, published Sun, Jun 6, 2021, recorded Wed, May 26, 2021

One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy?

That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.

Watch this episode on YouTube
Play on YouTube
Watch the live stream version


Guests
Bentz Tozer is a Vice President in In-Q-Tel’s Cyber Practice, where he identifies and works with startups with the potential for high impact on national security. In previous roles, he has performed security research and software development with a focus on IoT devices and embedded systems. He has a PhD in systems engineering from George Washington University. btozer@iqt.org

John Speed Meyers is an engineer in IQT Labs and a researcher who focuses on software security, especially open source software supply chain security. He holds a PhD in policy analysis from the Pardee RAND Graduate School. He’s ambivalent about computers. jmeyers@iqt.org
Links from the show

Overview topics
SolarWinds: csoonline.com
XCodeGhost: macrumors.com
Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com
Dependency confusion: medium.com
Typosquatting Is About More Than Typos: iqt.org
Approaches to Protecting the Software Supply Chain: iqt.org
A Quant’s View of Software Supply Chain Securityz: usenix.org

Organizations
Open Source Security Foundation (OpenSSF): openssf.org
Python Security Response Team: python.org

Proposed solutions and tools
pypi-scan: github.com
AuraBorealis App: github.com
Project Aura: aura.sourcecode.ai
Aura source code: github.com
Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com
Have I Been Pwned: haveibeenpwned.com
Snyk Package Advisor: snyk.io
Backstabbers-Knife-Collection: dasfreak.github.io
NetworkML Package: github.com

Misc
Google as a Visionary Sponsor: pyfound.blogspot.com
Watch this episode on YouTube: youtube.com
Episode transcripts: talkpython.fm

--- Stay in touch with us ---
Subscribe to us on YouTube: youtube.com
Follow Talk Python on Mastodon: talkpython
Follow Michael on Mastodon: mkennedy

Want to go deeper? Check out our courses

Episode sponsored by
Ads served ethically
Talk Python's Mastodon Michael Kennedy's Mastodon