Here are my slides and overview of my PyCon Taiwan 2024 Keynote titled "Bytes, Pipes, and People". The video will be published to YouTube, subscribe to the PyCon Taiwan YouTube channel to be notified when available.
Software security has historically been treated as extra or "nice-to-have", not a core feature that users expect. This means we have accumulated plenty of tech debt. Now there are growing incentives and requirements for producing secure software to meet user expectations.
Luckily for us, many of the tools, data, and systems already exist to help us build a culture of security for Python. These tools help relay messages between software creators and users so we can collaborate on this shared goal.
By actively participating you are starting the positive feedback loop of software security, making users safer faster!
Below is a list of actions you can take to build a culture of security for Python:
Maintainers
- Adopt Trusted Publishers if you use GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState to publish Python packages.
- Use lock files for the build and publish workflow, such as pip-tools, Poetry, or PDM.
- Adopt a lightweight security policy. Do not stress about CVEs: fix, release, publish a CVE.
- Contribute new insecure code detections to Bandit.
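To make the last item concrete, here is an added example of what an insecure-code detection looks like in practice. It is a stand-alone walker over Python's ast module written for this summary, not Bandit's plugin code (Bandit hands each call to a plugin through a context object, but the matching logic has the same shape), and the names ShellTrueDetector, Finding and scan_source are this example's own. It flags subprocess calls made with shell=True, resolves import aliases so a renamed import is not missed, and rates a literal command string lower than one built at runtime. Bandit already ships checks for this pattern; the point is the structure a new detection takes.

```python
"""Stand-alone insecure-code detection in the spirit of a Bandit check.

Added example, not Bandit's own plugin code. It walks a module's AST,
resolves import aliases, and flags subprocess calls that pass shell=True.
"""
import ast
from dataclasses import dataclass

# Functions in the subprocess module that accept a shell= keyword.
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


@dataclass
class Finding:
    line: int
    severity: str
    text: str


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class ShellTrueDetector(ast.NodeVisitor):
    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}   # local name -> fully qualified name
        self.findings: list[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:             # import subprocess as sp
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:                      # from subprocess import run as r
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def _resolve(self, func: ast.AST) -> str:
        """Map the called name back through any import aliases."""
        name = _dotted_name(func)
        head, _, rest = name.partition(".")
        head = self.aliases.get(head, head)
        return f"{head}.{rest}" if rest else head

    def visit_Call(self, node: ast.Call) -> None:
        qual = self._resolve(node.func)
        module, _, func = qual.rpartition(".")
        if module == "subprocess" and func in SUBPROCESS_FUNCS:
            shell_true = any(
                kw.arg == "shell"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true:
                # A literal command string cannot carry untrusted input by itself;
                # a string assembled at runtime is where injection risk usually sits.
                literal = (
                    bool(node.args)
                    and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)
                )
                severity = "LOW" if literal else "HIGH"
                self.findings.append(Finding(node.lineno, severity, f"{qual} called with shell=True"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return every shell=True finding in line order."""
    detector = ShellTrueDetector()
    detector.visit(ast.parse(source))
    return detector.findings


# Constructed sample module for the detector to scan (not real project code).
SAMPLE = """
import subprocess
from subprocess import run as r
import subprocess as sp

subprocess.run(["ls", "-l"])                   # argv list, no shell: not flagged
subprocess.check_output("ls -l", shell=True)   # literal command string: LOW
r(f"ls {path}", shell=True)                    # aliased import, runtime string: HIGH
sp.Popen(cmd, shell=False)                     # shell disabled: not flagged
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: [{finding.severity}] {finding.text}")
```

Running the file reports the two flagged calls on lines 7 and 8 of the sample and nothing for the argv-list and shell=False calls. A real Bandit plugin adds a test ID, a CWE reference and documentation, but the alias handling and the literal-versus-dynamic distinction are the parts that decide whether a detection is useful or noisy.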
Users
- Update dependencies that have vulnerabilities. Prioritize projects that are connected to the internet.
- Update software on a semi-regular basis to avoid running out-of-date or end-of-life software. Staying up-to-date keeps you able to upgrade to fixed versions in the future.
- Run tests with PYTHONWARNINGS set so that DeprecationWarning and PendingDeprecationWarning are treated as errors, to avoid missing deprecated features.
- Create a secure open source usage policy, using verified data to evaluate open source projects. Do not install new projects without checking your policy first.
- If you need a Software Bill-of-Materials document there are tools available to generate one. Those tools will improve over time from new Python package SBOM standards.
- Add a vulnerability scanner like pip-audit, Grype, or Trivy.
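The warnings item above is easy to get wrong in practice because Python's default filters silently drop DeprecationWarning outside the __main__ module, so a test suite can pass while depending on features about to disappear. Here is an added example (not from the keynote) that parses the same PYTHONWARNINGS value you would export before running the suite and applies those filters inside a context manager, so one test can assert that a deprecated call is caught without changing process-wide settings. The helper names (deprecations_as_errors, surfaced_warning, old_api, soon_deprecated_api) are this example's own.

```python
"""Run code with DeprecationWarning and PendingDeprecationWarning promoted to errors.

Added example, not from the keynote slides. It installs the same filters the
recommended PYTHONWARNINGS value would set at interpreter start, but scoped
to a block. Helper names are this example's own.
"""
import builtins
import re
import warnings
from contextlib import contextmanager
from typing import Optional

# The value to export before running the test suite, e.g.
#   PYTHONWARNINGS=error::DeprecationWarning,error::PendingDeprecationWarning python -m pytest
# Each comma-separated entry is action:message:category[:module[:lineno]];
# an empty message field matches every warning of that category.
PYTHONWARNINGS_VALUE = "error::DeprecationWarning,error::PendingDeprecationWarning"


@contextmanager
def deprecations_as_errors(spec: str = PYTHONWARNINGS_VALUE):
    """Apply each filter in `spec` for the duration of the block, then restore."""
    with warnings.catch_warnings():
        # Start from a clean slate: the default filters ignore DeprecationWarning
        # outside __main__, which is exactly how deprecations get missed in tests.
        warnings.resetwarnings()
        for entry in spec.split(","):
            action, message, category, module = (entry.split(":") + [""] * 4)[:4]
            warnings.filterwarnings(
                action,
                # -W treats message and module as literal text; mirror that with re.escape.
                message=re.escape(message),
                category=getattr(builtins, category) if category else Warning,
                module=re.escape(module) + r"\Z" if module else "",
            )
        yield


def old_api() -> str:
    """Stand-in for a library function that has been deprecated (constructed)."""
    warnings.warn("old_api() is deprecated; use new_api()", DeprecationWarning, stacklevel=2)
    return "result"


def soon_deprecated_api() -> str:
    """Stand-in for a function whose deprecation is still pending (constructed)."""
    warnings.warn("soon_deprecated_api() will be deprecated", PendingDeprecationWarning, stacklevel=2)
    return "result"


def new_api() -> str:
    """Stand-in for the replacement that emits no warning (constructed)."""
    return "result"


def surfaced_warning(fn) -> Optional[str]:
    """Call `fn` under the strict filters and report which warning category
    turned into an error, or None when the call completed cleanly."""
    try:
        with deprecations_as_errors():
            fn()
    except (DeprecationWarning, PendingDeprecationWarning) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for fn in (old_api, soon_deprecated_api, new_api):
        print(f"{fn.__name__}: {surfaced_warning(fn) or 'ok'}")
```

For a whole suite, the environment variable (or pytest's filterwarnings ini option with the same error::DeprecationWarning entries) is simpler than wrapping calls. Expect dependencies to trip the filter too: a third-party deprecation that fails your run is a signal to upgrade or pin that package now, which is what the list item is driving at; the module field of an entry lets you scope the error to your own packages while you work through the rest.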
Tools and Links
- What is Software Bill-of-Materials ("SBOM")?
- Trusted Publishers
- PyPI blog
- Bandit
- Warnings in Python
- pip-audit
- Scientific Python SPEC-8: "Securing the Release Process"
- Supply chain security threats (SLSA)
- Grype
- Trivy
- Ecosystem.ms
- Libraries.io
- Deps.dev
- Trusty
- pip-tools
- Poetry
- PDM
- uv
- Sigstore Python
- Yanking Python packages
References
- HTTP Archive
- Sonatype 2023 Annual State of Software Supply Chain Report
- Kushal Das for Python Language Summit photos
- StackOverflow
This work is licensed under CC BY-SA 4.0