The UK National Cyber Security Centre (NCSC) has warned developers to migrate from Python 2.X to Python 3.X based code ahead of the upcoming end-of-life date of January 1st, 2020. Organizations that continue to use unsupported Python 2.X as of January 1st, 2020 can face serious security implications.
Technical detail and additional information
What is the threat?
As of January 1st, 2020, bug fixes and security updates will no longer be provided by Python’s core developers. Any organization that continues to use Python 2.X based code in its production environment is increasing its security risk.
Why is this noteworthy?
Released in 2000, Python 2.X has been one of the most popular and successful modern programming languages. Python’s team has attempted to get developers to migrate away from Python 2.X for quite some time but has been unsuccessful due to its popularity. It is commonly used within the production environments of organizations.
What is the exposure or risk?
Migrating away from existing Python 2.X based code can be a massive undertaking for any organization. Millions of Python packages are downloaded per month, with the majority being Python 2.X based. Some of the most popular Python projects, such as NumPy, Requests and TensorFlow, have pledged to drop support for 2.X by 2020. By continuing to use Python 2.X in production environments, companies are exposing themselves to potential data breaches.
What are the recommendations?
The NCSC warns that companies that don’t invest in migrating to Python 3.X “are accepting all the risks that come with using unsupported software, while knowing that a secure version is available”. If migrating existing code to Python 3.X is not possible, another option is to pay a commercial company to support Python 2.X for your organization. Python’s website provides further documentation on migrating code: https://docs.python.org/3/howto/pyporting.html.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.