Python Security

Course Outline

• Cybersecurity basics
  • What is security?
  • Threat and risk
  • Cybersecurity threat types
  • Consequences of insecure software
  • Constraints and the market
  • The dark side

• The OWASP top 10 (Part I)
  • OWASP top 10 – 2017
  • Injection
    • Injection principles and attacks
    • SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Additional considerations
    • Case study – Hacking Fortnite accounts
    • Test for SQL injection
  • SQL injection and ORM
    • Parameter manipulation
    • CRLF and code injection
    • Injection best practices
  • Broken authentication
    • Authentication basics
    • Authentication weaknesses
    • Spoofing on the web
    • Test for weak authentication
    • Case study – PayPal 2FA bypass
    • User interface best practices
    • Password management

• The OWASP top 10 (Part II)
  • Broken authentication
    • Password and session management
    • Cookie security
  • Sensitive data exposure
    • Information exposure
    • Exposure through extracted data and aggregation
    • Case study – Strava fitness app data exposure
    • System information leakage
  • Information exposure best practices
    • Error and exception handling principles
    • Information exposure through error reporting
    • Information leakage via error pages
  • XML external entities (XXE)
    • DTD and the entities
    • Entity expansion
    • Attribute blowup
    • External entity attack (XXE)
  • Broken access control
    • Access control basics
    • Failure to restrict URL access
    • Test for authorization issues
    • Confused deputy
  • File upload
    • Unrestricted file upload
    • Best practices
    • Test for file upload vulnerabilities
  • Cross-site scripting (XSS)
    • Cross-site scripting basics
    • Cross-site scripting types

• • Security misconfiguration
    • Configuration principles
    • Configuration management
    • Server misconfiguration
    • Python configuration best practices
  • XSS protection best practices
    • Protection principles – escaping
    • XSS protection APIs in Python
    • XSS protection in Jinja2
    • Additional protection layers
    • Client-side protection principles
    • Blacklist-based XSS protection evasion
    • Test for XSS

• Web application security beyond the top 10
  • Client-side security
  • Same origin policy
  • Frame sandboxing
    • Cross-frame scripting (XFS) attack
    • Clickjack beyond hijacking a click
    • Clickjack protection best practices

• Common software security weaknesses
  • Input validation

• JSON security
  • JSON injection
  • Dangers of JSONP
  • JSON/JavaScript hijacking
  • Best practices
  • ReactJS vulnerability in HackerOne

• Security testing
  • Security testing vs. functional testing
  • Manual and automated methods
  • Security testing techniques and tools
    • Code analysis
    • Dynamic analysis

• The OWASP top 10 (Part III)
  • Insecure deserialization
    • Serialization and deserialization challenges
    • Deserialize untrusted streams
    • Deserialization with pickle
    • Deserialization with PyYAML
    • Deserialize best practices
    • Test for insecure deserialization
  • Use components with known vulnerabilities
    • Use vulnerable components
    • Assess the environment
    • Hardening
    • Untrusted functionality import
    • Malicious packages in Python
    • Import JavaScript
    • Case study – The British Airways data breach
    • Vulnerability management
  • Insufficient logging and monitoring
    • Logging and monitoring principles
    • Insufficient logging
    • Plaintext passwords at Facebook
    • Logging best practices
    • Monitoring best practices