Code-dot-mil / code.mil

An experiment in open source at the Department of Defense.
https://www.code.mil
MIT License

Where can I find DoD approved Python library repo? #278

Open dpiper2126 opened 2 years ago

dpiper2126 commented 2 years ago

To whom it may concern,

I work in the Dept of Navy. I have been tasked by my leadership to get information and guidance on DoD policy and resources for using open source software libraries, especially Python libraries. Most developers go to PyPI.org (Python Package Index) to download, install and run Python libraries. It is the reality that PyPI.org contributors have found malware in approved Python open source libraries.

Here is PyPI.org’s policy and stance: “PyPI has a procedure for reporting security concerns. If someone reports a malicious package or a problem within PyPI it is addressed, but packages added to PyPI do not undergo review—this would be an unrealistic expectation of the volunteers who maintain PyPI. Therefore it is wise to assume that there are malicious packages within PyPI and behave accordingly. Reasonable steps include doing a bit of research on the package you want to install and ensuring that you carefully spell out the package name (a package named for a common misspelling of a popular package could execute malicious code).”

My main question(s):

  1. Does the DoD maintain a repository of approved Python libraries?
  2. If not, what is the DoD’s policy for developers to download and install open source packages from the internet onto their Govt machines?
  3. Does the DoD recommend any software vulnerability scanners that can be installed on Govt machines for developers to scan for vulnerabilities in the open source libraries they are using?

Any help, guidance and resources would be greatly appreciated.
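The PyPI guidance quoted in the issue (assume malicious packages exist, research what you install, watch for misspelled names) and question 1 (an approved-library list) can be turned into a mechanical check before `pip install` runs. The following is an added example, not code from code.mil or any DoD project: it reads a requirements file, rejects names that are not on an organization allowlist, flags names within two edits of an approved name as possible typosquats, and reports lines that are not pinned with `==` and a `--hash=` so that `pip install --require-hashes` can enforce them. The allowlist, the requirements text and the hash values are constructed placeholders.

```python
import re
# Constructed allowlist standing in for an organization-approved package list (hypothetical).
APPROVED = {"requests", "numpy", "cryptography", "pyyaml"}
# Constructed requirements file; the --hash values are placeholders, not real digests.
SAMPLE = """\
requests==2.31.0 --hash=sha256:PLACEHOLDER0
reqeusts==2.31.0
numpy
cryptography==41.0.0 \\
    --hash=sha256:PLACEHOLDER1
colorama==0.4.6
"""

def normalize(name: str) -> str:
    # PEP 503 normalization: lowercase; runs of '-', '_' or '.' collapse to '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; 1 or 2 against an approved name suggests a misspelling
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement(line: str):
    # Returns (normalized name, '==' version or None, has --hash) or None for blank/comment lines
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;\\]+))?", line)
    return (normalize(m.group(1)), m.group(2), "--hash=" in line) if m else None

def check_requirements(text: str, approved=APPROVED) -> list[str]:
    # One finding per problem: off-list name, near-miss of an approved name, unpinned or unhashed line
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join pip's backslash line continuations
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, version, hashed = parsed
        if name not in approved:
            near = sorted(p for p in approved if edit_distance(name, p) <= 2)
            hint = f"; looks like {near[0]} (possible typosquat)" if near else ""
            findings.append(f"{name}: not on approved list{hint}")
            continue
        if version is None:
            findings.append(f"{name}: version not pinned with ==")
        if not hashed:
            findings.append(f"{name}: no --hash= (pip --require-hashes would reject it)")
    return findings
```

Run as a CI gate, an empty result from `check_requirements` means every line names an approved package, pinned and hashed; anything else should block the install until a person has looked at it.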