Python Security: Because "Nobody Would Hack my Project" is not a Security Strategy

By Pamphile Roy

Elevator Pitch

Python is everywhere! With its success comes increasing security risks. Malicious actors are exploiting our open-source ecosystem: PyPI is being misused, CI/CD pipelines are under attack, and even trusted maintainers have gone rogue. Join us to learn how to contribute to a safer Python ecosystem.

Description

Open Source Software (OSS), and with it Python, has become ubiquitous. From universities to businesses, the world depends on Python. This prominence is attracting malicious actors, and we have been seeing an increasing number of attacks. Our Open Source culture is arguably one of Python’s greatest strengths, but it also brings various attack vectors: PyPI is being misappropriated, Continuous Integration systems are being abused, and contributors are infiltrating packages. There are even cases of maintainers going rogue.

Securing the software supply chain is a challenge, and there have been many changes in this space: from policy makers, with the notable introduction in Europe of rules for commercial OSS (the Cyber Resilience Act), to the Python Packaging Authority and the new position of PSF Security Developer-in-Residence.

After an introduction to the security challenges we, as the Python community, are facing, we will walk through some scenarios, moving from a user’s to a maintainer’s perspective. We will focus on actionable steps that can be taken to use Python more safely. The talk closes with a general call to action for both maintainers and users to follow best practices and engage with security experts.

The Python community is vibrant, and individuals with security expertise, from the PSF to smaller organizations and projects, are here to help and support us in staying safe.

Notes

We’ve seen these threats firsthand. Pamphile Roy, a SciPy core maintainer and member of Scientific Python’s SPEC Steering Council, knows the impact of security risks as a maintainer of an OSS library. Benjamin Müllner, a Staff IT Security Engineer, specializes in vulnerability and patch management, securing development environments while building in-house security tooling. Together, we bring deep expertise from both the research and security worlds.