Overview
Learn about the "Phantom Dependency Problem" in Python packaging through this 36-minute conference talk, which explores how bundled dependencies often remain invisible to security scanning tools. Discover why Python packages frequently include compiled C, C++, and Rust dependencies that aren't represented in package metadata, creating blind spots for software composition analysis (SCA), software bill of materials (SBOM) generation, and vulnerability scanning tools. Explore the prevalence of this issue across software package ecosystems, with particular focus on PyPI, where the problem is most common. Understand how the absence of bundled software from package metadata can cause security vulnerabilities to be missed and can complicate software supply chain management. Examine the standards and tooling work undertaken by the Python Software Foundation's Security Developer-in-Residence to address this challenge. Gain insights into how SBOM and SCA tools function, what solutions have been implemented to make bundled dependencies measurable and detectable, and the practical implications these improvements have for Python developers and security professionals managing software dependencies.
Syllabus
Solving the Phantom Dependency Problem for Python Packages - Seth Larson, Python Software Foundation
Taught by
Linux Foundation