The NCSC cites WannaCry ransomware as a classic example of what can happen when organisations run unsupported software, adding, "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."
Python 2 will no longer be supported as of the 1st of January 2020, with no security updates or bug fixes, hence the call to port code to Python 3 now. Continuing to use unsupported modules risks the security of your organisation and data, "as vulnerabilities will sooner or later appear which nobody is fixing," says the NCSC.
Demonstrating the scale of the problem, a blog attributed to Rich M, platform security researcher at the NCSC, provides a table of ten popular Python packages and their download statistics from the Python Package Index, showing that most downloads are still of Python 2.x versions. It notes that even if only a portion of these downloads are used in live projects, the Python 2 EOL (end of life) could affect the security of millions of systems.
Projects such as NumPy, Requests, and TensorFlow have pledged to drop support for 2.x by 2020 and some already have. The longer an organisation waits to update, the more the Python 3 versions of its dependencies will have changed, and the more difficult updating will become.
Those who maintain a library that other developers depend on may also be holding those developers back from updating to Python 3, with both sides missing out on new functionality.
The blog acknowledges that porting Python 2.x code to Python 3 can be a daunting process, but it lists tools and resources available to make it easier. These include "Supporting Python 3: An in-depth guide", a free, open source eBook that guides you through the process of adding Python 3 support. The book explains some common migration problems that might be encountered and lists ways to improve source code using the new features in Python 3.
If migrating a code base to Python 3 is not possible, another option is to pay a commercial company for Python 2 support. CentOS 7 and Debian 10 both use Python 2 and will be supported into 2024, but no further details were given.
In an email to SC Media UK, Jonathan Knudsen, senior security strategist at Synopsys, commented: "Supply chain management is critically important for organisations that create any type of product. Software is no different, as it is assembled from myriad components that each have their own risks in terms of licensing and inherent vulnerabilities.
"The impending end-of-life of Python 2 illustrates both the importance of managing a complex software supply chain of third-party components and platforms, as well as the critical need for updates. Customers will avoid or ignore updates that are not drop-dead simple, or automatic, which can result in stale deployments that are plagued by bugs that have already been fixed.
"Automated tools can ease the task of effectively managing a product's software supply chain, and thoughtful design as part of a secure software development life cycle (SDLC) can ensure that the upgrade path for a product is as easy as possible."