We've spoken previously about security and software supply chains, and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain company and is on to give us the insider's and defender's perspective on how to keep our Python apps and infrastructure safe.<br/>
<br/>
<strong>Episode sponsors</strong><br/>
<br/>
<a href='https://talkpython.fm/sentry'>Sentry Error Monitoring, Code TALKPYTHON</a><br>
<a href='https://talkpython.fm/mailtrap'>Mailtrap</a><br>
<a href='https://talkpython.fm/training'>Talk Python Courses</a><br/>
<br/>
<strong>Links from the show</strong><br/>
<br/>
<div><b>Series: How Malicious Python Code Gains Execution</b>: <a href="https://blog.phylum.io/how-malicious-python-code-gains-execution/" target="_blank" rel="noopener">blog.phylum.io</a><br/>
<br/>
<b>Pick a Python Lockfile and Improve Security</b>: <a href="https://blog.phylum.io/pick-a-python-lockfile-and-improve-security/" target="_blank" rel="noopener">blog.phylum.io</a><br/>
<b>Bad Beat Poetry</b>: <a href="https://blog.phylum.io/bad-beat-poetry/" target="_blank" rel="noopener">blog.phylum.io</a><br/>
<b>PEP 665 – A file format to list Python dependencies for reproducibility of an application</b>: <a href="https://peps.python.org/pep-0665/" target="_blank" rel="noopener">peps.python.org</a><br/>
<b>PEP 517 – A build-system independent format for source trees</b>: <a href="https://peps.python.org/pep-0517/" target="_blank" rel="noopener">peps.python.org</a><br/>
<b>PEP 518 – Specifying Minimum Build System Requirements for Python Projects</b>: <a href="https://peps.python.org/pep-0518/" target="_blank" rel="noopener">peps.python.org</a><br/>
<b>Lockfiles should be committed on all projects</b>: <a href="https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/" target="_blank" rel="noopener">classic.yarnpkg.com</a><br/>
<b>An Overview of Software Supply Chain Security</b>: <a href="https://tldrsec.com/p/supply-chain-security-overview" target="_blank" rel="noopener">tldrsec.com</a><br/>
<b>Typosquatting</b>: <a href="https://docs.phylum.io/analytics/typosquatting" target="_blank" rel="noopener">docs.phylum.io</a><br/>
<b>Common Attack Pattern Enumeration and Classification</b>: <a href="https://capec.mitre.org/data/definitions/693.html" target="_blank" rel="noopener">capec.mitre.org</a><br/>
<b>Dependency Confusion</b>: <a href="https://docs.phylum.io/analytics/dependency_confusion" target="_blank" rel="noopener">docs.phylum.io</a><br/>
<b>Expired Author Domains</b>: <a href="https://docs.phylum.io/analytics/expired_author_domains" target="_blank" rel="noopener">docs.phylum.io</a><br/>
<b>Unverifiable Dependency</b>: <a href="https://docs.phylum.io/analytics/odd_dependency" target="_blank" rel="noopener">docs.phylum.io</a><br/>
<b>Repo Jacking: Hidden Danger in Broken Links</b>: <a href="https://blog.phylum.io/repojacking-software-supply-chain-vulnerability/" target="_blank" rel="noopener">blog.phylum.io</a><br/>
<b>Software Libraries Are Terrifying</b>: <a href="https://medium.com/@dmrickert/software-libraries-are-terrifying-4875b6a74be6" target="_blank" rel="noopener">medium.com</a><br/>
<b>phylum 0.43.0</b>: <a href="https://pypi.org/project/phylum/" target="_blank" rel="noopener">pypi.org</a><br/>
<b>linguist</b>: <a href="https://github.com/github-linguist/linguist" target="_blank" rel="noopener">github.com</a><br/>
<b>rich-codex ⚡️📖⚡️</b>: <a href="https://ewels.github.io/rich-codex/" target="_blank" rel="noopener">ewels.github.io</a><br/>
<b>Phylum Community Discord</b>: <a href="https://discord.gg/Fe6pr5eW6p" target="_blank" rel="noopener">discord.gg</a><br/>
<b>The dream is dead?</b>: <a href="https://mastodon.social/@tveskov/111289358585305218" target="_blank" rel="noopener">mastodon.social</a><br/>
<b>When "Everything" Becomes Too Much: The npm Package Chaos of 2024</b>: <a href="https://socket.dev/blog/when-everything-becomes-too-much?utm_source=tldrnewsletter" target="_blank" rel="noopener">socket.dev</a><br/>
<b>pip-tools</b>: <a href="https://github.com/jazzband/pip-tools" target="_blank" rel="noopener">github.com</a><br/>
<b>Watch this episode on YouTube</b>: <a href="https://www.youtube.com/watch?v=uB-2nMphYBI" target="_blank" rel="noopener">youtube.com</a><br/>
<b>Episode transcripts</b>: <a href="https://talkpython.fm/episodes/transcript/457/software-supply-chain-security-with-phylum" target="_blank" rel="noopener">talkpython.fm</a><br/>
<br/>
<b>--- Stay in touch with us ---</b><br/>
<b>Subscribe to us on YouTube</b>: <a href="https://talkpython.fm/youtube" target="_blank" rel="noopener">youtube.com</a><br/>
<b>Follow Talk Python on Mastodon</b>: <a href="https://fosstodon.org/web/@talkpython" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>talkpython</a><br/>
<b>Follow Michael on Mastodon</b>: <a href="https://fosstodon.org/web/@mkennedy" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>mkennedy</a><br/></div>