What developers need to know about AppSec and building secure software. We have Tanya Janca, a.k.a. SheHacksPurple, on the show to tell us all about it. We talk about what developers should expect from threat modeling sessions, as well as concrete tips for securing your apps and services. This is Talk Python To Me, recorded November 15, 2024.
You're listening to Michael Kennedy on Talk Python To Me, live from Portland, Oregon. And this segment was made with Python.
Welcome to Talk Python To Me, a weekly podcast on Python. This is your host, Michael Kennedy. Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython, both accounts over at fosstodon.org, and keep up with the show and listen to over nine years of episodes at talkpython.fm.
If you want to be part of our live episodes, you can find the live streams over on YouTube. Subscribe to our YouTube channel over at talkpython.fm/youtube and get notified about upcoming shows. This episode is sponsored by Posit Connect from the makers of Shiny. Publish, share, and deploy all of your data projects that you're creating using Python: Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, reports, dashboards, and APIs.
Posit Connect supports all of them. Try Posit Connect for free by going to talkpython.fm/posit, P-O-S-I-T.
And this episode is brought to you by Bluehost. Do you need a website? Well, get Bluehost.
Their AI builds your WordPress site in minutes, and there are built-in tools to optimize your growth. Don't wait.
Visit talkpython.fm/bluehost and get started. Hey, welcome to Talk Python To Me. It's awesome to have you here.
Oh my God, I'm so excited to be here. Thank you for having me, Michael.
Yeah, you're very welcome, and I am super excited, you know, in a good and bad way, excited to have you, because I'm very excited to talk to you. But some of the stuff that we're going to talk about might be a little unnerving for people. They may pause the show and then run off to make some changes to what they're running and come back in. And that part might be a little exciting in a different way.
Yes.
Have you ever had that experience where you're giving a presentation or something and somebody gasps in the audience and maybe runs off?
I was doing a capture the flag contest once, and I was showing people how to do a SQL injection. And then we just, like, walked in without a password. And this woman was like, oh my God. And she literally just, she stood up, she was like, I have to go. And she told me the next day she fixed three of them at work, and she just stayed all night.
Oh, amazing. You made a huge impression.
It was pretty cool. Yeah.
That's pretty awesome. I've never had that around security, but I was doing an in-person class once for databases, things which we touch on databases for sure, and to do with transactions. And I said, if you do things this way, it doesn't actually use the transaction unless... and someone was like, oh yes, it doesn't. So they said, I'll be back later, and they just took off.
Oh my God, this is, this is not good. We need to fix this now. So yeah, hopefully no one actually has to do that here.
But I'm sure there's a time for people to learn. Speaking of learning, let's start with a little bit about you. You have a domain, SheHacksPurple.ca, that tells us several things about you. I believe purple is interesting.
Hacks is interesting.
And Canada. Tell us about yourself.
So I was a software developer for a really long time, and then I switched to security. And when I was a software developer, I also played music in bars and music festivals as sort of my hobby, but there were released albums and I did all of that. So that's why I'm quite the public speaker, because I've been on stage my whole life. And so I switched to security and I became a pentester, which is red team and like that, where you attack things, and it's offensive security. And I don't mean we swear at people, but it's the other...
way around, I believe, is the direction the swearing party goes.
But then as I was doing pen testing, I kept sitting with the devs, and I would, like, pair program with them, and I would help them fix things. And I'd make lovely threat models. And I kept doing AppSec, essentially.
And people are like, you keep doing blue team. You keep doing defenses. It's like you can't make up your mind. And eventually one of them was like, you're purple team. And so I was at a conference in Europe, and on stage during the conference, this woman, she kept playing with her phone on a panel, ignoring the audience, and I was super shocked. And finally, she's like, I'm really sorry, but her company had created WannaCry by accident, yeah.
And it had just broken out and she's like, so there's a virus and it just hit the NHS and took down the hospitals and this and that, and oh my gosh. And so everyone, like, ran out of the room freaking out, and they all went to check Twitter, because that's where everyone was talking. And so people are like, you have to make a Twitter account. And so I'm like, what will I call myself? And I was like, SheHacksComputers. And then it was too long, because that was my email address, shehackscomputers@gmail.com, that used to be my email, but then basically it was too long. So I'm like, I don't know.
And someone's like, well, you know, you have that, like, purple team thing going. I'm like, purple? Will anyone ever follow me? So I changed it to SheHacksPurple, and then it turns out that I really like it. So then I've had some purple in my hair too. My friend Kevin... and it went on from there, like, yeah, and a lot...
of people, yeah, it's now part of the vibe. It's awesome. It's a really cool story. So you said you've been a programmer for a while and then got into AppSec, security, and pen testing. How did you get into all that?
It was totally an accident. So like I said, I was in a band, and we had this pentester in our office and he was in a band. And so we obviously became friends.
And one day I came to his desk and I'm like, hey, my band wrote this song called Mandatory Dance Party, and we want to make this mobile app where, when you're near someone else that has the app, it goes beep beep, dance party, and then you both have to dance or else. And then whoever triggers other phones the most wins. And like, do you want to make this app with me? And he's like, I want to do more, and our friendship began. And then for a year and a half, he just nagged me to become a pentester. He's like, you'd be so good.
You'd be really good at it. You've been doing... you've been a dev for, like, seventeen years. It's time for something new.
And I'm like, no, I am the king of software. This is the best. I make something out of nothing all day. It'll never be cooler than this.
But then it turned out that it was pretty cool, and you still get to write code sometimes. And then eventually I figured out I was not meant to be a pentester, I was meant to do AppSec. So I still get to hang out with devs all day. I'm not alone, freezing cold in a data center at night, and I get to... it's more like a social butterfly type of job.
Yeah. Something looking for a crash, yeah.
And you still get to break stuff in AppSec sometimes, but like, that's not all you do. You do a lot of conversations, a lot of brainstorming, and that's better for my extrovert personality.
Yeah, that's awesome. You have a newsletter, people can visit the website and sign up, and I'll put links to all those sorts of things for you. So yeah, a couple things I wanted to talk about. First of all, I've seen you give presentations about threat modeling. Tell us, what is threat modeling and what are some of the takeaways? Obviously our audience is largely Python developers, data scientists, and a generous assortment of others that orbit around those spaces. So they'd probably be pretty set on the developer, data science side of threat modeling. What is it, and what's it like for devs?
So threat modeling is sort of like evil brainstorming. So you get a security person like me in the room, you get a dev or one of the technical leads for your system, and then you get the product owner.
So the person that understands the business of this app, and like, why it exists in the world. And at least those three people; if more people come, better, but that's the minimum. And then you talk about what could go wrong and what are you going to do about it? My friend Adam Shostack, who's written a bunch of books about it... so I used to ask a ton of questions, and then I met him. And now I ask four things. What are we doing? And so then I usually draw it out on a whiteboard. So like, oh, there's an API and it talks to this and then this happens, and...
then people steal bikes. Okay. And then...
And so the second question along the way is, so what could go wrong here? And that's like, you know, these two things are talking, do we authenticate first, or do we just talk to any of the APIs, right? And we go through and we come up with some things that could go wrong, and we make a list.
And then I'm like, okay, so what are we going to do about these things? And you talk about, basically, is this a serious risk? Is that scary? Or is it like, you know what, if that happens, it's not really a big deal and the likelihood is really, really rare.
So maybe we'll accept that risk. But a lot of them, it's like, you know, if we added a certificate here or we included authentication there, like, we can make some small changes. And if you're during the design phase of the system development lifecycle, it costs you nothing, right? Usually it costs you nothing or very little.
And so then you basically improve your design, and then you write it all out, and then hopefully someone approves these changes. And then at the end, the thing that Adam asks is, did we do a good job? And that is the magical question, because the very first time I did one of these in the government, I did not realize that that's what I was doing to my director.
I was like, well, what about this, and what about that? And this could go wrong. And that's because I was trying to kill the project, because I thought it was terrible, and we did, in the end.
But I brought up, like, all these huge existential risks to this ridiculous project they were thinking of doing, and he just kept saying, it'll be fine and I'll manage that risk. And I was like... I realized "manage that risk" means nothing, right? You're going to do nothing.
So I brought up eight really big risks, and you want to do nothing about any of them. And like, we're doing it. Like, do you think we have done a good job here? Like, do you feel proud today? Because I don't.
And then start again. And then eventually, over the months, we cancelled the project, because it was quite silly. Just to be clear, I usually love it when software development projects go forward. This was a very special situation where it was not in the taxpayers' interest. Ah, yes. Anyway, I like... there's more there, but I...
like NDAs.
But usually we come up with, like, a couple of changes that grossly reduce the risk of the system, and it's quite fun, like, once you start to win. The first time I went to a threat model, I came with my dev background of, I will fix any problem you want me to, I just need to do code and I can fix whatever you need. But it's different when it's like, I'm going to try to break things. You have to learn kind of this new skill set of, like, how can I make you do what you should not do? And it took me a while, and now I'm brutal. Like, I go to the movies and I'm like, we could have caught him.
It's even outside of technology now, oh yeah.
Oh, it's everywhere now. My significant other, who does not work in tech, goes... I'm just trying to threat model this for the kids. If we go to the pool, you'll have wet bathing suits.
Yeah, very nice. You know, I think there's two different ways to look at this. Obviously, from a developer perspective, you've got to look at, well, what packages or libraries am I using and how are we validating input, and all those kinds of things. And I feel like that's one level, but maybe the threat model is a little bit broader. Like, are we storing stuff unencrypted where...
you could get at that, and...
it's the thing that makes me nervous. I said I would be somewhat nervous about this at the beginning. The stuff that makes me nervous about all of these things is the asymmetry of it. As a developer or a scientist, responsible for the information and the systems, you have to be right all the time, right? And if you're ever not right, little Bobby Tables is like nothing.
It's like a goalie. It's like a goalie, right? Like, you let in two goals and everyone's like, you are the worst. And it's like, I defended against dozens, do I get nothing?
Exactly. Well, developers...
shouldn't be on their own in this. So that's the whole thing.
So like the job of the AppSec person, in my opinion, is to support the developers in making more secure apps, right? So booking threat modeling time with them, or, you know, providing a static analysis tool or secret scanner or whatever to scan their code so that they can make better code, so they have help. Giving them training. Giving them, like, a list of super clear requirements at the beginning of the project rather than at the end telling them it's wrong. That is a huge one.
Like, if someone's going to build an API, I would prefer the API be behind an API gateway if it's publicly accessible. And I want to do things like turn on authentication and authorization and rate limiting and all sorts of fancy, nice, awesome stuff that they offer. And so I tell them at the very beginning of the project. I don't wait until the end and then I'm like, all these designs...
are all wrong. Yeah.
But that's what we did back in the day. Like, when I had my first vulnerability assessment done, our app was supposed to go to prod in two days, and they ran the world's crappiest dynamic scanner on my app, and they're like, you have cross-site scripting. And this was so long ago, I searched for cross-site scripting on the internet, and there were only three web pages. So I'm old, everyone.
And there was this thing called OWASP. And I was like, what the heck is that? And it took me quite a while to figure out how to fix it, right?
Like, we've come a long way. But yeah, the developer shouldn't be alone in this anymore. They should have help. And I'm not saying that every company has that, but every company should. If you have a bunch of devs, you should eventually have a security person that supports them.
Right. Maybe sits with them for a few hours a week or a month or something, and sort of, as you said, like a butterfly, sort of moves around teams, hanging out with other people. Like, oh, you work on the API? Okay, let me hang out with you a bit this morning.
Ideally, that would be great. Also, I mean, if you have a big enough company, doing something like a security champions program. So like, each dev team, there's one representative, and you just give them way more training and way more time, and you check in with them regularly. Like, if I am working with only, like, fifty or sixty devs, you can get to know a lot of them.
But I remember working at this one place, and there were two thousand devs and me. And I was like, okay, so how do I do this? And just very quickly there was just, like, that one person per team that I would talk to all the time. And I remember, ironically, I went to Montreal on this vacation trip, and my car got stuck in the mud because there was this big rainstorm. And I was, like, tweeting about it and how I was so sad, and one of my devs came to me and dragged it out of the mud. I was like...
That's amazing. That's a benefit of a large team right there.
I know. Like, it never occurred to me that, like, I would get an answer. He's like, hey, I live in Montreal. Do you need help? And I'm like, I do. And he's like, you help me all the time. I'll be right there. It was just so... yeah.
This portion of Talk Python To Me is brought to you by Posit, the makers of Shiny, formerly RStudio, and especially Shiny for Python. Let me ask you a question. Are you building awesome things? Of course you are. You're a developer or data scientist.
That's what we do. And you should check out Posit Connect. Posit Connect is a way for you to publish, share, and deploy all the data products that you're building using Python.
People ask me the same question all the time. Michael, I have some cool data science project or notebook that I built. How do I share it with my users, stakeholders, teammates? Do I need to learn FastAPI, Flask, maybe Vue or React?
Now, those are cool technologies, and I'm sure you'd benefit from them, but maybe stay focused on the data project. Let Posit Connect handle that side of things.
With Posit Connect, you can rapidly and securely deploy the things you build in Python: Streamlit, Dash, Shiny, Bokeh, FastAPI, Quarto, reports, dashboards, and APIs. Posit Connect supports all of them. And Posit Connect comes with all the bells and whistles to satisfy IT and other enterprise requirements.
Make deployment the easiest step in your workflow with Posit Connect. For a limited time, you can try Posit Connect for free for three months by going to talkpython.fm/posit. That's talkpython.fm/P-O-S-I-T. The link is in your podcast player's show notes. Thank you to the team at Posit for supporting Talk Python.
So you managed it almost...
I don't want to endorse scrum, but like a scrum-of-scrums equivalent. Sort of, you found somebody, or different people, who could also represent different segments or whatever, and got together with those groups.
Yeah, yeah. So I didn't know what it was called when I started doing AppSec, because I didn't have any training, right? I was just like, all our apps are a total mess.
I just switched to the security team. I need to fix this. And so I was trying to talk to all of them.
But very quickly, there was, like, a person that sort of self-identified as the person who was totally willing to tolerate Tanya and all of her security nervousness. And I would hold these little lunch-and-learns where I was, like, oh my gosh, my first one.
I remember, because I had been on the dev team and then I switched to the security team. I was like, I'm going to break into a bank at lunch. Who wants to watch? I brought donuts and everyone's like, you're not going to. And I'm like, it's a pretend bank, but I'm going to do it. And they're like, but donuts, right, and...
like, just... that is the right motivation, I feel.
Like, pizza, any sort of carb, goes really well... egos as well. But yeah, I just slowly formed more and more relationships, and then that is how I got a lot of security done, because I'm not their boss. I can't make them prioritize security. I need to persuade them that it's important. And one of those people from my very first program, he became an application security engineer, and he just started his first security champions program this year. And I spoke there two months...
ago. And I... honestly, I think coming from the software dev side probably gets you a lot of credibility with the software teams.
Yeah, because I can just read code and stuff, and the rest of the security team usually can't. And also, so I've gotten in trouble for that, though. I've gotten in trouble with the security team at a couple of places I've worked, where, like, you're always on their side. And I'm like, you're wrong, because sometimes the security team is being completely inflexible.
And I'm like, listen, this is, like, a minute risk. If you really think about it, if you look at the context of the business, it doesn't generate legitimate business risk. So no, I'm not going to...
upgrade off of this vulnerable library, because it's not actually exploitable and there's this and this and this precaution. And like, we're actually fine, and it's going to cause, like, months and months of time. And so I'd rather use my social currency on something that really matters. And I've just had people get really pissed at me on the security team for this.
Yeah, there is, you know, you see it all the time, whether it's npm, pip, whatever package manager, you might see, oh, on GitHub, this library you're using has this vulnerability, and it sounds scary. But if the vulnerability is in a portion of it that you literally never use and you never expose to the internet, you know, there might be bigger fish to fry. Who knows, maybe not. But a lot of it's... it's hard to...
decide in security where to spend time. Yeah, so we call that reachability in the AppSec field. And so my advice, and everyone agrees, is basically, if something... so let's say there's a math library, and the math library has, like, a thousand different math functions, because we love math, and one of them has a great big bug in it.
But we're not calling that one, right. And you could... it's probably like a denial of service if you give it this weird number...
or overflow, and like, never really bad. Or it's like real code execution, like, this sucks. Okay, but if it's not reachable from within your code, it's probably not actually a risk. So let's say it's, like, the worst one, it's remote code execution.
And like, listen, at some point, could you update off of this? And I need you to keep scanning it with your software composition analysis tool every time you check your code in, to make sure you are not calling that dangerous function. So if you switch it around and you are now going to prod...
But as long as it's not reached, then we're not causing legitimate business risk. But I do want it in the backlog, because at some point I'd like you to upgrade off. But like, let's say it's a medium. Like, there's so many bugs that I want people to fix, and some of them are even bugs, like, some of them are...
I want you to use a Content Security Policy header. Is it a bug that you're not using it? In my heart, it is. But technically, no. But it's an additional layer of security that basically stops cross-site scripting in its tracks, right? And so I'd rather spend my social currency getting, like, the entire organization to adopt CSP than to, like, upgrade off of tons of different dependencies that aren't...
actually hurting anyone. Yeah, I agree. I think that...
makes sense.
Yeah, once you've solved all the other security problems, you can come back to the unreachable ones.
Right. For sure. Yeah.
I want to dive into your book, and you've got a bunch of good recommendations. Before I do, I have a quick question. Do you think... you know, the White House, at the beginning of this year, released this thing saying we call for memory-safe languages.
And I know you started in C and C++. I also started in C++. I was kicked... the Fortran train, kicking and screaming... I went back to it and then moved on. But you know, we've got a lot more options these days, right? And I know folks at the PSF are actually working with the people at the White House to encourage them to consider Python as one of the options. But what do you think about this and its implications?
So a lot of software is written in C, a lot, like maybe half. I don't know how much of our whole world is written in C. And they're like, oh, future software. So if we're writing brand new software, yeah, I wouldn't write it in C unless I absolutely had to. I would try to use Rust. But do I think that everyone's going to suddenly, like, rewrite everything in Rust? No, I don't believe that.
And it's because of a lot of reasons. One, like, I'm told it's difficult to develop in Rust because basically there's, like, no libraries for it compared to C. C is so rich. There are so many options in C and C++, right, because it's been around forever. There's a zillion code samples that you can copy from and then paste into your code, which you should not do unless you understand them fully. Yeah, so many comments there.
So memory safety, like, if you are going to write a new app, do I want it to be memory safe? Yes, absolutely. Do I expect everyone, all the old... oh, no one's going to do that.
No one can afford to do that, no. But I'd love to see, like, a framework over top of C and C++ that provided memory safety. That would be amazing. I'd pay for that, right? Like, a library that just, like, I collect your garbage and you don't have to think about it anymore, right? That would be beautiful. That would solve... that would do a lot for backwards compatibility if we started turning that on in my world.
Yeah, the remote code execution issues, a lot of that has to do with exceeding a buffer we've allocated, using a freed buffer before the pointer was gone. A lot of it has to do with this memory ownership and stuff that you're talking about.
Yeah, and sometimes mismanagement of objects as well. And so basically you make a... can I explain this? Is this... yeah? Great.
Okay. So we can overflow an integer, a string, a buffer. But basically, like, you declare a variable of some length, and let's say you're like, oh, my string is twenty. Cool.
If you put twenty-five in there, where do you think that extra five goes, right? And guess what, if you happen to do enough of it, you'll find the stack pointer. And guess what the stack pointer does. It tells you where the next instruction is.
And what if I tell it where the next instruction is and it's in my overflow? And what if I've added my own shellcode with instructions to do bad stuff, like open a web prompt? I would like a shell, please.
A shell would be nice. Thank you. And then you can execute code on the server remotely, which is the RCE, worst-in-the-world thing we do not want to have happen.
And this is because of memory safety, because it's not automatically checking the bounds for us, and because we ourselves have not done perfect input validation, which is a hard thing to get right. I was teaching it today, and literally we spent one hour and fifteen minutes just on input validation. And they had a trillion questions.
And a lot of them were like, yeah, but we don't need to do input validation if it's just internal, right? And I'm like, are you handling the employee paychecks? Do you want me to see your employee paychecks? Then you probably need to validate, I was like.
Yeah. Are you reading from the databases that somebody else could have gotten into? Level up.
Yeah, there is a lot there. My God, there's so much, and...
it's not good.
It's a negotiation, though, and it's about persuading, and it's about what the threat model looks like. Because if you're handling hundreds of millions of dollars a day, your threat model is very different than... I used to work at a place, and the entire job was to show videos to nurses and doctors that they had to watch each month so they could continue their certification. Like, did they see the video or did they not see it yet? Threat model: low.
You don't want people to mess it up and pollute it or whatever, or take it down, but at the same time, it's not going to make the front page...
of the news. Exactly, exactly.
We now know, everyone, we know that nurse 7725 has not been up to date. I mean, it's not great, but it's not the same as, yeah, social security numbers and all that.
Exactly, right.
Let's talk about your book. I think your book is really good. Yes. Now, to be clear, specifically Alice and Bob Learn Secure Coding, because I haven't read the other book, but if it's in the same style, it seems... I'm sure it's good. Tell us about the...
books. Thank you. So my new book is called Alice and Bob Learn Secure Coding, and I'm dyslexic, and I am about to get diagnosed with ADHD too, because why not.
They go well together.
And so when I read a textbook, I find it really hard. So I read a zillion books. Like, I love books. Sitting still is hard for me.
Reading a textbook, I find really, really hard. I want that knowledge to be in my brain very badly. But sitting my butt still for eight hours is really difficult.
And I found traditional textbooks really difficult. So I started because someone double-dog dared me when I worked at Microsoft. What else can I do?
Right? There's no out. They've done it.
I know, like, there is nothing I could do. You backed me into a corner. But I just kept blogging, and people kept telling me I should write a book, and publishers started reaching out to me, like, about my blog, very casual language. I use a lot of examples with Alice and Bob. Alice and Bob were used by mathematicians to explain cryptography to normal people.
So Alice wants to tell Bob a secret. How does Bob know that it was Alice? And so I just kept using them, because we all use them. And so basically, Wiley approached me and they're like, yeah, you can make the weirdest textbook in the whole world. And like, because Alice was going to date people, it's like, okay. And so my first book was about... it was for AppSec engineers and people that want to work in application security, because there was no book on how to do that.
So I wrote a book for past me. And so then when I thought about Alice and Bob Learn Secure Coding, I was like, I want to write a book for really past me, for when I was a software developer. And so it's like, what should I cover? And so I covered the ten top programming languages and the eight most popular frameworks, within reason. So like, some frameworks... it was hard to pick the frameworks, because I was like that...
I was wondering about that when I was reading it, like this.
Not so easy. It was hard. I asked a lot of my followers, and so you might disagree with me about the frameworks I chose. But really, like, Django was obviously going to be in there.
Flask, obviously going to be in there. But I was like, should I put pandas in here? Should I put... I put in jQuery. And my advice: don't use jQuery. But document...
ready was so good.
Come on. And so it was hard to choose. And then I wanted to cover, like, all the different agnostic programming advice, because to be clear, there is a lot of stuff, like input validation, that applies to every single language in the world and every framework. It just doesn't matter. And I don't care if some of them say they do some input validation for you.
It's not enough. Trust me. And so I wanted... so like, the first third of the book is just completely agnostic, and I've been giving secure coding training basically since before the first book.
And I just keep refining and refining and improving and improving it. And I was like, I have a lot to say on this subject now. And so then I asked all my followers, like, what do you want to see in the book? And they added up.
And like, they're like, oh, I want to see this topic. I want to see that topic. So it got even bigger. But at the end of the book, the last third is the system development lifecycle, all the security steps.
But from a developer's point of view, because when I was a dev, it was like, why am I being subjected to this? What's a threat model? I remember being in a meeting, and this woman was like, you want to do a penetration test on me? And then she turned red, red, and was like, I don't know if I should be in this meeting.
I know, I was like, your web app, your web app. She's like, you're just... there's a lot of words that are uncomfortable, and like, I'm so sorry. And so it's like, what to expect when the penetration test happens, or like, in a threat model, like, bring your awesome ideas of how you would hack your app, and like, this is maybe how much will be expected from you and why, and like, what all these tools are and what they do and how you might want to use them.
Because I feel like sometimes we just... I've heard a lot of security teams say to me, well, they should know. Why do you think, if they knew, they would have done that thing? No. Did you tell them explicitly? Oh, I felt it was implied. Dude, that's not good enough.
This portion of Talk Python to Me is brought to you by Bluehost. Got ideas but no idea how to build a website? Get Bluehost. With their AI design tool, you can quickly generate a high-quality, fast-loading WordPress site instantly. Once you know the look, just hit enter and your site goes live. It's really that simple. And it doesn't matter whether you're a hobbyist, entrepreneur or just starting your side hustle, Bluehost has you covered with built-in marketing and e-commerce tools to help you grow and scale your website for the long haul.
Since you listen to my show, you probably know Python, but sometimes it's better to focus on what you're creating rather than a custom-built website and add another month till you launch your idea. When you upgrade to Bluehost Cloud, you get a hundred percent uptime and twenty-four seven support to ensure your site stays online through heavy traffic. Bluehost really makes building your dream website easier than ever. So what's stopping you? You've already got the vision.
Make it real. Visit talkpython.fm/bluehost right now and get started today. And thank you to Bluehost for supporting the show.
Yeah, I totally agree with you, and there's a really, let me do a quick search. There's a really interesting fact, at least from the Python space. If you look at the latest survey from the PSF and JetBrains, how long have you been programming? There's a little one somewhere, yeah, how long have you been programming professionally? Thirty-three percent, less than a year.
And if you look at less than two years, that's fifty, so half of the people doing Python have just got started. They probably don't even get the little Bobby Tables jokes.
I know, but, you know, seriously, how would they be supposed to know? They're struggling to just figure out how does this compile, where do I get a virtual environment, why won't it import that? They're just, they're not at the place where they're polishing it and they're protecting it, and they haven't had the experience of, oh, I put it on the internet and it was hacked in eight seconds.
You know, that hurts, man. I, like, I remember. So the guy that became my mentor, he gave a talk for my dev team, because I ran the community of practice where I worked, shocker, me being an extrovert wanting to run a community of practice. And I invited him to come and talk. And he took one of our apps, and he's at the login screen and he's like, I'm going to break into your app without a password, and it's gonna take over a minute just because I'm talking. And then he just did a SQL injection and he just got in, and I'm like, no, no, no, no, no. And then he's like telling, then, of course, like, all the SQL code's going in my head and like, oh my God.
My name, what if my name was quote dash dash, no, quote, drop tables, dash dash. That's, that's an interesting
name, isn't it. We all have special names. But yeah, so, um, I forgot, when you asked about my book, part of why it is weird is I try to make it casual language that is really easy to understand, and I did.
Honestly, I didn't, I didn't put that together, but I had that experience reading it. So I think, you know, that, thank you.
And I tried to use, like, different ways of explaining the same thing, like with a story and then, like, the technical explanation, and then maybe, um, there is like a funny story from Alice and Bob, um, because Alice will not put up with unethical dates with pen testers, and Bob really worships this really cool guy, um, and like seeing how it applies to people's real lives, I felt like it hit home with a lot of people. Um, and so, yeah, I just, I feel like security can be really hard, and I was like, how can I make it a lot easier for people? So that was my goal with the book. Yeah, yeah.
Well, I think it's, I think it's really approachable. So I wanted to pull a few quotes out of it that I thought we could sort of riff on, that I think would be fun here. So you start out the book by talking about humans and how humans are implicitly trusting of each other in general, right? In general.
But, you know, that's why we have societies and groups rather than every time we see a person we either run away or, you know, like, that's just not how it works to be a person, right? And that trust is not necessarily appropriately transferred to computer systems and communication systems. And you gave some examples of implicit trust, and you also gave a warning or an important note. Maybe tell us about this.
So basically, when we started designing things, like, we didn't even have passwords at first. Like, I remember in college, my sister telling her friend, my sister's so crazy, she has a password on her computer. Like, who wants to log in to the stupid computer?
And she was right.
And so now we all have passwords on our computers, but we design our systems the way that our society operates, with implicit trust. Like, just imagine, like, someone comes to your door with a package and they ring the doorbell, you open it. But in the animal kingdom, which I have watched a lot of nature documentaries because I have small children at home, pandas, if they see another panda, it's going down.
They're gonna fight or make a new baby panda, or both. That's what happens in the animal kingdom. Um, and so, like, they have no trust. Some of them, like, try to kill each other after they try to make baby pandas, like, because they have no implicit trust. So you see them alone a lot.
And so when we started designing networks, one of the things we would do is, well, a lot of networks in this world today are still flat, which means one firewall around the outside, and that's it. So if you can get to anything in the network, you can get to everything in the network, and that is an implied trust. So then we came up with zoning, like, the data, the databases are all in one zone and there's a firewall around that.
And then we have, like, a public access zone, and then we have a demilitarized zone, because we think we're badasses. It's true, right. But what happened is, if you have a SQL injection, you've gotten behind the firewall and now every single database in the entire zone, you have hit the gold mine, right? That is bad.
Um, and then we came up with zero trust. The idea of everything is closed by default, and unless there's a business requirement, you don't open it, right? So, um, let's say you have, uh, a database and an API and it has a front end, and then you have a service account for those. So the service account only connects to those three things, oh, and it connects to the secret management tool to get your secrets. Because you store your secrets in a correct place.
You don't put those in source code and just check them into GitHub.
Please do not do that. I only do that when I'm trying to prove a point. But then the API checks that whoever is calling it is its front end and not someone else, right? And then it's authenticated and authorized to the database, and nothing else, no one else can call that API.
Why would you be calling it unless you're a malicious actor or you're a tester, right? So once the testing phase is over, we're in production, nothing else should be talking to it. So you only accept connections from there.
And if, if we do zero trust perfectly, it is amazing. But quite often we have partial implementations, because it's quite a lot of work to implement. And if you get it wrong, it can be painful. Yeah.
Yeah. What do you think about things like Thinkst Canary and those types of things, maybe? Yeah.
So he goes on Risky Business all the time, which is a podcast. They, like...
Patrick Gray and Alex. What's the guy's first name? It's not Alex. Is it Nick?
The guy that he chats with? I haven't listened to it in, like,
a year. Yeah, I'm sorry, last name Boileau, but the first name, I forget it. Anyway, they do a good show.
Yeah, so, yeah, go on, they're really good. It is a find, and they're so, like, catty, I love it. Like, they make fun of everything. Nothing is sacred and it's so fun. But basically, um, Thinkst Canary, the company that Haroon Meer works for, which is why I've heard so much about it, because he is on the show. They make, um, basically, like, these things that go on your network.
So for instance, it could be, like, a fake Word file. Um, it could be some sort of fake file somewhere on your network, and then you see if it gets stolen and shows up somewhere, because it calls home. And so, imagine, like, you have a data breach, and then you can see, because it phones home, or you search the internet all the time to look for that, and you see, oh crap, there it is. I actually was on Stack Overflow today, as a visitor, because I've been banned for life. That's a long story. I tried to ask, like, some real questions in one day, and they didn't like it.
I feel like they should still give you a warning, not a ban.
But okay, it's, I agree, right? Some of the way I answered they didn't like, like, don't suppress that result, you've got cross-site scripting, and here's how you fix your code. Well, you didn't answer his question. But anyway.
You know, that can be harsh. What would you say about the trust?
Yeah. But so basically, like, this guy was saying his website, he's getting scraped by all his competitors, rather than them typing out the information themselves. So he puts fake musical artists into his database, and then he goes to other companies and searches for those fake musical artists.
And then he sends them cease and desists. And so, like, the idea of a canary is that, like the canary in the coal mine, basically, someone steals it. And then, if it can, and I believe that some of them can call home, basically, if they use it somewhere, you can see it's yours and then you're like, oh, we are in trouble.
Yes, it's an early, early alarm, the canary in the coal mine, in the code.
I think that is a cool idea. But I think that if the canary calls out to you, you're already pretty screwed, right? I think that is cool, but it wouldn't be the first security measure.
I would do it, like, if I have an advanced program that's, like, good, and I want to be super creative. Yeah, yeah.
Sounds good, right? You say, if you only learn one single thing from your book, or I'll add this podcast.
So let's adapt it. I hope it's this: design every system with as little implied trust as possible. I highlighted that one.
Yes, it's true. We wanted, so in my first book, I'm like, trust no one, not even your mom, because my mom accidentally sent me a virus one day, and I opened it because it was from my mom. And so you can't even trust your mom, even if your mom's a brilliant mathematician-chemist, because she could still get a virus on her computer. Yeah, because they turned her
on to it. Yeah. She just got a, not even a sophisticated virus.
It turned out it was. But anyway, so, so don't trust anyone. So when you get input to your, to your API, wherever it comes from.
So that can mean getting stuff out of your database. So unless it's a static table that you know for sure is trusted, you should be checking the stuff from the database. So let's say someone's, like, filling out a form and then you save it to the database.
So you would want to validate those values, you save it to the database. So then let's say an API goes and gets some of that data to go do stuff with it. I would validate those values again.
And then they put it on a web page, and that has a JavaScript in brackets in it. Yes.
Then output encode before I put it out there. And I would have Content Security Policy headers and a bunch of other things, but I digress.
But if we could not trust anything that we get and always validate that that is what we are expecting. And if it's not, we reject it. So we don't try to fix it.
Is that what we're expecting? And so this can mean, like, so let's say it's a date of birth. Uh, so, first:
Is it a date? Is it in the past? Is it more than one hundred and fifty years in the past, because that's less likely? Is it in the format you're expecting? Those are some of the things that we could check.
And if any one of those things are wrong, reject and just say, hey, actually, we're expecting this. But let's say you need a person's name. So I work with someone named Lugo Meli. Well, he has a single quote in his last name, which is a special character.
If we are going to use a SQL database. So what am I expecting? I am expecting letters, lower and upper case, and I'm expecting a hyphen and/or a single quote.
All those are on my approved list, my allow list. So I check it against my allow list, not a block list, because a block list of bad characters, guess what's gonna happen? Then they go around you. I mean...
Use a Unicode escape sequence or some rendering thing.
Yes, there's always a way around it. And, like, I remember, when I learned that, how sad I was for all my past apps. And so you use an approved list of good stuff, and you accept the single quote, and you accept the hyphen, and then you sanitize or escape them. So sanitize means changing it for a different value. So you might want to change the hyphen to a pipe, and you might, probably not a pipe, maybe that's also a special character, but, like, let's say the caret, and then you change the single quote to the top symbol, and then those are not a problem, and then you pass that on. So you validate that's what you're expecting, and then you either sanitize them, or escape them, to just put, like, a backslash
in front of the special characters, or maybe HTML- or URL-encode them to that, like, percent some numbers, which is the quote. I don't remember whatever it resolves to.
Depends on what you want to do with that. So if you are going to take that and then put it into a parameterized query, maybe, maybe you want to escape it. Um, it's gonna escape it for you when it gets there. There's a lot of options, but single
quotes are tricky. All right, next section, this is the Python section. So you have, as you said, a bunch of different technologies, and they're quite up to date.
You've, you've got Node.js, you've got .NET Core, not the crusty, Windows-only .NET. You've got Python, Python, of course. So I think that's great. So let's talk about some of the what-to-dos. Maybe just pick a few off this list that jump out at you that you want to talk about.
Okay, so some of them are really obvious, like, please use Python 3. It's time to say goodbye to Python 2. I know that we can still love it in our hearts, but new apps need to be Python 3. Um, and updating our environment.
Often, this goes for every framework. One thing is, if you find a real security bug, reporting it to the security folks from Python, that is a valuable thing to do, whatever programming language or framework you're using.
And if you feel you found a real legit bug, you should report it. Because as a result, when they fix it, they're fixing it for thousands, thousands and thousands of devs. And you are a wonderful human.
So, to that, I wanna give a shout-out to the PSF and Python folks. They've made a lot of effort in putting more time and energy into the security of Python. Both Mike Fiedler got hired as the security person behind PyPI, the Python Package Index, and Seth Larson got hired for, more broadly, Python.
Hopefully that's right. But we now have two full-time people working on it, whereas before it was kind of, it was other people contributing their spare time.
Hopefully they could get to it, you know. So that's good. And you point out that there's a security@python.org email address for legitimate reports, not hassling busy people.
Yes, don't hassle them. Test and make sure it's repeatable. Like, these people are very busy. There are so many things. So one of the things was, so, like, because we are talking about user input, and we're taking, so the bottom of that page, we're taking user input as a string in your code, and we can use the Template class from the string module rather than other functions for string manipulation. So if we do that, it's safer. There's less string overloads, like, if we avoid using, for instance, f-strings and string.format for handling user input, because that can be manipulated by the user. So it sounds weird, but, like, using the Template class from the string module can't be manipulated as easily. And yeah, I know, I did do a lot of research for this.
Yeah, they just added a new type to the Python type system called LiteralString, which works for things that are not meant to accept user input. If you had a LiteralString that was a query, and you combine it with stuff that came from a regular string, like a user input, it'll fail the type system. Basically, it still runs at Python runtime, but at least you would check it with a mypy-type checker.
That's very cool. Yeah, yeah, yeah. It's really, there's
not too many tools that support it, but the static type checkers do. Another one I think that's worth calling out here is you talked about be sure you pin your dependencies. Yes.
Um, I like looking through all of the notes you have on pinning it. So, so I got into, like, a lot of arguments with my technical editors about this one. So you want to pin dependencies, like, as you're going through all the different environments, and not allow it to update when you get to prod, because otherwise you're all testing different versions, right? So you want to make sure you're using the same one across the board that you test, because otherwise your tests aren't accurate, right?
Yeah, it might be the same, or it could be an important library got an update between when you checked it and when it got to a Docker container. Different.
But the other thing is, is that you don't want it to be permanently like that forever. And so, like, when you, so that sounds weird. So you pin it there, but then I can't remember where it is.
I think, I think the big distinction is, are you building an application, are you building a library people are building applications with? Because your application should pick its versions, but if you pick them concretely for the library, you're forcing potentially old vulnerable versions on the people, right? There's this tension of, of what role am I playing, which I think is tricky.
Yes. So ideally, like, if you're, like, about to go to prod with something, you don't want it changing in different environments, that could be really bad. But yeah, like you said, pinning the version.
Well, I'm just, like, reading it on the screen. I remember, like, I was installing, I was doing, like, a proof of concept with this company.
And in order to install it, it wanted me to downgrade a bunch of npm dependencies. And then it showed me that there are huge vulnerabilities in those dependencies that they had asked me to use. And I was like, well, like, deal breaker, buddy, right? And so, ah, when you are creating, like, a product for someone, if they can see that in how it's compiled, like, that's a deal breaker for a lot of customers. Customers are very savvy regarding security right now. And I love it.
Yeah, it's really good. And even putting security aside, you can end up, if you have two libraries, they both use a sub-library dependency and they have different pinned versions, or one's less than or greater than, or less than or equal to, greater than or equal to, and there's no intersection of those numbers. You just, well.
I guess we just can't use these, because it'll say, I can't give you both greater than two and less than two at the same time, right? It's a hassle. But the security bit is so important, obviously. Let's see. Yeah, so, uh, Bandit. Bandit, an interesting, uh, interesting tool.
Bandit is a free static analysis tool that specifically is made for Python. And so, some of them, so for instance, if you're using Ruby, there's Brakeman, and it's made just for Ruby, and that's it. So it's awesome because it only cares about your language. Because it's free and open source, there is not a giant security team behind it supporting it, but if you have never used a static analysis tool, it's an excellent place to start.
It's recommended over and over and over again. When I, when I teach secure coding, and this, I have, like, this list of free Python resources. People love that. People make a lot of tools for it because they love it.
And really popular. It has a
cool logo. It is very cute. It is very cute. I like how they call it. They call it a security linter. I would say it's a bit more like static analysis, because, like, it definitely is trying to find, like, sources and sinks and, like, doing flow analysis. I don't know that it does symbolic execution, like, I haven't seen, like, under the hood. So, like, when you buy, like, a SAST tool, there's, like, first generation and second generation and, like, different ways that they work. And I would, I'd love to know more under the hood of how it works.
Yeah, yeah. It looks really, it looks cool. You know, it'll find common things like pickle issues or parsing, that might be, you know, all the different things that you're still allowed to do, but people decided, not great choices, but we'll leave it there so we don't break things that are doing that, but don't do it. And kind of like the, the pointer-safe string copies in C++, don't copy like you used to, like...
Yeah, and I feel too that, like, so it's called a security linter rather than static analysis. I feel like it also focuses on code quality and not just security. And that's helpful too.
Because if you have higher quality code, it's just gonna be more secure. It's gonna be easier to maintain, easier to debug. So if there is a problem, you can address it faster. You have less technical debt if you have higher quality code. So that's a win as well.
Absolutely. All right. Let's talk about SQL, relational databases, these kinds of things a little bit.
I think there
is, you know, the majority of people out there have an app that talks to a database that's relational, usually running on its own. And when things go bad, usually the data that came out of that makes the news.
Not always, but usually.
Yeah. But it can be, so.
So a SQL server is a server, right? So it is a server, you need to patch it. You need to keep it up to date.
You need to harden it. It comes with a hardening guide. You should do all the steps in the hardening guide.
You should make sure that every single person you work with cannot access it, right? Like, it seems really obvious, but you would be surprised. Um, so, like, basic server hygiene applies to them. On top of that, then the SQL software.
The SQL server software itself, it can be hardened as well, and that might sound odd, but, like, it has updates that it needs. Um, so you, you want to make sure that, you want to make sure that you've locked it down the way that you think that you should.
And then it, it can run as different users as well, right? It's easy to, it's easier if it just runs as root, but it would be better if it, in case somebody gets to it and breaks in through it, right? You don't want them to use that as lateral movement. First they got into the server and then they went over to, you know, who knows where?
We also want to make sure, ideally, that people are not accessing it with database owner unless they are the database's owner, right? Like, ideally, DBO users are used rarely. Um, like, let's say you're using MS SQL Server, yeah, that has database owner privileges. I get it, because you're a database administrator, but if your app or your API is accessing the database, we want to use a least privilege approach.
So if you're just doing select statements, just do a read-only user. If you do CRUD, uh, create, read, update, delete, then you should use a read-write user. But DBO is almost never actually needed, if we think about it. And so if you don't have that, less can happen.
That is bad. Access to every table or just
these ten tables. Exactly. Another thing is, like, classifying the data that's in each table as sensitive or not sensitive, and maybe you work for the government, so maybe it's unclassified or secret or top secret or whatever your organization uses. But if you could classify those things and then label them, boom. A lot of databases now have labels for sensitivity, which is awesome. But if not, just add an actual field, if not, just, like, add a field called sensitivity, and then it's just, like, public or unclassified or super secret, don't show people. And when, when you do that, it makes life so much better if there is a security incident, because I know if I need to freak out a little, or if I need to freak out a lot, and if it's not labeled, I have to assume the absolute worst when I respond until I know it's a lower threat, and that really sucks.
Yeah, yeah, for sure. Another thing that you called out in this section is make sure that logging is turned on, and you need to do this before something goes bad, because it's the logs that tell you what happened.
Yes.
I think not just for databases, but across the board, logging.
I have a whole giant section in the book about what to log, what not to log, when to log, like, exactly what I would love to have logged in the log, how to protect your logs. I had a customer, and there were, like, twenty of their customers, their credit cards got nicked, and Visa called us, and they want us to prove that it wasn't us. And I'm like, great, let's go get the logs. They're like, we kind of deleted those.
You know, it's hard to back up.
I said, what? And they're like, well, we just switched to a new server four months ago, and so we just deleted the old server. So, like, and we just did that. So, like, for four months we have no records, and I, um, and so luckily, it turned out there was a shop in the same building, and they had an employee who skimmed the cards.
And so, this is like, we figured that out and we're like, great, and like, we're all being fired, because they just, you know. But if your ability to use it, and your main way of making money is charging money over the internet, like, you've just reduced your ability to do the main purpose of capitalism. Yeah, like, you do not wanna tick off Visa or Mastercard. Don't do it.
That's definitely, definitely, definitely unnerving. Let's see, some more advice you've got: using ORMs, if you can, because they're not immune, but they have a lot of automatic guards, since you're not writing the raw SQL.
So it's harder to hit that stuff. And they will also do a lot of the code for you, depending upon the one that you use. Like, I've used Entity Framework with .NET. It's like, I'm going to write your gets and sets and do this and that for you. Oh God.
Sweet. Thanks, buddy. And even your migrations.
And it's pretty nice.
I'm fine. I'm a believer. I know some people say, no, it's a little bit slow, whatever. Like, yeah, I like to get stuff done and sleep at night. So another one I think is really worth pointing out, most important for databases, but also just generally a good idea: have an extensive and well-thought-out backup plan, and try to back up something at least once, and try to restore something at least once.
Yes, I worked somewhere and we had a computer problem, and they lost everyone's work in our entire two-thousand-person department for, for the whole week. So for, like, the three days I was there, and they had lost all of our work.
Everyone's work was not saved, all of it was gone, and we go to the backup guys and we're like, okay, do your thing, and they're like, oh, well, it'll take at least a month and we've never really tried that before and we don't think it will really work, and so you guys should just redo it. And my boss was like, oh, I guess we have to redo it. I was like, well, can I hire two new software developers? And he's like, why? I'm like, because those guys are obviously fired.
Great. And then I can just, like, hire two new devs. It'll be great.
And he's like, Tanya, go back to your room. I'm like, we don't need them or their job. They just proved that their job is completely worthless.
So let's just get rid of them. And he's like, stop talking. Go away.
I am frustrated.
But that's not constructive.
I'd fire them. They were going to fire me because I just kept saying that.
Yeah, the one thing that comes to my mind now is, you know, back in the day, we had Subversion and CVS and SourceSafe and all those things. Something went wrong with one and, you know, there might be a hundred copies of it. It's, it's less bad from a software person's perspective.
Three times I have worked somewhere where they lost their code repository. Yeah, one of the times I started and, uh, one of the employees was junior and he had just deleted it by accident, and I managed to go to each person's computer and recover a ton of the code and, and put it all back together. Ah, another time someone just deleted it, and I feel it was malicious. And then another time, basically, we didn't want to wait for Shared Services.
So the Canadian government decided we would make a department that was the IT department for the whole government, and they just wouldn't give us a server.
So we just took a server from another room and repurposed it, decided that was our code repository server. And so I set up a whole network. I set up Active Directory and all of this, I installed Team Foundation Server.
I did all the stuff, I set it up for them, and I was like, listen, I did this, but you need to back it up every night. And he promised me he would. And then, months later, it crashed.
And he's like, are you going to make it go again? And it was a RAID server and it, unluckily, deleted everything. Yeah. And so I was like, well, get your
backup. And he had
not backed it up a single time in five months, and we lost eleven contractors' work for, like, months, like five months. I was like, I am so angry. And he's like, could you spend this weekend making it work? And I'm like, no, I'm so angry at you. And he's like, but I don't know how. I'm like, that's tough for you.
You're gonna learn, learn the hard way. Yeah, so we're pretty much out of time, but I do wanna maybe just point out that there is a whole section on Flask, which is super awesome, and you talk a lot about different extensions that you can use, like Flask secrets for secret management or, uh, Flask-WTF for CSRF protection and things like that. So there's, there's a bunch of stuff in there. People wanna check that out, but I think we might need to call it for time. Good stuff.
If you want to learn more, besides, obviously, purchasing all of my books, I have an online academy at academy.semgrep.dev. I don't know if you want me to spell it, because that's, like... And it's, there, there
Oh, it's, like, it's through
my full-time job. So I train on the side and I do stuff for them full time. But I put it in our private chat, and basically, um, I have a free secure coding course in there. It's a few years old, like, the book is all brand new stuff, but it covers, like, that.
You know, how to do input validation, how to do output encoding, how, how to make sure that you are using parameterized queries, how to configure every single security header, and it's just free. And I did that because I need us to do better. Really. Yeah.
Thank you. That's awesome.
Thank you.
Yeah, it's been a, a really fun conversation, and I feel like we could probably talk for another two hours. But I
know. Well, maybe in another year or two I'll come back, if you'll have me.
Yeah, yeah, that would be amazing. Well, let's leave it with a final call to action. People, you have their attention.
They thought, well, maybe I should validate that, or, or learn more, do more. What do you tell them
before we wrap up? I want you to go look at whatever framework that you are using and see what their security features are, and start using them in your code. So if you're using Flask, there's a whole bunch of super awesome things in Flask. Please use them. Your life will be better.
Yeah, absolutely. Well, thank you for sharing all your experience and the stories. It's been a lot of fun.
Thank you so much for having me, Michael.
This has been another episode of Talk Python to Me. Thank you to our sponsors. Be sure to check out what they're offering. It really helps support the show.
This episode is sponsored by Posit Connect from the makers of Shiny. Publish, share and deploy all of your data projects that you're creating using Python. Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto reports, dashboards and APIs. Posit Connect supports all of them. Try Posit Connect for free by going to talkpython.fm/posit, P-O-S-I-T.
And this episode is brought to you by Bluehost. Do you need a website? Get Bluehost.
Their AI builds your WordPress site in minutes, and their built-in tools optimize your growth. Don't wait, visit talkpython.fm/bluehost to get started. Want to level up your Python?
We have one of the largest catalogs of Python video courses over at Talk Python. Our content ranges from true beginners to deeply advanced topics like memory and async. And best of all, there's not a subscription in sight. Check it out for yourself at training.talkpython.fm.
Be sure to subscribe to the show. Open your favorite podcast app and search for Python. We should be right at the top. You can also find the iTunes feed at /itunes, the Google Play feed at /play, and the direct RSS feed at /rss on talkpython.fm.
We're live streaming most of our recordings these days. If you want to be part of the show and have your comments featured on the air, be sure to subscribe to our YouTube channel at talkpython.fm/youtube. This is your host, Michael Kennedy. Thanks so much for listening. I really appreciate it. Now get out there and write some Python code.