Talks - Cheuk Ting Ho: Making Python safer than ever

Cheuk Ting Ho

Learn how Python is evolving to meet modern security needs through 2FA requirements, malware detection, vulnerability monitoring, and essential best practices for developers.

Key takeaways
  • Python’s diverse user base (data scientists, students, government workers) creates unique security challenges since many users lack formal engineering backgrounds

  • Two-Factor Authentication (2FA) is now mandatory for PyPI accounts to protect package publishing and maintenance

  • Common security risks include:

    • Name confusion attacks (typosquatting)
    • Unmaintained/outdated dependencies
    • Compromised legitimate packages
    • Untracked dependencies
    • License compliance issues
  • The Python Software Foundation (PSF) has hired full-time security engineers focused on CPython and PyPI security

  • Key security improvements include:

    • PSF Advisory Database
    • Malware detection improvements
    • Faster vulnerability response times (under 60 minutes)
    • Signed Python releases using Sigstore
    • Package verification tools
  • Best practices for users:

    • Keep dependencies up to date
    • Use package-management tooling that pins and tracks dependencies, so nothing ends up untracked
    • Subscribe to security advisories
    • Verify software authenticity
    • Enable 2FA everywhere
  • Organizations should:

    • Educate employees on security practices
    • Support open source projects
    • Implement security audits
    • Use PyPI Trusted Publishers (OIDC-based publishing from CI) instead of long-lived API tokens
    • Monitor vulnerability databases
  • The Python ecosystem now provides tools like:

    • pip-audit for checking installed packages and requirements files against known vulnerabilities
    • Software Bill of Materials (SBOM) support
    • OSV vulnerability database integration
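Two of the risks listed above, name confusion and known-vulnerable dependency versions, are the ones a pre-install check can catch mechanically. The following is an added example written for this page; it is not code from the talk, from PyPI or from pip-audit. It uses only the standard library: the allow-list of known package names, the advisory (in the shape of an OSV record, with a made-up id and package name) and the installed versions are all constructed for the demo, and version ordering is simplified to the PEP 440 release segment, where pip-audit would use packaging.version.

```python
"""Offline pre-install checks: typosquat names and OSV-style affected ranges.

Added example, not code from the talk or from pip-audit. All inputs below
(allow-list, advisory, installed versions) are constructed for the demo.
"""
import re

# Constructed allow-list: names this project is actually allowed to depend on.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "cryptography", "python-dateutil"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute; each costs 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: str, known=POPULAR) -> list:
    """Known names that `requested` is close to but not equal to (after normalisation).

    Short names get a tighter threshold, otherwise three-letter names match noise.
    """
    req = normalize(requested)
    known_n = {normalize(k) for k in known}
    if req in known_n:
        return []
    limit = 1 if len(req) < 6 else 2
    return sorted(k for k in known_n if edit_distance(req, k) <= limit)


def _release(version: str) -> list:
    """Release segment as ints ("1.4.2rc1" -> [1, 4, 2]); pre/post/local labels are
    ignored in this demo, which is a simplification of PEP 440 ordering."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return [int(p) for p in m.group(0).split(".")]


def version_lt(a: str, b: str) -> bool:
    """a < b on release segments, zero-padded so that 1.4 == 1.4.0."""
    ra, rb = _release(a), _release(b)
    n = max(len(ra), len(rb))
    return ra + [0] * (n - len(ra)) < rb + [0] * (n - len(rb))


def _intervals(events: list) -> list:
    """OSV events -> (start, end, end_inclusive). OSV lists events in order:
    'introduced' opens a range ("0" = from the first release), the following
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it; None = still open."""
    out, start = [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            out.append((start, ev["fixed"], False)); start = None
        elif "last_affected" in ev and start is not None:
            out.append((start, ev["last_affected"], True)); start = None
    if start is not None:
        out.append((start, None, False))
    return out


def is_affected(package: str, version: str, advisory: dict) -> bool:
    """True if `package` at `version` falls inside an affected range of `advisory`."""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or normalize(pkg.get("name", "")) != normalize(package):
            continue
        if version in aff.get("versions", []):  # explicitly enumerated versions
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue  # GIT/SEMVER ranges are not comparable to PyPI versions
            for start, end, inclusive in _intervals(rng.get("events", [])):
                if start != "0" and version_lt(version, start):
                    continue
                if end is None or version_lt(version, end) or (inclusive and not version_lt(end, version)):
                    return True
    return False


def audit(installed: dict, advisories: list) -> dict:
    """Map each installed package to the ids of the advisories that affect it."""
    findings = {}
    for name, ver in installed.items():
        hits = [adv["id"] for adv in advisories if is_affected(name, ver, adv)]
        if hits:
            findings[name] = hits
    return findings


# Constructed advisory in OSV schema shape; the id and the package are not real.
EXAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.4.2"},
            {"introduced": "2.0"}, {"fixed": "2.1"},
        ]}],
    }],
}

if __name__ == "__main__":
    for name in ["requets", "numpi", "Requests", "colorama"]:
        print(name, "->", typosquat_candidates(name))
    installed = {"examplepkg": "1.3", "requests": "2.31.0"}  # constructed
    print(audit(installed, [EXAMPLE_ADVISORY]))  # {'examplepkg': ['EXAMPLE-0001']}
```

The edit-distance check only works against an allow-list you maintain; it flags `requets` and `numpi` but says nothing about an unrelated malicious name, which is why the talk's advice to track every dependency matters. The range matcher deliberately skips non-ECOSYSTEM ranges, since comparing a GIT commit range against a PyPI version is a common source of false negatives in home-grown scanners.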