Announced in early July, the security measure has been largely well received by Python’s community, although one well-known developer opted to delete their package from PyPI and republish it as a new project, shedding the ‘critical’ designation in the process.
As the data above shows, Python has overtaken many leading programming languages to become one of the most widely used in recent years, and protecting its most valuable projects with an extra layer of account security adds a further element of trust.

Under the new measure, any PyPI project in the top 1% of downloads over the preceding six months, together with every project PyPI itself depends on, is labelled ‘critical’, and its maintainers are required to enable two-factor authentication. “In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” noted the PyPI admins on the project’s website.

The move to 2FA follows a series of incidents in which legitimate libraries were hijacked, both on PyPI and in the far larger npm registry. Throughout 2021, heavily downloaded npm libraries such as ‘ua-parser-js’, ‘coa’ and ‘rc’ were altered to carry malware after their maintainers’ accounts were compromised. That prompted GitHub, npm’s parent company, to begin requiring 2FA for the maintainers of the most popular packages towards the end of last year, with the requirement extended in May 2022.

Things came to a head in recent weeks with the news, reported by BleepingComputer, that the PyPI project ‘ctx’ had been hijacked. It later emerged that ‘ctx’ was the victim of an ‘ethical’ hacking experiment that had gone wrong: the attacker re-registered the expired domain behind the maintainer’s e-mail address and used it to reset the account password, a takeover that a second factor on the account would have blocked. The platform took the incident seriously enough to overhaul how its most important projects are protected.
Free Hardware Security Keys for Critical Projects
To help smooth the transition to 2FA, the Python Package Index is giving away 4,000 Google Titan security keys to the maintainers of critical projects. The weak point here is not the language itself, which benefits from a large number of contributors continually reviewing and improving it, but the package ecosystem around it: attackers exploit the constant flow of new releases by publishing malicious packages whose names closely resemble those of legitimate ones (so-called typosquatting), and use them to backdoor the Windows, Linux and Apple machines of anyone who installs them, a technique that falls under the broader heading of software supply chain attacks. Together with the Linux Foundation’s Open Source Security Foundation (OpenSSF), Google is aiming to take on the threat of malicious packages and open-source supply chain attacks. In the space of a single month, Google identified more than 200 malicious JavaScript and Python packages, and highlighted the ‘devastating consequences’ for developers, and the organizations they write code for, of installing them.
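Typosquatting works because a dependency list is rarely read letter by letter. The following script, added here as an illustration and not code from PyPI, Google or OpenSSF, normalizes package names the way PyPI does (PEP 503) and flags any entry in a requirements file whose name is within a small edit distance of a well-known package. The list of popular names and the sample requirements file are constructed for the example; in practice the list would be loaded from real download statistics.

```python
"""Added example: flag requirements entries that look like typosquats of
well-known PyPI packages. Illustrative code for this article, not PyPI's
own tooling. POPULAR and SAMPLE_REQUIREMENTS are constructed samples."""

import re

# Constructed sample of well-known names (assumption: a real check would load
# PyPI's top-downloads list rather than this hand-picked handful).
POPULAR = ["requests", "urllib3", "numpy", "setuptools", "six", "certifi",
           "python-dateutil", "pyyaml", "cryptography", "boto3"]

# Constructed sample requirements.txt with a few look-alike names mixed in.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.28.1
reqeusts>=2.0          # transposed letters
python-dateutils       # extra 's'
urlib3                 # dropped letter
Cryptography==37.0.4   # only case differs: normalizes to the real name
boto3
-e git+https://example.invalid/repo.git#egg=foo
"""


def normalize(name):
    """PEP 503 normalization: lowercase, any run of '-', '_' or '.' becomes '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Distribution name from one requirements.txt line, or None for blank
    lines, comments, pip options and URL/path requirements."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or "://" in line or line.startswith("."):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def suspicious(name, popular=POPULAR, max_distance=2):
    """Return the popular package `name` most closely resembles, or None.
    An exact match after normalization is the genuine package, not a squat."""
    n = normalize(name)
    best = None
    for p in popular:
        pn = normalize(p)
        if n == pn:
            return None
        # Short names collide by accident, so allow only a single edit there.
        limit = 1 if len(pn) <= 5 else max_distance
        d = levenshtein(n, pn)
        if d <= limit and (best is None or d < best[1]):
            best = (p, d)
    return best[0] if best else None


def check_requirements(text, popular=POPULAR):
    """Return [(requested_name, look_alike_popular_name), ...] for the file."""
    findings = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        lookalike = suspicious(name, popular)
        if lookalike:
            findings.append((name, lookalike))
    return findings


if __name__ == "__main__":
    for requested, genuine in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} looks like {genuine!r}")
```

Run against the constructed file it reports `reqeusts`, `python-dateutils` and `urlib3`, while `Cryptography` passes because PEP 503 normalization maps it to the real name. A flagged name is a prompt to check the project page on PyPI before installing, not proof of malice; legitimately similar names exist, which is why the threshold is tightened for short names.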
Python’s Open-Source Framework Remains the Best for Businesses
Despite the recent announcement that 2FA is to be required for Python’s leading projects, the language remains one of the best options for businesses seeking to build their online presence today. The fundamental reason is its open-source model, under which many more eyes can look at, identify and fix emerging problems quickly. Some onlookers argue that open code is open to attackers as well, but in practice this works in favor of the far larger pool of contributors who spot and remedy vulnerabilities. In Python’s case, white-hat researchers, contributors and users work in tandem, finding issues and acting on them promptly. It is also a significant benefit for businesses engaging Python development services, whose developers can work closely and directly with the language in a way that closed commercial platforms cannot offer.

This latest security measure immediately strengthens the most heavily used projects in the ecosystem. The remaining 99% of projects are not required to switch to 2FA, although their maintainers can enable it voluntarily, as PyPI has allowed for some time. One caveat for practitioners: 2FA protects the publishing account, not the consumer. It does nothing against typosquatted packages, and anyone installing from PyPI should still pin exact versions and hashes (for instance with pip’s --require-hashes mode) so that a hijacked or look-alike release cannot slip in unnoticed. As the global push towards digital transformation accelerates, Python has proved itself a market leader in web development, owing to its sprawling network of open-source libraries. The move to require 2FA on its biggest projects is a considerable step in the right direction for a language that still has plenty of room to grow.