Securing Python Web Applications

Transcript

1. Securing Python Web Applications Dmytro Khmelenko January 25, 2025

2. Who I Am • Writing code since 2010 • Backend

   developer since 2019 • Currently at Preply • Author of the book “Unlock the Code” • Building becomingbetterdeveloper.com

3. Why Security The average costs of security breaches in 2024

   was USD 4.88M https://www.ibm.com/reports/data-breach

4. Meet Ben - Backend Developer - Works for mid size

   company - Builds web applications

5. Basic Rules During Development

6. SQL Injections

7. SQL Injections - Parameterized Query

8. SQL Injections - Django Models

9. Weak Authentication & Authorization Threat - Poor password management -

   Improper session handling - Failed roles separation Solution - Use libraries like bcrypt for password hashing - Utilize existing solutions for access rights managements

10. Exposing Sensitive Data Threat - Leaking configurations & API keys

    - Leaking personal identifiable information Solution - Disable debug mode in production - Exclude configuration files in .gitignore

11. Exposing Personal Identifiable Information (PII) • Field Encryption • Data

    Masking • Data Redaction in APIs • Access Control

12. Exposing PII - Field Encryption

13. Exposing PII - Data Masking

14. Encryption Everywhere • Always use HTTPS • Use the library

    cryptography for robust encryption

15. Check dependencies • Dependabot for security updates • Apply pip-audit

    for checking known vulnerabilities • Lock dependency version with pip-tools • Regularly update outdated dependencies with pip list --outdated

16. Next Steps to Scale Up Security

17. Too Many Requests From The Same User

18. Throttling • Protect critical endpoints with throttling mechanism

19. Managing Secrets

20. None
21. None

22. Secrets Management • Avoid hardcoding passwords and API keys in

    code • Use Vault from HashiCorp or Secrets Manager from AWS

23. Secrets Management - AWS

24. Error Handling • Don’t expose stacktrace to users • Configure

    custom error pages • Log all possible errors

25. Security Edge Cases

26. Managing Stateful Systems

27. State Management

28. State Management

29. State Management Best Practices • Use immutable objects • Track

    object changes • Validate object before operating

30. How to keep track of ALL of that?

31. Open Web Application Security Project - OWASP • Track of

    top security risks • Tools for improving security • Guidelines and standards for secure coding • Community, resources and trainings https://owasp.org

32. “There is no silver bullet solution with cyber security; a

    layered defense is the only viable defence” – James Scott

33. Securing Python Web Applications dmytro-khmelenko @dkhmelenko