We're streaming live right now.
Join in to be part of the show.

Typosquatting and Supply Chains Vulnerabilities

Episode #319, published Sun, Jun 6, 2021, recorded Wed, May 26, 2021.

This episode is carbon neutral.
One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy?

That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.

Bentz Tozer is a Vice President in In-Q-Tel’s Cyber Practice, where he identifies and works with startups with the potential for high impact on national security. In previous roles, he has performed security research and software development with a focus on IoT devices and embedded systems. He has a PhD in systems engineering from George Washington University. btozer@iqt.org

John Speed Meyers is an engineer in IQT Labs and a researcher who focuses on software security, especially open source software supply chain security. He holds a PhD in policy analysis from the Pardee RAND Graduate School. He’s ambivalent about computers. jmeyers@iqt.org

Links from the show

Overview topics
SolarWinds: csoonline.com
XCodeGhost: macrumors.com
Python Package Index nukes 3,653 malicious libraries uploaded: theregister.com
Dependency confusion: medium.com
Typosquatting Is About More Than Typos: iqt.org
Approaches to Protecting the Software Supply Chain: iqt.org
A Quant’s View of Software Supply Chain Securityz: usenix.org

Open Source Security Foundation (OpenSSF): openssf.org
Python Security Response Team: python.org

Proposed solutions and tools
pypi-scan: github.com
AuraBorealis App: github.com
Project Aura: aura.sourcecode.ai
Aura source code: github.com
Reduce Typosquatting Harm via Social Distancing for Top PyPI Packages: github.com
Have I Been Pwned: haveibeenpwned.com
Snyk Package Advisor: snyk.io
Backstabbers-Knife-Collection: dasfreak.github.io
NetworkML Package: github.com

Google as a Visionary Sponsor: pyfound.blogspot.com
Watch this episode on YouTube: youtube.com
Episode transcripts: talkpython.fm

--- Stay in touch with us ---
Subscribe on YouTube: youtube.com
Follow Talk Python on Twitter: @talkpython
Follow Michael on Twitter: @mkennedy

Want to go deeper? Check out our courses

Episode sponsored by
Ads served ethically
Become a friend of the show
Stay in the know and get a chance to win our contests.
See our privacy statement about email communications.