Alpha-Omega × Python Software Foundation (PyCon US 2026 Sponsor Presentation)

Transcript

1. [email protected] WHAT WE’VE DONE AI IS CHANGING EVERYTHING HOW WE’RE

   PLANNING TO SURVIVE Python Security

2. Alpha-Omega “Protect society by catalyzing sustainable security improvements to the

   most critical open source software projects and ecosystems”

3. Python Software Foundation Security Developer Seth Larson Mike Fiedler PyPI

   Safety & Security Engineer

4. “AI is changing everything” ≈ Security Tools + LLMs

5. What to expect: • Security Focus Areas • What’s the

   Plan? • How YOU can Prepare • Q&A

6. Malware goes up and to the right

7. Watering Hole Attacks

8. “Watering Hole Attacks” Shai-Hulud, LiteLLM, Trivy, Phishing API Tokens Accounts

   CI/CD Pipelines Cryptocurrency Ransomware Credentials Repeat 🔁 Malicious Release 📦😈
9. None

10. 40-50% of installs are not locked/pinned!!!

11. Trusted Reporters & Quarantine

12. Python Package Index Audit #2

13. PyPI: Second Audit

14. Dependency Cooldowns Now in pip v26.1+ Available in uv, dependabot,

    renovate

15. Security Vulnerabilities

16. Vulnpocalypse # Vuln Reports 📈 # Patches, Advisories 📈 Time

    to Exploit 📉

17. ~65 CVEs

18. None
19. None

20. 7+ vulnerabilities in CPython, pip, uv 1 Critical, 3 High

    Mitigated with PyPI 💡 Hypothesis + OSS-Fuzz

21. What’s next for PSF × Alpha-Omega?

22. Goal: Mitigate “Watering Hole” Attacks

23. Stop Watering Hole Attacks • Python Package Index: ◦ Trusted

    Reporters (Auto-Quarantine) ◦ More Trusted Publishing providers ◦ Relinquishing Privileges? ( sudo Mode) ◦ “Staged Releases” • CPython: ◦ “Secure Distributions”

24. Goal: Improve Ecosystem Vulnerability “Capacity”

25. Threat Model Guide Scanning Projects Sec. Engineer Time Incident Response

26. How to prepare ...as a maintainer?

27. How to prepare ...as a maintainer? Know who to call:

    [email protected] [email protected]

28. How to prepare ...as a maintainer? #1: Zizmor #2: CodeQL,

    Semgrep, Fuzzer, LLM

29. How to prepare ...as a maintainer? Threat Model “What isn’t

    a vuln?”

30. How to prepare ...as a maintainer? Security Policy “CoC. Respect

    maintainer time”

31. How to prepare ...as a maintainer? Vulnerability Reporting (Tickets)

32. How to prepare ...as a user?

33. How to prepare ...as a user? Lock your deps! pylock.toml,

    uv.lock requirements.txt w/hashes

34. How to prepare ...as a user? Dependency Cooldowns

35. How to prepare ...as a user? Vulnerability Scanning

36. How to prepare ...as a user? Prepare for faster vuln.

    patching and exploitation

37. [email protected] 8 TALKS! Saturday, May 16th 10:30am-5:30pm Room 103ABC NEW

    Security Talk Track

38. THANK YOU! Q&A PSF Alpha-Omega PyPI