
Is your python application secure? - PyCon Canada - 2015-11-07

In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.

1. Is your Python application secure? Frédéric Harper, @fharper, http://immun.io, Sr. Technical Evangelist @ IMMUNIO. PyCon Canada – 2015-11-07 (Creative Commons: https://flic.kr/p/34T4Z)
2. is security important? (Creative Commons: https://flic.kr/p/s8hvJo)
3. do you have time? (Creative Commons: https://flic.kr/p/b7wRTX)
4. do you have the expertise? (Creative Commons: https://flic.kr/p/n7qDvJ)
5. do you have the money? (Creative Commons: https://flic.kr/p/rAG5dm)
6. is your app that secure? (Creative Commons: https://flic.kr/p/bY6uU7)
7. what about legacy apps? (Creative Commons: https://flic.kr/p/7fFQug)
8. it’s probably happening, now (Creative Commons: https://flic.kr/p/acnkbU)
9. ...
10. warning (Creative Commons: https://flic.kr/p/oosB)
11. I succeed if… (Creative Commons: https://flic.kr/p/ehZRGj)
12. mess with the best, die like the rest
13. SQL Injection (SQLi): SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.
14. MIT: http://j.mp/1kKuced – no password required
15. Cross-Site Scripting (XSS): Cross-Site Scripting vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.
    • Hijack of legitimate user sessions
    • Disclosure of sensitive information
    • Access to privileged services and functionality
    • Delivery of malware and browser exploits from our trusted domain
16. MIT: http://j.mp/1kKuced – Search or not
17. Remote Command Execution: Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution:
    1. Shell Command Execution
    2. Eval Execution
18. • Brute force
    • Common username
    • Cookie tampering
    • CSRF tampering
    • Excessive 4XX & 5XX
    • HTTP method tampering
    • HTTP response splitting
    • Redirect
    • Session farming
    • Session hijack
    • Stolen account
    • Shellshock
    • Suspicious Exception
    • Suspicious HTTP header
    • Unauthorized file access
    • Username hijack
    • …
19. follow the white rabbit
20. anything from users is unsafe (Creative Commons: https://flic.kr/p/m2BKPn)
21. shell & quote

```python
import subprocess
from shlex import quote  # Python 3.3+

# shell=True hands the command line to /bin/sh, so every shell feature is live
cp = subprocess.Popen(['ls', '-l'], shell=True)
# no shell: disables shell-based features (like pipes), which is what we want
cp = subprocess.Popen(['ls', '-l'])

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(filename)
print(command)  # noooooooooo
# >>> ls -l somefile; rm -rf ~

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(quote(filename))
print(command)  # better luck next time
# >>> ls -l 'somefile; rm -rf ~'
```
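Added example (not from the slides) that runs the three variants from slide 21 against a constructed filename carrying a shell metacharacter; a harmless stand-in for `ls -l` is used so the smuggled command only echoes a word. It assumes a POSIX sh is available for the shell=True cases.

```python
import shlex
import subprocess
import sys

# Constructed input: a "filename" carrying a shell metacharacter. The smuggled
# command is a harmless echo, so running this demo cannot damage anything.
EVIL_NAME = "somefile; echo injected"

# Stand-in for `ls -l`: prints each argument it receives on its own line.
LIST_CMD = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
LIST_CMD_STR = " ".join(shlex.quote(part) for part in LIST_CMD)


def list_with_shell(filename):
    """Vulnerable (the slide's first attempt): format() into a string, run via sh."""
    command = "{} {}".format(LIST_CMD_STR, filename)
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def list_with_quote(filename):
    """Still shell=True, but the untrusted part is wrapped by shlex.quote()."""
    command = "{} {}".format(LIST_CMD_STR, shlex.quote(filename))
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def list_with_args(filename):
    """Preferred: argument list and no shell, so ';' is just another character."""
    proc = subprocess.run(LIST_CMD + [filename], capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True, unquoted:", list_with_shell(EVIL_NAME))  # two commands ran
    print("shell=True, quoted  :", list_with_quote(EVIL_NAME))  # one argument
    print("argument list       :", list_with_args(EVIL_NAME))   # one argument
```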
22. escape

```python
# unsafe flask example
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name  # user input reflected into the page unescaped
```

```python
# using escape function
from flask import Flask, request
from flask import escape  # removed in Flask 2.3; use: from markupsafe import escape

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % escape(name)
```
23. use a framework (Creative Commons: https://flic.kr/p/cHto9S)
24. templates

```python
# unsafe flask example
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name
```

```python
# using template
from flask import Flask, render_template, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    # Flask's render function is render_template; hello.html lives in templates/
    # and Jinja autoescapes {{ name }} in .html templates
    return render_template('hello.html', name=name)

# where hello.html is:
# <html>Hello {{ name }}</html>
```
25. sanitize

```python
# curs is a DB-API cursor; name and id come from the request

# Unsafe example using the Python DB API
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)

# Sanitize your parameters
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the database: %s for psycopg2/MySQLdb,
# ? for sqlite3 (see the driver module's paramstyle attribute)
```
26. object-relational mapper

```python
# Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode,)
curs.execute(cmd)

# Using Django ORM, we assign the data to the users variable
# (the ORM parameterizes the query for us)
users = Users.objects.filter(zip_code=zipcode)
```
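Added example (not from the slides) covering slides 25 and 26 together: the string-formatted query next to its parameterized form, run against a constructed in-memory SQLite table so the difference is observable; `placeholder()` picks the token from the driver's DB-API `paramstyle`, which is what "placeholder syntax depends on the database" means.

```python
import sqlite3

# Positional placeholder per DB-API paramstyle: sqlite3 is 'qmark',
# psycopg2 is 'pyformat', MySQLdb is 'format'.
PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s", "numeric": ":1"}


def placeholder(dbmodule):
    """Return the placeholder token a DB-API module expects, e.g. '?' for sqlite3."""
    return PLACEHOLDERS[dbmodule.paramstyle]


SQLITE_PH = placeholder(sqlite3)


def make_db():
    """Constructed sample data: an in-memory people table, so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT)")
    conn.executemany("INSERT INTO people (name, zip_code) VALUES (?, ?)",
                     [("Alice", "H2X"), ("Bob", "H3B"), ("Carol", "H2X")])
    conn.commit()
    return conn


def names_by_zip_unsafe(conn, zipcode):
    """Slide 26's string-formatted query: zipcode is spliced into the SQL text."""
    cmd = "SELECT name FROM people WHERE zip_code='%s' ORDER BY id" % (zipcode,)
    return [row[0] for row in conn.execute(cmd)]


def names_by_zip_safe(conn, zipcode):
    """Parameterized: only the placeholder token goes into the SQL text; the
    driver sends zipcode as a value, never as SQL."""
    cmd = "SELECT name FROM people WHERE zip_code=" + SQLITE_PH + " ORDER BY id"
    return [row[0] for row in conn.execute(cmd, (zipcode,))]


def rename_safe(conn, person_id, name):
    """Slide 25's UPDATE, parameterized; returns the number of rows changed."""
    cmd = "UPDATE people SET name=" + SQLITE_PH + " WHERE id=" + SQLITE_PH
    cur = conn.execute(cmd, (name, person_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that breaks out of the quoted literal
    print(names_by_zip_unsafe(db, "H2X"))  # ['Alice', 'Carol']
    print(names_by_zip_unsafe(db, probe))  # every row: the WHERE clause is always true
    print(names_by_zip_safe(db, probe))    # []: no zip code equals that string
```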
27. avoid exec (if possible)

```python
# My awesome Python skills
s = 'print("Hello, World!")'
exec(s)

# Refactor using a function
def print_hello_world():
    print("Hello, World!")

print_hello_world()
```
28. ORM libraries. Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
29. OWASP XSS Cheat Sheet
30. static code analysis
    Strengths
    • Scales well
    • Finds issues like buffer overflows and SQL injection flaws with high confidence
    Weaknesses
    • Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
    • High numbers of false positives.
    • Frequently can't find configuration issues, since they are not represented in the code.
    • Difficulty analyzing code that can't be compiled (using libraries as an example).
31. MIT: http://j.mp/1kKuced – XSScrapy
32. RASP: Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
33. IMMUNIO
34. trust… or not
    Developers
    • Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
    • Stored procedures if possible
    • Up-to-date frameworks & libraries
    DevOps
    • HTTPS
    • Web Application Firewall (WAF)
    • Intrusion prevention systems (IPS)
    • Up-to-date platform & infrastructure
35. to infinity... and beyond! (Creative Commons: https://flic.kr/p/8Z1Cxm)
36. thanks but no thanks
37. stop (Creative Commons: https://flic.kr/p/gpVdD)
38. I’m serious! (Creative Commons: https://flic.kr/p/9CG51N)
39. plan for it (Creative Commons: https://flic.kr/p/5bn2nD)
40. now. (Creative Commons: https://flic.kr/p/fA6vnM)
41. nothing is 100% bulletproof (Creative Commons: https://flic.kr/p/hpE97)
42. www
    • IMMUNIO – Real-time web application security: https://www.immun.io/
    • OWASP (Open Web Application Security Project): https://www.owasp.org/
    • Security in Django: http://j.mp/1Q8VMBP
    • Security system in Pyramid: http://j.mp/1Q8VHxT
    • Bobby Tables: A guide to preventing SQL injection: http://bobby-tables.com/
    • XSS Filter Evasion Cheat Sheet: http://j.mp/1Q97hsW
    • XSScrapy: https://github.com/DanMcInerney/xsscrapy
43. Frédéric Harper, fharper@immun.io, @fharper, http://outofcomfortzone.net, http://immun.io
