The Inner Circle

  • 1.  Why the ecosystem of Python is in danger?

    Posted Jun 28, 2022 01:13:00 AM

    Python's PyPI repository is broken!

    What's PyPI?
    If you have used "pip install" to install any python package, you are downloading it from a PyPI repository.

    In 99% of your use cases, you have never opened the installed package to check its source code and that's fine, you aren't expected to.
    It's a library and it is supposed to provide a utility for you to build a more complex program where all your focus typically lies.

    But time and again it's been discovered that many of these libraries are also installing either a crypto mining program or stealing your sensitive information like AWS keys and GitHub account credentials.

    This has been such a consistent problem that it has ceased to gather any attention altogether now.

    How is this possible you may ask? Well, it's because anyone can upload a new package on the PyPI repository and its maintainers do little to check for any malicious code being uploaded.

    The most common trap is libraries with similar-looking names. "requests" is a legitimate library, whereas "request" is malware which every now and then keeps popping up on PyPI.
    Now if you mistakenly happen to type the command
    "pip install request"
    you have successfully loaded malware that steals your passwords stored in the system.

    Python was listed as one of the top 3 popular languages in the StackOverflow 2021 survey. Trust in the ecosystem is a big factor in Python's universal usage and PyPI's current condition has the capabilities to single-handedly destroy it.
    This needs a fix!



    ------------------------------
    Ashwani Paliwal
    CEO
    SecOps Solution
    ------------------------------
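One defender-side check for the look-alike names described above, as an added example that is not part of the original post: it normalises the names in a requirements file the way PyPI does and flags any that are one edit away from a package on a trusted allowlist. The allowlist and the sample requirements text are constructed for illustration.

```python
"""Flag near-miss package names in a requirements file (typosquat check).

Added example, not from the original post. The TRUSTED allowlist and the
SAMPLE requirements are constructed; a real check would load the allowlist
from the packages your organisation has actually vetted.
"""
import re

# Constructed allowlist of packages the team has reviewed and trusts.
TRUSTED = {"requests", "urllib3", "numpy", "cryptography", "boto3"}

def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> list[str]:
    """Return normalised project names from requirements.txt lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):       # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def check_requirements(text: str, trusted=TRUSTED, max_dist: int = 1) -> dict:
    """Map each unknown name to the trusted name it most closely resembles.

    Names on the allowlist pass silently. An unknown name within max_dist
    edits of a trusted one is reported as a probable typosquat; any other
    unknown name is reported with None so a human can review it.
    """
    findings = {}
    trusted_norm = {normalize(t) for t in trusted}
    for name in parse_requirements(text):
        if name in trusted_norm:
            continue
        close = sorted(t for t in trusted_norm if edit_distance(name, t) <= max_dist)
        findings[name] = close[0] if close else None
    return findings

# Constructed sample: "request" is a one-letter slip from "requests".
SAMPLE = "requests==2.28.1\nrequest\nnumpy>=1.23  # pinned loosely\nboto3\n"
```

Running `check_requirements(SAMPLE)` reports `request` as a likely typosquat of `requests` while the three trusted names pass.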



  • 2.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 29, 2022 04:11:00 AM
    Interesting. Have any alerts, advisories, or something similar been issued for this? Could not find anything after a cursory look.

    I know there are both private and Government efforts looking at this class of problems.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 3.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 29, 2022 04:27:00 AM

    There are advisories if the vulnerability has been identified inside python in-built libraries.

    But no advisories if a third-party and especially less-popular library has been identified as malware. Most security folks rely on whitepapers and publications to keep them abreast of any such findings like this one https://www.bleepingcomputer.com/news/security/pypi-python-packages-caught-sending-stolen-aws-keys-to-unsecured-sites/



    ------------------------------
    Ashwani Paliwal
    CEO
    SecOps Solution
    ------------------------------



  • 4.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 29, 2022 04:39:00 AM
    If I am reading this correctly, advisories exist for vulnerabilities within Python itself but not the DevSecOps exploit. Did I get that right?

    Cheers,
    alex.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 5.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 29, 2022 05:03:00 AM
    Yes, that is correct.
    However, there are a few databases like ExploitDB that maintain popular exploits. So that is one good source for finding any malicious library that is popularly being exploited in the wild.

    ------------------------------
    Ashwani Paliwal
    CEO
    SecOps Solution
    ------------------------------



  • 6.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 29, 2022 05:10:00 AM
    Thank you, Ashwani. It is good to know about that resource.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 7.  RE: Why the ecosystem of Python is in danger?

    Posted Jun 30, 2022 08:16:00 AM
    I recommend using tools like Safety from pyup.io as part of your CI/CD pipelines to identify Python packages with vulnerabilities (which should also flag malicious packages). It won't stop developers from installing bad packages in their own development environments, but it might prevent them from getting deployed to your servers.

    Safety has a free database, but you can pay pyup.io for access to a more up-to-date database (recommended). Tools like Safety that examine dependencies are generally called SCA (Software Composition Analysis) tools. Another popular tool that has both free and paid options is Snyk.

    Here's a recent article about activity that Ashwani described: PyPi python packages caught sending stolen AWS keys to unsecured sites

    Note that this issue is not just a Python issue! There have been similar issues with Ruby as well, and such issues can affect any programming language: Malicious RubyGems packages used in cryptocurrency supply chain attack

    ------------------------------
    Chris Herdt
    Senior Security Engineer
    University of Minnesota
    ------------------------------



  • 8.  RE: Why the ecosystem of Python is in danger?

    Posted Jul 05, 2022 07:09:00 AM
    This is a problem with every open-source tool, including everything from dotnet to node and its various JavaScript friends.
    Supply chain risk when building open source is a real concern and anyone not using suitable scanning tools is a fool and at risk. Thankfully many are available as a free option for open source to help you avoid these issues. Snyk and Sonar have tools that are able to support many different languages, but using language-based ones should not be discounted as everything in security should be done defence in depth.

    Adding items to your build chain takes away from a developer forgetting to run the checks, although it would be good practice for the Safety report in this case to be part of a pull request. Doing builds as part of commits to the branch is a great thing as this could then have run Safety and failed the build if any issues are found.


    ------------------------------
    Peter McLarty
    Data & IT Security Manager
    Redbourne Business Systems
    ------------------------------



  • 9.  RE: Why the ecosystem of Python is in danger?

    Posted Jul 05, 2022 08:41:00 AM
    Totally agree. If you are not A) running your own local PyPI repo, B) scanning said repo on changes, and C) running scans on the entire dependency stack during CI/CD for any publicly contributed (or any at all) package repository, then you are doing DevSecOps wrong.

    ------------------------------
    Justin Bowen
    ------------------------------