Python security and you(Pythonのセキュリティとあなた)

Hello I am Cheuk

  • Open-Source contributor

  • Organisers of community events

  • PSF director and fellow
  • Community manager at OpenSSF

What is important when choosing a place to live?

Safety is important

Even when using software at home

Security in Python

If you ask me, it is extra important

Who is using Python?

  • Researchers
  • Data Scientist
  • Bank - financial industry
  • Government
  • Teachers
  • Anyone - you and me

What makes Python vulnerable?

  • Board adaptation
  • Diverse user profile
  • First programming language
  • Users not nesscery having engineering background

We need to protect Python users

Do you know what are the most commmon issues in OSS?

Top 10 risks with OSS

drum rolls.....

Top 10 risks with OSS

  1. Known Vulnerabilities
  2. Compromise of Legitimate Package
  3. Name Confusion Attacks
  4. Unmaintained Software
  5. Outdated Software
  6. Untracked Dependencies
  7. License Risk
  8. Immature Software
  9. Unapproved Changes (mutable)
  10. Under/over-sized Dependency

PSF has hired 2 full-time engineers to help us

Seth Michael Larson

Security Developer-in-Residence
(funded by Alpha-Omega)

Mike Fiedler

PyPI Safety & Security Engineer
(funded by AWS)

This is what we do

How do you know if a
    Python release artifact is legitimate?

Signed Releases
with Sigstore


  • Sign and verify software
  • identity-based, “keyless” signing
  • Signing events are logged in Rekor
  • transparency log providing an auditable record

Starting with the Python 3.11.0, Python 3.10.7, Python 3.9.14, Python 3.8.14, and Python 3.7.14 releases


 CPython release artifacts are additionally signed with Sigstore

Use Sigstore to varify

      - uses: sigstore/gh-action-sigstore-python@v0.2.0
          inputs: foo.txt

Do you know we have a Python Security
Response Team (PSRT)?

The PSRT accepts security reports for

  • CPython
    (supported and end-of-life)
  • pip

Vulnerability handled by PSRT

  • The reporter reports the vulnerability privately 
  • If the report constitutes a vulnerability, the PSRT will work privately with the reporter
  • The project creates a new release
  • The project publicly announces the vulnerability and describes how to apply the fix via an advisory (public)

PSF has become a CVE Numbering Authority (CNA)

CVEs are numbers for documenting vulnerabilities

  • A unique, alphanumeric identifier
    e.g. CVE-2022-48564
  • Enhance communication to discuss, share, and correlate information about a specific vulnerability

By becoming a CNA we can assign CVE IDs to vulnerabilities in CPython and Pip

Open Source Vulnerability DBs

PyPA Advisory Database

  • for CPython from CVEs
  • can use pip-audit for packages on PyPI
  • now published to the OSV Vulnerability Database
  • compatible with the OSV API to scan vulnerabilities
  • more visibility

But that's not it!

We have action items for you

Maintainers of Python projects:

Users of Python projects:

  • Keep your dependencies locked and up-to-date
  • Subscribe for advisories:
  • Use pip-audit to audit your dependencies for known vulnerabilities
  • Alternatively you can use OSV API

Companies using Python (or any OSS) projects:

  • Support OpenSSF's work by becoming a member
  • Educate their employees - free courses on LF catalogue
  • Encourage engineering and data science teams to follow best practices

Securing our community

Thank you

OpenSSF and Alpha-Omega

For supporting PSF to have Seth to help us


Glab the slides:

Thank you ❤️

Python security and you(Pythonのセキュリティとあなた)

By Cheuk Ting Ho

Python security and you(Pythonのセキュリティとあなた)

  • 195