UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks

NCSC likens companies continuing to use Python 2 past its EOL to tempting another WannaCry or Equifax incident.
Written by Catalin Cimpanu, Contributor

The UK's cyber-security agency today warned developers to start moving Python 2.x codebases to the 3.x branch ahead of the looming end-of-life (EOL) of Python 2, scheduled for January 1, 2020.

The UK National Cyber Security Centre (NCSC) cited security risks and possible code breakage in existing apps as the primary reasons.

"If you're still using 2.x, it's time to port your code to Python 3," the NCSC said. "If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing."

"If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency added. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others."


The agency is urging companies and developers alike to migrate their code to the newer Python version. The NCSC's blog post includes a summary of Python 3's most attractive features, as well as a list of tools that can help developers with the migration, such as Can I Use Python 3, 2to3, Six, and others.
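What the migration tools listed above leave behind is a "single source" module that runs on both interpreters, so a library author does not block dependants that are still on 2.7 while the port finishes. The module below is an added example written for this article; it is not code from the NCSC post, the Six project or 2to3. It uses only the standard library: the `from __future__` imports give Python 2 the Python 3 semantics that 2to3 would otherwise rewrite (print function, true division, text literals), and the small `text_type`/`binary_type`/`ensure_text` shim stands in for what Six provides. The function names, the log-line format and `SAMPLE_LINES` are this example's own, constructed for illustration.

```python
# Added example: a single-source module that behaves the same on Python 2.7
# and Python 3. Helper names (ensure_text, parse_log_line, summarise) and the
# sample data are constructed for this illustration, not taken from any project.
from __future__ import absolute_import, division, print_function, unicode_literals
import sys

PY2 = sys.version_info[0] == 2

if PY2:  # type aliases that the Six library would otherwise supply
    text_type = unicode  # noqa: F821 (only defined on Python 2)
    binary_type = str
    integer_types = (int, long)  # noqa: F821
else:
    text_type = str
    binary_type = bytes
    integer_types = (int,)


def ensure_text(value, encoding="utf-8"):
    """Return `value` as text on either interpreter.

    Python 2 silently mixes byte strings and unicode, so data read from a
    socket or file often goes unvalidated; Python 3 raises TypeError instead.
    Decoding once at the boundary makes both versions behave identically.
    """
    if isinstance(value, binary_type):
        return value.decode(encoding)
    if isinstance(value, text_type):
        return value
    raise TypeError("expected bytes or text, got %r" % type(value).__name__)


def parse_log_line(raw):
    """Split a constructed 'user status bytes' record into typed fields."""
    line = ensure_text(raw).strip()
    user, status, size = line.split(" ")
    # int() accepts text on both versions (Python 2 may return long).
    return {"user": user, "status": int(status), "bytes": int(size)}


def summarise(raw_lines):
    """Aggregate bytes per user and the share of requests with status >= 400."""
    totals = {}
    failed = 0
    for raw in raw_lines:
        rec = parse_log_line(raw)
        totals[rec["user"]] = totals.get(rec["user"], 0) + rec["bytes"]
        if rec["status"] >= 400:
            failed += 1
    # With `division` imported, / is true division on both interpreters;
    # without it Python 2 would truncate 2/3 to 0.
    failure_rate = failed / len(raw_lines) if raw_lines else 0.0
    # .items() exists on both; Python 2's .iteritems() does not exist on 3.
    return {"totals": dict(totals.items()), "failure_rate": failure_rate}


# Constructed sample input: one record arrives as bytes (as it would from a
# socket), the others as text, which is exactly the mix Python 2 tolerates.
SAMPLE_LINES = [b"alice 200 512", "bob 404 0", "alice 500 128"]

if __name__ == "__main__":
    print(summarise(SAMPLE_LINES))
```

Run it under `python2.7` and `python3` to confirm the output matches; dropping the `division` import or the `ensure_text` call is a quick way to see the two interpreters diverge.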

"If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," the NCSC said.

NCSC: If you don't migrate, you should expect security incidents

The agency warns that companies who don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims.

"At the NCSC we are always stressing the importance of patching. It's not always easy, but patching is one of the most fundamental things you can do to secure your technology," the agency said.

"The WannaCry ransomware provides a classic example of what can happen if you run unsupported software," it said. "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."

Python's popularity makes updating code imperative

The NCSC is warning companies about Python 2's impending EOL because of the language's success.

Since its creation in the early 1990s, Python has conquered the programming world and is today one of the most in-demand, best-paid, most-studied, and most-discussed languages.

It is also widely used in production environments, at companies such as Google, Facebook, and Netflix, and it consistently sits near the top of programming language rankings, with some of those rankings predicting it will overtake both C and Java in the coming years.

Currently, despite efforts from the Python team to get developers to migrate, a considerable number of developers and Python libraries still rely on the older 2.x branch.
