
How Python's New Security Developer Hopes To Help All Software Supply Chains

Saturday November 25, 2023. 11:34 PM , from Slashdot
Long-time Slashdot reader destinyland writes: The Linux Foundation recently funded a new 'security developer in residence' position for Python. (It's funded through the Linux Foundation's own 'Open Software Security foundation', which has a stated mission of partnering with open source project maintainers 'to systematically find new, as-yet-undiscovered vulnerabilities in open source code, and get them fixed to improve global software supply chain security.') The position went to the lead maintainer for the HTTP client library urllib3, the most downloaded package on the Python Package Index with over 10 billion downloads. But he hopes to create a ripple effect by demonstrating the impact of security investments in critical communities — ultimately instigating a wave of improvements to all software supply chains. (And he's also documenting everything for easy replication by other communities...)

So far he's improved the security of Python's release processes with signature audits and security-hardening automation. But he also learned that CVE numbers were being assigned to newly-discovered vulnerabilities by the National Cyber Security Division of America's Department of Homeland Security — often without talking to anyone at the Python project. So by August he'd gotten the Python Software Foundation authorized as a CVE Numbering Authority, which should lead to more detailed advisories (including remediation information), now reviewed and approved by Python's security response teams.

'The Python Software wants to help other Open Source organizations, and will be sharing lessons learned,' he writes in a blog post. And he now says he's already been communicating with the Curl program about his experiences to help them take the same step, and even authored a guide to the process for other open source projects.

Read more of this story at Slashdot.
https://developers.slashdot.org/story/23/11/25/1655226/how-pythons-new-security-developer-hopes-to-h...
