Python is one of the programming languages that has a huge open-source supply chain. There are over 400,000 Python packages on Python Package Index (PyPI) and many more on other registries like conda-forge, mostly for scientific libraries. Making sure this and the wider Python ecosystem are secure is a huge job and requires consistent contributions.

Thanks to OpenSSF’s Alpha-Omega project and AWS, we now have a PSF Security Developer-in-Residence and PyPI Safety & Security Engineer whose responsibility includes a security audit of the PyPI codebase and infrastructure, improving security practices, and establishing metrics on security posture to show the impact.

In this talk, we will go over the work that has been done by the PSF security team and what the best practices for Python library maintainers and users are.

Goal

The goal of this talk is to draw awareness of security, especially in Python's ecosystem. It highlights how PSF is helping the community, on the other hand, it also provides advice for a user or community member on what can be done to make sure they are using Python safely.

Target audiences

Ths talk is for anyone in the Python community. If you are using Python, or your company is using Python. This talk is for you.