PYTHON

EuroPython 2024 talks about security

EuroPython 2024 which occurred back in July 2024
has published the talk recordings to YouTube earlier this week.
I’ve been under the weather for most of this week, but have had a chance to
listen to a few of the security-related talks in-between resting.

Counting down for Cyber Resilience Act: Updates and expectations§

This talk was delivered by Python Software Foundation Executive Director Deb Nicholson and and Board Member Cheuk Ting Ho.
The Cyber Resilience Act (CRA) is coming, and it’ll affect more software than just the software written in the EU.
Deb and Cheuk describe the recent developments in the CRA like the creation of a new entity called the “Open Source Steward”
and how open source foundations and maintainers are preparing for the CRA.

For the rest of this year and next year I am focusing on getting the Python ecosystem ready for
software security regulations like the CRA and SSDF from the United States.

Starting with improving the
Software Bill-of-Materials (SBOM) story for Python, because this is required by both (and likely, future)
regulations. Knowing what software you are running is an important first step towards being able to secure that same software.

To collaborate with other open source foundations and projects on this work, I’ve joined the
Open Regulatory Compliance Working Group hosted by the Eclipse Foundation.

Towards licensing standardization in Python packaging§

This talk was given by Karolina Surma and it detailed all the work that goes into researching, writing,
and having a Python packaging standard accepted (spoiler: it’s a lot!). Karolina is working on PEP 639 which
is for adopting the SPDX licensing expression and identifier standards in Python as they are the current
state of the art for modeling complex licensing situations accurately for machine (and human) consumption.

This work is very important for Software Bill-of-Materials, as they require accurate license information
in this exact format. Thanks to Karolina, C.A.M. Gerlach, and many others for working for years on this PEP, it will be useful to so many uers once adopted!

The Update Framework (TUF) joins PyPI§

This talk was given by Kairo de Araujo and Lukas Pühringer
and it detailed the history and current status of The Update Framework (TUF)
integration into the Python Package Index.

TUF provides better integrity guarantees for software repositories like PyPI
like making it more difficult to “compel” the index to serve the incorrect artifacts
and to make a compromise of PyPI easier to roll-back and be certain that files hadn’t been modified.
For a full history and latest status, you can view PEP 458 and the top-level GitHub issue for Warehouse.

I was around for the original key-signing ceremony for the PyPI TUF root keys which was live-streamed
back in October 2020. Time flies, huh.

Writing Python like it’s Rust: more robust code with type hints§

This talk was given by Jakub Beránek about using type hints for
more robust Python code. Having written
a case-study on urllib3’s adoption of type hints
to find defects that testing and other tooling missed I highly recommend type hints for Python code as well:

Accelerating Python with Rust: The PyO3 Revolution§

This talk was given by Roshan R Chandar about using PyO3
and Rust in Python modules.

Automatic Trusted Publishing with PyPI§

This talk was given by Facundo Tuesca on using Trusted Publishing for authenticating with PyPI to publish packages.

Zero Trust APIs with Python§

This talk was given by Jose Haro Peralta on how to design and implement secure web APIs using Python,
data validation with Pydantic, and testing your APIs using tooling for detecting common security defects.

Best practices for securely consuming open source in Python§

This talk was given by Cira Carey which highlights many of today’s threats targetting open source consumers.
Users should be aware of these when selecting projects to download and install.

Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button