Comprehensive Python Security Guide

A practitioner’s defensive reference for securing Python applications — dangerous APIs, deserialization pitfalls, framework-specific risks, supply chain attacks, LLM-era CVEs, static analysis tooling, and hardening patterns. Compiled from 81 research sources.

Table of Contents
Fundamentals
Dangerous Built-in APIs
Insecure Deserialization
Command & Code Injection
SSRF & URL Parsing in Python
Path Traversal, Tarfile, Zipfile
Cryptography & Randomness
Flask Security
Django Security
FastAPI & Other Frameworks
Jinja2 & Server-Side Template Injection
Package Supply Chain Attacks
LLM / AI Framework CVEs
ML Model Deserialization Attacks
Notable Python CVEs (Stdlib)
Static Analysis & SAST
Secure Coding Patterns
Hardening Checklist
Tool Reference
Detection Quick Reference

1. Fundamentals

Python’s dynamism is both its selling point and its largest security footgun. Classes can be instantiated from strings, modules can be imported at runtime, objects can rewrite their own deserialization hooks, and the default serializer is Turing-complete. A defender cannot rely on the language to fail safe — every dangerous capability is a first-class primitive. ...

April 10, 2026 · 28 min · Carl Sampson

Software Supply Chain Security Guide

A defender’s reference for software supply chain risks — threat model across the SDLC, package-registry attack patterns, CI/CD hardening, artifact provenance and signing, SBOMs, dependency scanning, case studies, and a checklist. Compiled from 29 research articles, advisories, and incident writeups.

Table of Contents
Fundamentals
Threat Model Across the SDLC
Package Registry Risks
Dependency Confusion, Typosquatting, Slopsquatting
Maintainer Account Compromise
CI/CD Pipeline Hardening
Container Image Provenance & Verification
SLSA Framework
Sigstore, Cosign, in-toto
SBOMs (SPDX, CycloneDX)
Dependency Scanning Tooling
Developer Host Hardening
Admission Control & Runtime Verification
Case Studies — Defensive Lessons
Detection Signals & IOCs
Defender Checklist
Reference Configurations

1. Fundamentals

A software supply chain attack compromises a dependency, tool, build system, or distribution channel that the target trusts, rather than attacking the target directly. The malicious payload rides in on a routine npm install, pip install, docker pull, or CI build — bypassing perimeter defenses because the artifact appears legitimate. ...

April 10, 2026 · 29 min · Carl Sampson