PyCon UK 2019

Charming the Snake - Writing Secure Python Code
2019-09-16, 11:30–12:00, Ferrier Hall

Python, being dynamically typed and checked only at runtime, is hard to write securely. Vulnerabilities such as injection, XSS and CSRF are hard to find with static analysis tools. This talk is a comprehensive guide to writing secure Python code and to catching such bugs.

Python is inherently dynamic and has no static type checking, so Python code can contain security vulnerabilities that are hard to catch without manual code review. It is notorious for being hard to run static analysis against: most open source and commercial tools generate so many false positives that the signal-to-noise ratio calls their effectiveness into question.

In this talk, I present a comprehensive guide to writing secure code in Python. I will cover several categories of vulnerabilities, such as SQL injection (SQLi), XSS, CSRF, LDAP injection, command injection, XXE, timing attacks and other OWASP Top 10 bugs. I will also highlight techniques and tools for catching such bugs more effectively. Attendees will leave with a much better understanding of how to secure their Python code and applications.
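A worked illustration of three of the categories listed above (SQL injection, XSS and timing attacks) in plain Python. This is an added example, not material from the talk: each vulnerable function sits next to its hardened form, using only the standard library (sqlite3, html, hmac) and a constructed in-memory user table; the user names and tokens are made up for the demonstration.

```python
"""Vulnerable vs. hardened Python for SQL injection, XSS and timing attacks.
Added example; the user table, payloads and tokens are constructed."""
import hmac
import html
import sqlite3

# --- SQL injection ------------------------------------------------------------

def make_db():
    # Constructed in-memory table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # The untrusted value is spliced into the SQL text, so it can change the
    # structure of the query instead of merely supplying a string literal.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn, name):
    # A bound parameter is always data: the driver never lets it become SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# --- Cross-site scripting -----------------------------------------------------

def render_comment_vulnerable(comment):
    # Raw interpolation into HTML: markup inside the comment is rendered as markup.
    return f"<p>{comment}</p>"

def render_comment_safe(comment):
    # Escape for the HTML text context; quote=True also covers attribute values.
    return f"<p>{html.escape(comment, quote=True)}</p>"

# --- Timing attacks -----------------------------------------------------------

def token_equal_naive(expected, provided):
    """Byte-by-byte compare that stops at the first mismatch, as a typical
    `==` implementation does. Returns (equal, bytes_examined) so the leak is
    visible without timing anything: the count grows with the length of the
    correct prefix, which is exactly what an attacker measures remotely."""
    examined = 0
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return len(expected) == len(provided), examined

def token_equal_safe(expected, provided):
    # Constant-time comparison: the work done does not depend on where the
    # inputs first differ. Use bytes (or ASCII-only str) with compare_digest.
    return hmac.compare_digest(expected, provided)

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # every user leaks out
    print(find_user_safe(conn, payload))         # no such user: []
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(token_equal_naive(b"s3cr3t-token", b"s3cr3t-guess"))  # (False, 8)
    print(token_equal_naive(b"s3cr3t-token", b"zzzzzz-token"))  # (False, 1)
    print(token_equal_safe(b"s3cr3t-token", b"s3cr3t-token"))   # True
```

The SQL and HTML cases share one rule: keep untrusted input in a data position (a bound parameter, an escaped text node) rather than splicing it into the language being interpreted. The timing case is different in kind: the naive comparison gives the right boolean answer, and the defect only shows up in how long it takes, which is why it slips past review and static tools alike.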

Is your proposal suitable for beginners? – yes