Skip to main content This is the website for an older EuroPython. Looking for the latest EuroPython? Click here!
EuroPython logo

Best practices for securely consuming open source in Python

Track:
Security
Type:
Talk
Level:
intermediate
Room:
Terrace 2B
Start:
11:20 on 11 July 2024
Duration:
30 minutes

Abstract

The Python development landscape thrives on the extensive use of open-source libraries and frameworks. However, the growing prevalence of attacks targeting OSS underscores the need for robust security measures to consume open source.

In this talk, we’ll examine how the Secure Supply Chain Consumption Framework (S2C2F) can guide organizations in securely consuming Python OSS, utilizing tools such as pip, artifact managment, sboms and Dependabot.

The S2C2F Framework was developed by Microsoft and later donated to the Open Source Security Foundation (OpenSSF). It provides a structured approach to enhancing the security of OSS consumption.

We’ll provide an overview of its core principles and maturity levels and discuss practical strategies for implementing S2C2F principles within Python projects, including dependency management with pip, artifact management, sboms, signatures, deny rules, forking policies and automated security updates with Dependabot.

The S2C2F is a pragmatic approach to securing how you consume OSS. It emphasizes the fundamental principles of knowing your OSS, preventing the introduction of vulnerable packages, and maintaining robust patch management.

You will come away from this talk with practical tips and best practices on how to securely consume open source in python.

Recording

Play