In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.
13. SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
15. Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on
your pages in your customers' browsers.
Hijack of legitimate user sessions
Disclosure of sensitive information
Access to privileged services and functionality
Delivery of malware and browser exploits from our trusted domain
Cross-Site Scripting
17. Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution.
Remote Command Execution
24. # unsafe flask example
@app.route("/")
def hello():
name = request.args.get('name')
return "Hello %s" % name
# using template
@app.route("/")
def hello():
name = request.args.get('name')
return render('hello.html', name=name)
# where hello.html is:
# <html>Hello {{ name }}</html>
templates
25. # Unsafe example using the Python DB API
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)
# Sanitize your parameters
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the database
sanitize
26. # Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
curs.execute(cmd)
# Using Django ORM, we assign the data to users variable
users = Users.objects.filter(zip_code=zipcode)
object-relational mapper
27. # My awesome Python skills
s = "print("Hello, World!")"
exec s
# Refactor using function
def print_hello_world():
print("Hello, World!")
print_hello_world()
avoid exec (if possible)
30. Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (using librairies as an example).
static code analysis
32. Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
34. Developers
Use a cryptographically slow hash function
(bcrypt & PBKDF2) to store password
Stored procedures if possible
Up-to-date frameworks & libraries
Devops
HTTPS
Web Application Firewall (WAF)
Intrusion prevention systems (IPS)
Up-to-date platform & infrastructure
truist… or not