UK National Cyber Security Centre urge to drop Python 2

The UK National Cyber Security Centre (NCSC) urges developers to drop Python 2 due to imminent End-of-Life to avoid attacks on a large scale.

The UK National Cyber Security Centre (NCSC) is recommending developers to drop Python 2.x due to the imminent End-of-Life. Attackers could start targeting applications based on Python 2 on a large scale because they will not receive security updates in the future.

The end-of-life (EOL) of the Python 2 is scheduled for January 1, 2020.

“Python 2.7 will not be maintained past 2020. Originally, there was no official date. Recently, that date has been updated to January 1, 2020. This clock has been updated accordingly. My original idea was to throw a Python 2 Celebration of Life party at PyCon 2020, to celebrate everything Python 2 did for us. That idea still stands. (If this sounds interesting to you, email pythonclockorg@gmail.com).” reads the announcement on the official website.

Developers have to migrate to the newer 3.x branch to avoid security risks, the NCSC warns of the dangers for organizations that will not move to the new version.

“So, if you’re still using 2.x, it’s time to port your code to Python 3. If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing.” reads the announcement of the NCSC.

“If you maintain a library that other developers depend on, you may be preventing them from updating to 3. By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others. You may not publish any code outside of your organisation but consider your colleagues who may also be using your code internally.”

The NCSC provided a list of the latest features implemented with Python 3, also suggested some tools that could be used by developers to migrate their code.

“If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you.” continues the NCSC.

“At least one company has already announced a support package for Python 2 and Python 2 third-party packages.”

The UK agency is stressing the importance of migrating to a newer version, patching is one of the most fundamental things users can do to secure their applications and infrastructure.

The NCSC warns that delay in the migration could create the condition for incidents like WannaCry ransomware or the Equifax hack.

“The WannaCry ransomware provides a classic example of what can happen if you run unsupported software. It infected more than 230,000 computers, causing major disruption around the globe. More recently, the Equifax breach has resulted in a settlement of up to $700 million.” concludes the agency.

“By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available.“

Experts pointed out that many popular projects such as NumPy and Requests, will no longer support Python 2.x by 2020, this means that if users that want to includes their modules need to migrate to Python 3. 

“The longer you wait to update, the more the Python 3 versions of your dependencies will have changed, and the more difficult updating will become.”

Hurry Up! Move to Python 3!

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Python, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]