phildini (49)
I have made it to my first talk at #PyConUS
First up: Python Security with @sethmlarson and @miketheman
"AI is changing everything"
Tools are getting much better at finding bugs and defects, so finding these vulns is cheaper, both time and resources.
Reminder: Attackers just have to be correct once, defenders have to be right all the time.
AI has made this asymmetry worse!
Hello #PyConUS! Do you want to come Ponder the Orbs?
The Orb Pondering open space, covering #Tarot, #Astrology, and beyond, is going to be in room 102C (that's the floor with registration in the main building) at 4pm tomorrow (Friday).
Come learn about making order from randomness, with paper and #Python!
Another new feature that's started mitigating risk: Dependency cooldowns.
Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.
At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.
This is easily 3x-4x previous years.
One response to this is PEP-811: defining a Python security response team, membership and responsibilities (https://peps.python.org/pep-0811/)
This makes it easier to add more members and spread the load.
One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.
PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits
This was focused on the PyPI software itself, and was completed in 2023.
So what can package maintainers do to help?
Know who to call: [email protected] and [email protected]
Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM
Other things to do as maintainers:
- Do a threat model analysis on your own software -- "What isn't a vuln?"
- Create a security policy; github will support a SECURITY.md
- Having a CoC helps set standards for respecting maintainer time
- .well-known/security.txt, look at https://securitytxt.org/
- Handle vuln reporting, as internal tickets, to the best of your ability
Malware reports are going up and to the right -- in fact we're at 4x year over year (🙃)
The people involved (Mike and Seth) have not 4x'd in response.
So let's talk about some of the attacks we're seeing.
Starting with "Watering Hole Attacks" -- targeting places people are likely to return to.
Shai-Hulud, LiteLLM, Trivy are all examples.
A common loop is:
"Malicious release" -> "Cryptocoins/ransomware/credentials" -> "Get more accounts" -> repeat
Attacks in one ecosystem can spread, because so many companies ship multi-ecosystem packages.