Safeguard
Application Security

Python security best practices cheat sheet

A no-fluff cheat sheet of concrete Python security fixes—dependency pinning, pickle/eval risks, PyPI trust signals, and CI gates—with real CVEs and commands.

Priya Mehta
DevSecOps Engineer
1 min read

Python powers over 40% of new backend services started in 2025, according to the Stack Overflow Developer Survey, and it also sits behind some of the most consequential supply chain incidents of the last three years: the ctx and phpass typosquat campaigns, the ua-parser-js-style compromise of python-ua-parser, and thousands of PyPI packages caught mimicking popular libraries. Security teams inheriting Python codebases are usually fighting three problems at once: an ecosystem with no built-in package signing until recently, a dependency graph that balloons fast (a typical Django app pulls 60-120 transitive packages), and a language flexible enough that pickle.loads() or eval() calls slip into production without review. This cheat sheet skips the generic "keep dependencies updated" advice and gives specific commands, version thresholds, and configuration you can apply this week to close the gaps attackers actually use.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.