Unsafe at Any Speed (PyCon UK, 26th October 2017)

by Rae Knowler

Published October 26, 2017 in Programming

The default settings of some libraries and tools are so useless, or even dangerous, that they should never be used. While they give the impression of being easy to use or performant, they actually represent traps for the unwary user. I look at some examples, consider the reasons why these bad defaults might have arisen, and offer some guidelines for setting up projects with good defaults.

Presented at PyCon UK 2017: http://2017.pyconuk.org/sessions/keynotes/unsafe-at-any-speed/

Links and resources:

CKAN: https://github.com/ckan/ckan/pull/2164

MongoDB security: https://blog.shodan.io/its-the-data-stupid/, https://www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data

Elasticsearch: http://bouk.co/blog/elasticsearch-rce/

PEP 476: http://legacy.python.org/dev/peps/pep-0476/

Tom Eastman's Serialization talk: http://s3.eastman.net.nz/serialization/, https://www.youtube.com/watch?v=kjZHjvrAS74
Update! PyYAML seems to be safe by default as of 26th August 2017: https://github.com/yaml/pyyaml/issues/5

MongoDB durability: https://docs.mongodb.com/manual/release-notes/2.6-compatibility/#write-method-acknowledgements

Li and Evans, Insecure by Default?: https://www.cs.virginia.edu/~evans/pubs/webframeworks2016/insecurebydefault.pdf

The Zen of Python: https://www.python.org/dev/peps/pep-0020/