PyCon Sweden 2021

Security considerations in Python Packaging
2021-10-21 , Software

Live stream: https://youtu.be/tHlMw9zFgQE

Popular programming language index websites (TIOBE index) and developer surveys (Stack Overflow) place Python as one of the fastest-growing programming languages. However, this popularity also puts in the target range of attackers. The attackers perform malicious dependency attacks and use misconfiguration tools to reveal confidential information. In this talk, we will discuss identifying common security issues in Python code and handling malicious dependency attacks using safety.


Popular programming language index websites (TIOBE index) and developer surveys (Stack Overflow) place Python as one of the fastest-growing programming languages. However, this popularity also puts in the target range of attackers. The attackers perform malicious dependency attacks and use misconfiguration tools to reveal confidential information. Jukka Ruohonen, Kalle Hjerppe, and Kalle Rindell in their research paper "A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI" claimed that they scanned PyPI for security issues in Python packages and found the presence of at least one security issue in about 46% of the Python packages. In addition, security vulnerabilities can be present in the source code of the package. In this talk, we will address the security issues related to python packaging and possible solutions to make python packages secure. The talk begins with the importance of a secure package and vulnerabilities in the Python package index. Then, I will discuss Python packages such as Bandit for identifying common security issues in Python code and “safety” for dependency check. Next, I will discuss verifying and signing Python packages using GPG. Finally, I will discuss general guidelines for secure coding practices in Python.

Outline
1. Importance of a secure package and vulnerabilities in python package index. (05 Minutes)
2. Bandit for identifying common security issues in Python code (03 Minutes)
3. safety for dependency check (04 Minutes)
4. Verifying and signing PyPI and conda packages using GPG and Twine(05 Minutes)
5. General guidelines for secure coding practices in Python (05 Minutes)
6. Summary and Questions (03 Minute )

I hold M.Tech. in Computer Science and Engineering and PG Diploma in Cyber Law and Cyber Forensics from National Law School of India University, Bengaluru India. I have presented talks/posters/papers at prestigious conferences including JuliaCon, London, PyCon France, PyCon Hong Kong, PyCon Taiwan, COSCUP Taiwan, PyCon Africa, BuzzConf Argentina, EuroPython, PiterPy Russia, SciPy USA, SciPy India, NIT Goa, and IIT Gandhi Nagar. Worked as a Reviewer and Program Committee member for reputed International conferences including SciPy USA, SciPy Japan, JuliaCon, JupyterCon, PyData Global, and PyCon India, and publishers include Manning USA and Oxford Univesity Press. I am also a GitHub Certified Campus Advisor. I lead the PyData Belagavi chapter and the OWASP Belagavi chapter.