Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Writing secure code in Python

Writing secure code in Python

Slides for the talk "Writing secure code in Python" presented in EuroPython 2022.

yyyyyyyan

July 15, 2022
Tweet

More Decks by yyyyyyyan

Other Decks in Programming

Transcript

  1. eval(expression[, globals[, locals]]) Evaluates a Python expression and return the

    result. Optional parameters: globals: dict locals: Any mapping object
  2. So when should we use eval()? When there is no

    other viable way to accomplish a task
  3. So when should we use eval()? When there is no

    other viable way to accomplish a task (never)
  4. Serializes a Python object to a sequence of bytes. Optional

    parameters: protocol: int denoting the protocol used for the serialization. Currently goes from 0 (oldest) to 5 (Python 3.8) pickle.dump(obj, file, protocol=None, *) pickle.dumps(obj, protocol=None, *)
  5. The magic method __reduce__() Used to customize how class instances

    are serialized. Should return a str or a tuple containing a callable and its parameters.
  6. The magic method __reduce__() Used to customize how class instances

    are serialized. Should return a str or a tuple containing a callable and its parameters. ⚠
  7. What happens when we run pip install? 1. Identification of

    base requirements and given parameters 2. Resolution of dependencies and determination of what will be installed 3. Determination of installation method 4. Installation of packages
  8. Determination of installation method If wheel is available: Download wheel

    and install from it; Else: Download package source code; If it's possible to build wheel from source code: Build wheel and install from it; Else: Install from setup.py;
  9. Prevention - Keep up with the releases of packages we

    use - Keep up with the CVE vulnerabilities list (cve.mitre.org)
  10. Lots of options! • Codacy (free for open source projects)

    • Horusec (open source) • Pyre/Pysa (open source) • Coverity Scan (exclusive for open source projects) • Bandit (open source)