Security Implications of Python 2.7 End of Life

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Jan. 1, 2020 marks the date on which all versions of 2.x Python will no longer be supported. According to Serdar Yegulap of InfoWorld, it "marks a transition from the older, less capable, widely used version of Python to a newer, more powerful version that still trails its predecessor in adoption". Most people believe this is a good thing. Python 3 fixes some design flaws and redundancies that existed in the ever-popular 2.7 version. It makes the code sleeker and more elegant. But those changes also mean that old scripts written in 2.x will not automatically be compatible with Python 3. It should be understood that just because EOL support will cease on January 1, 2020 that not all 2.x code will be rendered completely useless. It just means there won't be dedicated support to make needed functional or security-related fixes. The UK National Cyber Security Centre (NCSC) is making an effort to get the word out ahead of the EOL date to give organizations ample time to port their code to Python 3. This doesn't just go for scripters enhancing operational tools or automating internal tasks, but also for those that maintain libraries on which others' scripts are dependent. Delaying the update requires others to assume that risk until a viable Python 3 version of the library exists. The NSCS has even suggested that those who don't invest in this migration will be exposed to another WannaCry or Equifax-level incident. In an official statement, the NSCS stated: "At the NCSC we are always stressing the importance of patching. It’s not always easy, but patching is one of the most fundamental things you can do to secure your technology." The WannaCry ransomware provides a classic example of what can happen if you run unsupported software. By deciding to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software.