Talks - Cheuk Ting Ho: Making Python safer than ever

Learn how Python is evolving to meet modern security needs through 2FA requirements, malware detection, vulnerability monitoring, and essential best practices for developers.

Key takeaways
  • Python’s diverse user base (data scientists, students, government workers) creates unique security challenges since many users lack formal engineering backgrounds

  • Two-Factor Authentication (2FA) is now mandatory for PyPI accounts to protect package publishing and maintenance

  • Common security risks include:

    • Name confusion attacks (typosquatting)
    • Unmaintained/outdated dependencies
    • Compromised legitimate packages
    • Untracked dependencies
    • License compliance issues
  • The Python Software Foundation (PSF) has hired full-time security engineers focused on CPython and PyPI security

  • Key security improvements include:

    • PSF Advisory Database
    • Malware detection improvements
    • Faster vulnerability response times (under 60 minutes)
    • Signed Python releases using Sigstore
    • Package verification tools
  • Best practices for users:

    • Keep dependencies up to date
    • Use package management tools
    • Subscribe to security advisories
    • Verify software authenticity
    • Enable 2FA everywhere
  • Organizations should:

    • Educate employees on security practices
    • Support open source projects
    • Implement security audits
    • Use trusted publishers
    • Monitor vulnerability databases
  • The Python ecosystem now provides tools like:

    • pip-audit for checking installed packages and requirements against known vulnerabilities
    • Software Bill of Materials (SBOM) support
    • OSV vulnerability database integration
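As an added illustration (not code from the talk, from pip-audit or from OSV), here is the core matching step such tools perform: exact pins from a requirements file are checked against one constructed OSV-shaped advisory with a fictitious package and id, using a simplified version comparison that handles only dotted numeric versions.

```python
import re

ADVISORY = {  # constructed OSV-shaped advisory; placeholder id and package name
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplepkg"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
    }],
}

# Constructed requirements.txt content with exact pins.
REQUIREMENTS = """\
examplepkg==1.3.0   # inside [1.2.0, 1.4.1): affected
examplepkg==1.4.1   # the fixed version itself: not affected
otherpkg==2.0.0     # no advisory: not affected
"""

def parse_version(v):
    """Simplified: dotted numeric versions only (no pre-release or local tags)."""
    return tuple(int(p) for p in v.split("."))

def parse_pins(text):
    """Yield (name, version) for each 'name==x.y.z' line, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line):
            yield m.group(1).lower(), m.group(2)

def in_range(events, ver):
    """OSV events are ordered: 'introduced' opens a half-open range, the next 'fixed' closes it."""
    lo = None
    for ev in events:
        if "introduced" in ev:
            lo = () if ev["introduced"] == "0" else parse_version(ev["introduced"])
        elif "fixed" in ev and lo is not None:
            if lo <= ver < parse_version(ev["fixed"]):
                return True
            lo = None
    return lo is not None and ver >= lo  # unclosed 'introduced' affects all later versions

def is_affected(advisory, name, version):
    ver = parse_version(version)
    return any(in_range(r["events"], ver)
               for aff in advisory["affected"]
               if aff["package"]["ecosystem"] == "PyPI" and aff["package"]["name"].lower() == name
               for r in aff["ranges"] if r["type"] == "ECOSYSTEM")

def audit(requirements, advisories):
    """Return (package, version, advisory id) for every affected pin."""
    return [(n, v, adv["id"]) for n, v in parse_pins(requirements)
            for adv in advisories if is_affected(adv, n, v)]
```

A real audit additionally resolves transitive dependencies and uses PEP 440 version ordering, which is why the talk points to pip-audit rather than a hand-written check.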