
Bad Actors vs Our Community - Detecting Software Supply Chain Attacks

PyCon US via YouTube

Overview

The course aims to educate participants on detecting and defending against software supply chain attacks in the Python ecosystem. Drawing on an analysis of millions of software package versions for malware and risky attributes, attendees will learn how bad actors exploit package managers such as PyPI to propagate malware. The course covers attack techniques including typosquatting, social engineering, dependency confusion, and account hijacking. Participants will also be introduced to a free tool called OSSIE, designed to help developers audit project dependencies and identify malicious changes. The teaching method combines technical presentations, case studies, and a demonstration of the OSSIE tool. This course is intended for developers, software engineers, and cybersecurity professionals looking to deepen their understanding of software supply chain security.

Syllabus

Intro
Open-source software is eating the world
Package managers
Bad actors exploit this trust
Software supply chain attack
Attack Technique: Typosquatting
Case study: mitmpraxy2
Technique: Social Engineering
Technique: Dependency Confusion
Technique: Account Hijacking
How to defend against these attacks
Manual vetting is infeasible
Existing tools report known CVEs
Vanity stats are not enough
Packj: a dev-friendly vetting tool
API Analysis
Metadata Analysis
Enabling package vetting at scale

Taught by

PyCon US

