Securing Python Projects Supply Chain
Offered By: DevConf via YouTube
Course Description
Overview
Explore the critical topic of securing Python projects' supply chain in this DevConf.CZ 2023 conference talk. Delve into the rising threat of supply chain attacks targeting third-party Python software and learn about emerging standards for attesting to the integrity and provenance of software dependencies. Discover the latest tools and best practices for securing Python projects throughout their lifecycle, from development to building, packaging, and distribution. Gain insights into cryptographic signatures, Software Bills of Materials (SBOMs), and SLSA attestations. Examine real-world examples like the SolarWinds attack and understand the true cost of vulnerable supply chains. Investigate secure supply chain frameworks, software signing techniques, vulnerability databases, and the challenges surrounding PyPI and malicious packages. Learn about Python container images, vulnerability scanning in source code, and important Python community initiatives such as PEP 458, PEP 480, PEP 708, and PEP 710. Explore the concept of Supply-chain Levels for Software Artifacts (SLSA) and the Graph for Understanding Artifact Composition to enhance your understanding of secure Python project management.
Syllabus
Intro
The real cost of a vulnerable supply chain
SolarWinds attack
Secure supply chain frameworks
Software signing
Vulnerability databases
Vulnerabilities and PyPI
PyPI and malicious packages
SBOMs and VEX
Python container images
Scanning for vulnerabilities in source code
Python community initiatives
PEP 458 & PEP 480
PEP 708: Extending the Repository API to Mitigate Dependency Confusion Attacks
PEP 710: Recording the provenance of installed packages
SLSA Supply-chain Levels for Software Artifacts
Graph for Understanding Artifact Composition
Taught by
DevConf
Related Courses
Maintaining Deployment Security in Microsoft Azure (Pluralsight)
Microsoft Azure Security Engineer: Configure Advanced Security for Compute (Pluralsight)
Microsoft Azure Security Technologies (AZ-500) Cert Prep: 2 Implement Platform Protection (LinkedIn Learning)
Securing Containers and Kubernetes Ecosystem (LinkedIn Learning)
Performing DevSecOps Automated Security Testing (Pluralsight)