Python security best practices

Overview of the common security issues that can be faced during daily developer work

Michał Wodyński

Tags: Best Practice, Programming, Python 3, Security, Tooling

See in schedule: Fri, Jul 30, 11:10-11:55 CEST (45 min)

Have you ever had the feeling that you can write code that solves a problem, but are not sure whether it is safe? How much of your time do you spend investigating whether your code is vulnerable? Do you know what kinds of risks you can face when parsing XML files? If these questions have crossed your mind, this presentation will clarify your doubts and bring your skills closer to writing safer code. Many routines are repeated during development, such as saving user data, reading files, or loading pickles. Those routines can lead to a drop in vigilance, which may have very serious consequences for our application or data.

During the presentation I will explain what the attackers' aims are and go through security issues that can appear in:
• unverified user input,
• parsing XML,
• assert statements,
• using temporary files,
• reading YAML and pickles

and compare them with the OWASP Top 10. For each of these topics I will:
• show code examples that can break your application,
• describe the risks and how to fix them,
• talk about tools that help detect issues in your code,
• present an overview of XML libraries showing what each specific library is vulnerable to.

The major part of the presentation will focus on XML issues, as this is a widespread problem not only in Python.
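As an added illustration of the XML risk mentioned above (example code written for this page, not part of the talk or its slides): a pre-parse check built on the standard library's expat bindings that rejects any untrusted document declaring a DTD or entities, so entity-expansion and external-entity documents are refused before any parser expands them. The sample documents and the `file:///path/to/secret` URL are constructed placeholders.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DTD or entities."""


def forbid_dtd(data: bytes) -> None:
    """Scan the document with expat and abort on the first DOCTYPE or
    entity declaration. The handler raises before any entity is expanded,
    so a recursive ("billion laughs") or external entity is never resolved."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in untrusted input")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # exceptions raised inside handlers propagate here


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source only after the DTD check passes."""
    forbid_dtd(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses, False if the DTD check rejected it."""
    try:
        parse_untrusted(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample inputs for demonstration.
SAFE_DOC = b"<order><item sku='A1'>2</item></order>"
# Nested entities: a permissive parser would expand these into a large string.
LAUGHS_DOC = (b"<?xml version='1.0'?><!DOCTYPE lolz [<!ENTITY a 'ha'>"
              b"<!ENTITY b '&a;&a;&a;&a;&a;&a;&a;&a;'>]><lolz>&b;</lolz>")
# External entity: a permissive parser would try to read the referenced file.
XXE_DOC = (b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY f SYSTEM "
           b"'file:///path/to/secret'>]><x>&f;</x>")

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_DOC), ("entity expansion", LAUGHS_DOC), ("external entity", XXE_DOC)]:
        print(f"{label}: {'accepted' if is_accepted(doc) else 'rejected'}")
```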

If you want to improve your secure-programming skills and see how certain attacks are performed and how to defend against them, this presentation is for you.

Type: Talk (45 mins); Python level: Intermediate; Domain level: Beginner


Michał Wodyński

Symphony Solutions

I have been a Python developer for 7 years. As a student I started my work as a tester using pytest and Selenium. After graduation I started my work at Wrocław University of Science and Technology, where I was working on indoor localization using DecaWave and DiZiC technology. Then I worked for 3 years at Nokia, where I was developing an internal platform for testing BTS hardware. After Nokia I worked at the PGS software house for 2 years, where I was programming on AWS using Python. In my projects I used technologies like AWS AppSync (GraphQL AWS server), Terraform, Docker and Python. I also did security static code analysis using Checkmarx. Currently I am working at the Symphony Solutions software house, where I work for Graphyte, which creates recommendation systems for the gaming industry.
Privately I am interested in security and indoor localization. My interests started at university. First I had a project related to the possibility of hacking contactless MIFARE cards, and then I was investigating security issues in wireless sensor networks. Besides IT, I like skiing, swimming and jogging.