Desktop Application Security in Python

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software
•        Constraints and the market
•        The dark side

Input validation

• Input validation principles
•        Blacklists and whitelists
•        Data validation techniques
•        Lab – Input validation
•        What to validate – the attack surface
•        Where to validate – defense in depth
•        How to validate – validation vs transformations
•        Output sanitization
•        Encoding challenges
•        Lab – Encoding challenges
•        Validation with regex
•        Regular expression denial of service (ReDoS)
•        Lab – Regular expression denial of service (ReDoS)
•        Dealing with ReDoS
• Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•                SQL injection basics
•                Lab – SQL injection
•                Attack techniques
•                Content-based blind SQL injection
•                Time-based blind SQL injection
•        SQL injection best practices
•                Input validation
•                Parameterized queries
•                Additional considerations
•                Lab – SQL injection best practices
•                Case study – Hacking Fortnite accounts
•        Code injection
•                Code injection via input()
•                OS command injection
•                Lab – Command injection
•                        OS command injection best practices
•                        Avoiding command injection with the right APIs
•                        Lab – Command injection best practices
•                        Case study – Shellshock
•                        Lab – Shellshock
•                        Case study – Command injection via ping
•                        Python module hijacking
•                        Lab – Module hijacking
•        General protection best practices

DAY 2

Input validation

• Integer handling problems
•        Representing signed numbers
•        Integer visualization
•        Integers in Python
•        Integer overflow
•        Integer overflow with ctypes and numpy
•        Lab – Integer problems in Python
•        Other numeric problems
•                Division by zero
•                Other numeric problems in Python
•                Working with floating-point numbers
• Files and streams
•        Path traversal
•        Path traversal-related examples
•        Lab – Path traversal
•        Additional challenges in Windows
•        Virtual resources
•        Path traversal best practices
•        Format string issues
• Unsafe native code
•        Native code dependence
•        Lab – Unsafe native code
•        Best practices for dealing with native code

Security features

• Authentication
•        Authentication basics
•        Multi-factor authentication
•        Authentication weaknesses – spoofing
•        Case study – PayPal 2FA bypass
•        Password management
•                Inbound password management
•                        Storing account passwords
•                        Password in transit
•                        Lab – Is just hashing passwords enough?
•                        Dictionary attacks and brute forcing
•                        Salting
•                        Adaptive hash functions for password storage
•                        Password policy
•                                NIST authenticator requirements for memorized secrets
•                                Password length
•                                Password hardening
•                                Using passphrases
•                                Password change
•                                Forgotten passwords
•                                Lab – Password reset weakness
•                        Case study – The Ashley Madison data breach
•                                The dictionary attack
•                                The ultimate crack
•                                Exploitation and the lessons learned
•                        Password database migration
•                Outbound password management
•                        Hard coded passwords
•                        Best practices
•                        Lab – Hardcoded password
•                        Protecting sensitive information in memory
•                                Challenges in protecting memory
• Information exposure
•        Exposure through extracted data and aggregation
•        Case study – Strava data exposure
•        System information leakage
•                Leaking system information
•        Information exposure best practices
• Python platform security
•        The Python ecosystem and its attack surface
•        Python bytecode and security
•        Security features offered by the Python runtime
•        PEP 578 and audit hooks
•        Sandboxing Python

Using vulnerable components

• Assessing the environment
• Hardening
• Malicious packages in Python
• Vulnerability management
•        Patch management
•        Bug bounty programs
•        Vulnerability databases
•        Vulnerability rating – CVSS
•        DevOps, the build process and CI / CD
•        Dependency checking in Python
•        Lab – Detecting vulnerable components

DAY 3

Cryptography for developers

• Cryptography basics
• Cryptography in Python
• Elementary algorithms
•        Random number generation
•                Pseudo random number generators (PRNGs)
•                Cryptographically strong PRNGs
•                Using virtual random streams
•                Weak and strong PRNGs
•                Using random numbers in Python
•                Case study – Equifax credit account freeze
•                Lab – Using random numbers in Python
•        Hashing
•                Hashing basics
•                Common hashing mistakes
•                Hashing in Python
•                Lab – Hashing in Python
• Confidentiality protection
•        Symmetric encryption
•                Block ciphers
•                Modes of operation
•                Modes of operation and IV – best practices
•                Symmetric encryption in Python
•                Lab – Symmetric encryption in Python
•                Asymmetric encryption
•                        The RSA algorithm
•                                Using RSA – best practices
•                                RSA in Python
•                        Elliptic Curve Cryptography
•                                The ECC algorithm
•                                Using ECC – best practices
•                                ECC in Python
•                        Combining symmetric and asymmetric algorithms
•                                Key exchange
•                                Diffie-Hellman key agreement algorithm
•                                Key exchange pitfalls and best practices
• Integrity protection
•        Authenticity and non-repudiation
•        Message Authentication Code (MAC)
•                MAC in Python
•                Lab – Calculating MAC in Python
•        Digital signature
•                Digital signature with RSA
•                Digital signature with ECC
•                Digital signature in Python
• Public Key Infrastructure (PKI)
•        Some further key management challenges
•        Certificates
•                Chain of trust
•                PGP – Web of Trust
•                Certificate management – best practices

Common software security weaknesses

• Time and state
•        Race conditions
•                File race condition
•                        Time of check to time of usage – TOCTTOU
•                        Insecure temporary file
•                Avoiding race conditions in Python
•                        Thread safety and the Global Interpreter Lock (GIL)
•                        Case study: TOCTTOU in Calamares
• Errors
•        Error and exception handling principles
•        Error handling
•                Returning a misleading status code
•                Information exposure through error reporting
•        Exception handling
•                In the except,catch block. And now what?
•                Empty catch block
•                The danger of assert statements
•                Lab – Exception handling mess
• Code quality
•        Language elements
•                Using dangerous language elements
•                Using obsolete language elements
•                Portability flaw
•                Module injection and monkey patching
•                Dangers of compile(), exec() and eval()
•                Sandboxing Python
• Denial of service
•        Denial of Service
•        Resource exhaustion
•        Cash overflow
•        Flooding
•        Algorithm complexity issues

Wrap up

• Secure coding principles
•        Principles of robust programming by Matt Bishop
•        Secure design principles of Saltzer and Schröder
• And now what?
•        Software security sources and further reading
•        Python resources