This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Here are my slides and overview of my PyCon Taiwan 2024 Keynote titled "Bytes, Pipes, and People". The video will be published to YouTube, subscribe to the PyCon Taiwan YouTube channel to be notified when available.

Software security has historically been treated as extra or "nice-to-have", not a core feature that users expect. This means we have accumulated plenty of tech debt. Now there are growing incentives and requirements for producing secure software to meet user expectations.

Luckily for us, many of the tools, data, and systems already exist to help us build a culture of security for Python. These tools help relay messages between software creators and users so we can collaborate on this shared goal.

By actively participating you are starting the positive feedback loop of software security, making users safer faster!

Below is a list of items that actions can implement to build a culture of security for Python:

Maintainers§

• Adopt Trusted Publishers if you use GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState to publish Python packages.
• Use lock files for the build and publish workflow, such as pip-tools, Poetry, or PDM.
• Adopt a lightweight security policy. Do not stress about CVEs: fix, release, publish a CVE.
• Contribute new insecure code detections to Bandit.

Users§

• Update dependencies that have vulnerabilities. Prioritize projects that are connected to the internet.
• Update software on a semi-regular basis to avoid out-of-date and end-of-life software. Staying up-to-date helps you being able to upgrade to fixed versions in the future.
• Run tests with PYTHONWARNINGS with DeprecationWarning and PendingDeprecationWarning set to errors to avoid missing deprecated features.
• Create a secure open source usage policy, using verified data to evaluate open source projects. Do not install new projects without checking your policy first.
• If you need a Software Bill-of-Materials document there are tools available to generate one. Those tools will improve over time from new Python package SBOM standards.
• Add a vulnerability scanner like pip-audit, Grype, or Trivy.

Tools and Links§

• What is Software Bill-of-Materials ("SBOM")?
• Trusted Publishers
• PyPI blog
• Bandit
• Warnings in Python
• pip-audit
• Scientific Python SPEC-8: "Securing the Release Process"
• Supply chain security threats (SLSA)
• Grype
• Trivy
• Ecosyste.ms
• Libraries.io
• Deps.dev
• Trusty
• pip-tools
• Poetry
• PDM
• uv
• Sigstore Python
• Yanking Python packages

References§

• HTTP Archive
• Sonatype 2023 Annual State of Software Supply Chain Report
• Kushal Das for Python Language Summit photos
• StackOverflow

That's all for this post! 👋 If you're interested in more you can read the last report.

Wow, you made it to the end!

• Share your thoughts with me on Mastodon, email, or Bluesky.
• Browse this blog’s archive of 176 entries.
• Check out this list of cool stuff I found on the internet.
• Follow this blog on RSS or the email newsletter.
• Go outside (best option)