	{"id":64948,"date":"2021-10-29T08:24:28","date_gmt":"2021-10-29T07:24:28","guid":{"rendered":"https:\/\/www.artefact.com\/?post_type=news&#038;p=64948"},"modified":"2024-09-20T17:45:46","modified_gmt":"2024-09-20T16:45:46","slug":"how-to-secure-your-python-software-supply-chain","status":"publish","type":"blog","link":"https:\/\/www.artefact.com\/br\/blog\/how-to-secure-your-python-software-supply-chain\/","title":{"rendered":"Como proteger sua cadeia de suprimentos de software Python"},"content":{"rendered":"<p><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-1 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling article-author\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-background-color:#ffffff;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-0 fusion_builder_column_1_2 1_2 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:50%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:50%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-title title fusion-title-1 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Autor<\/h2><\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27150%27%20height%3D%270%27%20viewBox%3D%270%200%20150%200%27%3E%3Crect%20width%3D%27150%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/benoit-goujon.jpeg\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left article-author-image\" style=\"width: 150px; border-radius: 54% 46% 77% 23% \/ 74% 40% 60% 26%; overflow: hidden;\" width=\"150\" height=\"auto\" \/><div class=\"fusion-title title fusion-title-2 fusion-sep-none fusion-title-text fusion-title-size-three article-author-name-title\" style=\"--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">Beno\u00eet Goujon<\/h3><\/div><div class=\"fusion-text fusion-text-1 article-author-description\"><p>Data engenheiro da Artefact<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-2 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-margin-top:40px;--awb-margin-bottom:40px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-center fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-1 fusion_builder_column_1_1 1_1 fusion-flex-column fusion-flex-align-self-center fusion-column-inner-bg-wrapper\" style=\"--awb-padding-top:20px;--awb-padding-right:20px;--awb-padding-bottom:20px;--awb-padding-left:20px;--awb-overflow:hidden;--awb-inner-bg-size:cover;--awb-border-color:rgba(10,17,40,0.1);--awb-border-top:1px;--awb-border-right:1px;--awb-border-bottom:1px;--awb-border-left:1px;--awb-border-style:solid;--awb-border-radius:4px 4px 4px 4px;--awb-inner-bg-border-radius:4px 4px 4px 4px;--awb-inner-bg-overflow:hidden;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><span class=\"fusion-column-inner-bg hover-type-none\"><a class=\"fusion-column-anchor\" href=\"https:\/\/medium.com\/artefact-engineering-and-data-science\/how-to-secure-your-python-software-supply-chain-81490f6e4ff9\" rel=\"noopener noreferrer\" target=\"_blank\"><span class=\"fusion-column-inner-bg-image\"><\/span><\/a><\/span><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-row fusion-flex-align-items-center\"><div class=\"fusion-text fusion-text-2\"><p><u>Leia nosso artigo sobre<\/u><\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-margin-right:20px;--awb-margin-left:20px;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-1 hover-type-none\"><img decoding=\"async\" width=\"4000\" height=\"992\" title=\"M\u00e9dio Blog\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png\" alt class=\"lazyload img-responsive wp-image-60582\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%274000%27%20height%3D%27992%27%20viewBox%3D%270%200%204000%20992%27%3E%3Crect%20width%3D%274000%27%20height%3D%27992%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-200x50.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-400x99.png 400w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-600x149.png 600w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-800x198.png 800w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog-1200x298.png 1200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/04\/Medium-Blog.png 4000w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 4000px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-3\"><p>.<\/p>\n<\/div><\/div><\/div><\/div><\/div><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-3 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-2 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-text fusion-text-4 description\"><p>Um guia para estar ciente dos riscos aos quais o senhor est\u00e1 exposto e algumas dicas para se proteger contra eles.<br \/>\n Um novo tipo de amea\u00e7a cibern\u00e9tica surgiu recentemente: os ataques \u00e0 cadeia de suprimentos de software. Embora raros, eles t\u00eam impactos enormes, e a prote\u00e7\u00e3o contra eles \u00e9 uma preocupa\u00e7\u00e3o crescente. Devido \u00e0 variedade de casos de uso, n\u00e3o h\u00e1 uma regra \u00fanica a ser aplicada aos seus projetos python para garantir a seguran\u00e7a e, como sempre, isso depende do seu contexto.<\/p>\n<\/div><\/div><\/div><\/div><\/div><article class=\"fusion-fullwidth fullwidth-box fusion-builder-row-4 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-flex-start fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-3 fusion_builder_column_1_1 1_1 fusion-flex-column\" style=\"--awb-bg-size:cover;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper fusion-column-has-shadow fusion-flex-justify-content-flex-start fusion-content-layout-column\"><div class=\"fusion-title title fusion-title-3 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Introdu\u00e7\u00e3o<\/h2><\/div><div class=\"fusion-text fusion-text-5\"><p>Nos setores tradicionais, uma cadeia de suprimentos \u00e9 tudo o que permite que uma empresa entregue um produto ao cliente. Por exemplo, quando o senhor compra um croissant na padaria, todos os ingredientes, a embalagem e o transporte fazem parte da cadeia de suprimentos.<\/p>\n<\/div><div class=\"fusion-text fusion-text-6\"><p>No dom\u00ednio do software, uma cadeia de suprimentos \u00e9 tudo o que afeta o software antes de sua implanta\u00e7\u00e3o na produ\u00e7\u00e3o. Ela abrange tudo, desde a fase de desenvolvimento at\u00e9 o processo de lan\u00e7amento, incluindo o c\u00f3digo que o senhor escreveu, suas depend\u00eancias, seu ambiente de compila\u00e7\u00e3o, seu IDE, seu registro de imagem - todos os componentes com os quais seu software interage em qualquer ponto!<\/p>\n<\/div><div class=\"fusion-image-element\" style=\"--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-2 hover-type-none\"><img decoding=\"async\" width=\"700\" height=\"272\" title=\"artigo-benoit1\" src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1.png\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1.png\" alt class=\"lazyload img-responsive wp-image-64951\" srcset=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27700%27%20height%3D%27272%27%20viewBox%3D%270%200%20700%20272%27%3E%3Crect%20width%3D%27700%27%20height%3D%27272%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-srcset=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1-200x78.png 200w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1-400x155.png 400w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1-600x233.png 600w, https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit1.png 700w\" data-sizes=\"auto\" data-orig-sizes=\"(max-width: 640px) 100vw, 700px\" \/><\/span><\/div><div class=\"fusion-text fusion-text-7\"><p>O termo \u201ccadeia de suprimentos\u201d veio \u00e0 tona recentemente devido a ataques cibern\u00e9ticos que tiveram um grande impacto. Entre todos os ataques, o da Solarwinds talvez seja o mais famoso. De fato, o governo dos EUA, grandes empresas de tecnologia como a Microsoft e a Intel, mas tamb\u00e9m hospitais, empresas de energia e institui\u00e7\u00f5es financeiras foram afetados.<\/p>\n<p>Ironicamente, a causa principal \u00e9 a infec\u00e7\u00e3o do Solarwinds Orion, um monitor de seguran\u00e7a de rede. O sistema de compila\u00e7\u00e3o foi comprometido e todas as novas vers\u00f5es entre mar\u00e7o e junho de 2020 foram infectadas por malware. O resultado \u00e9 que todos os clientes que atualizaram seu software durante esse per\u00edodo foram comprometidos.<\/p>\n<\/div><div class=\"fusion-text fusion-text-8\"><p>Embora o ataque da Solarwinds tenha sido amplamente coberto pela m\u00eddia, h\u00e1 dezenas de ataques semelhantes dos quais nunca ouvimos falar. Felizmente, a Cloud Native Computing Foundation mant\u00e9m o controle de todos eles em um\u00a0<a class=\"bv ig\" href=\"https:\/\/github.com\/cncf\/tag-security\/tree\/main\/supply-chain-security\/compromises\" target=\"_blank\" rel=\"noopener ugc nofollow\">reposit\u00f3rio p\u00fablico<\/a>. O senhor pode se surpreender com a acelera\u00e7\u00e3o desses ataques nos \u00faltimos anos.<\/p>\n<p>N\u00e3o \u00e9 poss\u00edvel cobrir tudo relacionado \u00e0 seguran\u00e7a da cadeia de suprimentos em uma \u00fanica postagem do blog, portanto, neste artigo, vamos nos concentrar principalmente em projetos que usam Python como linguagem principal.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-4 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">Como gerenciar suas depend\u00eancias em Python<\/h3><\/div><div class=\"fusion-text fusion-text-9\"><p>Embora o Python tenha uma filosofia de \u201cbaterias inclu\u00eddas\u201d, muitas vezes o usu\u00e1rio precisa de bibliotecas externas que podem ser baixadas do PyPI, o \u00edndice oficial de pacotes, e \u00e9 nesse ponto que o usu\u00e1rio precisa ser muito cuidadoso.<\/p>\n<p>O ecossistema Python j\u00e1 foi visado, especialmente por meio do uso de duas t\u00e9cnicas:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-1 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Esbanjamento de erros de digita\u00e7\u00e3o<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">Confus\u00e3o de depend\u00eancia<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-10\"><p>A primeira t\u00e9cnica afeta um comando que todo desenvolvedor Python j\u00e1 executou pelo menos uma vez ao longo de sua carreira:<\/p>\n<pre class=\"hp hq hr hs ht ku gv be\"><span id=\"3357\" class=\"ej je jf dm kv b kw kx ky s kz\" data-selectable-paragraph=\"\">pip install <\/span><\/pre>\n<p>Os hackers publicam pacotes com quase o mesmo nome dos pacotes existentes, esperando que o usu\u00e1rio cometa um erro de digita\u00e7\u00e3o e instale o pacote deles em vez do pacote oficial. Por exemplo, um pacote chamado\u00a0<code class=\"kg la lb lc kv b\">python3-dateutil<\/code>\u00a0em vez do oficial\u00a0<code class=\"kg la lb lc kv b\">dateutil<\/code>\u00a0tem sido\u00a0<a class=\"bv ig\" href=\"https:\/\/snyk.io\/blog\/malicious-packages-found-to-be-typo-squatting-in-pypi\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">detectado recentemente<\/a>.<\/p>\n<p>A comunidade python \u00e9\u00a0<a class=\"bv ig\" href=\"https:\/\/lwn.net\/Articles\/834078\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">trabalhando duro<\/a>\u00a0para mitigar o risco, mas o risco ainda \u00e9 alto.<\/p>\n<p>A segunda t\u00e9cnica, confus\u00e3o de depend\u00eancias, \u00e9 mais sofisticada do que a primeira e tem a ver com a forma como o\u00a0<code class=\"kg la lb lc kv b\">pip<\/code>\u00a0funciona sob o cap\u00f4.<\/p>\n<p>Dessa vez, esse comando exp\u00f5e o senhor ao risco:<\/p>\n<pre class=\"hp hq hr hs ht ku gv be\"><span id=\"a769\" class=\"ej je jf dm kv b kw kx ky s kz\" data-selectable-paragraph=\"\">pip install --extra-index-url <\/span><\/pre>\n<p>Quando o senhor digita esse comando, o que acontece \u00e9 o seguinte:<\/p>\n<\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27400%27%20height%3D%270%27%20viewBox%3D%270%200%20400%200%27%3E%3Crect%20width%3D%27400%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit2.png\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left hover-enable\" style=\"width: 400px; border-radius: 59% 41% 41% 59% \/ 29% 48% 52% 71%; overflow: hidden;\" width=\"400\" height=\"auto\" \/><div class=\"fusion-text fusion-text-11\"><p>Vamos dar um exemplo:<\/p>\n<\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27400%27%20height%3D%270%27%20viewBox%3D%270%200%20400%200%27%3E%3Crect%20width%3D%27400%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/Article-benoit3.png\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left hover-enable\" style=\"width: 400px; border-radius: 59% 41% 41% 59% \/ 29% 48% 52% 71%; overflow: hidden;\" width=\"400\" height=\"auto\" \/><div class=\"fusion-text fusion-text-12\"><p>Neste exemplo, o pacote do hacker mal-intencionado ser\u00e1 instalado no computador. De fato, o n\u00famero de vers\u00e3o mais alto est\u00e1 no \u00edndice de pacotes p\u00fablicos.<\/p>\n<p>O senhor deve ter entendido o que pode dar errado nesse processo. Algu\u00e9m com m\u00e1s inten\u00e7\u00f5es pode publicar pacotes em um reposit\u00f3rio p\u00fablico com os mesmos nomes dos pacotes hospedados nos \u00edndices internos de pacotes e marc\u00e1-los com um n\u00famero de vers\u00e3o ridiculamente alto. Al\u00e9m disso, encontrar nomes de pacotes relevantes n\u00e3o \u00e9 t\u00e3o dif\u00edcil quanto\u00a0<a class=\"bv ig\" href=\"https:\/\/\/br\/&\/#47;&#x2f;&#109;&#x65;d&#x69;u&#109;&#x2e;&#99;&#x6f;m&#x2f;&#64;&#97;&#x6c;&#101;&#x78;&#46;&#x62;i&#114;&#x73;&#97;&#x6e;\/dependency-confusion-4a5d60fec610\" rel=\"noopener\" target=\"_blank\">demonstrado por este pesquisador de seguran\u00e7a<\/a>.<\/p>\n<p>Esse comando pode ser qualificado como \u201cinseguro por design\u201d. Esse ataque aproveita um recurso do gerenciador de pacotes Python e apenas alguns desenvolvedores est\u00e3o cientes desse comportamento.<\/p>\n<\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27400%27%20height%3D%270%27%20viewBox%3D%270%200%20400%200%27%3E%3Crect%20width%3D%27400%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit4.png\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left hover-enable\" style=\"width: 400px; border-radius: 59% 41% 41% 59% \/ 29% 48% 52% 71%; overflow: hidden;\" width=\"400\" height=\"auto\" \/><div class=\"fusion-title title fusion-title-5 fusion-sep-none fusion-title-text fusion-title-size-three\" style=\"--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">Como se defender contra esses ataques \u00e0 cadeia de suprimentos<\/h3><\/div><div class=\"fusion-text fusion-text-13\"><p>Para se defender contra ataques de typo-squatting, o senhor pode usar um\u00a0<strong class=\"ij lj\">arquivo de bloqueio<\/strong>. A\u00a0<a class=\"bv ig\" href=\"https:\/\/www.youtube.com\/watch?v=VWWgkF-0cDQ\" target=\"_blank\" rel=\"noopener ugc nofollow\">bom arquivo de bloqueio<\/a>\u00a0tem os seguintes atributos:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-2 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><strong>Pinos de vers\u00e3o:<\/strong>eles tornam suas compila\u00e7\u00f5es previs\u00edveis e determin\u00edsticas.<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><strong>Hashes:<\/strong>\u00a0Eles s\u00e3o uma forma de verificar a integridade do pacote.<\/p>\n<\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><strong>Gr\u00e1fico de depend\u00eancia completo:<\/strong> isso permite que o senhor tamb\u00e9m controle as depend\u00eancias das suas depend\u00eancias.<\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-14\"><p>A boa not\u00edcia \u00e9 que existe um pacote cuja finalidade \u00e9 criar um arquivo de bloqueio para o senhor:\u00a0<code class=\"kg la lb lc kv b\">pip-tools<\/code>. Com apenas alguns comandos, o senhor pode gerar um arquivo de bloqueio com todos os atributos que descrevemos anteriormente.<\/p>\n<\/div><div class=\"fusion-text fusion-text-15\"><pre class=\"hp hq hr hs ht ku gv be\"><span id=\"0af8\" class=\"ej je jf dm kv b kw kx ky s kz\" data-selectable-paragraph=\"\">$ python3 -m venv my-env # criar um novo ambiente virtual\n<\/span><span id=\"6e92\" class=\"ej je jf dm kv b kw lk ll lm ln lo ky s kz\" data-selectable-paragraph=\"\">$ source my-env\/bin\/activate # activate it\n<\/span><span id=\"eaf3\" class=\"ej je jf dm kv b kw lk ll lm ln lo ky s kz\" data-selectable-paragraph=\"\">$ pip install pip-tools==6.3.0 # instale o pacote que permitir\u00e1 ao senhor\no senhor gerenciar adequadamente suas depend\u00eancias\n<\/span><span id=\"497e\" class=\"ej je jf dm kv b kw lk ll lm ln lo ky s kz\" data-selectable-paragraph=\"\">$ echo \u201csacremoses==0.0.46\u201d &gt;&gt; requirements.in # adicione o pacote de sua escolha em requirements.in\nsua escolha em requirements.in\n<\/span><span id=\"fb7a\" class=\"ej je jf dm kv b kw lk ll lm ln lo ky s kz\" data-selectable-paragraph=\"\">$ pip-compile --generate-hashes # compila requirements.txt com\nhashes com base no que o usu\u00e1rio colocou em requirements.in<\/span><\/pre>\n<\/div><div class=\"fusion-text fusion-text-16\"><p>Seu arquivo requirements.txt deve ter a seguinte apar\u00eancia:<\/p>\n<\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27400%27%20height%3D%270%27%20viewBox%3D%270%200%20400%200%27%3E%3Crect%20width%3D%27400%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit5.png\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left hover-enable\" style=\"width: 400px; border-radius: 59% 41% 41% 59% \/ 29% 48% 52% 71%; overflow: hidden;\" width=\"400\" height=\"auto\" \/><div class=\"fusion-text fusion-text-17\"><p>Agora que o senhor tem esse arquivo que cont\u00e9m todas as depend\u00eancias com suas vers\u00f5es e hashes associados, pode executar o seguinte comando na pr\u00f3xima vez que fizer a implanta\u00e7\u00e3o:<\/p>\n<pre class=\"hp hq hr hs ht ku gv be\"><span id=\"7aa9\" class=\"ej je jf dm kv b kw kx ky s kz\" data-selectable-paragraph=\"\">pip install --require-hashes -r requirements.txt<\/span><\/pre>\n<p>Assim, o senhor tem certeza de que os pacotes que usa na produ\u00e7\u00e3o n\u00e3o foram alterados. Supondo que o senhor tenha sido cuidadoso ao escrever seu\u00a0<code class=\"kg la lb lc kv b\">requisitos.in<\/code>\u00a0o senhor tamb\u00e9m pode ter certeza de que far\u00e1 o download do pacote que realmente deseja, pois tudo \u00e9 automatizado. N\u00e3o h\u00e1 risco de erro de digita\u00e7\u00e3o!<\/p>\n<p>Essa pr\u00e1tica recomendada \u00e9 boa para se defender contra ataques de typo-squatting, mas e quanto \u00e0 confus\u00e3o de depend\u00eancias?<\/p>\n<p>Se o senhor observar o\u00a0<code class=\"kg la lb lc kv b\">pip<\/code>\u00a0o senhor ver\u00e1 que h\u00e1 duas op\u00e7\u00f5es que podem ser usadas para baixar pacotes de um reposit\u00f3rio interno:<\/p>\n<\/div><ul style=\"--awb-line-height:27.2px;--awb-icon-width:27.2px;--awb-icon-height:27.2px;--awb-icon-margin:11.2px;--awb-content-margin:38.4px;\" class=\"fusion-checklist fusion-checklist-3 fusion-checklist-default type-icons\"><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\"><code class=\"kg la lb lc kv b\">--extra-index-url<\/code><\/div><\/li><li class=\"fusion-li-item\" style=\"\"><span class=\"icon-wrapper circle-no\"><i class=\"fusion-li-icon awb-icon-check\" aria-hidden=\"true\"><\/i><\/span><div class=\"fusion-li-item-content\">\n<p><code class=\"kg la lb lc kv b\">--index-url<\/code><\/p>\n<\/div><\/li><\/ul><div class=\"fusion-text fusion-text-18\"><p>A documenta\u00e7\u00e3o diz:<\/p>\n<\/div><img decoding=\"async\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%27400%27%20height%3D%270%27%20viewBox%3D%270%200%20400%200%27%3E%3Crect%20width%3D%27400%27%20height%3D%270%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/10\/article-benoit6.png\" alt=\"Image\" class=\"lazyload artefact-elegant-image align-left hover-enable\" style=\"width: 400px; border-radius: 59% 41% 41% 59% \/ 29% 48% 52% 71%; overflow: hidden;\" width=\"400\" height=\"auto\" \/><div class=\"fusion-text fusion-text-19\"><p>Como o senhor pode ver, h\u00e1 uma pequena diferen\u00e7a entre os dois e ela n\u00e3o \u00e9 \u00f3bvia \u00e0 primeira vista. A diferen\u00e7a \u00e9 que, se o senhor especificou o\u00a0<code class=\"kg la lb lc kv b\">--index-url<\/code>\u00a0op\u00e7\u00e3o,\u00a0<code class=\"kg la lb lc kv b\">pip<\/code>\u00a0s\u00f3 extrairia pacotes do reposit\u00f3rio com a URL que o senhor forneceu, e n\u00e3o de reposit\u00f3rios p\u00fablicos. Portanto, se quiser evitar o comportamento que descrevemos anteriormente, use\u00a0<code class=\"kg la lb lc kv b\">--index-url<\/code>\u00a0em vez de\u00a0<code class=\"kg la lb lc kv b\">--extra-index-url<\/code>\u00a0e o senhor estar\u00e1 seguro!<\/p>\n<p>Por fim, para acompanhar as vulnerabilidades mais recentes que s\u00e3o descobertas em suas depend\u00eancias, o senhor pode optar por verificar periodicamente o\u00a0<a class=\"bv ig\" href=\"https:\/\/github.com\/advisories?query=ecosystem%3Apip\" target=\"_blank\" rel=\"noopener ugc nofollow\">Consultor do GitHub database<\/a>\u00a0Ou melhor, aproveite ferramentas como\u00a0<a class=\"bv ig\" href=\"https:\/\/dependabot.com\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">dependabot<\/a>\u00a0que enviar\u00e1 automaticamente um pull request em seu reposit\u00f3rio para atualizar uma depend\u00eancia na qual uma vulnerabilidade cr\u00edtica foi identificada recentemente.<\/p>\n<\/div><div class=\"fusion-title title fusion-title-6 fusion-sep-none fusion-title-text fusion-title-size-two\" style=\"--awb-margin-bottom-small:8px;\"><h2 class=\"fusion-title-heading title-heading-left fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:50;line-height:1.2;\">Resumo<\/h2><\/div><div class=\"fusion-text fusion-text-20\"><p>Neste artigo, apresentamos o conceito de cadeia de suprimentos para o mundo do software. Estudamos especificamente como esse conceito se aplica ao ecossistema Python. O typo-squatting e a confus\u00e3o de depend\u00eancias foram explicados e solu\u00e7\u00f5es foram propostas para mitigar o risco de comprometimento.<\/p>\n<p>Essa r\u00e1pida introdu\u00e7\u00e3o \u00e0 seguran\u00e7a da cadeia de suprimentos cobriu apenas a ponta do iceberg, pois n\u00e3o tivemos a chance de discutir como a\u00a0<a class=\"bv ig\" href=\"https:\/\/about.codecov.io\/security-update\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">sistemas de constru\u00e7\u00e3o<\/a>\u00a0ou at\u00e9 mesmo o seu\u00a0<a class=\"bv ig\" href=\"https:\/\/snyk.io\/blog\/vulnerable-visual-studio-code-extensions-marketplace\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">IDEs<\/a> pode ser comprometido, mas deixo isso para outro artigo!<\/p>\n<p>Obrigado pelo senhor ter lido at\u00e9 aqui! Ficaria feliz em ouvir seus coment\u00e1rios. Se o senhor gostou da leitura, fique \u00e0 vontade para conferir nosso\u00a0<a class=\"bv ig\" href=\"https:\/\/www.artefact.com\/br\/careers\/\" target=\"_blank\" rel=\"noopener ugc nofollow\">posi\u00e7\u00f5es em aberto<\/a>\u00a0em Artefact \ud83d\ude42<\/p>\n<\/div><\/div><\/div><\/div><\/article><div class=\"fusion-fullwidth fullwidth-box fusion-builder-row-5 fusion-flex-container nonhundred-percent-fullwidth non-hundred-percent-height-scrolling\" style=\"--awb-border-radius-top-left:0px;--awb-border-radius-top-right:0px;--awb-border-radius-bottom-right:0px;--awb-border-radius-bottom-left:0px;--awb-margin-top:40px;--awb-margin-bottom:40px;--awb-flex-wrap:wrap;\" ><div class=\"fusion-builder-row fusion-row fusion-flex-align-items-center fusion-flex-justify-content-center fusion-flex-content-wrap\" style=\"max-width:calc( 1440px + 20px );margin-left: calc(-20px \/ 2 );margin-right: calc(-20px \/ 2 );\"><div class=\"fusion-layout-column fusion_builder_column fusion-builder-column-4 fusion_builder_column_1_1 1_1 fusion-flex-column fusion-flex-align-self-center\" style=\"--awb-padding-top:40px;--awb-padding-right:40px;--awb-padding-bottom:40px;--awb-padding-left:40px;--awb-overflow:hidden;--awb-bg-position:left center;--awb-bg-size:cover;--awb-border-color:rgba(10,17,40,0.1);--awb-border-style:solid;--awb-border-radius:4px 4px 4px 4px;--awb-width-large:100%;--awb-margin-top-large:0px;--awb-spacing-right-large:10px;--awb-margin-bottom-large:0px;--awb-spacing-left-large:10px;--awb-width-medium:100%;--awb-order-medium:0;--awb-spacing-right-medium:10px;--awb-spacing-left-medium:10px;--awb-width-small:100%;--awb-order-small:0;--awb-spacing-right-small:10px;--awb-spacing-left-small:10px;\"><div class=\"fusion-column-wrapper lazyload fusion-column-has-shadow fusion-flex-justify-content-center fusion-content-layout-column fusion-column-has-bg-image\" data-bg-url=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/background.jpg\" data-bg=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/background.jpg\"><div class=\"fusion-image-element\" style=\"text-align:center;--awb-margin-right:20px;--awb-margin-left:20px;--awb-max-width:150px;--awb-caption-title-font-family:var(--h2_typography-font-family);--awb-caption-title-font-weight:var(--h2_typography-font-weight);--awb-caption-title-font-style:var(--h2_typography-font-style);--awb-caption-title-size:var(--h2_typography-font-size);--awb-caption-title-transform:var(--h2_typography-text-transform);--awb-caption-title-line-height:var(--h2_typography-line-height);--awb-caption-title-letter-spacing:var(--h2_typography-letter-spacing);\"><span class=\"fusion-imageframe imageframe-none imageframe-3 hover-type-none\"><img decoding=\"async\" width=\"72\" height=\"41\" title=\"m\u00e9dio\" src=\"data:image\/svg+xml,%3Csvg%20xmlns%3D%27http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%27%20width%3D%2772%27%20height%3D%2741%27%20viewBox%3D%270%200%2072%2041%27%3E%3Crect%20width%3D%2772%27%20height%3D%2741%27%20fill-opacity%3D%220%22%2F%3E%3C%2Fsvg%3E\" data-orig-src=\"https:\/\/www.artefact.com\/\/wp-content\/uploads\/2021\/03\/medium.png\" alt class=\"lazyload img-responsive wp-image-60927\"\/><\/span><\/div><div class=\"fusion-title title fusion-title-7 fusion-sep-none fusion-title-center fusion-title-text fusion-title-size-three\" style=\"--awb-margin-top:20px;--awb-margin-bottom:0px;--awb-margin-bottom-small:8px;\"><h3 class=\"fusion-title-heading title-heading-center fusion-responsive-typography-calculated\" style=\"margin:0;--fontSize:20;line-height:1.2;\">M\u00e9dia Blog por Artefact.<\/h3><\/div><div class=\"fusion-text fusion-text-21\" style=\"--awb-content-alignment:center;\"><p>Este artigo foi publicado inicialmente no <strong>Medium.com<\/strong>.<br \/>\nSiga-nos em nosso Medium Blog !<\/p>\n<\/div><div style=\"text-align:center;\"><a class=\"fusion-button button-flat button-medium button-default fusion-button-default button-1 fusion-button-default-span fusion-button-default-type\" target=\"_blank\" rel=\"noopener noreferrer\" href=\"https:\/\/medium.com\/artefact-engineering-and-data-science\/how-to-secure-your-python-software-supply-chain-81490f6e4ff9\"><span class=\"fusion-button-text awb-button__text awb-button__text--default\">Leia nosso artigo<\/span><\/a><\/div><\/div><\/div><\/div><\/div><\/p>","protected":false},"excerpt":{"rendered":"<p>Um guia para estar ciente dos riscos aos quais o senhor est\u00e1 exposto e algumas dicas para se proteger contra eles.<\/p>","protected":false},"featured_media":68687,"parent":0,"template":"","meta":{"_acf_changed":false,"ep_exclude_from_search":false},"blog-category":[21939],"blog-language":[2991],"class_list":["post-64948","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-medium","blog-language-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog\/64948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/types\/blog"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/media\/68687"}],"wp:attachment":[{"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/media?parent=64948"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog-category?post=64948"},{"taxonomy":"blog-language","embeddable":true,"href":"https:\/\/www.artefact.com\/br\/wp-json\/wp\/v2\/blog-language?post=64948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}