PyCon Hong Kong 2025

Motivation

As a cybersecurity professional, I want to raise awareness of known Python security concerns in an easy-to-understand manner, especially for those who are new to the language. Intermediate-level learners are also welcome, if they wish to refresh their memory.

Especially in this era of “vibe coding”, I feel there is an overemphasis on “what works”, and a lack of consideration of “what might go wrong”. I hope this talk will inspire listeners to start coding with good cybersecurity hygiene.

Scope

This talk will cover security considerations unique to Python. This means that, instead of touching on general concepts like SQL injection or hardcoding secrets, I will focus on known security concerns and considerations in the Python ecosystem.

Talk outline

Breakdown of why your code might be unsafe (20min)

1. Unsafe third-party packages (supply chain attack on pip)
2. Unsafe data (XML, zip, pickle)
3. Unsafe algorithms (random, hashlib)
4. Unsafe versions (using deprecated Python versions and libraries)

In this section, to demonstrate the relevance and danger of these cases, I will supply real-life examples where possible. I will also recommend safer equivalents where available (for example, use JSON instead of pickle).

Mitigation strategies (10min)

I will recommend some tools to address these concerns, such as using a linter to automatically detect these vulnerabilities, and setting up a private repository for trusted packages.

References

Official list of modules with security considerations: https://docs.python.org/3/library/security_warnings.html
Example of the ruff linter detecting dangerous pickle use: https://docs.astral.sh/ruff/rules/suspicious-pickle-usage/