PyCon Israel 2024

Your locale preferences have been saved. We like to think that we have excellent support for English in pretalx, but if you encounter issues or errors, please contact us!

Malicious Needle in a Haystack - PyPi Security Pitfalls
09-16, 11:00–11:20 (Asia/Jerusalem), Hall 1
Language: English

Every developer uses open-source packages and models. Only a fraction of us validate their security. This session will cover the supply chain security issues that Python developers face, show attacks, and recommend how to avoid them.


PyPi has 1.5 billion packages downloaded daily. This huge number is the perfect opportunity to disguise a malicious needle in the package haystack. Due to its popularity among Python developers, PyPi is also extremely popular among attackers. Same for HuggingFace, which gains its popularity with skyrocketed usage of models.
Attackers may target masses using techniques like typosquatting or perform targeted campaigns against maintainers of the top projects and even the whole developer communities.
One of the crucial skills that a Python developer must have nowadays is the responsible use of open-source dependencies.
The talk will focus on the issues that may happen to the developers and the way of avoiding them.


Expected experience level of participants

Intermediate

Target audience

Developers

Brings 13+ years of experience in all the aspects of information security. Currently, manages two security research teams in supply chain and application security. Passionate about diving deep and understanding how things work under the hood, whether it's complicated systems, code, or a person's mind.