PyCon Taiwan 2024 Keynote
Here are my slides and an overview of my PyCon Taiwan 2024 keynote
titled “Bytes, Pipes, and People”. The video will be published to YouTube;
subscribe to the PyCon Taiwan YouTube channel to be notified when it is available.
Software security has historically been treated as extra or “nice-to-have”,
not a core feature that users expect. This means we have accumulated
plenty of tech debt. Now there are growing incentives and requirements
for producing secure software to meet user expectations.

Luckily for us, many of the tools, data, and systems already exist to
help us build a culture of security for Python. These tools help relay messages
between software creators and users so we can collaborate on this shared goal. By actively participating you are starting the positive feedback loop of software security, making users safer faster!
Below is a list of actions that maintainers and users can take to build a culture of security for Python:
Maintainers
- Adopt Trusted Publishers if you use GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState to publish Python packages.
- Use lock files for the build and publish workflow, such as pip-tools, Poetry, or PDM.
- Adopt a lightweight security policy. Do not stress about CVEs: fix, release, publish a CVE.
- Contribute new insecure code detections to Bandit.
Users
- Update dependencies that have vulnerabilities. Prioritize projects that are connected to the internet.
- Update software on a semi-regular basis to avoid out-of-date and end-of-life software. Staying up-to-date makes it easier to upgrade to fixed versions in the future.
- Run tests with `PYTHONWARNINGS` set so that `DeprecationWarning` and `PendingDeprecationWarning` are errors, to avoid missing deprecated features.
- Create a secure open source usage policy, using verified data to evaluate open source projects. Do not install new projects without checking your policy first.
- If you need a Software Bill-of-Materials document there are tools available to generate one. Those tools will improve over time from new Python package SBOM standards.
- Add a vulnerability scanner like pip-audit, Grype, or Trivy.
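The "run tests with PYTHONWARNINGS" item above, as an added example that is not from the talk: it reproduces the interpreter's default filters (deprecations ignored for library code) next to the strict setting, and shows that only the strict one turns a dependency's deprecation into a failing test. `legacy_api`, `parse_pythonwarnings` and `run_test_under` are constructed for this demo; the parser handles only the `action::category` form used here.

```python
import builtins
import warnings

# The PYTHONWARNINGS value recommended in the post (constructed for this demo).
STRICT = "error::DeprecationWarning,error::PendingDeprecationWarning"
# What the interpreter applies to library code by default: both categories are ignored.
DEFAULT = "ignore::DeprecationWarning,ignore::PendingDeprecationWarning"


def parse_pythonwarnings(value):
    """Turn the comma-separated action::category entries of PYTHONWARNINGS into
    (action, category) pairs. The message/module/lineno fields are not handled
    (assumption: only the form used in the post matters here)."""
    filters = []
    for spec in value.split(","):
        fields = spec.split(":")
        action = fields[0]
        name = fields[2] if len(fields) > 2 and fields[2] else "Warning"
        filters.append((action, getattr(builtins, name)))
    return filters


def legacy_api():
    """Stand-in for a dependency's function that is scheduled for removal."""
    warnings.warn("legacy_api() is deprecated; use new_api()",
                  DeprecationWarning, stacklevel=2)
    return "ok"


def run_test_under(value):
    """Call legacy_api() as a test would, with the given PYTHONWARNINGS value
    in effect. Returns 'ignored', 'shown' or 'error'."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.resetwarnings()  # drop inherited filters; keep only ours
        for action, category in parse_pythonwarnings(value):
            warnings.filterwarnings(action, category=category)
        try:
            legacy_api()
        except DeprecationWarning:
            return "error"  # strict setting: the test fails and you notice
    return "shown" if caught else "ignored"


if __name__ == "__main__":
    print("default:", run_test_under(DEFAULT))  # ignored: the deprecation is missed
    print("strict :", run_test_under(STRICT))   # error: surfaced before the API is removed
```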