Secure Coding with Python

OWASP Romania Conference 2014

24th October 2014, Bucureşti, România
• About Me
Started to work in IT in 1997, moved to information security in 2001. Working
in information security for over a decade with experience in software security,
information security management, and information security R&D.

Worked in many roles like Senior Security Engineer, Security Architect,

Disaster Recovery Specialist, Microsoft Security Specialist, etc… etc...

Leader of “OWASP Python Security” Project

• http://www.pythonsecurity.org/
Co-Leader of “OWASP Project Metrics” Project
• https://github.com/OWASP/OWASP-Project-Metrics

24th October 2014, Bucureşti, România 2

• OWASP Python Security Project
A new ambitious project that aims at making python more
secure and viable for usage in sensitive environments.

• We have started a full security review of python by checking

core modules written in both C and python
• First goal is to have a secure layer of modules for LINUX

The security review takes a lot of time and we are slowly

publishing libraries and tools, documentation will follow 
24th October 2014, Bucureşti, România 3
• OWASP Python Security Project
Python Security is a free, open source, OWASP Project that aims at
creating a hardened version of python that makes it easier for
security professionals and developers to write applications more
resilient to attacks and manipulations.

Our code in GITHUB:

• https://github.com/ebranca/owasp-pysec/

Known Issues in python modules concerning software security:

• https://github.com/ebranca/owasp-pysec/wiki/Security-Concerns-
in-modules-and-functions

24th October 2014, Bucureşti, România 4

 Total Software Flaws (CVE)
01/2001 to 12/2013
After checking statistics generated from
7,000
vendors we have to also check data
generated by the community at large.
6,000
Statistics on publicly disclosed vulnerabilities
5,000 are available at the site “NIST.gov” under the
name “National Vulnerability Database”
4,000
http://web.nvd.nist.gov/view/vuln/statistics
3,000
We will review vulnerability stats:
2,000 - By Access vector
- By Complexity
1,000
- By Severity
- By Category
0
2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Series1
Then we will formulate some conclusions.
http://web.nvd.nist.gov/view/vuln/statistics
24th October 2014, Bucureşti, România 5
 Number of Software Flaws (CVE) Trend of Software Flaws (CVE)
by Access Vector By Access Vector
7,000

6,000

5,000

4,000

3,000

2,000

1,000

0
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Series1 Series2 Series3 Series1 Series2 Series3

http://web.nvd.nist.gov/view/vuln/statistics
24th October 2014, Bucureşti, România 6
 Number of Software Flaws (CVE) Trend of Software Flaws (CVE)
by Complexity by Complexity
5,000 9

4,500 8

4,000
7

3,500
6
3,000
5
2,500
4
2,000
3
1,500

2
1,000

500 1

0 0
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Series1 Series2 Series3 Series1 Series2 Series3

http://web.nvd.nist.gov/view/vuln/statistics
24th October 2014, Bucureşti, România 7
• Initial review of “National Vulnerability Database”
statistics revealed:

– Number of public vulnerabilities relaying on “network” is

decreasing
– Number of public vulnerabilities relaying on “local
network” access (adjacent networks) in increasing
– Number of public vulnerabilities relaying on “local access
only” access in increasing
– Medium or low complexity Vulnerabilities are preferred

24th October 2014, Bucureşti, România 8

• Analysis of the “Web Application Vulnerability
Statistics 2013” report revealed:
– Rate of server misconfigurations is increasing
– Authentication issues are increasingly not checked
– Authorization issues are increasingly not checked
– Server application headers are not sanitized
– Server application error are not filtered
– Server default files/dirs are left accessible

24th October 2014, Bucureşti, România 9

• How network configurations can impact internal
code operations?
• IP Fragmentation
– https://isc.sans.edu/forums/diary/IP+Fragmentation+Attacks/13282
– http://www.snort.org/assets/165/target_based_frag.pdf
– http://www.icir.org/vern/papers/activemap-oak03.pdf

• Depending on the system reading the fragmented packets

arriving at the NIC, the reassembly process can either DESTROY
or REASSEMBLE the original stream, as an application may have
sent valid data but the receiving end may see only random data.
24th October 2014, Bucureşti, România 10
def genjudyfrags():
pkts=scapy.plist.PacketList()
This section of code will generate
pkts.append(IP(flags="MF",frag=0)/("1"*24)) six packet fragments as outlined in
pkts.append(IP(flags="MF",frag=4)/("2"*16)) “IP Fragment Reassembly with
pkts.append(IP(flags="MF",frag=6)/("3"*24)) scapy“ with the offsets specified in
pkts.append(IP(flags="MF",frag=1)/("4"*32))
pkts.append(IP(flags="MF",frag=6)/("5"*24))
the Shankar/Paxson and Novak
pkts.append(IP(frag=9)/("6"*24)) papers.
return pkts

The picture is taken from

the Novak paper and
represent the final packet
order per each reassembly
policy.

http://www.snort.org/assets/165/t
arget_based_frag.pdf
24th October 2014, Bucureşti, România 11
python -OOBR reassembler.py –demo
Reassembled using policy: First (Windows, SUN, MacOS, HPUX)
11111111111111111111111144444444222222222222222233333333333333333333333366666
6666666666666666666
Reassembled using policy: Last/RFC791 (Cisco)
11111111444444444444444444444444444444442222222255555555555555555555555566666
6666666666666666666
Reassembled using policy: Linux (Umm.. Linux)
11111111111111111111111144444444444444442222222255555555555555555555555566666
6666666666666666666
Reassembled using policy: BSD (AIX, FreeBSD, HPUX, VMS)
11111111111111111111111144444444444444442222222233333333333333333333333366666
6666666666666666666
Reassembled using policy: BSD-Right (HP Jet Direct)
11111111444444444444444444444444222222222222222255555555555555555555555566666
6666666666666666666

24th October 2014, Bucureşti, România 12

• What about numeric operations?

As an example we will take in consideration LINUX.

Many security operations are based on random numbers and

every linux system using any cryptographic function can be
impacted by the lack of good entropy.

What is generally overlooked is that under linux almost every

process uses entropy when is created and even the network
stack uses entropy to generate the “TCP-syn cookies”.

24th October 2014, Bucureşti, România 13

• This is an expected behavior and is working as designed.
• Spawning a process uses (on average) 16 bytes of entropy per
“exec()”, therefore when server load spikes entropy is quickly
depleted as the kernel is not generating entropy fast enough.
• Also when a system is built to use “Stack Smashing Protector”
(SSP) by default it uses “/dev/urandom” directly, this tends to
consume all the kernel entropy.
• Almost all modern Linux systems use “Address space layout
randomization“ (ASLR) and stack protections that need a small
amount of entropy per process. Since “/dev/urandom” always
remixes, it doesn't strictly run out, but the entropy drops.

24th October 2014, Bucureşti, România 14

• In fact many linux command used to check the amount of
entropy are “consuming” it and may lead to it’s depletion.

• For example this command will “consume” entropy

– watch cat /proc/sys/kernel/random/entropy_avail

• But this python one-line script will NOT use entropy:

– python -c "$(echo -e "import time\nwhile True:\n time.sleep(0.5)\n
print open('/proc/sys/kernel/random/entropy_avail', 'rb').read(),")"

• Also the command “inotifywatch -v -t 60 /dev/random” will

monitor the access to “/dev/random” without using entropy

24th October 2014, Bucureşti, România 15

 • What happens to the entropy level in a
working linux server under average load?
250
150-200 bits = Entropy lowest limit Generate
200 1024bits SSL key

150
Generate
128bits SSL key
100

50

0
81

193

305

417

529

641

753

865
1
17
33
49
65

97
113
129
145
161
177

209
225
241
257
273
289

321
337
353
369
385
401

433
449
465
481
497
513

545
561
577
593
609
625

657
673
689
705
721
737

769
785
801
817
833
849

881
897
913
929
24th October 2014, Bucureşti, România 16
Under linux every process uses entropy and every server
“should” not have less than 200 bits. It Is possible to
increase the entropy level using entropy deamons like the
package “haveged”. (http://www.issihosts.com/haveged/)
4500

4000
Haveged Running Haveged Running
3500

3000

2500

2000

1500

1000 Haveged Stopped

500

0
183

521

1301
1
27
53
79
105
131
157

209
235
261
287
313
339
365
391
417
443
469
495

547
573
599
625
651
677
703
729
755
781
807
833
859
885
911
937
963
989
1015
1041
1067
1093
1119
1145
1171
1197
1223
1249
1275

1327
1353
1379
1405
1431
1457
1483
1509
24th October 2014, Bucureşti, România 17
• PYTHON for networking?
Scapy libdnet dpkt Impacket
pypcap pynids Dirtbags py-pcap flowgrep
Mallory Pytbull 0trace

• PYTHON for fuzzing?

Sulley Peach Fuzzing antiparser TAOF
untidy Powerfuzzer Mistress Fuzzbox
WSBang Construct Fusil SMUDGE

24th October 2014, Bucureşti, România 18

• OWASP Secure Coding Principles
1. Minimize attack surface area
2. Establish secure defaults
3. Principle of Least privilege
4. Principle of Defence in depth
5. Fail securely
6. Don’t trust services
7. Separation of duties
8. Avoid security by obscurity
9. Keep security simple
10. Fix security issues correctly
24th October 2014, Bucureşti, România 19
• In reality “Secure coding” is a PRACTICE

Practice: “the actual application or use of an idea,

belief, or method, as opposed to theories relating to it”

The definition of “secure coding” changes over time as

each person/company has different ideas.

• Is about how to DESIGN code to be inherently

secure and NOT on how to write secure code
24th October 2014, Bucureşti, România 20
• As a PRACTICE secure coding includes but is
not limited to:

Definition of areas of interest

Analysis of architectures involved
Review of implementation details
Verification of code logic and syntax
Operational testing (unit testing, white-box)
Functional testing (black-box)
24th October 2014, Bucureşti, România 21
• Secure coding depends on “functional testing”
– Functional testing: “verifies a program by checking it
against ... design document(s) or specification(s)”
– System testing: “validate[s] a program by checking it
against the published user or system requirements”
(Kaner, Falk, Nguyen. Testing Computer Software. Wiley Computer Publishing, 1999)

• Operational testing = white-box testing  unit-test

– (http://en.wikipedia.org/wiki/Operational_acceptance_testing)

• Functional testing = black-box testing

– (http://en.wikipedia.org/wiki/Functional_testing)

24th October 2014, Bucureşti, România 22

• PYTHON  use with moderation

We have seen some powerful tools written in python but what

about the security of python itself?

• Are there operations to avoid?

• Any module or core library to use with caution?
• Something to know before writing code for security?

24th October 2014, Bucureşti, România 23

 • EXAMPLE – numeric overflow
RESULT (debian 7 x64)
Traceback (most recent call last):
N = 2 ** 63
File "xrange_overflow.py", line 5, in <module>
for n in xrange(N):
for n in xrange(N):
print n
OverflowError: Python int too large to convert
to C long

PROBLEM: xrange uses "Plain Integer Objects" created by the OS

SOLUTION: Use python "long integer object“ that will allow
numbers of arbitrary length as the limit will be the system's
memory.
24th October 2014, Bucureşti, România 24
 • EXAMPLE – operations with file descriptors
RESULT
close failed in file object destructor:
import sys sys.excepthook is missing
import io lost sys.stderr

fd = io.open(sys.stdout.fileno(), 'wb') Code is trying to write a non-zero

fd.close() amount of data to something that
try: does not exists.
sys.stdout.write("test for error") The file descriptor has been closed
except Exception: and nothing can be sent, but python
raise
has no control over it and returns a
system error.
24th October 2014, Bucureşti, România 25
• EXAMPLE - File descriptors in Windows
C:\Python27>python.exe -V
Python 2.7.6

python.exe -OOBtt “winfd_1.py”

import io
import sys

fd = io.open(sys.stdout.fileno(), 'wb')
fd.close()

sys.stdout.write(“Now writing to stdout closed FD will cause a crash")

24th October 2014, Bucureşti, România 26
 • EXAMPLE – string evaluation
import sys
import os
try:
eval("__import__('os').system('clear')", {})
#eval("__import__('os').system(cls')", {})
print "Module OS loaded by eval"
except Exception as e:
print repr(e)

The function "eval" executes a string but is not possible to any

control to the operation. Malicious code is executed without limits
in the context of the user that loaded the interpreter.
REALLY DANGEROUS
24th October 2014, Bucureşti, România 27
 • EXAMPLE – input evaluation
Secret = "A SECRET DATA" What you type as input is interpreted
Public = "a COCONUT"
through an expression and the
value = input("Please enter your age ")
print "There are",value, result is saved into your target
print "monkeys looking for",Public variable with no control or limits.
python -OOBRtt input_1.py
Please enter your age 32
There are 32 monkeys looking for a COCONUT
The dir() function returns “most”
python -OOBRtt input_1.py of the attributes of an object.
Please enter your age dir()
There are ['Public', 'Secret', '__builtins__', '__doc__', '__file__', '__name__', '__package__'] monkeys
looking for a COCONUT

python -OOBRtt input_1.py

Please enter your age Secret
There are A SECRET DATA monkeys looking for a COCONUT
24th October 2014, Bucureşti, România 28
• Unicode string encode/decode
RESULT

Correct-String "u'A\\ufffdBC\\ufffd'"  KNOWN GOOD STRING

CODECS-String "u'A\\ufffdBC'"  WRONG
IO-String "u'A\\ufffdBC\\ufffd'"  OK

The problem is due to a bug in the "codec" library that detects the character
"F4" and assumes this is the first character of a sequence of characters and wait
to receive the remaining 3 bytes, and the resulting string is truncated.

A better and safer approach would be to read the entire stream and only then
proceed to the decoding phase, as done by the ”io” module.

24th October 2014, Bucureşti, România 29

• CODE – Unicode string encode/decode
import codecs
import io
try:
ascii
except NameError:
ascii = repr
b = b'\x41\xF5\x42\x43\xF4'
print("Correct-String %r") % ((ascii(b.decode('utf8', 'replace'))))
with open('temp.bin', 'wb') as fout:
fout.write(b)
with codecs.open('temp.bin', encoding='utf8', errors='replace') as fin:  ISSUE HERE
print("CODECS-String %r") % (ascii(fin.read()))
with io.open('temp.bin', 'rt', encoding='utf8', errors='replace') as fin:
print("IO-String %r") % (ascii(fin.read()))
24th October 2014, Bucureşti, România 30
 • EXAMPLE – data corruption with “cPickle”
import os
import cPickle pickle/CPICKLE (debian 7 x64)
import traceback
random_string = os.urandom(int(2147483648))
LIMIT = 2147483648 -1 = 2147483647
print ("STRING-LENGTH-1=%r") % (len(random_string)) (32bit integer object)
fout = open('test.pickle', 'wb')
try:
TEST WITH STRING SIZE "2147483647"
cPickle.dump(random_string, fout) ALL OK
except Exception as e:
print "###### ERROR-WRITE ######"
print sys.exc_info()[0] TEST using cPickle (data corruption)
raise
fout.close()
TEST WITH STRING SIZE "2147483648"
fin = open('test.pickle', 'rb') ###### ERROR-WRITE ######
try:
random_string2 = cPickle.load(fin)
<type 'exceptions.SystemError'>
except Exception as e: ....
print "###### ERROR-READ ######"
print sys.exc_info()[0]
File "pickle_2.py", line 18, in <module>
raise pickle.dump(random_string, fout)
print ("STRING-LENGTH-2=%r") % (len(random_string2))
print random_string == random_string2
SystemError: error return without exception set

24th October 2014, Bucureşti, România 31

 • EXAMPLE – data corruption with “pickle”
import os
import pickle pickle/CPICKLE (debian 7 x64)
import traceback
random_string = os.urandom(int(2147483648))
LIMIT = 2147483648 -1 = 2147483647
print ("STRING-LENGTH-1=%r") % (len(random_string)) (32bit integer object)
fout = open('test.pickle', 'wb')
try:
TEST WITH STRING SIZE "2147483647"
pickle.dump(random_string, fout) ALL OK
except Exception as e:
print "###### ERROR-WRITE ######"
print sys.exc_info()[0] TEST using pickle (data corruption)
raise
fout.close()
TEST WITH STRING SIZE "2147483648"
fin = open('test.pickle', 'rb') ###### ERROR-WRITE ######
try:
random_string2 = pickle.load(fin)
<type 'exceptions.MemoryError'>
except Exception as e: ….
print "###### ERROR-READ ######"
print sys.exc_info()[0]
File "/usr/lib/python2.7/pickle.py", line 488, in
raise save_string self.write(STRING + repr(obj) + '\n')
print ("STRING-LENGTH-2=%r") % (len(random_string2))
print random_string == random_string2
MemoryError

24th October 2014, Bucureşti, România 32

 • EXAMPLE – unrestricted code in “pickle”
drwxr-xr-x 24 root root 4096 Feb 28 01:42 .
import pickle drwxr-xr-x 24 root root 4096 Feb 28 01:42 ..
drwxr-xr-x 2 root root 4096 Feb 28 01:14 bin
obj = pickle.load(open('./bug.pickle')) drwxr-xr-x 158 root root 12288 Apr 30 22:16 etc
print "== Object ==" drwxr-xr-x 3 root root 4096 Feb 28 00:45 home
drwx------ 2 root root 16384 Feb 27 23:25 lost+found
print repr(obj) drwxr-xr-x 3 root root 4096 May 2 09:18 media
drwxr-xr-x 2 root root 4096 Dec 4 12:31 mnt
drwxr-xr-x 2 root root 4096 Feb 27 23:26 opt
bug.pickle dr-xr-xr-x 316 root root 0 Apr 16 12:21 proc
cos drwx------ 7 root root 4096 Mar 7 23:09 root
drwxr-xr-x 2 root root 4096 Feb 28 01:55 sbin
system drwxr-xr-x 2 root root 4096 Feb 27 23:26 srv
(S'ls -al /' drwxr-xr-x 13 root root 0 Apr 16 12:21 sys
drwxrwxrwt 13 root root 4096 May 2 14:57 tmp
tR. drwxr-xr-x 10 root root 4096 Feb 27 23:26 usr
drwxr-xr-x 13 root root 4096 Feb 28 07:21 var

WARNING: pickle or cPickle are NOT designed as

safe/secure solution for serialization
24th October 2014, Bucureşti, România 33
 • EXAMPLE – inconsistent “pickle” serialization
RESULT # python 3
b'cUserList\ndefaultdict\nq\x00)Rq\x01.' import pickle
b'ccollections\ndefaultdict\nq\x00)Rq\x01.' import collections
b'\x80\x02cUserList\ndefaultdict\nq\x00)Rq\x01.' dct = collections.defaultdict()
b'\x80\x02ccollections\ndefaultdict\nq\x00)Rq\x01.‘ f = pickle.dumps(dct, protocol=1)
print (repr(f))
(http://hg.python.org/cpython/file/7272ef213b7c/Li g = pickle.dumps(dct, protocol=1,
b/_compat_pickle.py at line 80) fix_imports=False)
print (repr(g))
If there's a “collections.defaultdict” in the pickle h = pickle.dumps(dct, protocol=2)
dump, python 3 pickles it to “UserString.defaultdict” print (repr(h))
instead of “collections.defaultdict” even if python i = pickle.dumps(dct, protocol=2,
2.7 and 2.6 do not have a “defaultdict” class in fix_imports=False)
“UserString”. print (repr(i))
24th October 2014, Bucureşti, România 34
• EXAMPLE – review of pickle/cPickle
– Main problems: code injection, data corruption

• cPickle: severe errors as exceptions are "lost" even if

an error is generated and signalled by the O.S.
• pickle: no controls on data/object integrity
• pickle: no control on data size or system limitations
• pickle: code evaluated without security controls
• pickle: string encoded/decoded without verification
24th October 2014, Bucureşti, România 35
 • EXAMPLE – socket remains open after error ..
OPEN IN TERMINAL 1 (one line): import smtplib smtplib_1.py
python -m smtpd -n -c DebuggingServer try:
localhost:45678 s = smtplib.SMTP_SSL("localhost", 45678)
except Exception:
OPEN IN TERMINAL 2: raise
python -OOBRtt smtplib_1.py

RESULT:
ssl.SSLError: [Errno 1] _ssl.c:504: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol

lsof -P | grep python | grep ":45678"

python 16725 user01 3u IPv4 31510356 0t0 TCP localhost:45678 (LISTEN)

The underlying socket connection remains open, but you can't access it or close it.
24th October 2014, Bucureşti, România 36
 • EXAMPLE – “unlimited data” in POP3
python -OOBRtt pop3_client.py
Connecting to '127.0.0.1':45678...
import socket SERVER
HOST = '127.0.0.1'
Welcome: '+OK THIS IS A TEST' PORT = 45678
Error: 'out of memory‘ NULLS = '\0' * (1024 * 1024) # 1 MB
sock = socket.socket()
sock.bind((HOST, PORT))
import poplib
HOST = '127.0.0.1'
CLIENT sock.listen(1)
PORT = 45678 while 1:
try: conn, _ = sock.accept()
print "Connecting to %r:%d..." % (HOST, PORT) conn.sendall("+OK THIS IS A TEST\r\n")
pop = poplib.POP3(HOST, PORT) conn.recv(4096)
print "Welcome:", repr(pop.welcome) DATA = NULLS
print "Listing..." try:
reply = pop.list() while 1:
print "LIST:", repr(reply) for _ in xrange(1024):
except Exception, ex: conn.sendall(DATA)
print "Error: %r" % str(ex) except IOError, ex:
print "End." print "Error: %r" % str(ex)

24th October 2014, Bucureşti, România 37

 • EXAMPLE – leaks in poplib/urllib/smtplib …
python -OOBRtt pop3_server.py
Traceback (most recent call last): If python process has an error
File "pop3_server.py", line 12, in <module> the exception will not reliably
sock.bind((HOST, PORT)) close all file and socket file
File "/usr/lib/python2.7/socket.py", line 224, in meth descriptors (handles) leading to
return getattr(self._sock,name)(*args) leaks and uncontrollable
socket.error: [Errno 98] Address already in use background processes

ps aux | grep pop3

user01 30574 0.0 0.0 33256 6052 ? S 19:34 0:00 /usr/bin/python –OOBRtt pop3_server.py

lsof -P | grep python | grep pop3

pop3_serv 30574 user01 txt /usr/bin/python2.7
pop3_serv 30574 user01 mem REG /usr/lib/python2.7/lib-dynload/_ssl.so
24th October 2014, Bucureşti, România 38
• EXAMPLE – libs with “unlimited data“ issues
HTTPLIB  http://bugs.python.org/issue16037 (fixed)
FTPLIB  http://bugs.python.org/issue16038 (fixed)
IMAPLIB  http://bugs.python.org/issue16039 (fixed)
NNTPLIB  http://bugs.python.org/issue16040 (fixed)
POPLIB  http://bugs.python.org/issue16041
SMTPLIB  http://bugs.python.org/issue16042
XMLRPC  http://bugs.python.org/issue16043

24th October 2014, Bucureşti, România 39

• Small list of KNOWN UNSAFE python components

ast multiprocessing
pty
bastion os.exec
rexec
commands os.popen
shelve
cookie os.spawn
subprocess
cPickle os.system
tarfile
eval parser
yaml
marshal pickle
zipfile
mktemp pipes
24th October 2014, Bucureşti, România 40
• PYTHON for the web?
Requests HTTPie ProxMon WSMap
Twill Ghost Windmill FunkLoad
spynner mitmproxy pathod / pathoc scrapy

• PYTHON for offensive actions?

Plenty of dangerous python tools in “packet storm security” website:
• http://packetstormsecurity.com/files/tags/python/

More general tools:

• http://pythonsource.com/

24th October 2014, Bucureşti, România 41

• PYTHON for reverse engineering?
Androguard IDAPython pyasm2 pype32
apkjet libdisassemble PyBFD python-adb
AsmJit-Python llvmpy PyCodin python-ptrace
BeaEnginePython Miasm pydasm PythonGdb
Binwalk ollydbg2-python PyDBG PyVEX
Buggery OllyPython pydbgr pywindbg
cuckoo PDBparse PyELF Rekall
Disass pefile pyew Vivisect
ElfParserLib PIDA pygdb2 Volatility
Frida PyADB pyMem WinAppDbg

24th October 2014, Bucureşti, România 42

• Closing Summary

• Python is a powerful and easy to learn

language BUT has to be used with care.

• There are no limits or controls in the language,

is responsibility of the coder to know what can
be done and what to avoid.
24th October 2014, Bucureşti, România 43
Secure Coding Review
Server Issues Access class to Monitor Architectural Aspects
Misconfiguration Local network Kernel Architecture
Application headers Local access only Data write policy
Application Errors Remote Network Access NIC configuration
Default files Entropy pool
Vulnerabilities to Check Language Issues
Default Locations
Format String File operations
Traffic in clear text
Buffer Errors Object evaluations
Vulnerable to DoS
Credentials Management Instruction Validation
Vulnerable to MITM
Cryptographic Issues Variable Manipulation
Crypto Issues Information Leak String/Input Evaluation
Weak ciphers Input Validation Unicode encode/decode
Small keys OS Command Injections Serialization
Invalid SSL certs SQL Injection Data limits
24th October 2014, Bucureşti, România 44
 Contact
Enrico Branca
“OWASP Python Security Project”
http://www.pythonsecurity.org/

Email: [email protected]
Linkedin: http://fr.linkedin.com/in/ebranca
24th October 2014, Bucureşti, România 45