Python Security

Intermediate 3 days

In this course you will learn to

  • Understand web application security issues
  • Analyze the OWASP Top 10 elements
  • Put web application security in the context of Python
  • Go beyond the low-hanging fruit
  • Handle security challenges in your Python code
  • Identify vulnerabilities and their consequences
  • Apply security best practices in Python
  • Understand security testing methodology and approaches
  • Get familiar with common security testing techniques and tools

Training materials

All Python training students will receive comprehensive courseware.

Suggested attendees

Students who have general Python development experience.

Course Outline

  • Cybersecurity basics
    • What is security?
    • Threat and risk
    • Cybersecurity threat types
    • Consequences of insecure software
    • Constraints and the market
    • The dark side
  • The OWASP top ten (Part I)
    • OWASP Top 10 – 2017
    • Injection
      • Injection principles
      • Injection attacks
      • SQL injection
        • SQL injection best practices
          • Input validation
          • Parameterized queries
          • Additional considerations
        • Case study – Hacking Fortnite accounts
        • Testing for SQL injection
        • SQL injection and ORM
      • Parameter manipulation
      • CRLF injection
      • Code injection
      • Injection best practices
    • Broken authentication
      • Authentication basics
      • Authentication weaknesses
      • Spoofing on the Web
      • Testing for weak authentication
      • Case study – PayPal 2FA bypass
      • User interface best practices
      • Password management
  • The OWASP top ten (Part II)
    • Broken authentication
      • Password management
      • Session management
      • Cookie security
    • Sensitive data exposure
      • Information exposure
      • Exposure through extracted data and aggregation
      • Case study – Strava fitness app data exposure
      • System information leakage
      • Information exposure best practices
        • Error and exception handling principles
        • Information exposure through error reporting
        • Information leakage via error pages
    • XML external entities (XXE)
      • DTD and the entities
      • Entity expansion
      • Attribute blowup
      • External entity attack (XXE)
    • Broken access control
      • Access control basics
      • Failure to restrict URL access
      • Testing for authorization issues
      • Confused deputy
    • File upload
      • Unrestricted file upload
      • Good practices
      • Testing for file upload vulnerabilities
    • Security misconfiguration
      • Configuration principles
      • Configuration management
      • Server misconfiguration
      • Python configuration best practices
    • Cross-site scripting (XSS)
      • Cross-site scripting basics
      • Cross-site scripting types
      • XSS protection best practices
        • Protection principles – escaping
        • XSS protection APIs in Python
        • XSS protection in Jinja2
        • Additional protection layers
        • Client-side protection principles
        • Blacklisting-based XSS protection evasion
      • Testing for XSS
  • The OWASP top ten (Part III)
    • Insecure deserialization
      • Serialization and deserialization challenges
      • Deserializing untrusted streams
      • Deserialization with pickle
      • Deserialization with PyYAML
      • Deserializing best practices
      • Testing for insecure deserialization
    • Using components with known vulnerabilities
      • Using vulnerable components
      • Assessing the environment
      • Hardening
      • Untrusted functionality import
      • Malicious packages in Python
      • Importing JavaScript
      • Case study – The British Airways data breach
      • Vulnerability management
    • Insufficient logging and monitoring
      • Logging and monitoring principles
      • Insufficient logging
      • Plaintext passwords at Facebook
      • Logging best practices
      • Monitoring best practices
  • Web application security beyond the top ten
    • Client-side security
      • Same origin policy
      • Frame sandboxing
        • Cross-frame scripting (XFS) attack
        • Clickjacking beyond hijacking a click
        • Clickjacking protection best practices
  • Common software security weaknesses
    • Input validation
  • JSON security
    • JSON injection
    • Dangers of JSONP
    • JSON/JavaScript hijacking
    • Best practices
    • ReactJS vulnerability in HackerOne
  • Security testing
    • Security testing vs functional testing
    • Manual and automated methods
    • Security testing techniques and tools
      • Code analysis
      • Dynamic analysis

No software needs to be installed for this class. The class will be conducted in a remote environment. Students need a local computer with a web browser (recent version of Microsoft Edge, Mozilla Firefox, or Google Chrome) and a stable Internet connection.