We've spoken previously about security and software supply chains and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain company and is on to give us the insiders and defender's perspective on how to keep our Python apps and infrastructure safe.

Talk Python To Me

Michael Kennedy (@mkennedy)

#457: Software Supply Chain Security with Phylum

APR 19, 202468 MIN
Talk Python To Me

#457: Software Supply Chain Security with Phylum

APR 19, 202468 MIN

Description

We've spoken previously about security and software supply chains and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain company and is on to give us the insiders and defender's perspective on how to keep our Python apps and infrastructure safe.<br/> <br/> <strong>Episode sponsors</strong><br/> <br/> <a href='https://talkpython.fm/sentry'>Sentry Error Monitoring, Code TALKPYTHON</a><br> <a href='https://talkpython.fm/mailtrap'>Mailtrap</a><br> <a href='https://talkpython.fm/training'>Talk Python Courses</a><br/> <br/> <strong>Links from the show</strong><br/> <br/> <div><b>Series: How Malicious Python Code Gains Execution</b>: <a href="https://blog.phylum.io/how-malicious-python-code-gains-execution/" target="_blank" rel="noopener">blog.phylum.io</a><br/> <br/> <b>Pick a Python Lockfile and Improve Security</b>: <a href="https://blog.phylum.io/pick-a-python-lockfile-and-improve-security/" target="_blank" rel="noopener">blog.phylum.io</a><br/> <b>Bad Beat Poetry</b>: <a href="https://blog.phylum.io/bad-beat-poetry/" target="_blank" rel="noopener">blog.phylum.io</a><br/> <b>PEP 665 – A file format to list Python dependencies for reproducibility of an application</b>: <a href="https://peps.python.org/pep-0665/" target="_blank" rel="noopener">peps.python.org</a><br/> <b>PEP 517 – A build-system independent format for source trees</b>: <a href="https://peps.python.org/pep-0517/" target="_blank" rel="noopener">peps.python.org</a><br/> <b>PEP 518 – Specifying Minimum Build System Requirements for Python Projects</b>: <a href="https://peps.python.org/pep-0518/" target="_blank" rel="noopener">peps.python.org</a><br/> <b>Lockfiles should be committed on all projects</b>: <a href="https://classic.yarnpkg.com/blog/2016/11/24/lockfiles-for-all/" target="_blank" rel="noopener">classic.yarnpkg.com</a><br/> <b>An Overview of Software Supply Chain Security</b>: <a href="https://tldrsec.com/p/supply-chain-security-overview" target="_blank" rel="noopener">tldrsec.com</a><br/> <b>Typosquatting</b>: <a href="https://docs.phylum.io/analytics/typosquatting" target="_blank" rel="noopener">docs.phylum.io</a><br/> <b>Common Attack Pattern Enumeration and Classification</b>: <a href="https://capec.mitre.org/data/definitions/693.html" target="_blank" rel="noopener">capec.mitre.org</a><br/> <b>Dependency Confusion</b>: <a href="https://docs.phylum.io/analytics/dependency_confusion" target="_blank" rel="noopener">docs.phylum.io</a><br/> <b>Expired Author Domains</b>: <a href="https://docs.phylum.io/analytics/expired_author_domains" target="_blank" rel="noopener">docs.phylum.io</a><br/> <b>Unverifiable Dependency</b>: <a href="https://docs.phylum.io/analytics/odd_dependency" target="_blank" rel="noopener">docs.phylum.io</a><br/> <b>Repo Jacking: Hidden Danger in Broken Links</b>: <a href="https://blog.phylum.io/repojacking-software-supply-chain-vulnerability/" target="_blank" rel="noopener">blog.phylum.io</a><br/> <b>Software Libraries Are Terrifying</b>: <a href="https://medium.com/@dmrickert/software-libraries-are-terrifying-4875b6a74be6" target="_blank" rel="noopener">medium.com</a><br/> <b>phylum 0.43.0</b>: <a href="https://pypi.org/project/phylum/" target="_blank" rel="noopener">pypi.org</a><br/> <b>linguist</b>: <a href="https://github.com/github-linguist/linguist" target="_blank" rel="noopener">github.com</a><br/> <b>rich-codex ⚡️📖⚡️</b>: <a href="https://ewels.github.io/rich-codex/" target="_blank" rel="noopener">ewels.github.io</a><br/> <b>Phylum Community Discord</b>: <a href="https://discord.gg/Fe6pr5eW6p" target="_blank" rel="noopener">discord.gg</a><br/> <b>The dream is dead?</b>: <a href="https://mastodon.social/@tveskov/111289358585305218" target="_blank" rel="noopener">mastodon.social</a><br/> <b>When "Everything" Becomes Too Much: The npm Package Chaos of 2024</b>: <a href="https://socket.dev/blog/when-everything-becomes-too-much?utm_source=tldrnewsletter" target="_blank" rel="noopener">socket.dev</a><br/> <b>pip-tools</b>: <a href="https://github.com/jazzband/pip-tools" target="_blank" rel="noopener">github.com</a><br/> <b>Watch this episode on YouTube</b>: <a href="https://www.youtube.com/watch?v=uB-2nMphYBI" target="_blank" rel="noopener">youtube.com</a><br/> <b>Episode transcripts</b>: <a href="https://talkpython.fm/episodes/transcript/457/software-supply-chain-security-with-phylum" target="_blank" rel="noopener">talkpython.fm</a><br/> <br/> <b>--- Stay in touch with us ---</b><br/> <b>Subscribe to us on YouTube</b>: <a href="https://talkpython.fm/youtube" target="_blank" rel="noopener">youtube.com</a><br/> <b>Follow Talk Python on Mastodon</b>: <a href="https://fosstodon.org/web/@talkpython" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>talkpython</a><br/> <b>Follow Michael on Mastodon</b>: <a href="https://fosstodon.org/web/@mkennedy" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>mkennedy</a><br/></div>