We've spoken previously about security and software supply chains, and we are back at it this episode. We're diving in again with Charles Coggins. Charles works at a software supply chain security company and is on to give us the insider's and defender's perspective on how to keep our Python apps and infrastructure safe.
▬▬▬▬ About the podcast ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
This video is the uncut, live recording of the Talk Python To Me podcast ( https://talkpython.fm ). We cover Python-focused topics every week and publish the edited and polished version in audio form. Subscribe in your podcast player of choice (100% free) at https://talkpython.fm/subscribe.
▬▬▬▬ Guests ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Charles Coggins
▬▬▬▬ Links and resources from the show ▬▬▬▬▬▬▬▬▬▬▬▬
Pick a Python Lockfile and Improve Security: (https://blog.phylum.io/pick-a-python-...)
Bad Beat Poetry: (https://blog.phylum.io/bad-beat-poetry/)
PEP 665 – A file format to list Python dependencies for reproducibility of an application: (https://peps.python.org/pep-0665/)
PEP 517 – A build-system independent format for source trees: (https://peps.python.org/pep-0517/)
PEP 518 – Specifying Minimum Build System Requirements for Python Projects: (https://peps.python.org/pep-0518/)
Lockfiles should be committed on all projects: (https://classic.yarnpkg.com/blog/2016...)
An Overview of Software Supply Chain Security: (https://tldrsec.com/p/supply-chain-se...)
Typosquatting: (https://docs.phylum.io/analytics/typo...)
Common Attack Pattern Enumeration and Classification: (https://capec.mitre.org/data/definiti...)
Dependency Confusion: (https://docs.phylum.io/analytics/depe...)
Expired Author Domains: (https://docs.phylum.io/analytics/expi...)
Unverifiable Dependency: (https://docs.phylum.io/analytics/odd_...)
Repo Jacking: Hidden Danger in Broken Links: (https://blog.phylum.io/repojacking-so...)
Software Libraries Are Terrifying: ( / software-libraries-are-terrifying )
phylum 0.43.0: (https://pypi.org/project/phylum/)
linguist: (https://github.com/github-linguist/li...)
rich-codex ⚡️📖⚡️: (https://ewels.github.io/rich-codex/)
Phylum Community Discord: ( / discord )
The dream is dead?: (https://mastodon.social/@tveskov/1112...)
When "Everything" Becomes Too Much: The npm Package Chaos of 2024: (https://socket.dev/blog/when-everythi...)
pip-tools: (https://github.com/jazzband/pip-tools)
Listen to this episode on Talk Python: https://talkpython.fm/episodes/show/4...
Episode transcripts:
▬▬▬▬ Dive deeper ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Listen to the Talk Python To Me podcast at https://talkpython.fm
Over 250 hours of Python courses at https://training.talkpython.fm/courses
Follow us on Mastodon. Michael: https://fosstodon.org/@mkennedy & Talk Python: https://fosstodon.org/@talkpython