Talks - Cheuk Ting Ho: Making Python safer than ever

Python’s diverse user base (data scientists, students, government workers) creates unique security challenges since many users lack formal engineering backgrounds

Two-Factor Authentication (2FA) is now mandatory for PyPI accounts to protect package publishing and maintenance

Common security risks include:

• Name confusion attacks (typosquatting)
• Unmaintained/outdated dependencies
• Compromised legitimate packages
• Untracked dependencies
• License compliance issues

The Python Software Foundation (PSF) has hired full-time security engineers focused on CPython and PyPI security

Key security improvements include:

• PSF Advisory Database
• Malware detection improvements
• Faster vulnerability response times (under 60 minutes)
• Signed Python releases using Sigstore
• Package verification tools

Best practices for users:

• Keep dependencies up to date
• Use package management tools
• Subscribe to security advisories
• Verify software authenticity
• Enable 2FA everywhere

Organizations should:

• Educate employees on security practices
• Support open source projects
• Implement security audits
• Use trusted publishers
• Monitor vulnerability databases

The Python ecosystem now provides tools like:

• pip audit for checking vulnerabilities
• Software Bill of Materials (SBOM) support
• OSV vulnerability database integration