An organization’s web presence is one of the most valuable and most vulnerable parts of its network, as being able to interact with customers online is crucial to the success of the modern business. However, every piece of code that the organization exposes to the Internet is a potential entry point for attackers.
When considering web application and web API security, most organizations focus on current threats, like recently discovered vulnerabilities in their web-facing infrastructure. However, longer-term events, like the upcoming end of life of Python 2, can have significant ramifications for the security of an organization’s web applications and web APIs.
Python 2 End of Life Approaches
Currently, Python is really two different “languages”. In 2006, the Python Software Foundation released Python 3, which implemented a “hard fork” from Python 2. While the overall structure of the programming language stayed the same, many of the implementation details differed. Over time, the two have diverged further, so that programs written in one version are not valid in the other. The Python Software Foundation has been trying to get developers to switch over from Python 2 to Python 3 for years. However, the final deadline is approaching, since Python 2 will no longer be supported after January 1, 2020.
This end of life for Python 2 means that it will no longer receive support from developers. If a security issue is discovered in the Python 2 code, no official patch will be released, though some organizations may “unofficially” support Python 2 past the deadline. As a result, the 13% of developers who still use Python 2 as their programming language will be on their own.
However, the impacts of the Python 2 end of life are not limited to new code. All of an organization’s existing code base that is dependent upon Python 2 code will be potentially vulnerable. Since Dropbox, which had the creator of Python on staff for a while, took 3 years to make the transition from Python 2 to Python 3, the expense of making the transition can be significant.
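Because Python 2 code is no longer valid Python 3, a migration inventory can use Python 3’s own parser to find the files that still depend on Python 2. The following audit script is an added example (not from this article or any official tool); its marker patterns are assumptions chosen for this illustration, and the sample inputs in its usage are constructed.

```python
"""Inventory Python 2-only source files under a directory.

Added example: a file is reported as Python 2-only when Python 3's parser
rejects it AND a recognisable Python 2 construct is present. The marker
patterns below are heuristics assumed for this example, not a standard.
"""
import ast
import re
from pathlib import Path

# Constructs that no longer parse under Python 3 (assumed indicators).
PY2_MARKERS = {
    "print statement": re.compile(r"^\s*print\s+[^(\s]"),
    "except X, e": re.compile(r"^\s*except\s+\w[\w.]*\s*,\s*\w+\s*:"),
    "exec statement": re.compile(r"^\s*exec\s+[\"']"),
    "backtick repr": re.compile(r"`[^`]+`"),
    "python2 shebang": re.compile(r"^#!.*python2"),
}


def classify_source(src: str) -> dict:
    """Return parse status and the Python 2 markers found in one source text."""
    try:
        ast.parse(src)          # Python 3 grammar; Python 2-only syntax fails here
        parses = True
    except SyntaxError:
        parses = False
    found = set()
    for line in src.splitlines():
        for name, rx in PY2_MARKERS.items():
            if rx.search(line):
                found.add(name)
    # Flag only when the parse failure is explained by a known Python 2 construct,
    # so a merely broken Python 3 file is not mis-reported as a migration item.
    return {"parses_py3": parses, "markers": sorted(found),
            "py2_only": (not parses) and bool(found)}


def audit_tree(root: Path) -> dict:
    """Map each .py file below root to its classification."""
    return {str(p.relative_to(root)): classify_source(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.py"))}


if __name__ == "__main__":
    import sys
    report = audit_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "."))
    for path, info in report.items():
        if info["py2_only"]:
            print(f"{path}: Python 2 only ({', '.join(info['markers'])})")
```

Run it against the root of an API code base to get a list of files that will stop receiving upstream fixes after the end-of-life date; files that parse under Python 3 may still rely on Python 2-only libraries, which this syntax check does not detect.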
API Security Impacts of the End of Python 2
The Python 2 end of life has far-reaching impacts. Python is one of the most widely used programming languages in the world, and a significant percentage of applications use Python 2. In fact, millions of downloads of Python 2 packages occur every month, and, for operating systems like Mac OS X Catalina, Python 2.7 is the version of the programming language that comes installed by default. Many organizations also have existing codebases using Python 2.x that will be difficult and time-consuming to migrate to Python 3.
However, one type of software that may be significantly impacted by the Python 2 end of life is APIs. While NodeJs is the most common API programming language in use, Python comes in second, accounting for 21.7% of APIs. And while many of these APIs may be written in Python 3, a significant number are likely using the soon-to-be-deprecated Python 2.
An organization’s web APIs are probably the most vulnerable part of its network. An API is intentionally exposed to the public Internet and is designed to allow a user to access potentially sensitive information or processing capabilities without going through the organization’s web page. This can be a huge asset, since it dramatically decreases the overhead associated with responding to requests, allows automation, and permits more flexible queries. However, all of these features can also be an asset to an attacker, who can use them to steal data or perform a Denial of Service attack against an organization.
For APIs written using Python 2.x, the upcoming end of life can have significant security impacts. If vulnerabilities are discovered in Python 2, and no official patch is available, organizations will have to make the difficult decision between accepting the risk of the vulnerability, making the effort to migrate API functionality to Python 3 (or another programming language), or using an “unofficial” patch, which may be malware in disguise. With the end of Python 2 fast approaching, it is important to make these decisions and start the process as soon as possible since, as in the case of Dropbox, full migration could take months or even years.
Securing Deprecated Languages
In general, the primary focus when a language reaches end of life is usually on functionality issues. After January 1, 2020, anything that breaks in Python 2 will not be fixed, which can have significant implications for organizations using the language in critical systems. However, these implications are not limited to functionality. The Python developers have been warning programmers for years that Python 2 will be deprecated (and even pushed out the deadline at one point), so they are unlikely to be sympathetic if a security vulnerability is discovered that requires patching. Unlike other cases of “deprecated” software, Python 2 is unlikely to receive any official patches starting in 2020, regardless of the potential repercussions.
Organizations using Python 2 in web APIs need to start considering their options now. Currently, Python 2 is not considered vulnerable, but this can change rapidly. Securing an organization’s web presence requires either a move to a different, supported programming language or deploying security solutions for web APIs that could help to identify and block potential exploitation of future vulnerabilities.