Python Security: Because "Nobody Would Hack my Project" is not a Security Strategy
Open Source Software (OSS), and with it Python, has become ubiquitous. From universities to businesses, the world depends on Python. This prominence is attracting malicious actors, and we have been seeing an increasing number of attacks. Our Open Source culture is arguably one of Python’s greatest strengths, but with it also come various attack vectors. PyPI is being misappropriated, Continuous Integration systems are being abused, and contributors are infiltrating packages. There are even cases of maintainers going rogue.
Securing the software supply chain is a challenge. From policy makers, with the notable introduction in Europe of rules for commercial OSS (the Cyber Resilience Act), to the Python Packaging Authority, to the new position of PSF Security Developer-in-Residence, there have been a lot of changes in this space.
After an introduction to the security challenges we as the Python community are facing, we will walk through some scenarios, moving from a user’s to a maintainer’s perspective. We will focus on actionable steps that can be taken to use Python more safely. The talk closes with a general call to action for both maintainers and users to follow best practices and engage with security experts.
The Python community is vibrant, and individuals with security expertise, from the PSF down to smaller organizations and projects, are here to help and support us in staying safe.
Senior Software Engineer. SciPy and SALib maintainer. Scientific Python SPEC Steering Committee.
Publications: https://www.researchgate.net/profile/Pamphile-Roy/publications