Cheuk Ting Ho
Developer advocate / Data Scientist - support open-source and building the community.
Making Python safer than ever
Grab the slides:
slides.com/cheukting_ho/python-safer
Hello I am Cheuk
-
Open-Source contributor
-
Organisers of community events
-
PSF director and fellow
- Community manager at OpenSSF
- Part of the Linux Foundation
- Focus on Open Source Security
- Not for Profit
- Security newsletters and blog
- Free courses:
What is important when choosing a place to live?
Safety is important
Even when using software at home
Security in Python
If you ask me, it is extra important
Who is using Python?
- Researchers
- Data Scientist
- Bank - financial industry
- Government
- Teachers
- Anyone - you and me
What makes Python vulnerable?
- Board adaptation
- Diverse user profile
- First programming language
- Users not nesscery having engineering background
There are also policies to protect consumers
- US Executive Order 14028 Minimum Elements for an SBOM
- CRA is being effective in a few years
- AI act, PLD etc
We need to protect Python users and devlopers
Do you know what are the most commmon issues in OSS?
Top 10 risks with OSS
drum rolls.....
Top 10 risks with OSS
- Known Vulnerabilities
- Compromise of Legitimate Package
- Name Confusion Attacks
- Unmaintained Software
- Outdated Software
- Untracked Dependencies
- License Risk
- Immature Software
- Unapproved Changes (mutable)
- Under/over-sized Dependency
PSF has hired 2 full-time engineers to help us
Seth Michael Larson
Security Developer-in-Residence
(funded by Alpha-Omega)
Mike Fiedler
PyPI Safety & Security Engineer
(funded by AWS)
This is what we do
How do you know if a
Python release artifact is legitimate?
Signed Releases
with Sigstore
Sigstore
- Sign and verify software
- identity-based, “keyless” signing
- Signing events are logged in Rekor
- transparency log providing an auditable record
Starting with the Python 3.11.0, Python 3.10.7, Python 3.9.14, Python 3.8.14, and Python 3.7.14 releases
CPython release artifacts are additionally signed with Sigstore
Use Sigstore to varify
jobs:
sigstore-python:
steps:
- uses: sigstore/gh-action-sigstore-python@v0.2.0
with:
inputs: foo.txtDo you know we have a Python Security
Response Team (PSRT)?
The PSRT accepts security reports for
- CPython
(supported and end-of-life) - pip
Vulnerability handled by PSRT
- The reporter reports the vulnerability privately
- If the report constitutes a vulnerability, the PSRT will work privately with the reporter
- The project creates a new release
- The project publicly announces the vulnerability and describes how to apply the fix via an advisory (public)
PSF has become a CVE Numbering Authority (CNA)
CVEs are numbers for documenting vulnerabilities
- A unique, alphanumeric identifier
e.g. CVE-2022-48564 - Enhance communication to discuss, share, and correlate information about a specific vulnerability
By becoming a CNA we can assign CVE IDs to vulnerabilities in CPython and Pip
Open Source Vulnerability DBs
PyPA Advisory Database
- for CPython from CVEs
- can use pip-audit for packages on PyPI
- now published to the OSV Vulnerability Database
- compatible with the OSV API to scan vulnerabilities
- more visibility
But that's not it!
We have action items for you
Securing our community
Maintainers of Python projects:
- Enable 2FA everywhere
(email, PyPI, GitHub, GitLab, etc) - Learn about secure development best practices
(OpenSSF Guides!) - Use tools like Scorecard and Sigstore
- Subscribe to the PyPI Blog for new security features
(or follow Seth's blog)
Users of Python projects:
- Keep your dependencies locked and up-to-date
- Subscribe for advisories:
security-announce@python.org - Use pip-audit to audit your dependencies for known vulnerabilities
- Alternatively you can use OSV API
Companies using Python (or any OSS) projects:
- Support OpenSSF's work by becoming a member
- Support Python Software Foundation
- Educate their employees - free courses on LF catalogue
- Encourage engineering and data science teams to follow best practices
Thank you
Alpha-Omega and AWS
For supporting PSF to have Seth and Mike to help us
It would be great to have more support!
Thank you ❤️
Grab the slides:
slides.com/cheukting_ho/python-safer
Making Python safer than ever
By Cheuk Ting Ho
