SCPy - Writing Secure Code in Python
Learn how to write secure code in Python3 and its most common web frameworks - Django and Flask
Python is a general-purpose programming language that empowers developers to use several different programming styles as per their preference, style, or proficiency. As one of the more easy-to-learn and -use languages, Python is ideal for beginners and experienced coders alike. It has been holding the second place among the most used and demanded programming languages since 2019.
Python comes with an extensive library set available on the 'marketplaces' that developers can simply use to increase their productivity and speed up the delivery of software. Along with everything else, there have been multiple frameworks and libraries developed in Python to support the development of web applications. The list itself is extensive but in this course, we will focus on Django and Flask.
During this course, we will look at how vulnerabilities get introduced into Python projects. We will cover the most common vulnerabilities applicable in (all) other languages but also Python-specific ones in web solutions built with Django and Flask.
An example of vulnerable code from our hands-on labs of this trainings. Did you spot the 'bad code', yet?
Email us if you figured out the bypass for bonus points!
Prerequisites
Knowledge of Python3
Knowledge of MVC design patterns
Familiar with Python framework - Django, Flask
Familiar with most common frontend technologies and languages HTML, CSS and JavaScript
Interest in security
Target audience
Security Engineers
Security Champions
DevOps
Developers
Tools used
Any IDE
Docker (docker-compose)
Burp Suite Community edition
Coffee or Tea ☕️
Syllabus
| Module | Topic | Details |
|---|---|---|
The hacking mindset | ||
Think like a hacker, act like a hacker, to understand the hacker | ||
Secure coding introduction | ||
Secure coding principles | ||
From SDLC to SSDLC | ||
OWASP Top 10 2021 | ||
OWASP ASVS and security requirements | ||
CVSS: how to rate vulnerabilities | ||
Security features | Django Security | |
Flask Security | ||
Python security | ||
Server side Vulnerabilities | ||
Injection vulnerabilities | We will look at the class of injection vulnerablities such as SQL Injection, Command injections and more | |
LAB: SQL Injection in Django | ||
LAB: SQL Injection in Flask | ||
LAB: Command and Code Injection | ||
LAB: Deserialization in python libraries | ||
LAB: Server Side Template Injection in Flask | ||
LAB: XML External Entities | ||
LAB: Server Side Request Forgery | ||
Race condition | ||
Client side vulnerabilities | ||
Client side web vulnerabilities | We will look at the most common vulnerabilities that affect victims through their web browsers | |
LAB: XSS (Cross Side Scripting) | DOM, Stored and Reflected | |
LAB: Client side Open Redirect |
| |
LAB: CSRF (Cross Site Request Forgery) | ||
LAB: CSTI (Client Side Template Injection) | ||
AuthNZ vulnerabilities and attacks | ||
Authentication and Authorization principle s in web security | ||
LAB: IDOR (Insecure Direct Object Reference) | ||
LAB: Path traversal in Flask | ||
LAB: JWT attacks | Secret bruteforce, | |
LAB: Attacking wrong OAuth2 implementations | ||
Vulnerable and Outdated Dependencies | ||
Dependency graphs | ||
The importance of SCA (Static Component Analysis) | ||
LAB: Detecting known vulnerabilities using Snyk | ||
Integrate SCA in the CI/CD pipeline | ||
Scanning your code using Semgrep | ||
Semgrep basics | ||
LAB: Semgrep for Flask | ||
LAB: Semgrep for Django | ||
Semgrep automation |
Trainers
Why should you attend this course?
This course will teach you the inside out of exploiting and securing Python applications via real-life examples, targeting different frameworks and techniques. If you are a Python developer this is the course for you.
Last updated
