
Are you safe from Malicious and Vulnerable Python Packages?

by Crista Perlton, on Sep 16, 2022 1:59:29 AM

Can you spot the difference between colorama and colourama?

Sure, one is American English and the other is aimed toward British-English users.  

One of these is a malicious Python package designed to trick users; the other is legitimate.

Chances are that you've heard about vulnerable packages before—and may even be using a vulnerability scanner like OSS Index—but the truth of the matter is that vulnerable and malicious packages are different things and require different protections.

Malicious Packages and the Package Approval Workflow 

Malicious packages boil down to intent. They’re made with the intent to do harm. Malicious packages will do as much harm as they can for as long as they stay hidden.  

Back to our example of colorama vs. colourama; the former is designed to help Python users “make ANSI escape character sequences work under Windows”. The latter is a malicious package that uses British English to trick users. It copied colorama's original code and added malware that checks the Windows clipboard for bitcoin addresses. 

It's obvious that no one wants malware on their system.  

The good news is that you’re probably already avoiding malicious packages with tools like PyPI-scan—but a package approval workflow with ProGet is a better fit.  A package approval workflow protects your organization against malicious packages by helping you create a verification system for any downloaded packages.
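As an added illustration of the vetting step a package approval workflow performs (example code written for this post, not ProGet's or PyPI-scan's own implementation), the following check reads a requirements file, normalizes each project name the way PyPI does, and flags names that are not on an approved list but sit within a small edit distance of one, which is exactly how colourama would surface next to colorama. The allowlist and requirements contents are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed allowlist standing in for an organization's approved-package list.
APPROVED = {"colorama", "requests", "numpy", "urllib3"}

# Constructed requirements.txt contents; "colourama" mirrors the post's example.
SAMPLE_REQUIREMENTS = """\
colorama==0.4.6
colourama>=0.1   # one letter away from an approved name
requests==2.31.0
numpy
"""

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, collapse runs of -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> List[str]:
    """Extract normalized project names; version specifiers and comments are dropped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names

def classify(names: List[str], approved=APPROVED, max_distance: int = 2) -> Dict[str, str]:
    """Map each name to 'approved', 'suspect:<lookalike>' or 'unapproved' for review."""
    approved_norm = {normalize(n) for n in approved}
    verdicts = {}
    for name in names:
        if name in approved_norm:
            verdicts[name] = "approved"
            continue
        lookalikes = [a for a in approved_norm if edit_distance(name, a) <= max_distance]
        verdicts[name] = f"suspect:{min(lookalikes)}" if lookalikes else "unapproved"
    return verdicts
```

Anything marked `suspect` is a candidate typosquat and should be held for human review rather than installed; `unapproved` names simply have not been through the workflow yet.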

Read: How to Vet and Approve PyPI Packages

Vulnerable Packages and Vulnerability Scanning 

You know that malicious packages are intentionally made security risks. Their cousins—vulnerable packages—are made with no ill will; instead, their vulnerabilities are discovered over time, whether a week, a month, or a year later.

A WhiteSource paper reported that a large majority of vulnerable packages are low-severity—but high-severity vulnerabilities do exist. 

All Python users—yes, we mean everyone—will encounter vulnerable packages. The real danger of vulnerable packages is not being aware of their effect.  

Consider Log4Shell on Java. To repair this vulnerability, all users had to do was upgrade to the latest version. But which applications were affected? And what libraries depended on them? How in the world can you update and fix all of that while ensuring that nothing in your application breaks?  

Instead, a faster and easier solution is to use ProGet with its built-in vulnerability scanner feature. ProGet’s automated vulnerability scanning ensures that you’ll stay safe from any vulnerabilities as they're discovered.  

Read: HOWTO: Scan & Block Packages with OSS Index

Staying safe against Malicious and Vulnerable Packages 

Malicious packages are easy to avoid, especially when you enact a package approval workflow as a part of your organization’s system.  

By vetting third-party Python packages with a package approval workflow, you can be more confident that your organization is protected against malicious packages.  

There’s no way to predict what vulnerabilities will be discovered tomorrow. While vulnerability scanning is useful, it can’t protect you 100% of the time. But scanning cuts down on much of the time the manual process would take. Not to mention, ProGet remembers your previous decisions and applies them automatically to newly scanned packages.

ProGet teaches you—step-by-step—how to scan for vulnerabilities 

Sign up for our Python in the Enterprise eBook for more best practices:

