Is your python application secure? - PyCon Canada - 2015-11-07
In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.
1. Is your Python application secure?
   Frédéric Harper, @fharper, http://immun.io
   Sr. Technical Evangelist @ IMMUNIO
   PyCon Canada – 2015-11-07
   Creative Commons: https://flic.kr/p/34T4Z
2. is security important?
   Creative Commons: https://flic.kr/p/s8hvJo
3. do you have time?
   Creative Commons: https://flic.kr/p/b7wRTX
4. do you have the expertise?
   Creative Commons: https://flic.kr/p/n7qDvJ
5. do you have the money?
   Creative Commons: https://flic.kr/p/rAG5dm
6. is your app that secure?
   Creative Commons: https://flic.kr/p/bY6uU7
7. what about legacy apps?
   Creative Commons: https://flic.kr/p/7fFQug
8. it's probably happening, now
   Creative Commons: https://flic.kr/p/acnkbU
9. ...
10. warning
    Creative Commons: https://flic.kr/p/oosB
11. I succeed if…
    Creative Commons: https://flic.kr/p/ehZRGj
12. mess with the best, die like the rest
13. SQL Injection (SQLi)
    SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.
14. no password required
    MIT: http://j.mp/1kKuced
15. Cross-Site Scripting
    Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.
    § Hijack of legitimate user sessions
    § Disclosure of sensitive information
    § Access to privileged services and functionality
    § Delivery of malware and browser exploits from our trusted domain
16. Search or not
    MIT: http://j.mp/1kKuced
17. Remote Command Execution
    Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution:
    1. Shell Command Execution
    2. Eval Execution
18. Attack types detected at runtime:
    • Brute force
    • Common username
    • Cookie tampering
    • CSRF tampering
    • Excessive 4XX & 5XX
    • HTTP method tampering
    • HTTP response splitting
    • Redirect
    • Session farming
    • Session hijack
    • Stolen account
    • Shellshock
    • Suspicious Exception
    • Suspicious HTTP header
    • Unauthorized file access
    • Username hijack
    • …
19. follow the white rabbit
20. anything from users is unsafe
    Creative Commons: https://flic.kr/p/m2BKPn
21. shell & quote
    import subprocess
    from shlex import quote

    cp = subprocess.Popen(['ls', '-l'], shell=True)
    # disables shell based features (like no pipe)
    cp = subprocess.Popen(['ls', '-l'])

    filename = 'somefile; rm -rf ~'
    command = 'ls -l {}'.format(filename)
    print(command)  # noooooooooo
    # >>> ls -l somefile; rm -rf ~

    filename = 'somefile; rm -rf ~'
    command = 'ls -l {}'.format(quote(filename))
    print(command)  # better luck next time
    # >>> ls -l 'somefile; rm -rf ~'
22. escape
    # unsafe flask example (before)
    from flask import Flask, request
    app = Flask(__name__)

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % name

    # using escape function (after)
    from flask import escape  # removed in Flask 2.3; use `from markupsafe import escape` there

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % escape(name)
23. use a framework
    Creative Commons: https://flic.kr/p/cHto9S
24. templates
    # unsafe flask example (before)
    from flask import Flask, request, render_template
    app = Flask(__name__)

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % name

    # using template (after); Flask autoescapes variables in .html templates
    @app.route("/")
    def hello():
        name = request.args.get('name')
        return render_template('hello.html', name=name)
    # where templates/hello.html is:
    # <html>Hello {{ name }}</html>
25. sanitize
    # Unsafe example using the Python DB API
    cmd = "update people set name='%s' where id='%s'" % (name, id)
    curs.execute(cmd)

    # Sanitize your parameters: pass them separately, never format them in
    cmd = "update people set name=%s where id=%s"
    curs.execute(cmd, (name, id))
    # Placeholder syntax depends on the database driver
    # (%s for psycopg2 / MySQLdb, ? for sqlite3; see the driver's paramstyle)
26. object-relational mapper
    # Unsafe example using the Python DB API
    cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
    curs.execute(cmd)

    # Using Django ORM, we assign the data to users variable
    users = Users.objects.filter(zip_code=zipcode)
27. avoid exec (if possible)
    # My awesome Python skills
    s = 'print("Hello, World!")'
    exec(s)

    # Refactor using function
    def print_hello_world():
        print("Hello, World!")

    print_hello_world()
28. ORM libraries
    Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
29. OWASP XSS Cheat Sheet
30. static code analysis
    Strengths
    • Scales well
    • Finds issues like buffer overflows and SQL injection flaws with high confidence
    Weaknesses
    • Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
    • High numbers of false positives.
    • Frequently can't find configuration issues, since they are not represented in the code.
    • Difficulty analyzing code that can't be compiled (using libraries as an example).
31. XSScrapy
    MIT: http://j.mp/1kKuced
32. RASP
    Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
33. IMMUNIO
34. trust… or not
    Developers
    § Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
    § Stored procedures if possible
    § Up-to-date frameworks & libraries
    Devops
    § HTTPS
    § Web Application Firewall (WAF)
    § Intrusion prevention systems (IPS)
    § Up-to-date platform & infrastructure
35. to infinity... and beyond!
    Creative Commons: https://flic.kr/p/8Z1Cxm
36. thanks but no thanks
37. stop
    Creative Commons: https://flic.kr/p/gpVdD
38. I'm serious!
    Creative Commons: https://flic.kr/p/9CG51N
39. plan for it
    Creative Commons: https://flic.kr/p/5bn2nD
40. now.
    Creative Commons: https://flic.kr/p/fA6vnM
41. nothing is 100% bulletproof
    Creative Commons: https://flic.kr/p/hpE97
42. www
    IMMUNIO – Real-time web application security - https://www.immun.io/
    OWASP (Open Web Application Security Project) - https://www.owasp.org/
    Security in Django - http://j.mp/1Q8VMBP
    Security system in Pyramid - http://j.mp/1Q8VHxT
    Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
    XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
    XSScrapy - https://github.com/DanMcInerney/xsscrapy
43. Frédéric Harper
    fharper@immun.io
    @fharper
    http://outofcomfortzone.net
    http://immun.io
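Slide 21's "shell & quote" point, worked through as an added example that is not part of the talk's slides. It uses only the standard library (shlex, subprocess) and a constructed hostile filename; the helper names `build_shell_command`, `run_without_shell` and `tokens_seen_by_shell` are assumptions introduced here. `run_without_shell` echoes its argument through a Python one-liner rather than calling `ls`, so it runs anywhere Python does.

```python
# Added example (not from the slides): untrusted input and subprocess.
import shlex
import subprocess
import sys

# Constructed hostile filename: contains shell metacharacters (space, ';', '~').
HOSTILE_FILENAME = "somefile; rm -rf ~"


def build_shell_command(filename: str) -> str:
    """Build a command line for shell=True use; only safe because the
    untrusted part is passed through shlex.quote (slide 21's second half)."""
    return "ls -l {}".format(shlex.quote(filename))


def tokens_seen_by_shell(command: str) -> list:
    """Split a command line with POSIX shell word rules. shlex.split does not
    model ';' as a command separator, but the token count alone shows whether
    the filename survived as the single argument it was meant to be."""
    return shlex.split(command)


def run_without_shell(filename: str) -> str:
    """Argument-list form, no shell involved: the filename is handed to the
    child process as one argv entry, so metacharacters are never interpreted.
    The child is a Python one-liner that prints argv[1] back to us."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print(build_shell_command(HOSTILE_FILENAME))
    print(tokens_seen_by_shell("ls -l " + HOSTILE_FILENAME))
    print(tokens_seen_by_shell(build_shell_command(HOSTILE_FILENAME)))
    print(run_without_shell(HOSTILE_FILENAME))
```

The unquoted command splits into six shell words; the quoted one keeps the filename as a single word, and the argument-list form never gives a shell the chance to split it at all. Prefer the list form; reach for `shlex.quote` only when a shell string is genuinely required.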
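Slides 22 and 24 (escape and templates), as an added example that is not from the talk: it shows why escaping has to match the HTML context the value lands in, using the standard library's `html.escape` instead of Flask's `escape` so it runs without Flask. The two payloads are constructed sample inputs and the `render_*` function names are assumptions introduced here.

```python
# Added example (not from the slides): context-aware HTML escaping.
import html

# Constructed hostile inputs, one for each HTML context below.
BODY_PAYLOAD = '<script>alert("xss")</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_unsafe(name: str) -> str:
    """Mirrors slide 22's unsafe view: the input is inserted as-is."""
    return "Hello %s" % name


def render_escaped(name: str) -> str:
    """Body context: &, <, > and both quote characters become entities,
    so the browser shows the text instead of parsing it as markup."""
    return "Hello %s" % html.escape(name, quote=True)


def render_attribute(name: str, quote_chars: bool = True) -> str:
    """Attribute context. With quote=True the value cannot close the
    surrounding attribute; with quote=False a double quote in the input
    ends the attribute and whatever follows is parsed as new attributes."""
    return '<input name="who" value="%s">' % html.escape(name, quote=quote_chars)


if __name__ == "__main__":
    print(render_unsafe(BODY_PAYLOAD))
    print(render_escaped(BODY_PAYLOAD))
    print(render_attribute(ATTR_PAYLOAD))
    print(render_attribute(ATTR_PAYLOAD, quote_chars=False))
```

This is what slide 24's template approach buys you automatically: Jinja2 autoescaping in Flask applies the full entity set for `.html` templates, so a variable rendered with `{{ name }}` gets the `quote=True` behaviour without each view remembering to call `escape`.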
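Slides 25 and 26 (sanitize, object-relational mapper), as an added example that is not from the talk: the same lookup written with string formatting and with DB-API parameters, run against an in-memory sqlite3 database populated with three constructed rows. The table, the rows, the hostile zip code and the function names are all assumptions introduced here; the point about placeholder syntax differing per driver is the slide's own.

```python
# Added example (not from the slides): string formatting vs. DB-API parameters.
import sqlite3

# sqlite3 uses the 'qmark' paramstyle (?); psycopg2 and MySQLdb use 'format' (%s).
SQLITE_PARAMSTYLE = sqlite3.paramstyle

INJECTION = "' OR '1'='1"  # constructed hostile "zip code"


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT)")
    conn.executemany(
        "INSERT INTO users (name, zip_code) VALUES (?, ?)",
        [("alice", "H2X 1Y4"), ("bob", "M5V 3L9"), ("carol", "H2X 1Y4")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, zipcode: str) -> list:
    """Slide 26's unsafe pattern: the value becomes part of the SQL text,
    so a quote in the input changes the shape of the WHERE clause."""
    cmd = "SELECT name FROM users WHERE zip_code='%s'" % zipcode
    return [row[0] for row in conn.execute(cmd)]


def lookup_safe(conn: sqlite3.Connection, zipcode: str) -> list:
    """Parameterized: the driver sends the value separately, so it can only
    ever be compared against zip_code, never parsed as SQL."""
    cmd = "SELECT name FROM users WHERE zip_code=?"
    return [row[0] for row in conn.execute(cmd, (zipcode,))]


def rename_safe(conn: sqlite3.Connection, user_id: int, new_name: str) -> int:
    """Slide 25's UPDATE, parameterized; returns the number of rows changed."""
    cur = conn.execute("UPDATE users SET name=? WHERE id=?", (new_name, user_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, INJECTION))  # every row comes back
    print(lookup_safe(db, INJECTION))    # nothing matches that literal string
```

With the hostile input the formatted query reads `WHERE zip_code='' OR '1'='1'` and returns every user; the parameterized query compares the whole string against the column and returns nothing. An ORM such as the Django call on slide 26 builds the parameterized form for you.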