Safeguard
Tag

python

Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.

76 articles

Open Source Security

Python setuptools Security Considerations

setuptools is the default Python packaging backend and its security properties matter for anyone who builds, installs, or runs Python code. Here is what to watch.

Oct 5, 20237 min read
Open Source Security

Python Packaging Authority and the Security of pip install

Every pip install is a trust decision. The Python Packaging Authority has spent years hardening the ecosystem, but the attack surface remains vast and the threat actors are persistent.

Sep 15, 20237 min read
Supply Chain Attacks

Massive PyPI Malware Campaign Targets Developers with Credential Stealers

A sustained campaign flooded PyPI with hundreds of malicious packages using typosquatting and dependency confusion to steal credentials and cryptocurrency from developers.

Sep 5, 20235 min read
Open Source Security

Pipenv Security Posture Review

Pipenv is still in production at many companies. Here is an honest look at its security model, its maintenance status, and when it is time to migrate away.

Aug 30, 20236 min read
Software Supply Chain Security

pip Install Hooks Security: The Python Packaging Backdoor

Python's setup.py runs arbitrary code during package installation. Despite efforts to move to declarative metadata, the risk persists.

Aug 18, 20234 min read
Software Supply Chain Security

Python Wheel Security Verification: What You Are Missing

Python wheels are the standard packaging format, but their security verification story has significant gaps that most developers never consider.

Jul 22, 20235 min read
Best Practices

Flask Application Security: A Deep Dive

Flask gives you room to make mistakes. This is a long look at the patterns that keep Flask apps safe in 2023, covering sessions, extensions, Werkzeug, and Jinja.

Jun 18, 20237 min read
Application Security

Django Security and Supply Chain Guide

Securing Django applications with built-in security features, dependency management, and supply chain protections.

May 15, 20234 min read
Open Source Security

The March 2023 PyPI Malware Wave

PyPI paused new user registration for most of May 20-23 after a March wave of typosquats and info-stealers flooded the index. Here is what happened and why.

Mar 28, 20235 min read
Open Source Security

PyPI Malware Campaigns Surge in Q4 2022: A Roundup of the Worst Offenders

Python's package registry saw an explosion of malicious packages in late 2022, from credential stealers to reverse shells. Here's what we found.

Dec 5, 20226 min read
Dependency Security

Python Package Security Best Practices

Practical techniques for securing your Python supply chain, from pip and PyPI to virtual environments and hash verification.

Nov 18, 20225 min read
Software Supply Chain Security

PyPI Namespace Squatting: How Attackers Exploit Python's Flat Package Namespace

Python's package registry has no namespace protection. Attackers exploit this with typosquatting, namespace confusion, and abandoned name reclamation. Here is how to protect your Python supply chain.

Nov 5, 20225 min read
python (Page 6) — Safeguard Blog