PYTHON

PyCon Taiwan 2024 Keynote

Photo of testv testv Send an email 44 mins ago
0 0 1 minute read



PyCon Taiwan 2024 Keynote
















Here are my slides and overview of my PyCon Taiwan 2024 Keynote
titled “Bytes, Pipes, and People”. The video will be published to YouTube,
subscribe to the PyCon Taiwan YouTube channel to be notified when available.

Software security has historically been treated as extra or “nice-to-have”,
not a core feature that users expect. This means we have accumulated
plenty of tech debt. Now there are growing incentives and requirements
for producing secure software to meet user expectations.

Luckily for us, many of the tools, data, and systems already exist to
help us build a culture of security for Python. These tools help relay messages
between software creators and users so we can collaborate on this shared goal.

By actively participating you are starting the positive feedback loop of software security, making users safer faster!

Below is a list of items that actions can implement to build a culture of security for Python:

Maintainers§

  • Adopt Trusted Publishers if you use GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState to publish Python packages.
  • Use lock files for the build and publish workflow, such as pip-tools, Poetry, or PDM.
  • Adopt a lightweight security policy. Do not stress about CVEs: fix, release, publish a CVE.
  • Contribute new insecure code detections to Bandit.

Users§

  • Update dependencies that have vulnerabilities. Prioritize projects that are connected to the internet.
  • Update software on a semi-regular basis to avoid out-of-date and end-of-life software. Staying up-to-date helps you being able to upgrade to fixed versions in the future.
  • Run tests with PYTHONWARNINGS with DeprecationWarning and PendingDeprecationWarning set to errors to avoid missing deprecated features.
  • Create a secure open source usage policy, using verified data to evaluate open source projects. Do not install new projects without checking your policy first.
  • If you need a Software Bill-of-Materials document there are tools available to generate one. Those tools will improve over time from new Python package SBOM standards.
  • Add a vulnerability scanner like pip-audit, Grype, or Trivy.

References§

Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.

Photo of testv testv Send an email 44 mins ago
0 0 1 minute read
Photo of testv

testv

Related Articles

Free-Threading and a JIT Compiler Quiz – Real Python

8 hours ago

Displaying Pandas DataFrames in the Terminal

15 hours ago

Using Pandas to Read JSON from URL

22 hours ago

Using Python’s pip to Manage Your Projects’ Dependencies Quiz – Real Python

1 day ago

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button