Python Security
In this course you will learn to
- Understand web application security issues
- Analyze the OWASP top ten elements
- Put web application security in the context of Python
- Go beyond the low hanging fruit
- Handle security challenges in your Python code
- Identify vulnerabilities and their consequences
- Learn the security best practices in Python
- Understand security testing methodology and approaches
- Get familiar with common security testing techniques and tools
Training materials
All Python training students will receive comprehensive courseware.
Suggested attendees
Students who have general Python development experience.
Course Outline
- Cybersecurity basics
  - What is security?
  - Threat and risk
  - Cybersecurity threat types
  - Consequences of insecure software
  - Constraints and the market
  - The dark side
- The OWASP top ten (Part I)
  - OWASP Top 10 – 2017
  - Injection
  - Injection principles
  - Injection attacks
  - SQL injection
  - SQL injection best practices
  - Input validation
  - Parameterized queries
  - Additional considerations
  - Case study – Hacking Fortnite accounts
  - Testing for SQL injection
  - SQL injection and ORM
  - Parameter manipulation
  - CRLF injection
  - Code injection
  - Injection best practices
  - Broken authentication
  - Authentication basics
  - Authentication weaknesses
  - Spoofing on the Web
  - Testing for weak authentication
  - Case study – PayPal 2FA bypass
  - User interface best practices
  - Password management
- The OWASP top ten (Part II)
  - Broken authentication
  - Password management
  - Session management
  - Cookie security
  - Sensitive data exposure
  - Information exposure
  - Exposure through extracted data and aggregation
  - Case study – Strava fitness app data exposure
  - System information leakage
  - Information exposure best practices
  - Error and exception handling principles
  - Information exposure through error reporting
  - Information leakage via error pages
  - XML external entities (XXE)
  - DTD and the entities
  - Entity expansion
  - Attribute blowup
  - External entity attack (XXE)
  - Broken access control
  - Access control basics
  - Failure to restrict URL access
  - Testing for authorization issues
  - Confused deputy
  - File upload
  - Unrestricted file upload
  - Good practices
  - Testing for file upload vulnerabilities
  - Security misconfiguration
  - Configuration principles
  - Configuration management
  - Server misconfiguration
  - Python configuration best practices
  - Cross-site scripting (XSS)
  - Cross-site scripting basics
  - Cross-site scripting types
  - XSS protection best practices
  - Protection principles – escaping
  - XSS protection APIs in Python
  - XSS protection in Jinja2
  - Additional protection layers
  - Client-side protection principles
  - Blacklisting-based XSS protection evasion
  - Testing for XSS
- The OWASP top ten (Part III)
  - Insecure deserialization
  - Serialization and deserialization challenges
  - Deserializing untrusted streams
  - Deserialization with pickle
  - Deserialization with PyYAML
  - Deserializing best practices
  - Testing for insecure deserialization
  - Using components with known vulnerabilities
  - Using vulnerable components
  - Assessing the environment
  - Hardening
  - Untrusted functionality import
  - Malicious packages in Python
  - Importing JavaScript
  - Case study – The British Airways data breach
  - Vulnerability management
  - Insufficient logging and monitoring
  - Logging and monitoring principles
  - Insufficient logging
  - Plaintext passwords at Facebook
  - Logging best practices
  - Monitoring best practices
- Web application security beyond the top ten
  - Client-side security
  - Same origin policy
  - Frame sandboxing
  - Cross-frame scripting (XFS) attack
  - Clickjacking beyond hijacking a click
  - Clickjacking protection best practices
  - Common software security weaknesses
  - Input validation
  - JSON security
  - JSON injection
  - Dangers of JSONP
  - JSON/JavaScript hijacking
  - Best practices
  - ReactJS vulnerability in HackerOne
- Security testing
  - Security testing vs functional testing
  - Manual and automated methods
  - Security testing techniques and tools
  - Code analysis
  - Dynamic analysis
No software needs to be installed for this class. The class will be conducted in a remote environment. Students need a local computer with a web browser (recent version of Microsoft Edge, Mozilla Firefox, or Google Chrome) and a stable Internet connection.