SCPy - Writing Secure Code in Python

Learn how to write secure code in Python3 and its most common web frameworks - Django and Flask
Python is a general-purpose programming language that lets developers work in several different programming styles, according to their preference and proficiency. As one of the easier languages to learn and use, Python suits beginners and experienced coders alike. It has held second place among the most used and most demanded programming languages since 2019.
Python comes with an extensive set of libraries, available from public package repositories, that developers can simply pull in to increase their productivity and speed up software delivery. Among them are multiple frameworks and libraries for building web applications. The list is long, but in this course we will focus on Django and Flask.
During this course we will look at how vulnerabilities get introduced into Python projects. We will cover the most common vulnerabilities that apply to every language, as well as Python-specific ones in web solutions built with Django and Flask.
An example of vulnerable code from the hands-on labs of this training. Did you spot the 'bad code' yet?
from flask import Flask, request, render_template, redirect

app = Flask(__name__)

def block_list(url):
    # Deny-list of substrings meant to catch external or encoded targets
    block_list = [".", "//", "%2e"]
    for b in block_list:
        if url.find(b) != -1:
            return True
    return False

@app.route("/go-to", methods=['GET'])
def redirector():
    # The redirect target is taken straight from the query string
    go_to_page = request.args.get('u')
    if block_list(go_to_page):
        return render_template("index.html", content="Woops! No way.")
    return redirect(go_to_page, 302)
Email us if you figured out the bypass for bonus points!
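The allow-list approach a defender would reach for instead of the substring blocklist above, added here as an example that is not part of the course material: only site-local, path-absolute targets are accepted and everything else falls back to a default. The function name, the default target and the sample inputs are assumptions; it uses only the standard library, so it runs outside Flask.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/"  # assumed fallback: land on the site root instead of following bad input


def safe_redirect_target(candidate, default=DEFAULT_TARGET):
    """Allow-list validation for a user-supplied redirect target.

    Only site-local, path-absolute targets ("/path?query#fragment") are
    accepted; anything a browser could resolve to another origin, or that
    cannot be reasoned about safely, is replaced by `default`.
    """
    if not candidate:
        return default
    parts = urlsplit(candidate)
    # Anything with a scheme ("https:", "javascript:") or an authority
    # ("//host") can leave the site: reject it.
    if parts.scheme or parts.netloc:
        return default
    # Require exactly one leading slash. Checking the raw string (not
    # parts.path) matters: urlsplit swallows the empty authority in "///host",
    # while a browser resolves that to http://host/.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Browsers treat "\" like "/"; whitespace and control characters make the
    # target ambiguous. Refuse all of them rather than trying to normalise.
    if "\\" in candidate or any(c.isspace() or ord(c) < 0x20 for c in candidate):
        return default
    # Legitimate paths containing dots (e.g. "/docs/readme.html") pass, which
    # the substring blocklist in the lab code would have rejected.
    return candidate


# Illustrative use in the lab's Flask view (not executed here):
#     return redirect(safe_redirect_target(request.args.get("u")), 302)
```

Django ships an equivalent check, django.utils.http.url_has_allowed_host_and_scheme(), which its built-in LoginView applies to the ?next= parameter; prefer the framework helper where one exists.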


Prerequisites

  • Knowledge of Python3
  • Knowledge of MVC design patterns
  • Familiarity with the Python web frameworks Django and Flask
  • Familiarity with the most common frontend technologies and languages: HTML, CSS and JavaScript
  • Interest in security

Target audience

  • Security Engineers
  • Security Champions
  • DevOps
  • Developers

Tools used

  • Any IDE
  • Docker (docker-compose)
  • Burp Suite Community edition
  • Coffee or Tea ☕️


The hacking mindset

Think like a hacker, act like a hacker, to understand the hacker.

Secure coding introduction

  • Secure coding principles
  • OWASP Top 10 2021
  • OWASP ASVS and security requirements
  • CVSS: how to rate vulnerabilities

Security features

  • Django security
  • Flask security
  • Python security

Server side vulnerabilities

Injection vulnerabilities: we will look at the class of injection vulnerabilities such as SQL injection, command injection and more.

  • LAB: SQL Injection in Django
  • LAB: SQL Injection in Flask
  • LAB: Command and Code Injection
  • LAB: Deserialization in Python libraries
  • LAB: Server Side Template Injection in Flask
  • LAB: XML External Entities
  • LAB: Server Side Request Forgery
  • Race conditions

Client side vulnerabilities

We will look at the most common web vulnerabilities that affect victims through their web browsers.

  • LAB: XSS (Cross Site Scripting): DOM-based, stored and reflected
  • LAB: Client side Open Redirect
  • LAB: CSRF (Cross Site Request Forgery)
  • LAB: CSTI (Client Side Template Injection)

AuthNZ vulnerabilities and attacks

Authentication and authorization principles in web security.

  • LAB: IDOR (Insecure Direct Object Reference)
  • LAB: Path traversal in Flask
  • LAB: JWT attacks: secret brute force, "none" algorithm attacks
  • LAB: Attacking wrong OAuth2 implementations

Vulnerable and outdated dependencies

  • Dependency graphs
  • The importance of SCA (Software Composition Analysis)
  • LAB: Detecting known vulnerabilities using Snyk
  • Integrating SCA into the CI/CD pipeline

Scanning your code using Semgrep

  • Semgrep basics
  • LAB: Semgrep for Flask
  • LAB: Semgrep for Django
  • Semgrep automation


Why should you attend this course?

This course will teach you the ins and outs of exploiting and securing Python applications through real-life examples, targeting different frameworks and techniques. If you are a Python developer, this is the course for you.

More info? Contact us at [email protected]