Python Dependency Security at February 2022 IndyPy

The February 2022 edition of IndyPy — Indiana’s largest Python meetup founded in 2007 by Six Feet Up CTO and Amazon Web Services (AWS) Community Hero, Calvin Hendryx-Parker — featured Python Dependency Security. In his presentation, Justin Womersley, CEO of PyUp.io, discusses software supply chain security — what it is, why it's important and how to do it right. Justin also addresses some of the gotchas/nuances of dependency management and security in the Python ecosystem.

As discussed at the Meetup, next-gen cyberattacks against open source tools jumped 650% last year, a figure that has caught the eye of federal authorities. Protecting your software supply chain starts with knowing what is in it: every piece of software that you did not write — if it’s used to develop, test, deploy, distribute, monitor, maintain, or run a system — could be vulnerable.

“Just one line of code in any of these projects could leak really important data from your development machines or your supply chain machines,” Justin says.

The pros and cons of a number of package maintenance tools — specifically pip, pipenv, and Poetry — are examined, and Justin shares a number of helpful security-related tidbits, such as:

  • attacks to watch for such as typosquatting and pytosquatting;
  • best practices for general software supply chain security; and
  • where software supply chain security is heading.
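The typosquatting and pytosquatting checks mentioned above, as an added example that is not part of the original post or of PyUp's tooling: a small Python script that normalises the names in a requirements file and flags any that are one edit away from a well-known package, or that differ from one only by a "py" prefix (the install-name/import-name confusion pytosquatting relies on). The list of known packages and the sample requirements are constructed assumptions for the demonstration.

```python
import re
# Constructed sample of well-known distribution names; a real check would use a curated list.
KNOWN_PACKAGES = {"requests", "numpy", "pyyaml", "urllib3", "django", "flask", "cryptography"}
# Constructed sample requirements file used for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.27.1
numpy>=1.22
reqeusts==2.27.0      # one transposition away from "requests"
djang0==4.0           # digit substituted for a letter
yaml                  # import name, not the distribution name (pyyaml)
Flask[async]==2.0.3   # extras and mixed case are fine after normalisation
"""
def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Return normalised project names from a requirements.txt body."""
    names = []
    for line in text.splitlines():
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if m:
            names.append(normalize(m.group(0)))
    return names

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)
    return d[len(a), len(b)]

def find_suspects(names, known=KNOWN_PACKAGES) -> dict[str, str]:
    """Map each suspicious requirement name to the known package it resembles."""
    suspects = {}
    for name in names:
        if name in known:
            continue
        for k in known:
            # near-miss spelling, or a "py" prefix dropped/added (pytosquatting)
            if edit_distance(name, k) <= 1 or name in (k.removeprefix("py"), "py" + k):
                suspects[name] = k
                break
    return suspects

if __name__ == "__main__":
    print(find_suspects(parse_requirements(SAMPLE_REQUIREMENTS)))
```

Run it in CI against the real requirements file and fail the build when the returned dict is non-empty; exact matches against the known list pass through untouched.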

Did you miss the presentation? Watch the recording and explore tidbits via @IndyPy’s live Twitter thread.

Links and Resources

Find Justin Womersley on GitHub: https://github.com/Jwomers
Learn more about Safety from PyUp: https://pyup.io/safety/
Detailed documentation for:

