Are You Safe from Malicious and Vulnerable Python Packages?
Can you spot the difference between colorama and colourama?
Sure, one is American English and the other is aimed at British-English users.
One of these is a malicious Python package designed to trick users; the other is legitimate.
Chances are you’ve heard about vulnerable packages before—and may even be using a vulnerability scanner like OSS Index—but vulnerable and malicious packages are different things and call for different protections.
Malicious Packages and the Package Approval Workflow
Malicious packages boil down to intent. They’re made with the intent to do harm. Malicious packages will do as much harm as they can for as long as they stay hidden.
Back to our example of colorama vs. colourama: the former is designed to help Python users “make ANSI escape character sequences work under Windows”. The latter is a malicious package that uses the British spelling to trick users; it copied colorama’s original code and added malware that checks the Windows clipboard for bitcoin addresses.
It’s obvious that no one wants malware on their system.
The good news is that you’re probably already avoiding malicious packages with tools like PyPI-scan—but a package approval workflow in ProGet is a better fit. A package approval workflow protects your organization against malicious packages by giving you a verification step for every downloaded package.
Read: How to Vet and Approve PyPI Packages
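As an added example (not code from this article or from ProGet), here is the kind of check an approval workflow automates: each requested package is compared against an allowlist of vetted names, and a name that is not approved but closely resembles an approved one is flagged as a possible typosquat rather than silently treated as unknown. The allowlist and the requirements text are constructed for the example.

```python
import difflib
import re

# Constructed allowlist: names the organization has already vetted and approved.
APPROVED = {"colorama", "requests", "urllib3", "numpy", "PyYAML"}

# Constructed requirements input in pip's "name==version" form.
REQUIREMENTS = """\
colorama==0.4.6
colourama==0.4.1   # British spelling of an approved name
requests==2.31.0
reqeusts==2.31.0   # transposed letters
numpy==1.26.4
flask==3.0.0       # simply not on the allowlist
"""

def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Return normalized package names from simple requirement lines; comments and blanks are skipped."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if match:
            names.append(normalize(match.group(1)))
    return names

def check_requirements(text: str, approved: set[str], cutoff: float = 0.8) -> dict[str, list]:
    """Sort each requested package into approved, suspicious (near-miss of an approved name) or unapproved.

    'suspicious' holds (requested_name, approved_name_it_resembles) pairs; the cutoff is the
    difflib similarity ratio above which a name counts as a near miss.
    """
    approved_norm = {normalize(a) for a in approved}
    result = {"approved": [], "suspicious": [], "unapproved": []}
    for name in parse_requirements(text):
        if name in approved_norm:
            result["approved"].append(name)
            continue
        close = difflib.get_close_matches(name, sorted(approved_norm), n=1, cutoff=cutoff)
        if close:
            result["suspicious"].append((name, close[0]))
        else:
            result["unapproved"].append(name)
    return result

if __name__ == "__main__":
    for category, entries in check_requirements(REQUIREMENTS, APPROVED).items():
        print(f"{category}: {entries}")
```

Both the suspicious and the unapproved lists are candidates for a human approval decision; only the approved list should pass through to a build.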
Vulnerable Packages and Vulnerability Scanning
You know that malicious packages are intentionally made security risks. Their cousins, vulnerable packages, were made with no ill will; their vulnerabilities are discovered over time, whether a week, a month, or a year later.
A WhiteSource paper reported that a large majority of vulnerable packages are low-severity—but high-severity vulnerabilities do exist.
All Python users—yes, we mean everyone—will encounter vulnerable packages. The real danger of vulnerable packages is not being aware of how they affect you.
Consider Log4Shell on Java. To repair this vulnerability, all users had to do was upgrade to the latest version. But which applications were affected? And what libraries depended on them? How in the world can you update and fix all of that while ensuring that nothing in your application breaks?
Instead, a faster and easier solution is to use ProGet with its built-in vulnerability scanner feature. ProGet’s automated vulnerability scanning ensures that you’ll stay safe from any vulnerabilities as they’re discovered.
Read: HOWTO: Scan & Block Packages with OSS Index
Staying safe against Malicious and Vulnerable Packages
Malicious packages are easy to avoid, especially when you enact a package approval workflow as a part of your organization’s system.
By vetting third-party Python packages with a package approval workflow, you can be more confident that your organization is protected against malicious packages.
There’s no way to predict what vulnerabilities will be discovered tomorrow. While vulnerability scanning is useful, it can’t protect you 100% of the time, but it cuts a lot of time out of the manual process. Not to mention, ProGet automates the process and remembers your previous decisions, applying them to newly scanned packages.
ProGet teaches you—step-by-step—how to scan for vulnerabilities.
Sign up for our Python in the Enterprise eBook for more best practices.