#485: Secure coding for Python with SheHacksPurple Transcript
00:00 What do developers need to know about AppSec and building secure software?
00:03 We have Tanya Janka, aka SheHacksPurple, on the show to tell us all about it.
00:09 We talk about what developers should expect from threat modeling sessions,
00:13 as well as concrete tips for securing your apps and services.
00:17 This is Talk Python to Me, recorded November 15th, 2024.
00:21 Are you ready for your host, Tanya?
00:24 You're listening to Michael Kennedy on Talk Python to Me.
00:28 Live from Portland, Oregon, and this segment was made with Python.
00:31 Welcome to Talk Python to Me, a weekly podcast on Python.
00:37 This is your host, Michael Kennedy.
00:40 Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython,
00:45 both accounts over at fosstodon.org, and keep up with the show and listen to over nine years
00:51 of episodes at talkpython.fm.
00:53 If you want to be part of our live episodes, you can find the live streams over on YouTube.
00:57 Subscribe to our YouTube channel over at talkpython.fm/youtube and get notified about upcoming shows.
01:04 This episode is sponsored by PositConnect from the makers of Shiny.
01:08 Publish, share, and deploy all of your data projects that you're creating using Python.
01:13 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.
01:19 PositConnect supports all of them.
01:22 Try PositConnect for free by going to talkpython.fm/Posit.
01:27 P-O-S-I-T.
01:28 And this episode is brought to you by Bluehost.
01:30 Do you need a website fast?
01:32 Get Bluehost.
01:33 Their AI builds your WordPress site in minutes, and their built-in tools optimize your growth.
01:38 Don't wait.
01:39 Visit talkpython.fm/Bluehost to get started.
01:43 Tanya, welcome to Talk Python.
01:46 I mean, it's awesome to have you here.
01:47 Oh my gosh, I'm so excited to be here.
01:49 Thank you for having me, Michael.
01:50 Yeah, you're very welcome.
01:52 And I'm super excited.
01:55 You know, in a good and bad way, excited to have you here because I'm very excited to talk to you.
02:00 But some of the stuff that we're going to talk about might be a little unnerving for people out there listening.
02:04 They may pause the show and then run off to make some changes to what they're doing and then come back.
02:10 And then that part might be a little exciting in a different way.
02:13 Yes, it will.
02:16 Have you ever had that experience where you're giving a presentation or something and somebody goes gasp in the audience and maybe runs away or something?
02:24 I was doing a capture the flag contest once and I was showing people how to do an SQL injection.
02:30 And then we just like logged in without a password.
02:32 And this woman was like, oh my gosh.
02:35 And she literally just she stood up.
02:38 She's like, I have to go.
02:39 And she told me the next day she fixed three of them at work.
02:43 And she just stayed all night.
02:45 Oh, amazing.
02:46 You made a huge impression.
02:48 It was pretty cool.
02:50 Yeah, that's pretty awesome.
02:52 I've never had that around security, but I was doing an in-person class once for database things, which we're going to touch on databases for sure.
02:59 And this had to do with transactions.
03:00 And I said, if you do things this way, it doesn't actually use a transaction unless, oh, yes, it does.
03:07 And I showed that it did.
03:08 And somebody said, I'll be back later.
03:10 And they just took off.
03:11 Oh my gosh, this is not good.
03:13 We have to fix this now.
03:15 So, yeah, hopefully no one actually has to do that here.
03:18 But I'm sure there's a ton for people to learn.
03:21 Speaking of learning, let's start with a little bit about you.
03:25 You have a domain, shehackspurple.ca.
03:29 That tells us several things about you, I believe.
03:31 Purple is interesting.
03:33 Hacks is interesting.
03:36 And Canada.
03:36 Tell us about yourself.
03:38 So I was a software developer for a really long time.
03:42 And then I switched to security.
03:45 And when I was a software developer, I used to also play music in bars and music festivals as sort of my hobby.
03:51 But I released albums and did all of that.
03:54 So that's why I'm quite the public speaker, because I've been on stage my whole life.
03:58 And so I switched to security.
04:01 And I became a pen tester, which is Red Team.
04:04 And that's where you attack things.
04:06 And it's a fence of security.
04:08 And I don't mean we swear at people.
04:09 But then...
04:12 It's the other way around, I believe.
04:14 This is the direction the swearing probably goes.
04:16 Right?
04:16 But then as I was doing pen testing, I kept sitting with the devs.
04:22 And I would pair a program with them.
04:23 And I would help them fix things.
04:25 And I'm like, well, if we threat model this...
04:26 And I kept doing AppSec, essentially.
04:28 And people are like, you keep doing blue team.
04:31 You keep doing defenses.
04:32 It's like you can't make up your mind.
04:34 And eventually one of them is like, you're a purple team.
04:37 And so I was at a conference in Europe.
04:39 And on stage during the conference, this woman, she kept playing with her phone on a panel, ignoring the audience.
04:47 And I was super shocked.
04:48 And finally, she's like, I'm really sorry.
04:50 But her company had created WannaCry by accident.
04:54 Yeah.
04:55 And it had just broken out.
04:56 And she's like, so there's this virus.
04:59 And it just hit the NHS and took down the hospitals and this and that.
05:04 And oh, my gosh.
05:06 And so everyone ran out of the room freaking out.
05:08 And they all went to check Twitter.
05:10 Because that's where everyone was talking.
05:11 And so people are like, you have to make a Twitter account.
05:14 And so I was like, oh, what will I call myself?
05:16 And I was like, she acts computers.
05:18 And then it was too long.
05:20 Because that was my email address.
05:21 She acts computers at gmail.com.
05:23 That used to be my email.
05:24 But then basically, that was too long.
05:28 So I was like, I don't know.
05:29 And someone's like, well, you know, you have that purple team thing going.
05:32 So I was like, well, it's not like anyone will ever follow me.
05:35 So I changed it into She Hacks Purple.
05:37 And then it turns out that I really, so then I put some purple in my hair to tease my friend
05:43 Kevin.
05:43 And it went all from there.
05:46 Like, yeah.
05:49 I own a lot of purple now.
05:50 That's amazing.
05:50 Yeah.
05:51 It's now part of the vibe, right?
05:53 That's awesome.
05:54 That's a really cool story.
05:55 So you said you've been a programmer for a while and then got into app security and pen
06:01 testing.
06:01 How did you get into all that?
06:02 It was totally an accident.
06:05 So like I said, I was in a band.
06:07 And so we had this pen tester in our office and he was in a band.
06:10 And so we obviously became friends.
06:13 And one day I came to his desk and I was like, hey, my band wrote this song called Mandatory
06:17 Dance Party.
06:18 And we want to make this mobile app where if you're near someone else that has the app,
06:21 it goes beep, beep, beep.
06:23 Mandatory Dance Party.
06:24 And then you both have to dance or else.
06:26 And then whoever jiggles their phone the most wins.
06:29 I'm like, did you want to make this app with me?
06:30 He's like, there's nothing I want to do more.
06:33 And so our friendship began.
06:35 And then for a year and a half, he just nagged me to become a pen tester.
06:39 He's like, you'd be so good.
06:40 You'd be really good at it.
06:42 You've been doing you've been a dev for like 17 years.
06:45 It's time for something new.
06:46 And I was like, no, I am the king of software.
06:49 This is the best.
06:50 I make something out of nothing all day.
06:53 It'll never be cooler than this.
06:55 But then it turned out it was pretty cool.
06:57 And you still get to write code sometimes.
07:00 And then eventually I figured out I was not meant to be a pen tester.
07:03 I was meant to do app sec.
07:04 So I still get to hang out with devs all day.
07:06 I'm not alone freezing cold in a data center at night.
07:10 And I get to it's like more like a social butterfly type of job where a pen tester is more like
07:16 the lone wolf type of job.
07:17 Yeah.
07:17 Yeah.
07:18 You're working on the disassembly, looking for, you know, fuzzing something, looking for a crash.
07:23 Yeah.
07:24 So you still get to break stuff in app sec sometimes, but like, that's not all you do.
07:29 You do a lot of conversations, a lot of brainstorming, and that's better for my extroverted personality.
07:35 Yeah.
07:37 That's awesome.
07:37 You have a newsletter.
07:38 People can visit your website and sign up and I'll put links to all those sorts of things
07:42 in the show notes for you.
07:45 So yeah, a couple of things I wanted to talk about.
07:49 First of all, I've seen you given presentations about threat modeling and tell us what is threat
07:55 modeling and what are some of the takeaways?
07:57 Obviously our audience here is largely Python developers, data scientists, and a ginormous assorted
08:05 other that sort of orbits around those spaces.
08:08 So they'd probably be pretty interested on the developer data scientist side of threat modeling.
08:13 What is it and what's it like for devs?
08:16 So threat modeling is sort of like evil brainstorming.
08:22 So you get a security person like me in the room, you get a dev or one of the technical leads
08:28 for your system, and then you get the product owner.
08:30 So the person that understands the business of this app and like why it exists in the world.
08:35 And at least those three people.
08:37 If more people come, it's better, but that's fine.
08:40 And then you talk about what could go wrong and what are you going to do about it?
08:45 I have this friend named Adam Shostak who's written a bunch of books about it.
08:48 And so I used to ask a ton of questions and then I met him.
08:52 And now I ask four things.
08:54 What are we doing?
08:55 And so then I usually draw it out on a whiteboard.
08:58 So like, oh, there's an API and it talks to this and then this happens and then people steal bikes.
09:03 Okay.
09:04 And then it's like-
09:06 Do we have a database?
09:06 Is it in the cloud?
09:07 Is it in a data center that we own?
09:09 Whatever, yeah.
09:10 Yeah.
09:10 And then I ask questions along the way and then I'm like, so what could go wrong here?
09:15 And then it's like, you know, these two things are talking.
09:17 Do we authenticate first or do we just talk to any old API?
09:21 Right?
09:22 And we go through and we come up with some things that could go wrong and we make a list.
09:26 And then I'm like, okay, so what are we going to do about these things?
09:30 And you talk about basically, is this a serious risk?
09:34 Is it scary?
09:35 Or is it like, you know what, if that happens, it's not really a big deal and the likelihood is really, really rare.
09:40 So maybe we'll accept that risk.
09:42 But a lot of them, it's like, you know, if we added a certificate here or we included authentication there, like we can make some small changes.
09:51 And if you're during the design phase of the system development lifecycle, it costs you nothing, right?
09:56 Or usually it costs you nothing or very little.
10:00 And so then you basically improve your design and then you write it all out.
10:05 And then hopefully someone approves these changes.
10:09 And then at the end, a thing that Adam asks is, did we do a good job?
10:14 And that is the magical question.
10:16 Because the very first time I did one of these in the government, I did not realize that that's what I was doing to my director.
10:25 I was like, well, what about this?
10:27 And what about that?
10:27 And this could go wrong.
10:28 And because I was trying to kill the project because I thought it was a terrible part.
10:32 And we did end up canceling it.
10:33 But I brought up like all these huge existential risks to this ridiculous project they were thinking of doing.
10:39 And he just kept saying, it'll be fine.
10:42 And I'll manage that risk.
10:43 And I was like, you realize manage that risk means nothing, right?
10:47 You're going to do nothing.
10:48 So I brought up eight really big risks.
10:50 And you want to do nothing about any of them.
10:52 I'm like, are we doing it?
10:53 Like, do you think we've done a good job here?
10:54 Like, you feel proud today?
10:55 Because I don't.
10:56 And then we started again.
10:58 And then eventually over the months, we canceled the project because it was quite silly.
11:03 Just to be clear, I usually love it when software development projects go forward.
11:08 This was a very special situation where it was not in the taxpayer's best interest.
11:13 Yes.
11:15 Anyway, I'm like, there's more there.
11:16 But I'm like, NDAs.
11:17 Yeah, of course.
11:19 But usually we come up with like a couple of changes that grossly reduce the risk of the system.
11:26 And it's quite fun.
11:29 Like, once you start.
11:32 So the first time I went to a threat model, I came with my dev background of, I will fix any problem you bring to me.
11:38 I just need to do code.
11:40 And I can fix whatever you need.
11:42 But it's different when it's like, I'm going to try to break things.
11:45 You have to learn kind of this new skill set of like, how can I make it do stuff it should not do?
11:50 And it took me a while.
11:52 And now I'm brutal.
11:53 Like, I go to the movies.
11:55 I'm like, we could have gotten free.
11:58 It's even outside of technology now, huh?
12:00 Oh, yeah.
12:02 Oh, it's everywhere now.
12:03 My significant other who does not work in tech will be like, I'm just trying to threat model this for the kids.
12:10 If we go to the pool, they'll have wet bathing suits.
12:13 Yeah.
12:15 Yeah.
12:15 Very nice.
12:16 You know, I think there's two different ways to look at this, right?
12:20 Obviously, from a developer perspective, you've got to look at, well, what packages or libraries am I using?
12:27 And how are we validating input and all those kinds of things?
12:31 And I feel like that's one level, but maybe the threat modeling is a little bit broader.
12:35 Like, are we storing stuff unencrypted anywhere?
12:38 Yeah.
12:39 Who could get that?
12:40 And it's the thing that makes me nervous.
12:43 I said I would be somewhat nervous about this at the beginning.
12:45 The stuff that makes me nervous about all of these things is the asymmetry of it.
12:49 As a developer or data scientist or somebody in charge of this information and the systems, you have to be right all the time, right?
12:57 And if you're ever not right, little Bobby Tables is on you like nothing.
13:00 It's like a goalie.
13:02 It's like a goalie, right?
13:04 Like, you let into goals and everyone's like, you're the worst.
13:06 And it's like, I defended against hundreds of shots.
13:09 Do I get nothing?
13:11 Exactly.
13:12 Well, developers shouldn't be on their own in this, though.
13:16 That's the whole thing.
13:17 So, like, the job of the AppSec person, in my opinion, is to support the developers in making more secure apps, right?
13:25 So, booking a threat modeling time with them or, you know, providing a static analysis tool or a secret scanner or whatever to scan their code so that they can make better code.
13:36 So, they have help giving them training, giving them, like, a list of super clear requirements at the beginning of the project rather than at the end telling them it's wrong.
13:48 That is a huge one.
13:50 Like, if someone's going to build an API, I would prefer the API be behind an API gateway if it's publicly accessible.
13:57 And I want to do things like turn on authentication and authorization and rate limiting and all sorts of fancy, nice, awesome stuff that they offer.
14:05 And so, I tell them at the very beginning of the project, I don't wait until the end and I'm like, well, this design's all wrong.
14:13 Like, if, you know what I mean?
14:14 Yeah.
14:14 But that's what we did back in the day.
14:16 Like, when I had my first vulnerability assessment done, I, you know, I'm supposed to go to prod in two days.
14:24 And they ran the world's crappiest dynamic scanner on my computer, on my app.
14:28 And they're like, you have cross-site scripting.
14:31 And this was so long ago.
14:32 I searched for cross-site scripting on the internet and there was only three web pages.
14:36 So, I'm old, everyone.
14:38 And one was this thing called OWASP.
14:43 And I was like, what the heck is that?
14:45 And it took me quite a while to figure out how to fix it, right?
14:50 Like, we've come a long way, but yeah, the developer shouldn't be alone in this anymore.
14:56 They should have help.
14:57 I'm not saying that every company does have that.
15:00 I'm saying every company should.
15:01 If you have a bunch of devs, you should have eventually a security person that supports them.
15:06 Right.
15:06 Maybe sits with them for a few hours a week or a month or something.
15:11 And sort of, as you said, like a butterfly sort of moves around the team, hanging out with other people.
15:15 Like, oh, you work on the API.
15:16 Okay, let me hang out with you a bit this morning.
15:19 Ideally, that would be great.
15:20 Also, I mean, if you have a big enough company doing something like a security champions program.
15:26 So, like each dev team, there's one representative and you just give them way more training and way more time.
15:33 And you check in with them regularly.
15:35 Like, if I'm working with only like 50 or 60 devs, like you can get to know a lot of them.
15:41 But I remember working at this one place and there were 2000 devs and me.
15:45 And I was like, okay, so how do I do this?
15:52 And just very quickly, there was just like that one person per team that I would talk to all the time.
15:57 And I remember, ironically, I went to Montreal on this vacation trip and my car got stuck in the mud because there'd been this big rainstorm.
16:06 And I was like tweeting about it and how I was so sad.
16:08 And one of my devs came to me and dragged me out of the mud.
16:12 And I was like, he is a champion.
16:15 I know.
16:15 Oh, that's amazing.
16:16 And there's benefits to large teams aren't in there.
16:19 I know.
16:21 I like, it never occurred to me that like I would get an answer.
16:24 He's like, hey, I live in Montreal.
16:26 Do you need help?
16:27 And I was like, I do.
16:28 And he's like, you help me all the time.
16:30 I'll be right there.
16:30 I was just like, oh, that's very cool.
16:33 Yeah.
16:33 This portion of Talk Python to Me is brought to you by Posit, the makers of Shiny, formerly RStudio, and especially Shiny for Python.
16:43 Let me ask you a question.
16:45 Are you building awesome things?
16:46 Of course you are.
16:47 You're a developer or a data scientist.
16:49 That's what we do.
16:50 And you should check out Posit Connect.
16:52 Posit Connect is a way for you to publish, share, and deploy all the data products that you're building using Python.
16:59 People ask me the same question all the time.
17:02 Michael, I have some cool data science project or notebook that I built.
17:05 How do I share it with my users, stakeholders, teammates?
17:08 Do I need to learn FastAPI or Flask or maybe Vue or React.js?
17:13 Hold on now.
17:15 Those are cool technologies, and I'm sure you'd benefit from them.
17:17 But maybe stay focused on the data project.
17:19 Let Posit Connect handle that side of things.
17:22 With Posit Connect, you can rapidly and securely deploy the things you build in Python.
17:27 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, ports, dashboards, and APIs.
17:34 Posit Connect supports all of them.
17:35 And Posit Connect comes with all the bells and whistles to satisfy IT and other enterprise requirements.
17:41 Make deployment the easiest step in your workflow with Posit Connect.
17:45 For a limited time, you can try Posit Connect for free for three months by going to talkpython.fm/posit.
17:52 That's talkpython.fm/P-O-S-I-T.
17:55 The link is in your podcast player show notes.
17:57 Thank you to the team at Posit for supporting Talk Python.
18:02 So you managed it almost, I don't want to endorse Scrum necessarily, but like a Scrum of Scrum equivalent.
18:08 So sort of you found somebody or different people from who could sort of represent different segments or apps and stuff and got together with those groups.
18:16 Yeah.
18:16 Yeah.
18:17 So I didn't know what it was called when I started doing AppSec because I didn't have any training, right?
18:24 I was just like, all of our apps are a total mess.
18:27 I just switched to the security team.
18:29 I need to fix this.
18:31 And so I was trying to talk to all of them, but very quickly, there was like a person that sort of self-identified as the person who was totally willing to tolerate Tanya and all of her security nerdiness.
18:42 And I would hold these little lunch and learns where I was like, oh my gosh, my first one.
18:47 I remember I, because I'd been on the dev team and then I switched to the security team and I was like, I'm going to break into a bank at lunch.
18:53 Who wants to watch?
18:54 I brought donuts.
18:56 And everyone's like, you're not going to.
18:57 And I'm like, it's a, it's a pretend bank, but I'm going to do it.
19:01 And they're like, but donuts, right?
19:03 I'm like, yeah.
19:03 You just got to choose the right motivation.
19:08 I feel like pizza, any sort of carb goes really like it goes over well.
19:15 But yeah, I just slowly formed more and more relationships.
19:19 And then that is how I got a lot of security done because I'm not their boss.
19:24 I can't make them prioritize security.
19:27 I need to persuade them that it's important.
19:30 And one of those people from my very first program, he became an application security engineer and he just started his first security champions program this year.
19:39 And I spoke for them two months ago and it was amazing.
19:42 Exciting.
19:42 Yeah, that's awesome.
19:44 Honestly, I think coming from the software dev side probably gets you a lot of credibility with the software teams.
19:51 Yeah, because I can just like read code and stuff and the rest of the security team usually can't.
19:58 And also, so I've gotten in trouble for that, though.
20:02 I've gotten in trouble with the security team at a couple of places I've worked where they're like, you're always on their side.
20:07 And I was like, yeah, but they're right and we're wrong this time.
20:11 Because sometimes the security team's being so completely unflexible.
20:16 And I'm like, listen, this is like a minute risk if you really think about it.
20:20 Where like if you look at the context of this and this, it doesn't generate legitimate business risks.
20:25 So, no, I'm not going to upgrade off of this vulnerable library because it's not actually exploitable.
20:30 And there's this and this and this precaution.
20:33 And like we're actually fine.
20:34 And it's going to cost like months and months of time.
20:37 And so I'd rather use my social currency on something that really matters.
20:40 And I've just had people get really pissed at me on the security team.
20:44 Like this plus between username and query.
20:47 So, yeah, it's just not good.
20:53 It's just not good.
20:54 There is, you know, you see all the time, whether it's NPM or pip or whatever package management tool you're using,
21:03 you might see, oh, or GitHub.
21:06 This library you're using has this vulnerability.
21:08 And it sounds scary.
21:10 But if the vulnerability is in a portion of it that you literally never use and you never expose the internet, you know, it might be bigger fish to fry.
21:18 Who knows?
21:18 Maybe not.
21:19 But a lot of it's hard to decide.
21:21 Insecurity, we call...
21:23 As you're saying where to spend your time.
21:24 Yeah, so we call that reachability in the InfoSec field.
21:28 And so my advice, and not everyone agrees, is basically if something...
21:34 So let's say you have the math library.
21:35 And the math library has like a thousand different math functions because we love math.
21:40 And one of them has a great big bug in it.
21:42 But we're not calling that one.
21:44 Right.
21:44 And it's probably like a denial of service.
21:46 If you give it this weird number, it'll overflow and then like loop forever.
21:50 And we're never calling it.
21:51 Yeah, maybe it's something like really bad.
21:55 It's like remote code execution.
21:57 Like this sucks.
21:58 Okay.
21:58 But if it's not reachable from within your code, it's probably not actually a risk.
22:03 So let's say it's like the worst one.
22:05 It's remote code execution.
22:06 I'm like, listen, at some point, could you upgrade off of this?
22:09 And I need you to keep scanning it with your software composition analysis tool every time you check your code in to make sure you are not calling that dangerous function.
22:18 So if you switch it around and you are no going to prod, but as long as it's not reachable, then we're not causing legit business risk.
22:27 But I do want it in the backlog because at some point I'd like you to upgrade off.
22:31 But like, let's say it's a medium.
22:32 It's like there's so many bugs that I want people to fix.
22:37 And some of them aren't even bugs.
22:39 Like some of them are, I want you to use content security policy header.
22:43 Is that a bug that you're not using it?
22:45 In my heart it is, but technically no.
22:48 But it's an additional layer of security that basically stops cross-site scripting in its tracks.
22:53 Right.
22:54 And so I'd rather spend my social currency getting like the entire organization to adopt CSP than to fit like upgrade off of tons of different dependencies that aren't actually hurting anyone.
23:06 Yeah, I agree.
23:07 I think that makes a lot of sense.
23:08 This is why security people yell at me.
23:12 Yeah.
23:12 Once you've solved all the other security problems, you can come back to the unreachable ones, right?
23:17 Yeah, for sure.
23:18 Yeah.
23:19 I want to dive into your book and you've got a bunch of good recommendations.
23:22 But before I do, I just have a quick question.
23:24 What do you think, you know, the White House last year or beginning of this year released a thing saying we call for memory safe languages.
23:31 And I know you started in C and C++.
23:34 I also started C++.
23:36 I was kicked a Fortran kicking and screaming for a little while and went back to it and then moved on.
23:40 But, you know, we got a lot more options these days, right?
23:44 And I know folks at the PSF were actually working with the people at the White House to encourage them to consider Python as one of the options.
23:53 But what do you think about this and its implications?
23:55 Oh, a lot of software is written in C.
23:58 A lot.
23:59 Like, maybe half.
24:01 Like, it's nuts how much is written of our whole world is written in C.
24:06 And they're like, oh, future software.
24:09 So, if we're writing brand new software, yeah, I wouldn't write it in C unless I absolutely had to.
24:16 I would try to use Rust.
24:18 But do I think that everyone's going to suddenly, like, rewrite everything into Rust?
24:23 No, I don't believe that.
24:25 And it's because of a lot of reasons.
24:27 One, like, I'm told it's difficult to develop in Rust because basically there's, like, no libraries for it compared to C.
24:34 C is so rich.
24:35 There's so many options in C, C++, right?
24:38 Because it's been around forever.
24:40 There's a zillion code samples that you can copy from and then paste into your code, which you should not do unless you understand it fully.
24:48 Yeah.
24:49 So many comments there.
24:51 So, memory safety.
24:53 Like, if you are going to write a new app, I want it to be memory safe.
24:57 Yes, absolutely.
24:58 Do I expect everyone to rewrite all the old code?
25:01 No, no one's going to do that.
25:02 No one can afford to do that.
25:03 No.
25:04 But I'd love to see, like, a framework over top of C and C++ that provided memory safety.
25:10 That would be amazing.
25:12 I'd pay for that, right?
25:14 Like, a library that just, like, I collect your garbage and you don't have to think about it anymore.
25:19 Right?
25:20 Like, that would be beautiful.
25:22 That would solve, that would do a lot of backwards compatibility if we started turning that on in my brain.
25:27 Yeah, you talked about the remote code execution issues.
25:31 A lot of that has to do with exceeding a buffer we've allocated, using a freed buffer before the pointer was gone.
25:38 Like, a lot of it has to do with this memory ownership and stuff that you're talking about.
25:42 Yeah, and sometimes mismanagement of objects as well.
25:45 And so, basically, you know, you make a memory.
25:48 Can I explain this?
25:49 Or is this, like, way below?
25:51 Okay.
25:51 So, we can overflow an integer, a string, a buffer.
25:56 But basically, like, you declare a variable of some form.
26:00 And let's say you're like, oh, my string's 20.
26:02 Cool.
26:03 If you put 25 in there, where do you think that extra 5 goes?
26:06 Right?
26:07 Next bit of execution, probably.
26:09 Yeah, it goes somewhere else.
26:10 Or a heap or something, yeah.
26:11 Yeah, it goes somewhere else in the stack or the heap.
26:13 And guess what?
26:15 If you happen to do enough of it, you'll find the stack pointer.
26:18 And guess what the stack pointer does?
26:20 It tells you where the next instruction is.
26:22 And what if I tell it where the next instruction is and it's in my overflow?
26:27 And what if I've added my own shell code with instructions to do bad stuff, like open a web prompt?
26:34 I would like a shell, please.
26:35 A shell would be nice.
26:37 Thank you.
26:38 And then you can execute code on their server remotely, which is the RCE worst in the world thing we do not want to have happen.
26:46 And this is because of memory safety.
26:49 Because it's not automatically checking the bounds for us.
26:53 And because we ourselves have not done perfect input validation, which is a hard thing to get right.
26:59 I was teaching it today.
27:00 And literally, we spent one hour and 15 minutes just on input validation.
27:06 And they had a trillion questions.
27:08 And a lot of them were like, yeah, but we don't need to do input validation if it's just internal, right?
27:14 And I'm like, are you handling the employee paychecks?
27:17 Do you want me to see your employee paychecks?
27:20 Then you probably need to validate.
27:22 So I'm a slippery fish.
27:24 Yeah.
27:26 Are you reading from the database that somebody else could have gotten into and leveled up?
27:31 Yeah.
27:31 There is a lot there, Michael.
27:32 There's so much.
27:33 It's not good.
27:35 It's a negotiation, though, right?
27:37 And it's about persuasion.
27:38 And it's about what their threat model looks like.
27:40 Because if you're handling hundreds of millions of dollars a day, your threat model is very different than I used to work at a place.
27:47 And their entire job was to show videos to nurses and doctors that they had to watch each month so they could continue their certification.
27:54 And it was like, did they see the video or did they not see it?
27:57 Threat model low.
27:58 Yeah.
27:59 You don't want people to mess it up and pollute it or whatever or take it down.
28:04 But at the same time, it's not going to make the front page of the news.
28:08 Exactly.
28:09 Exactly.
28:10 We now know.
28:11 Everyone we know that Nurse 7725 has not been up to date.
28:16 I mean, it's not great, but it's not the same as social security numbers and all that.
28:22 Exactly.
28:23 Yeah.
28:24 All right.
28:24 Let's talk about your book.
28:25 I think your book is really good.
28:27 Yes.
28:28 Now, to be clear, specifically the Alice and Bob Lawrence Cure Coding, because I haven't read the other book.
28:33 But if it's in the same style, it seems to me, I'm sure it's also good.
28:36 Tell us about your books.
28:37 Thank you.
28:39 So my new book's called Alice and Bob Lawrence Cure Coding.
28:43 And I'm dyslexic.
28:45 And I'm about to get diagnosed for ADHD, too.
28:48 Because why not?
28:50 They go so well together.
28:52 Yay.
28:52 And so when I read a textbook, I find it really hard.
28:57 So I read a zillion books.
29:00 Like, I love books.
29:01 Sitting still is hard for me.
29:03 Reading a textbook, I find really, really hard.
29:06 I want that knowledge to be in my brain very badly.
29:08 But sitting my butt still for eight hours is really difficult.
29:12 And I found traditional textbooks really difficult.
29:15 So I started blogging because someone double dog dared me when I worked at Microsoft.
29:21 And what else could I do, right?
29:22 There's no way out.
29:25 They've done it.
29:25 I know.
29:26 There's nothing I could do.
29:28 Brock, you faded me into a corner.
29:31 But I just kept blogging and blogging.
29:33 And people kept telling me I should write a book.
29:35 And publishers started reaching out to me.
29:37 I'm like, yeah, but my blog's very casual language.
29:39 I use a lot of examples with Alice and Bob.
29:42 Alice and Bob were used by mathematicians to explain cryptography to normal people.
29:48 So Alice wants to tell Bob a secret.
29:50 How does Bob know it was Alice?
29:52 And so I just kept using them because we all use them.
29:55 And so basically, Wiley approached me.
29:59 And they're like, yeah, you can write the weirdest textbook in the whole world.
30:02 I'm like, because Alice is going to date people.
30:04 He's like, okay.
30:06 So my first book was for AppSec engineers and people that want to work in application security
30:15 because there was no book of how to do that.
30:17 So I wrote a book for past me.
30:19 And so then when I thought about Alice and Bob having a sequel, I was like, I want to write
30:24 a book for really past me for when I was a software developer.
30:28 And so I was like, what should I cover?
30:31 And so I covered the 10 top programming languages and the eight most popular frameworks within
30:38 reason.
30:39 So like some frame, like it was hard to pick the frameworks because I was like, oh, I was
30:45 thinking about that when I was reading.
30:46 I'm like, oh yeah, these are, it's not so easy.
30:49 It was hard.
30:49 And so I asked a lot of my followers.
30:51 And so you might disagree with me about the frameworks I chose, but I really liked .NET.
30:57 So it was obviously going to be in there.
30:58 Flask, obviously going to be in there.
31:00 But I was like, should I put pandas in here?
31:03 Or should I put, I put in jQuery and my advice is don't use jQuery.
31:09 Yeah.
31:10 But document ready was so good.
31:12 Come on.
31:12 And so, so it was hard to choose.
31:18 And then I wanted to cover like all the different agnostic programming advice, because to be quite
31:25 blunt, there's a lot of stuff like input validation that applies to every single language in the
31:30 world and every framework.
31:31 It just doesn't matter.
31:32 And I don't care if some of them say they do some input validation for you.
31:36 It's not enough.
31:36 Trust me.
31:38 And so I wanted, so like the first third of the book is just completely agnostic.
31:43 And I've been giving secure coding training basically since before the first book.
31:47 And I just keep refining it and refining it and improving and improving it.
31:52 And I was like, well, I have a lot to say on this subject now.
31:56 And so then I asked all my followers, like, what do you want to see in the book?
32:01 And they added a bunch of things.
32:02 Like, they're like, oh, I want to see this topic.
32:04 I want to see that topic.
32:05 So it got even bigger.
32:06 But then the end of the book, the last third is the system development lifecycle, all the
32:13 security steps, but from a developer's point of view.
32:16 Because when I was a dev, it was like, why am I being subjected to this?
32:20 Like, what's a threat model?
32:22 I remember being in a meeting and this woman was like, you want to do a penetration test on
32:27 me?
32:28 And then she turned bright red and was like, I don't know if I should be in this meeting.
32:33 I was like, no, no, no, no, no, no.
32:36 She's like, I was talking.
32:39 I'm not a doctor.
32:40 This is going to be fun.
32:41 I know.
32:41 I know.
32:42 I was like, your web app, your web app.
32:44 She's like, you just used a lot of words that were uncomfortable.
32:47 I'm like, I'm so sorry.
32:50 And so it's like, what to expect when a penetration test happens or like in a threat model, like
32:55 bring your awesome ideas of how you would hack your app.
32:59 And like, this is maybe how much will be expected from you.
33:03 And why we like, what all these tools are and what they do and how you might want to use
33:08 them.
33:09 Because I feel like sometimes we just, I've heard a lot of security teams say to me, well,
33:14 they should know.
33:15 I'm like, do you think if they knew they would have done that thing?
33:17 No.
33:18 Did you, did you tell them it explicitly?
33:20 Well, I felt it was implied.
33:22 Dude, that's not good enough.
33:24 This portion of Talk Python to Me is brought to you by Bluehost.
33:29 Got ideas, but no idea how to build a website?
33:32 Get Bluehost.
33:33 With their AI design tool, you can quickly generate a high quality, fast loading WordPress
33:39 site instantly.
33:40 Once you've nailed the look, just hit enter and your site goes live.
33:43 It's really that simple.
33:44 And it doesn't matter whether you're a hobbyist, entrepreneur, or just starting your side hustle.
33:49 Bluehost has you covered with built-in marketing and e-commerce tools to help you grow and scale
33:55 your website for the long haul.
33:56 Since you're listening to my show, you probably know Python, but sometimes it's better to focus
34:00 on what you're creating rather than a custom built website and add another month till you
34:05 launch your idea.
34:06 When you upgrade to Bluehost cloud, you get 100% uptime and 24 seven support to ensure your
34:12 site stays online through heavy traffic.
34:15 Bluehost really makes building your dream website easier than ever.
34:19 So what's stopping you?
34:20 You've already got the vision.
34:21 Make it real.
34:22 Visit talkpython.fm/Bluehost right now and get started today.
34:27 And thank you to Bluehost for supporting the show.
34:30 Yeah, I totally agree with you.
34:31 And there's a really, let me do a quick search.
34:33 There's a really interesting fact, at least from the Python space.
34:37 If you look at the latest survey from the PSF and the JetBrains, how long have you been programming?
34:44 There's a little one somewhere.
34:45 Yeah.
34:45 How long have you been programming professionally?
34:47 33% less than a year.
34:49 And if you look at less than two years, that's 50, that's half of the people doing software just
34:57 got started.
34:58 They probably don't even get the little Bobby table jokes, you know?
35:01 Yeah, I know.
35:02 They need to read XKCD.
35:03 Yes, I know.
35:05 But, you know, seriously, they, how are they supposed to know?
35:08 They're struggling to just figure out how does it compile?
35:10 Where do I get a virtual environment?
35:12 Why won't I import that thing?
35:14 They're, they're just, they're not at the place where they're, they're polishing it and
35:18 they're, they're protecting.
35:19 They haven't had the experience of, oh, I put it on the internet.
35:21 I was hacked in eight seconds.
35:22 You know?
35:23 It hurts, man.
35:25 I remember, so the guy that became my mentor, he gave a talk for my dev team because I ran
35:32 the community of practice where I work.
35:34 Shocker, me being an extrovert wanting to run a community of practice.
35:38 And so I invited him to come and talk and he took one of our apps and he was at the login
35:44 screen and he's like, I'm going to break into your app without a password and it's going
35:48 to take over a minute just because I'm talking.
35:50 And then he just did an SQL injection and he just got in and I was like, what?
35:55 No, no, no, no, no.
35:58 And then he was like telling us.
36:00 And then of course, like all the SQL codes going in my head and I'm like, oh my gosh,
36:05 that is very bad.
36:06 What if my name, what if my name was quote dash, no quote, semicolon, drop tables, semicolon,
36:14 dash, dash.
36:14 That's an, that's an interesting name, isn't it?
36:16 Right.
36:17 We all, we all have special names, but yeah.
36:20 So, I for, I forgot when you asked about my book, part of why it is weird is I try to
36:27 make it casual language.
36:29 So it's really easy to understand.
36:30 Yeah.
36:31 And I try to get, honestly, I didn't, I didn't put that together, but I had that experience
36:35 reading it.
36:35 So I think you nailed it.
36:37 Thank you.
36:37 And I try to use like different ways of explaining the same thing, like with a story and then
36:43 like the technical explanation.
36:44 And then maybe, there's like a funny story from Alice and Bob, cause Alice will not
36:51 put up with unethical dates with pen testers.
36:54 And Bob really worships this really cool guy.
36:57 and like seeing it, how it applies to people's real lives, I felt like hit home with
37:04 a lot of people.
37:05 and so, yeah, I just, I want, I feel like security can be really hard and I was like,
37:11 how can I make it a lot easier for people?
37:14 So that was my goal with the book.
37:15 Both of them.
37:16 Yeah.
37:16 Yeah.
37:16 Well, I think it's, I think it's really approachable.
37:18 So I want to pull up a few quotes out of it that I thought we could sort of riff on that
37:22 I think would be fun here.
37:24 So you start out the book by talking about humans and how humans are implicitly trusting
37:32 of each other in general, right?
37:34 In general.
37:34 But you know, that's why we have societies and groups rather than every time we see a
37:39 person, we either run away or attack, you know, like that's just not how it works to
37:42 be a person.
37:43 Right.
37:44 And that trust is not necessarily appropriately transferred to computer systems and communication
37:50 systems and all.
37:51 Right.
37:52 So you gave some examples of implicit trust and you also gave a warning or an important
37:58 news.
37:59 Maybe tell us about this bit.
38:01 So basically when we started designing things, like we didn't even have passwords at first.
38:06 Like I remember in college, my sister telling her friend, my sister's so crazy.
38:11 She has a password on her computer.
38:13 Like who wants to log into your stupid computer?
38:16 And she thought I was-
38:17 What are you working at a bank?
38:18 Come on.
38:19 Right.
38:20 And so now we all have passwords on our computers.
38:23 And, but we design our systems the way that our society operates with implicit trust.
38:30 Like just imagine like someone comes to your door with a package and they ring the doorbell,
38:35 you open it.
38:36 But in the animal kingdom, which I have watched a lot of nature documentaries because I have small
38:41 children at home, panthers, if they see another panther, it's going down.
38:46 They're going to fight or make a new baby panther or both.
38:50 That is what happens in the animal kingdom.
38:53 and so like they have no trust.
38:55 Like some of them like try to kill each other after they try to make baby panthers.
38:59 Like they're all over the place because they have no implicit trust.
39:02 So you see them alone a lot.
39:04 And so when we started designing networks, one of the things we would do is we would, first
39:11 of all, a lot of networks in this world today are still flat, which means one firewall around
39:16 the outside and that's it.
39:17 So if you can get to anything in the network, you can get to everything in the network.
39:22 And that is an implied trust.
39:23 So then we came up with zoning, like the data, the databases are all in one zone and there's
39:28 a firewall around that.
39:30 And then we have like a public access zone.
39:32 And then we have a deep militarized zone because we think we're badasses, et cetera.
39:35 Right.
39:36 And, but what happened is if you have an SQL injection, you've gotten behind the firewall and now you
39:42 can get to every single database in the entire organization.
39:45 You have hit the gold mind.
39:47 Right.
39:48 So that is bad.
39:49 and then we came up with zero trust.
39:51 The idea of everything is closed by default.
39:54 And unless there's a business requirement, you don't open it.
39:59 Right.
40:00 So, let's say you have a database and an API and it has a front end and then you have
40:06 a service account for those.
40:07 So the service account only can talk to those three things.
40:11 Oh, and it can talk to the secret management tool to get your secrets because you store your
40:15 secrets in a correct place.
40:17 You don't put those in source code and just check them in the GitHub.
40:19 Please do not do that.
40:23 I only do that when I'm trying to prove a point.
40:29 But, but then ideally the API checks that who's calling it is its front end and not someone
40:35 else.
40:36 Right.
40:36 And then it authenticates and authorizes to the database.
40:39 And we have, and nothing else.
40:41 No one else can call that API.
40:43 Why would you be calling it unless you're a malicious actor or you're a tester?
40:47 Right.
40:48 So once the testing phase is over, we're in production, no one else should be talking
40:51 to it.
40:52 So you only accept connections from there.
40:54 And if, if we do zero trust perfectly, it is amazing.
40:58 But quite often, we have partial implementations because it's quite a lot of work to implement.
41:05 And if you get it wrong, it can be painful.
41:08 Yeah.
41:10 Yeah.
41:11 What do you think about, things like thinks to canaries and those types of things?
41:16 Maybe tell me what that is real quick.
41:19 Yeah.
41:20 So, there's this guy named Harum Mia who goes on risky business all the time, which is
41:25 a podcast.
41:26 I like.
41:26 It's a good podcast.
41:28 Yeah.
41:28 Patrick Gray and Alex.
41:30 What's the guy's first name?
41:31 It's not Alex.
41:32 Is it?
41:32 I thought the guy, like the, is it Nick, the guy that he chats with?
41:37 I haven't listened to it in like a year.
41:39 Yeah.
41:39 I'm sorry.
41:39 Last name below, but first name, forget it.
41:42 Anyway, they, they do a good show.
41:43 Yeah.
41:43 So yeah, go on.
41:44 They're really good.
41:45 It is a fun show and they're so like catty.
41:48 I love it.
41:49 Like they make fun of everything.
41:50 Nothing is sacred.
41:51 It's so fun.
41:52 Absolutely.
41:52 But basically, things canary, the company that Harum Mina works for, which why I've heard so much about it.
42:00 Cause he's always on the show.
42:01 They make, basically like these things that go on your network.
42:05 So for instance, it could be like a fake word file.
42:09 it could be a, some sort of fake file somewhere on your network.
42:13 And then you see if it gets stolen and shows up somewhere cause it calls home.
42:17 And so people go, so imagine like you have a data breach and then you can see because it
42:25 phones home or you search the internet all the time to look for that.
42:27 And you see, Oh crap, that's there.
42:29 I actually was on stack overflow today.
42:31 as a viewer, cause I'm banned for life.
42:34 That's a long story.
42:35 I tried to answer all the SunGrap questions in one day and they didn't like it.
42:39 I feel like they should give you an award, not a ban, but okay.
42:44 I know it's a, I agree.
42:47 Right.
42:47 Some of my answers, they didn't like, like, don't suppress that result.
42:51 You have cross-site scripting.
42:52 Here's how you fix your code.
42:53 They're like, you didn't answer his question.
42:54 Down vote, down vote.
42:57 But anyway, the internet can be harsh.
42:59 What were you saying about this trust and well-meaning?
43:01 I don't know.
43:01 Yeah.
43:02 But so, so basically like this guy was saying his website keeps getting scraped by all his
43:08 competitors rather than them typing out the information himself.
43:11 So he puts fake musical artists into his database and then he goes to other companies and he searches
43:18 for those fake musical artists and then he sends them ceases and desists.
43:24 And so like the idea of a canary is that like the canary in the coal mine, but basically
43:30 someone steals it.
43:31 And then if it can, I believe that some of them can call home, but basically if they use
43:36 it somewhere, you can see it's yours.
43:38 And then you're like, oh, we are in trouble.
43:41 Yeah.
43:42 It's an early, early alarm.
43:44 You know, the canary in the coal mine sort of deal, right?
43:47 I think that it's a cool idea, but I think that if the canary calls out to you, you're already
43:52 pretty screwed, right?
43:54 Yeah.
43:54 It's pretty bad.
43:55 I think that it's cool, but it wouldn't be the first security measure I would do.
43:59 It would be like, I have an advanced program that's like good and I want it to be super
44:04 great.
44:05 Yeah.
44:06 Yeah.
44:06 Sounds good.
44:07 All right.
44:07 So you say, if you only learn one single thing from your book or this podcast episode,
44:11 let's put it, let's adapt it.
44:12 I hope it is this.
44:14 Design every system with as little implied trust as possible.
44:17 It's true.
44:18 And I highlighted that in purple for you.
44:19 How's that?
44:20 It's true.
44:23 We want to, so in my first book, I'm like, trust no one, not even your mom, because my
44:27 mom accidentally sent me a virus one day and I opened it because it was from my mom.
44:31 Oh no.
44:34 And so you can't even trust your mom, even if your mom's a brilliant mathematician chemist,
44:39 because she can still get a virus on her computer.
44:42 Yeah.
44:43 Because it turned out grandma sent it to her.
44:45 Yeah.
44:46 And she trusted grandma.
44:48 Grandma's not even sophisticated enough to send a virus.
44:51 Is she?
44:52 I know.
44:52 Well, it turned out she was.
44:54 But anyway, so don't trust anyone.
44:57 So when you get input to your app, to your API, wherever it comes from.
45:03 So that can mean getting stuff out of your database.
45:05 So unless it's a static table that you know for sure is trusted, you should be checking the
45:12 stuff from the database.
45:13 So let's say someone's like filling out a form and then you save it to the database.
45:16 So you would want to validate those values.
45:18 You save it to the database.
45:19 So then let's say an API goes and get some of that data to go do stuff with it.
45:24 I would validate those values again before I use that.
45:27 And then they put it on a webpage and it has JavaScript angly brackets in it.
45:33 Yes.
45:33 Then I would output and code it before I put it out there.
45:36 And I would have content security policy header and a bunch of other things.
45:39 But I digress.
45:40 But if we could not trust anything that we get and always validate that it is what we
45:47 are expecting.
45:48 And if it's not, we reject it.
45:49 So we don't try to fix it.
45:51 Is it what we're expecting?
45:52 And so this can mean like, so let's say it's a date of birth.
45:56 So is it first of all, is it a date?
45:58 Is it in the past?
46:00 Is it more than 150 years in the past?
46:03 Because that's less likely.
46:04 Is it in the format you're expecting?
46:08 Those are some of the things that we could check.
46:10 And if it's not any of, if any one of those things are wrong, reject and just say, hey,
46:15 actually we're expecting this.
46:16 But let's say you need a person's name.
46:19 So I work with someone named Luke O'Malley.
46:21 Well, he has a single quote in his last name, which is a special character if we are going
46:26 to use an SQL database.
46:27 So what am I expecting?
46:30 I'm expecting letters, lower and uppercase.
46:32 And I'm expecting a hyphen and or a single quote.
46:36 All of those are on my yes approved list, my allow list.
46:40 So I check it against my allow list, not a block list.
46:43 Because a block list of bad characters, guess what's going to happen?
46:47 Tanya's goes around it.
46:48 Yep.
46:48 Thanks.
46:49 I'm in.
46:49 Usually Unicode escape sequence forward or some random thing.
46:54 Yes.
46:54 There's a zillion ways around it.
46:56 And like, I remember when I learned that, how sad I was for all my past apps.
47:02 And so you use an approved list of good stuff and you accept the single character and you
47:09 accept the hyphen and then you sanitize or escape them.
47:12 So sanitize means changing it for a different value.
47:15 So you might want to change the hyphen to a pipe and you might, or probably not a pipe,
47:20 maybe that's still a special character.
47:21 But like, let's say the carrot.
47:23 And then you change the single quote to the tilde symbol.
47:27 And then those are not a problem.
47:30 And then you pass that on.
47:31 So you validate that's what you're expecting.
47:33 And then you have either escape, sanitize it or escape them.
47:37 So just put like a backslash in front of the special characters.
47:40 Or maybe HTML or URL encode them to that, you know, percent some numbers, which is the
47:46 quote or I don't know, whatever, whatever it resolves to.
47:48 It depends on what you want to do with it.
47:50 So if you're going to take that and then put it into a parameter and send it to a
47:54 parameterized query, maybe, maybe you want to escape it.
47:58 It's going to escape it for you when it gets there.
48:01 There's a lot of options, but single quotes are kind of the danger zone.
48:04 So I want to be careful.
48:05 They're definitely tricky.
48:06 All right.
48:07 Next section.
48:08 This is the Python section.
48:11 So you have, as you said, a bunch of different technologies and they're quite up to date.
48:17 You've got Node.js.
48:18 You've got .NET Core, not the old crusty Windows only .NET.
48:23 You've got Python, Python 3 stuff.
48:25 So I think that's great.
48:26 So let's talk about some of the what to do.
48:30 Maybe just pick a few off this list that jump out at you that you want to talk about.
48:34 Okay.
48:35 So some of them are really obvious.
48:37 Like, please use Python 3.
48:38 It's time to say goodbye to Python 2.
48:41 I know that we can still love it in our hearts, but new apps need to be Python 3.
48:45 And updating our environment often.
48:47 This goes for every framework.
48:49 One thing is, is if you find a real security bug, reporting it to the security folks from Python, that is a valuable thing to do.
48:58 Whatever programming language or framework you're in, if you feel you found a real legit bug, you should support it or you should report it.
49:06 Because as a result, when they fix it, they're fixing it for thousands and thousands and thousands of devs.
49:11 And you are a wonderful human.
49:13 So that is that.
49:15 Pay it forward.
49:15 Yeah.
49:16 And I want to give a shout out to the PSF and Python folks.
49:20 They've made a lot of efforts in putting more time and energy into the security at Python.
49:26 Both Mike Fiedler got hired as the security person behind PyPI, the package index.
49:32 And Seth Larson got hired for more broadly Python security.
49:37 Hopefully I've characterized that right.
49:39 But we now have two full-time people working on it.
49:41 Whereas before it was kind of core devs and other people contributing their spare time.
49:45 Hopefully they could grab it, you know?
49:47 So that's good.
49:48 And you point out that there's a security at python.org email address for legitimate reports and not hassling busy people.
49:57 Yes.
49:57 Don't hassle them.
49:58 Test and make sure it's repeatable.
50:01 Like these people are very busy.
50:03 There are so many things.
50:06 So one of the things was, so like let's say you're taking, because we're talking about user input.
50:10 And we're taking, so the bottom of that page, we're taking user input as a string from your code.
50:16 And we can use the template class from the string module rather than other functions for string manipulation.
50:23 So if we do that, it's safer.
50:26 There's less string overloads.
50:28 Like if we avoid using, for instance, fstring and string format for handling user input, because that can be manipulated by the user.
50:36 So it sounds weird, but like using the template class from the string module can't be manipulated as easily.
50:43 Interesting.
50:44 Yeah, I know.
50:46 I had to do a lot of research for this.
50:47 I bet.
50:48 Yeah.
50:49 And they just added a new type to the Python type system called a literal string, which works for SQL for things that are not meant to accept user input.
50:59 So if you had a literal string, that was a query and you combined it with stuff that came from a regular string, like a user input.
51:06 That's a query.
51:07 It will fail the type system basically.
51:09 It still runs.
51:10 That's the way Python types work.
51:11 But at least you would check it with a mypy type of checker.
51:14 That is very cool.
51:16 Yeah, yeah, yeah.
51:18 That's pretty neat.
51:18 There's not too many tools to support it, but the static type checkers do.
51:21 Another one I think that's worth calling out here is you talked about, be sure you pin your dependencies.
51:26 Yes.
51:30 I'm like looking through all of the notes.
51:33 You have them.
51:34 Pinning.
51:37 So I got into like a lot of arguments with my technical editors about this one.
51:42 So you want to pin your dependencies, like as you're going through all the different environments and not allow it to update out when you get to prod, because otherwise you're all testing different versions.
51:54 Right.
51:54 So you want to make sure you're using the same one across the board that you're testing, because otherwise your tests aren't accurate.
51:59 Right.
52:00 Yeah.
52:01 It might be the same, or it could be an important library got an update between when you checked it in and when it got built to a Docker container or something.
52:08 And it's different.
52:08 But the other thing is, is that you don't want it to be permanently like that forever.
52:15 And so like when you're, so it sounds weird.
52:19 So you pin it there, but then I can't remember where it is.
52:23 I think the, I think the big distinction is, are you building an application or are you building a library?
52:29 People are building applications with, because your application should pick its versions.
52:32 But if you pick them concretely for the library, you're forcing potentially old vulnerable versions onto people.
52:39 Right.
52:39 There's this tension of, of what role am I playing, which I think is tricky.
52:43 Yes.
52:44 So ideally, like if you're like about to go to prod with something, you don't want it changing in different environments.
52:51 That could be really bad.
52:52 But yeah, like you said, pinning the version.
52:55 Well, I'm just like reading it on the screen.
52:57 We, so I remember like I was installed, I was doing like a proof of concept with this company.
53:04 And in order to install it, it wanted me to downgrade a bunch of NPM dependencies.
53:10 And then it showed me that there were huge vulnerabilities in those dependencies that they'd asked me to use.
53:16 And I was like, well, like deal breaker buddy.
53:18 Right.
53:18 And so when you are creating like a product for someone, if they can see that and how it's compiled, like that's a deal breaker for a lot of customers.
53:28 Customers are very savvy in regarding security right now.
53:32 And I love it.
53:33 Yeah.
53:34 It's really good.
53:34 And even putting security aside, you can end up, if you have two libraries, they both use a sub library, a dependency, and they have different pin versions or ones less than or greater than or less than or equal to the other is greater than equal to.
53:47 And there's no intersection of those numbers.
53:49 You just, you're like, well, I can't run this.
53:51 I guess we just can't use these because it'll say, I can't give you both greater than two and less than two at the same time.
53:57 Right.
53:57 It's a hassle.
53:58 But the security bid is also important, obviously.
54:01 I agree.
54:02 Let's see.
54:02 Yeah.
54:02 So Bandit.
54:04 Bandit's an interesting tool.
54:07 Bandit is a free static analysis tool that specifically is made for Python.
54:14 And so some of the, so for instance, if you're using Ruby, there's Breakman and it's made just for Ruby and that's it.
54:21 So it's awesome because it only cares about your language.
54:25 Because it's free and open source, there's not a giant security team behind it supporting it.
54:31 But if you have never used a static analysis tool, this is an excellent place to start.
54:36 It's recommended over and over and over again.
54:39 When I teach secure coding in this, I have like this list of free Python resources.
54:45 People love Python.
54:46 People make a lot of tools for it because they love it.
54:49 And Bandit is like really popular.
54:51 Yeah.
54:52 That's awesome.
54:52 And it has a cool logo.
54:55 It is very cute.
54:56 It is very cute.
54:57 I like how they call it a security linter.
55:01 I would say it's a bit more like stack analysis.
55:06 Because like it definitely is trying to find like sources and syncs, like doing flow analysis.
55:12 I don't know if it does symbolic execution.
55:14 Like I haven't seen like under the hood.
55:16 So like when you buy like a SaaS tool, there's like first generation and second generation and like different ways that they work.
55:24 And I'd love to know more under the hood of how it works.
55:28 Yeah.
55:29 Yeah.
55:29 It looks really cool.
55:31 You know, it'll find common things like pickle issues or parsing YAML that might be bad or, you know, all the different things that you're still allowed to do.
55:40 But people decided probably are not the best choices, but we'll leave it there so we don't break things that are doing it.
55:45 But don't do it.
55:46 Kind of like the pointer safe string copies in C++.
55:52 Don't copy like you used to.
55:53 Like, well, yeah.
55:54 How do I do it now?
55:55 And I don't even know anymore, you know?
55:56 I feel too that like, so it's called security linter rather than stack analysis.
56:02 I feel like it also focuses on code quality and not just security.
56:06 And that's helpful too, because if you have higher quality code, it's just going to be more secure.
56:11 It's going to be easier to maintain, easier to debug.
56:14 So if there is a security problem, you can address it faster.
56:17 You have less technical debt if you have higher quality code.
56:20 So that's a win as well.
56:22 Absolutely.
56:23 All right.
56:23 Let's talk about SQL relational databases, these kinds of things a little bit.
56:29 I think there's, you know, the majority of people out there have an app that talks to a database.
56:34 That database is relational.
56:36 Usually it's running on its own server.
56:38 Yeah.
56:38 And when things go bad, it's usually the data that came out of the server that makes the news.
56:43 Not always, but usually.
56:44 Yeah.
56:45 But it can be the server.
56:46 So an SQL server is a server, right?
56:52 So it is a server.
56:53 You need to patch it.
56:54 You need to keep it up to date.
56:55 You need to harden it.
56:57 It comes with a hardening guide.
56:59 You should do all the steps in the hardening guide.
57:01 You should make sure that every single person you work with cannot access it.
57:05 Right?
57:07 Like, it seems really obvious, but you would be surprised.
57:10 So like basic server hygiene applies to them.
57:17 On top of that, then the SQL software, the SQL server software itself, it can be hardened as well.
57:25 And that might sound odd, but like it has updates that it needs.
57:29 So you want to make sure that you have locked it down the way that you think that you should.
57:37 Yeah.
57:38 Then on top of-
57:40 And it can run in different users as well, right?
57:42 It's easy to, it's easiest if it just runs as root, but wouldn't it be better if it, in case somebody gets to it and breaks in through it, right?
57:49 You don't want them to use it as a lateral movement.
57:52 You know, first they got into the server and then they went over to, you know, who knows where.
57:56 We also want to make sure, ideally, that people are not accessing it with database owner unless they're the database owner, right?
58:04 Like ideally, DBO users are used rarely.
58:08 Like let's say you're using MS SQL server, yeah, that has database owner privileges.
58:14 I get it because you're a database administrator.
58:16 But if your app or your API is accessing the database, we want to use a least privilege approach.
58:22 So if you're just doing select statements, just do a read-only user.
58:25 If you're doing CRED, create, read, update, delete, then you should use a read-write user.
58:31 But DBO is not almost ever actually needed, if we think about it.
58:35 And so if you don't have that, then less can happen that is bad, right?
58:39 Right.
58:39 Does it need access to every table or just these 10 tables?
58:42 Mm-hmm.
58:43 Exactly.
58:45 Another thing is like classifying the data that's in each table as sensitive or not sensitive.
58:52 And maybe you work for the government.
58:54 So maybe it's like classified or secret or top secret or whatever your organization uses.
59:00 But if you could classify those things and then label them.
59:04 A lot of databases now have labels for sensitivity, which is awesome.
59:09 But if not, just add an extra field.
59:10 If not just like add a field called sensitivity.
59:13 And then it's just like public or unclassified or super secret.
59:18 Don't show people.
59:19 And when you do that, it makes life so much better if there is a security incident.
59:26 Because I know if I need to freak out a little or if I need to freak out a lot.
59:30 And if it's not labeled, I have to assume the absolute worst when I respond until I know it's a lower threat.
59:37 And that really sucks.
59:40 Yeah.
59:41 Yeah, for sure.
59:42 Another thing that you called out in this section is make sure that logging is turned on.
59:47 And you need to do this before something goes bad.
59:49 Because it's the logs that tell you what happened.
59:53 Yes.
59:54 I think not just for databases, but across the board.
59:57 Logging is super important.
59:59 Oh, yeah.
01:00:00 I have a whole giant section in the book about what to log, what not to log, when to log.
01:00:05 Like exactly what I would love a log to look like, how to protect your logs.
01:00:09 I had a customer and they're like 28 of our customers.
01:00:14 Their credit cards got nicked and Visa called us.
01:00:17 And they want us to prove that it wasn't us.
01:00:21 And I'm like, great, let's go get the logs.
01:00:23 They're like, we kind of deleted those.
01:00:26 You know, they're hard to back up.
01:00:28 I said, what?
01:00:30 And they're like, well, we just switched to a new server four months ago.
01:00:34 And so we just deleted the old server.
01:00:36 So like, and we just did that.
01:00:38 So like for four months, we have no records.
01:00:41 And I said, oh my gosh.
01:00:42 And so luckily it turned out there was a sandwich shop in the same building and they caught an
01:00:49 employee was skimming the cards.
01:00:51 And so Visa's like, we figured it out.
01:00:53 And we're like, great.
01:00:54 I'm like, we're all getting fired.
01:00:55 Because if Visa yanks your ability to use it and your main way of making money is charging
01:01:04 money over the internet.
01:01:05 Like you've just reduced your ability to do the main purpose of capitalism.
01:01:10 Yeah.
01:01:11 Life is, you do not want to take off Visa or MasterCard.
01:01:14 Don't do it.
01:01:16 All that stuff is definitely, it's definitely unnerving.
01:01:19 Let's see some more advice.
01:01:21 You got using ORM if you can, because it, they basically are not immune, but they have a lot
01:01:27 of automatic guards against.
01:01:29 You're not writing direct string.
01:01:31 So it's harder to concatenate that stuff.
01:01:33 Yeah.
01:01:33 They will also do a lot of the code for you, depending upon the one that you use.
01:01:38 Like I've used the entity relationship framework with .NET.
01:01:41 It's like, I'm going to write all your gets and sets and do this and that for you.
01:01:44 I'm like, oh, sweet.
01:01:45 Thanks, buddy.
01:01:45 And even your migrations and stuff.
01:01:47 Yeah.
01:01:47 It's pretty nice.
01:01:48 Yeah.
01:01:49 I'm a fan.
01:01:50 I'm a believer.
01:01:51 I know some people say, oh, it's a little bit slower, whatever.
01:01:53 Like, yeah, but I like getting stuff done and sleeping at night.
01:01:56 Yeah.
01:01:57 So another one I think is really worth pointing out.
01:02:00 Most important for databases, but also just generally good idea.
01:02:03 Have an extensive and well thought out backup plan and try to back up something at least
01:02:08 once or try to restore something at least once.
01:02:10 Yes.
01:02:11 I worked somewhere and we had a computer problem and they lost everyone's work in our entire
01:02:18 2000 person department for, for the whole week.
01:02:22 So for like the three days, it was the Wednesday and they had lost all of our work.
01:02:26 Everyone's work was not saved.
01:02:28 All of it was gone.
01:02:29 And we go to the backup guys and we're like, okay, do your thing.
01:02:33 And they're like, oh, well, it'll take like at least a month.
01:02:36 And we've never really tried it before.
01:02:37 And we don't think it'll really work.
01:02:39 And so you guys should just still redo it.
01:02:41 And my boss was like, oh, I guess we have to redo it.
01:02:44 And I was like, well, can I hire two new software developers?
01:02:48 And he's like, why?
01:02:49 I'm like, well, because those guys are obviously fired.
01:02:52 Right.
01:02:52 And then I can just like hire two new devs.
01:02:54 It'll be great.
01:02:55 And he's like, Tanya, go back to your room.
01:02:56 But I'm like, we don't need them.
01:03:00 Their job, they just proved that their job is completely worthless.
01:03:05 So let's just get rid of them.
01:03:06 And he was like, stop talking.
01:03:08 Go, go away.
01:03:10 I understand you're frustrated, but.
01:03:12 That's not constructive, Tanya.
01:03:14 If I fire them, then they're going to have to fire me because I hire.
01:03:16 No, I'm just kidding.
01:03:16 You know, one thing that I, yeah.
01:03:19 The one thing that comes to mind though is, you know, back in the day, we had Subversion
01:03:23 and CVS and SourceSafe and all these things.
01:03:26 And if something went wrong with that, it was just gone.
01:03:28 It was just gone.
01:03:29 And now we have Git.
01:03:30 And if something goes wrong, there might be a hundred copies of it.
01:03:33 It's less bad from a software person's perspective.
01:03:39 Three times I have worked somewhere where they lost their code repository.
01:03:42 Yeah.
01:03:43 One of the times I started and one of the employees was junior and he had just deleted it by accident.
01:03:52 And I managed to go to each person's computer and recover a ton of the code and put a lot of
01:04:00 it back together.
01:04:00 Another time someone just deleted it and they, I feel were malicious.
01:04:06 And then another time, basically we didn't want to wait for shared services.
01:04:12 So the Canadian government decided we would make a department that was the IT department
01:04:17 for the whole government and they just wouldn't give us a server.
01:04:19 So we just took a server from another room and repurposed it and decided that was our code
01:04:24 repo survey.
01:04:25 And so I set up a whole network.
01:04:26 I set up active directory and all this.
01:04:28 I installed team foundation server.
01:04:30 I did all the stuff.
01:04:31 I set it all up.
01:04:32 And I was like, listen, bud, I did this for you, but you need to back it up every night.
01:04:35 And he promised me he would.
01:04:37 And then five months later, it crashed.
01:04:39 And he's like, are you going to make it go again?
01:04:42 And it was a raid server.
01:04:43 And it automatically deleted everything.
01:04:45 Yeah.
01:04:46 And so I was like, well, get your backup.
01:04:48 Get its job.
01:04:49 It replicated.
01:04:50 He had not backed it up a single time in five months.
01:04:53 And we lost 11 contractors work for like months, like five months.
01:04:57 I was like, I am so angry.
01:05:00 And he's like, could you spend this weekend making us a new?
01:05:02 I was like, no, I'm so angry at you.
01:05:05 You'll make it.
01:05:06 He's like, but I don't know how.
01:05:07 I'm like, I guess it's tough to be you.
01:05:08 You're going to learn.
01:05:10 You're going to learn the hard way.
01:05:12 Yeah.
01:05:13 So we're pretty much out of time here.
01:05:15 But I do want to maybe just point out that there is a whole section on Flask, which is
01:05:19 pretty awesome.
01:05:20 And you talk a lot about different extensions that you can use, like Flask Secrets for secret
01:05:26 management or Flask WTF for CSRF protection and things like that.
01:05:33 So there's a bunch of stuff in there.
01:05:35 People want to go check that out.
01:05:36 But I think we might need to call it for time.
01:05:38 But yeah, this is good stuff.
01:05:40 If you want to learn more besides obviously purchasing all of my books, I have a free online
01:05:45 academy at academy.semgrep.dev.
01:05:49 I don't know if you want me to spell it because that's like...
01:05:52 I'm going to...
01:05:58 I'll find it.
01:06:00 I'll find it.
01:06:00 There.
01:06:00 Oh, it's like it's through my full-time job.
01:06:04 So I train on the side and I do stuff for them full-time.
01:06:07 But I put it in our private chat.
01:06:09 And basically, I have a free secure coding course in there.
01:06:12 It's a few years old.
01:06:14 Like the book is all brand new stuff.
01:06:16 It covers like agnostic, you know, how to do input validation, how to do output encoding,
01:06:21 how to make sure that you are using parameterized queries, how to configure every single security
01:06:27 header.
01:06:27 And it's just free.
01:06:29 And I do that because I need us to do better real bad.
01:06:35 Please, please, please, please, please, please.
01:06:37 Yeah.
01:06:37 Well, thank you.
01:06:38 That's awesome.
01:06:39 Thank you.
01:06:40 Yeah.
01:06:41 It's been a really fun conversation.
01:06:43 And I feel like we could probably talk for another two hours, but...
01:06:47 I know.
01:06:49 Well, maybe in another year or two, we'll come back if you'll have me.
01:06:52 Yeah.
01:06:52 Yeah.
01:06:53 That'd be amazing.
01:06:53 Well, let's leave it with a final call to action.
01:06:56 People are...
01:06:57 You have their attention.
01:06:58 They thought, well, maybe I should validate that or learn more or do more.
01:07:02 What do you tell them before we wrap it up?
01:07:04 I want you to go look at whatever framework that you are using and see if there are security
01:07:10 features and start using them in your code.
01:07:13 So if you're using Flask, there's a whole bunch of super awesome things in Flask.
01:07:17 Please use them.
01:07:18 Your life will be better.
01:07:20 Yeah, absolutely.
01:07:21 Well, thank you for sharing all your experience and the story.
01:07:25 That's been a lot of fun.
01:07:26 Thank you so much for having me, Michael.
01:07:28 Yeah, you bet.
01:07:29 Bye.
01:07:30 This has been another episode of Talk Python to Me.
01:07:33 Thank you to our sponsors.
01:07:35 Be sure to check out what they're offering.
01:07:36 It really helps support the show.
01:07:38 This episode is sponsored by Posit Connect from the makers of Shiny.
01:07:42 Publish, share, and deploy all of your data projects that you're creating using Python.
01:07:47 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs.
01:07:53 Posit Connect supports all of them.
01:07:56 Try Posit Connect for free by going to talkpython.fm/posit, P-O-S-I-T.
01:08:02 And this episode is brought to you by Bluehost.
01:08:04 Do you need a website fast?
01:08:06 Get Bluehost.
01:08:07 Their AI builds your WordPress site in minutes, and their built-in tools optimize your growth.
01:08:12 Don't wait.
01:08:13 Visit talkpython.fm/bluehost to get started.
01:08:17 Want to level up your Python?
01:08:18 We have one of the largest catalogs of Python video courses over at Talk Python.
01:08:23 Our content ranges from true beginners to deeply advanced topics like memory and async.
01:08:27 And best of all, there's not a subscription in sight.
01:08:30 Check it out for yourself at training.talkpython.fm.
01:08:33 Be sure to subscribe to the show, open your favorite podcast app, and search for Python.
01:08:38 We should be right at the top.
01:08:39 You can also find the iTunes feed at /itunes, the Google Play feed at /play,
01:08:44 and the direct RSS feed at /rss on talkpython.fm.
01:08:49 We're live streaming most of our recordings these days.
01:08:52 If you want to be part of the show and have your comments featured on the air,
01:08:55 be sure to subscribe to our YouTube channel at talkpython.fm/youtube.
01:08:59 This is your host, Michael Kennedy.
01:09:01 Thanks so much for listening.
01:09:03 I really appreciate it.
01:09:04 Now get out there and write some Python code.
01:09:20 I'll see you next time.