Archive for January, 2022

Security considerations in Python packaging

January 30, 2022

Gajendra Deshpande
Founder & Managing Director at Eyesec Cyber Security Solutions

Popular programming language index websites (TIOBE index) and developer surveys (Stack Overflow) place Python as one of the fastest-growing programming languages. However, this popularity also puts it in the target range of attackers. The attackers perform malicious dependency attacks and use misconfigured tools to reveal confidential information. Jukka Ruohonen, Kalle Hjerppe, and Kalle Rindell in their research paper “A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI” claimed that they scanned PyPI for security issues in Python packages and found the presence of at least one security issue in about 46% of the Python packages.

In addition, security vulnerabilities can be present in the source code of the package. In this talk, we will address the security issues related to Python packaging and possible solutions to make Python packages secure. The talk begins with the importance of a secure package and vulnerabilities in the Python Package Index. Then, I will discuss Python packages such as Bandit for identifying common security issues in Python code and “safety” for dependency checks. Next, I will discuss verifying and signing Python packages using GPG. Finally, I will discuss general guidelines for secure coding practices in Python.

Outline
1. Importance of a secure package and vulnerabilities in the Python Package Index (5 Minutes)
2. Bandit for identifying common security issues in Python code (4 Minutes)
3. Safety for dependency check (4 Minutes)
4. Verifying and signing PyPI and conda packages using GPG and Twine (4 Minutes)
5. General guidelines for secure coding practices in Python (5 Minutes)
6. Summary and Questions (3 Minutes)

Other talks at this conference 🚀🪐 https://www.conf42.com/python2022

Categories: Interesting

Why attackers in Code packages are getting a pass

January 29, 2022

Tzachi Zornstain
Head of CxDustico at Checkmarx

Presentation Outline
1. Refresher on recent OSS attacks, establishing:
– A quick baseline of terminology and concepts, plus a focus on recent major attacks found (PHP, dependency confusion, etc.)
2. Lack of visibility
The Python Package Index (PyPI) deals with this issue by simply removing the malicious packages without publishing their code or metadata to a central point where the packages could be found and researched.
Quite similarly, NPM removes all code and metadata and places a generic “security holding package” label on the package web page, although it does publish a security advisory with varying levels of specificity.

Researchers are unable to learn from detected malicious packages: no IOC/contributor data = no hunting for more code packages.

3. Lack of validation
One example: the process of publishing a Python package to PyPI allows the publisher to link a GitHub repository to the package; PyPI then pulls the repository statistics straight from GitHub and presents them on the package web page. The problem is that there is no validation of the connection between the package and the repository.
We will demonstrate this technique, which we came to call StarJacking.
4. Lack of awareness
The entire ecosystem is focused on detecting known vulnerabilities; many security teams believe this risk is covered by SCA products.
This is not the case: Vulnerabilities ≠ Malware.
We need a mindset shift and a new technology stack to detect attackers in code packages.
Reactive vs. proactive, static signatures vs. dynamic execution
5. Looking ahead
Most of what we do today in the field of malicious open-source software can best be described as patch management. The “cyber” point of view has yet to enter this game.
In this spirit, some thoughts of where we should be heading:
• Malware zoo – code package hatchery
• Sandbox for files – detonation chambers for dynamic analysis of code
• Cross language detection
• TTPs
• Bonus – contributors’ reputation

Other talks at this conference 🚀🪐 https://www.conf42.com/python2022

Categories: Interesting

Minimum Viable Security for Python Applications

January 28, 2022

David Melamed
Co-Founder & CTO at Jit

The minimum viable security (MVS) approach enables us to easily bake security into our config files, apps, and CI/CD processes with a few simple controls built for Python applications.

In this talk we will focus on five critical security controls that will be integrated as part of the CI/CD pipeline: Bandit for static application security testing (SAST), Gitleaks to detect hard-coded or insufficiently secured secrets, Python dependency checks (SCA), infrastructure as code (IaC) and ZAP for API and dynamic application security testing (DAST), in addition to custom controls to ensure proper enforcement of MFA via GitHub Security. These controls will provide a foundational framework for securing Python applications from the first line of code, making it possible to continuously iterate and evolve our security maturity toward the advanced layers of security that often come with time and increased experience.

Code examples will be showcased as part of this session.

Other talks at this conference 🚀🪐 https://www.conf42.com/python2022

Categories: Interesting

What I learnt when a system no one knew how to maintain started failing, and I was on-call — GripDev

January 20, 2022

A system is failing. People rely on it. You are on-call to fix it. You don’t know how it works, your team don’t know how it works and the last person to work on it has left the company. Fun times! I’ll be upfront. This was an intense on-call shift. It wasn’t much fun but […]

Categories: Interesting

Why Engineers Should Invest in Decision-Making Skills Early

January 14, 2022

Early in our careers as engineers, we’re told to invest in technical skills. We learn languages, implement patterns and frameworks, architect across the stack, and learn how to scale. Getting into the weeds of the work is what gets you credibility and clout with your teammates.

But to make more successful technical calls and advance careers, engineers actually need to develop better strategic decision-making skills — not just technical execution skills. In fact, an over-reliance on technical execution skills early in a career leads to untapped impact and stalled growth opportunities down the road. We consider this getting stuck in a downward strategy spiral, which we discuss in detail here.

Instead, the number one thing engineers can do today to become strategic leaders is to make more deliberate and effective decisions. In this post, we’ll share:

  • The dreaded debate: How engineers stall growth
  • How to move past this wall with the “watershed” framework
  • The impact of investing in decision-making skills

https://www.reforge.com/blog/technical-decision-making

Categories: Interesting