פייקון ישראל 2024

עברת לעבוד בעברית. התמיכה עדיין חלקית מאוד, הטפסים לא מתורגמים, וייתכנו שגיאות מערכת, אבל אפשר לכתוב מימין לשמאל, ואנחנו על זה. אם נתקלת בשגיאה, אפשר בדרך כלל לחזור צעד אחורה, לעבור לאנגלית ולהשלים את הפעולה.

Malicious Needle in a Haystack - PyPi Security Pitfalls
16/09, 11:00–11:20 (Asia/Jerusalem), אולם 1
Language: English

Every developer uses open-source packages and models. Only a fraction of us validate their security. This session will cover the supply chain security issues that Python developers face, show attacks, and recommend how to avoid them.


PyPi has 1.5 billion packages downloaded daily. This huge number is the perfect opportunity to disguise a malicious needle in the package haystack. Due to its popularity among Python developers, PyPi is also extremely popular among attackers. Same for HuggingFace, which gains its popularity with skyrocketed usage of models.
Attackers may target masses using techniques like typosquatting or perform targeted campaigns against maintainers of the top projects and even the whole developer communities.
One of the crucial skills that a Python developer must have nowadays is the responsible use of open-source dependencies.
The talk will focus on the issues that may happen to the developers and the way of avoiding them.


Expected experience level of participants

Intermediate

Target audience

Developers

Brings 13+ years of experience in all the aspects of information security. Currently, manages two security research teams in supply chain and application security. Passionate about diving deep and understanding how things work under the hood, whether it's complicated systems, code, or a person's mind.