Best practices for securely consuming open source in Python

Formal Metadata

Title
Best practices for securely consuming open source in Python
Title of Series
Number of Parts
131
Author
License
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
The Python development landscape thrives on the extensive use of open-source libraries and frameworks. However, the growing prevalence of attacks targeting OSS underscores the need for robust security measures when consuming open source. In this talk, we'll examine how the Secure Supply Chain Consumption Framework (S2C2F) can guide organizations in securely consuming Python OSS, using tools such as pip, artifact management, SBOMs and Dependabot. The S2C2F framework was developed by Microsoft and later donated to the Open Source Security Foundation (OpenSSF). It provides a structured approach to improving the security of OSS consumption. We'll give an overview of its core principles and maturity levels and discuss practical strategies for implementing S2C2F principles within Python projects, including dependency management with pip, artifact management, SBOMs, signatures, deny rules, forking policies and automated security updates with Dependabot. The S2C2F is a pragmatic approach to securing how you consume OSS. It emphasizes the fundamental principles of knowing your OSS, preventing the introduction of vulnerable packages, and maintaining robust patch management. You will come away from this talk with practical tips and best practices on how to securely consume open source in Python.
Transcript: English (auto-generated)