PyCon UK 2019

Charming the Snake - Writing Secure Python Code
2019-09-16, 11:30–12:00, Ferrier Hall

Python, being dynamic and not type safe, is hard to write securely. Vulnerabilities such as injections, XSS, CSRF etc. are hard to find through static analysis tools. This talk is a comprehensive guide on how to write secure code in Python and also how to catch bugs.

Python is inherently dynamic and lacks type safety. Therefore, Python code can have security vulnerabilities which are hard to catch without manual inspection of code.It is notoriously famous for being hard to run static code analysis against. Most of the open source and commercial tools generate a lot of false positives such that the signal to noise ratio questions their effectiveness.

In this talk, I present a comprehensive guide on how to write secure code in Python. I will cover several categories of vulnerabilities such as SQLi, XSS, CSRF, LDAP injection, command injection, XXE, Timing attacks and other OWASP Top 10 bugs etc. I will also highlight techniques and tools to catch bugs in a more effective manner. Attendees will be able to leave with a much better understanding of how to secure their Python code and applications.

Is your proposal suitable for beginners? – yes

Kashish Mittal is a Security Researcher and Engineer. He currently is the Head of Security at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF player. Prior to joining Duo, he did Security Research at Cylab, Pittsburgh. He has a BS and a MS from Carnegie Mellon University with a focus on Security. He is passionate about delivering Security awareness and training for employees, college students and high schoolers etc. He has been invited to presented his research and work at various national and International Security conferences.