Practical Django Security

Video in TIB AV-Portal: Practical Django Security

Formal Metadata

Practical Django Security
CC Attribution - ShareAlike 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Web application security is an ever-present problem. The "don't trust user input" mantra sounds nice but doesn't practically work. In this talk we will introduce and apply a set of practical programming paradigms that you can use to write secure code.
the thing and a such that things would change what what what the now have a about security and then we just up in New York and my 1st time this I spoke for about 3 hours and I realize that tonomous lies little bit and news analysis about tax but when it came to posting content for general conic figure but that's not tax change of a so that those of you and want someone learning and things from this talk so I came up with a unique approach to how and go through security so employed by 1
wonderful genesis I used in the mechanical mass and I'm in a manner center how many of them look at the challenges OK good so we see some people as a kind of an application penetration testing for about 2 use of that window anagenesis do not to to security it house and I like to say employed so a bike mention the contents of the slides of my own now when it comes to speak
about security it gets really tough is heavily on this talk about security they drag into a big conference room in these large corporations if you work in 1 of those was made place here about you need about happens unleaded about different hacks and it's really it's a bit ahead of gobble it still exists and the the major reasons for that is that in the back when you happy ecosystems and secure the lowest-common-denominator take for example in a cross-site scripting but within 1 Google Apps that affects every single 1 because the president trust each other the now that's really tough because the surface as we get to the really big also secured is constantly changing what was good yesterday is not good today and as can the slides work for today and I will work a little bit more but you should take his paintings comes down research and further to the change so let's look at what we can do to change that now so if you have to breakdown down security capabilities into 2 categories they can be broken down rather simple because of a lack of their properly designed and properly coded security controls and this will cause you to avoid those 2 attacks like denial of service and we you don't have the winning authentication bypass because you authentication mechanism isn't secure is susceptible to bypass and then the 1st and most common is improperly implemented cryptographic primitives which you know you could the the Watson-Crick that but can easily be decrypted and modified and then this is mixed up with code injection is largely run around with the with local execution vulnerabilities no matter obviously there about applications that have remote code execution interfaces built into them where such as SQL injection, cross-site scripting being in an attacker can make the execute as couldn't 1 year survival rate based on your all within the context of classes for being with clients because maintenance number including mixed up so let's look at these things in a bit of a different way
right so as opposed to have prevented the attacks that's movements would build their after mineral bust splits not located in atmosphere to build better software now and language and program has side effects but there are some things that we can prevent and I feel so that 1 of the 1st things in making the most of your program it was burning software that is incredibly asserted in last 2 the best of your ability perceive it as much as possible but the user is giving you this what you intend it to be not linear so it it's going to be what you intended MIT to vote and the then has has this works is made explicit is better than it was at that just take the input from the user but certainly to make sure it's exactly what you want now
let's look at that using 1 would use MIT's encoding data and for when we talk about mitigating cross-site scripting and SQL injection we talk about statements like output encoding but prepared statements or parameterized queries and this taken sound very nice and you know when when we hit by cosets within what they tell you when you you have to the the not encoding lasting belonging to the best of the injection at home you have to you have to use the parameterized queries prepared statements but is a stopgap measures with with the with these things actually or so minutes by this but for example it's a SQL injection you have a sequence where it would that data from user the now I know that is what's it supposed to be a number or supposed to be text right now could you shouldn't the text and it should only be considered taxpayer civil so if we explicitly put into that category at that point litigated and that's what I prepared statements or prepared statements and come as close the class and those things that like a using both them is evident like blooming in every different have been impeached app ecosystem have another way of saying prepared statements are parameterized queries but this did not want to be explicitly tell the simpler parts this is data do not execute this is this was in the Buddha required in this location not explicitly like as they a when it comes to output encoding when nanosecond user data on the page at that point you have the ability to the In the numerical metadata what the text of revision bytes as big it has the additional part should hold JavaScript that engine within the browser or not to execute that now this should be a general and this is what I all and that should be at it I think that many of you should follow as well if you don't managers find out what it's going to be used and what we do not get out of the market as data I know this is a risky option try not to the the set
name that's the security controls so this is what it's really tough because the security controls you have to understand attack surfaces yet understand threat modeling in the afternoon and burned you control in Boston and that's tough because the current controls that we use every day have been the cumulative set of knowledge research around the new security controls and no no not at this point because many attacks that they've been hit by we only have security controls because we know that we don't have them because they was was an initial thought security M is an afterthought it's burning after an attacker comes at the beginning of the LP would not invest money it's in a vault but the warm and then as people as things that that as that of the broken into certain of all technology has evolved so that you can do is if you've ever been security controls if you implement them a deeper use them use popular it's I and my popular is use once that was true leaders newtons you can find strength in numbers right do not use when that military people use that many times under there line under UV and see that it's great as also functionality and contains an authentication bypass the this is security but they have now been built that that that the unsuspecting users actually just jump straight into and we can use this posting promulgated that these that are patched up the people using them and the view on the code and therefore building out and that the better scary draw now to answers with authentication it doesn't help us very much of authorization so let us find ourselves with the authorization code it's important that you build this all this cone means used authorization was well authorization that areas that you build them you write and in 1 and put them in 1 place they should not be scattered among 2 application it's ignoring it and take the Pythons and 10 times before any security control if we find patterns and going up into many different locations can lead to a 
vulnerability expression 1 you intend to update women in a specific attack and I have to do it in every single location now the it today as mentioned previously without getting cold example this room and board to be explicit but conservative may explain why little but later no if you find yourself in case you ask actionability a system at that point you need to go by the book you need to get in an application security work began on a of recommendations later on and you need to go down the list of all the attacks and find other mitigated you will act crying SIFT descriptor secure so when least secure as if they are now on this we we had so landing systems and designed 1st the to be volume similar if not the same you must understand the tax and whatever you do not write your own encryption routines I I I I have so much pain on the internet when I see what he what randomizations in interval insecure the crypto routines now it's also important to note that you have to understand what you're doing so you have conservative it of cryptographic hash functions and we'll get to listen to that later but most of the 1st of all what women but Django provides very good and powerful security routines it's important that you can use that because this is where the strength in numbers and Django is popular where here we all represent accurately than Last Name election there not here today and we don't think we probably from within this hotel not so Django is very popular if j The Lancet usually implement the now let's look at some
security control the chain of about straight if you look at the graphical signed something use URL you design imaging of comes with just use case the but most encompassing market safety and models baby the data all explicitly Marcus if after oral statement but not stable in works for HTML markup if you find yourself needing to meeting to render JavaScript because images jobs we couldn't just code now becomes also valid in view of structure of the regular expressions provide a very very secure implementation of ensuring that the problems you should be using it to provide it to provide a stopgap measure that people it should be hitting certain endpoints with certain data should the patient data however it's not perfect now 4 as an example the default hashes should be PBKDF2 (password-based key derivation function) to make sitting around the the wall words will be the set of characters when you know what it stands for but it's 10 thousand if you should upgrade that 100 thousand and that's as of today will draw future news watching the news were considered missing women need to increase that at a later point now if you want if if it slows down your system right now to about 7 that in the latest related loose version of Python 2.7 it has backported from Python 3 the see pharmacy hash function and we don't have to worry about it
and evolution that we have is that object conditions are present within the framework and offenders developers don't think about and the it's really going to remember that you have to be of service which user loans which object and on top of that the CSRF implementation for being in general implicitly trusts the framework and that's only the working on the battle but it because we trust that the key insight and it base is a and CSRF mitigation on cookie if you can if you have access to write a cookie for that domain if you have effectively broken CSRF now that is hard but it's possible the some some enhancements to the CSRF implementation tune Woodgate that issue but let's talk let's let's jump that little bit to building or security controls mentioned that distribution when location and we should not repeat ourselves and and that it should be very straightforward this means that when you use in login_required decorator it does not belong you've used up part it will engineering and stuff and how many people have used up and it's been a than a thousand lines there no right how hard is it to in to the PFE realizing just when you assume there's not really grows larger than 100 wines it works quite well now I'm not going to debate function-based views versus class-based views, it's personal, use class like them they're not on but not much for you know the free framework now the class-based views to actually get the ability to create mixins by overriding the dispatch method
and we have an example that here you have the units in the screenshot from computer in a classical assume that a mixin that is a matter of course it's going to that that of any specific object it is well known that a is then by that user and as you see in what's the line 5 for example we we obtain the target user based on the object we checked that online alignment is going to make use of the request that the user interface now this is by assuming that within your application in in you request that you not see objects as anonymous users and further in 900 you check if the user is authenticated but then you also checking in my mind if that user owns that object n this is 1 of the reasons I like class-based views their house they're using sense and communities make sense to create the mixins but authenticated take template for you which just have this is an external up outside and then the and the template in the general offers and new evidence and you know and and you don't have to worry about the long and were not applied also allows you to put all your authentication and authorization code in 1 easy to find a place the fuse
was talk about things known just the model forms to give their both fairly well the thing that scares me the most is model forms of and experience and how you know master scientists and that's good for just about the same amount of people that will experience is really good so this is something we don't have and you know what is we shouldn't but mass assignment is about where the fields with new model are accidentally exposed to the internet allowing anyone to put any information they want in those fields now I have use I have written with the Django documentation probably tones make use of fields and that I was very much trusted and use exclude them useful your white listing the same amount these fields and 1 of the authors with with the public these fields in our model and I think this is needed across a very good example of it properly implemented control it makes it hard for the developer should themselves in the foot at the same time it's also very powerful
no or will not quite a few things are
less what look about being look let's talk about being conservative so CSRF is 1 of the things that is is it is is a popular that's been exploited and it's pretty scary and 1 of the problems that that I feel Django has special with function-based views is the lack of explicit HTTP for handling but now use in my class-based views I have unintelligible from the general gave when I'm ability to respond to both get a post but if I don't I don't have any of those methods will get enough not a bit about those views return method not a lot work has the function the fuel elements return based on that method method there or sister of holes that I've found that exist because functions were expected to post bail and didn't them to get the put the issue of the variables of request on and you know the sea so if we're in general sort get he said don't check for procedure fear and I and this dangerous compromise so there are no there is environment within general function within function-based views a decorator called allowed methods but I'm not that much of a not such a fan of that sometimes the left out and when it comes to running around in the room but had a but that's just my own personal view and then you the don't take it to judge on a case-by-case basis but I like to be very conservative at least 1 when it comes to my own personal development so I shall remain decorators I'm using classes and being conservative and explicit about what my use a post and all but then now that we have we the
explicit is about was talk about crypto now I was because of section in your slides here were examples of how to cook the properly and I will example of because that implementation of my blog in GAS and then someone has a bunch of questions about it and started moving things around and then at my slides out this talk I wanted out of the shutdown that page released remove it could is really hot radio reporter fears have problems with it well and support humans like us it is really important to note that if you don't don't at the properly users can be negatively affected and therefore you have to be very conservative with what you do it using Keyczar the only unit a recommendation use Keyczar when it comes to use Keyczar done implemented yourself please and please don't those Keyczar a modified his life and accuser probabilities now I have a friend mainly on yeah and I used to work in medicine of an activity that is an alumni development and application Jamal that was allegedly used a cryptographic hash identify user and you let let me know about answer not have true is simple the user cryptographic hash when you need to now but going to examples of what is the 1 not use case for cryptographic hash that you absolutely need cryptographic hash and the so an incorrect because of the use of cryptographic hashes was the 1st going patches for the 1st 1st line passage because the supposedly mineral functions for the Great Depression mechanisms this cryptographic hashes can be calculated very fast pathogen around 1st so we did not use means that algorithms that are tunable so I mentioned that calling or cryptographic currency again and the amount of processing power than the Bitcoin network has article about it and that uses and the SHA family where of among MD5 but the the SHA family of hashes hashes your password the number of hashes they're able to generate a 2nd it is mind-boggling so there are 2 examples of enhanced actual in the new user hash unless you absolutely
need to the use case I know is if you want to ensure contain consistency of a bit of a specific file and food for example did users hashes to track files mainly the open-source programs use hashes so people should know if the if the file has been modified a not but women in hashes we need that bias that needed tieback users so for that we have UUID4 for rooms 16 bytes out of the cryptographic random source of the operating systems as opposed to if you don't have access to a will just is Python's random so we have to ensure that you actually have access to urandom the then we can just set of bytes that completely random just 11 you wonder that the example code right there that number is completely unique was Albert as well you need something do something to be signed now Django signing if you start you have to projected that the Python hmac implementation but then once it may attract implementation which badly needs hash that's another example of of the of the primitive that means a cryptographic hash algorithm now what negative he had was a timing attack channel priming effect so it will just stay on the safe side view the general primitives but I don't want to shorten this talk a little bit going up almost 15 minutes so that in a lot of questions but let's while the of an appeal by security is a great industry it's wounded it's mainly better engineer and I hope it as it taken as the research in research into security then you will become better engineers it's important to note limitations flows coming out of the room never disappear from security just like the chain is as secure as its weakest link but it's really important to do research work things out and the 1 building new modular applications to try to understand the attack surface there's only that what should happen to we look at what may have and once you start making magnitude that what may happen you realize it's a little bit tedious because so many things may happen so let's just be
assertive and show as much as we can but should well the I'd like to make an appeal to the larger community and there's a lot of knowledge that we have within Django about security there's a checklist that we should be building and how our phone developers the right more secure code known as a developed as a security person 1 administrative we all have set innocent people people in general are we could because of our code we don't have that happen unfortunately thought parasites that happens in the world that means that the music and unfortunately sometimes a it will take advantage of our code that so we should be creating a very basic for a checklist of every part of the framework of when you're writing when you use user as part of the framework what you have to be worried about it and it should be useful as a pure oxygen and out and if you'd like some managerial and understanding of recommend Latin call it the Web Application Hacker's Handbook to the the 2nd edition the first one is good but the 2nd missions there came and went on the order of a soccer security assessment Microsoft also has a great book on Writing Secure Code the and Microsoft's got some good books out there and these books will give you the mind set the proper mind-set to build more secure code and now that's good also
thanks of different regressions on the share of the slides on my
website and so but when the question part thank you so much lady I think there that you've left a full 90 minutes for questions of my career service I also please youth size the exciting opportunity share of security matters of security of our request for this is question about that you mentioned that yeah teenagers seeking numbers at G brain is a sort of diminishing returns there is much as why you make it a benefit as a developer of the collective knowledge of of the community but so that they can secure puppy secure against attacks on does that also those open up duration when there is a security exploits that he loves larger right if a regional project is using the same and code secure themselves out once in exports have you have a huge swath of projects that you can exploit so it that we think about it in the simple forms part elite affected buildings that that's exactly the signal and this is also very popular library but at the same time Internet within the alternatives this is particularly that kind of pick your battles is better than the alternative right you is not me if it were not be more secure they're very few people in the world are able to put out a solid cryptographic libraries and for initially secure by default and I don't know them that implementing but no interests and this is the global community got a large set of eyes on yes volume if there's an exploit many people will be affected but at the same time every time there's a thorough and and you know that there's so much security review that has been done and they found a slight chink in the armor and and is about as everyone talks about patching it right away it's not that that everyone administered war it's known to few people in the New York the patch and then you get hit by it 6 months later thanks not don't pick 2 questions are they that they happen going on the video report this so long I have a more specific question but which are the people run this T cell what's the best way to the 
create a field in in Django models so this is a I 1 1 I have a you know user I 1 increase their 1st last name it doesn't there doesn't seem to be a very clear way to do this is there anything you recommend besides the instead of just passing on with rational 1 happier a hash is supposed to be a one-way function you not sustainable but added using Keyczar and collected is really how can we include it in put back and decrypt it every time you pull it out uh I believe in general could could feel something to adapt to check them out but django-extensions uses Keyczar in general acute fields has an example has has a text a text based encrypted field all great thank you that's not inverted the Jericho feels it's that kind of look at them once they may change but analogy and on on that so it's really is a third-party that yeah the genus is the question of you comment on development versus production settings example comes to mind is allowed hosts church so fish was important in that node must be turned off that means that right then and and I did when I was a Django developer and when I joined the security world of like OK now I'm going to count the amount of status in blood was turned off by almost every application that I've tested had debug mode enabled in some way end it's 1 really important for that now also production you do with things like rate-limiting abuse that you're not used to and between don't look here at every use case is different than just set some really basic rules and guidelines should How much of your service during exertion use chat with question at and that might yield to specific but you you had time to elaborate a little bit on the source moving the pose by using a by passing serving how is it trust there In if you're using a function based you whether the request is of supply so have pressure show that so I'm a talk in the abstract and don't have the code to show but I try to be as specific as possible so every function if you take so quest
I the it will take any type of relationship you're question doesn't matter of now with the because of that function on specific directives to process based on that request if request that posts so if this is a post request process before it request that get do the outset etc. now the issue I was describing was envisioned that has been found with a view existed and this no used to request and that's was just looking for a guest again proposed was but the developer assumed the fact that it was in a form that it would be posted to but we can easily then requested by gets what was the issue so you mentioned your top that it's important if you Q venture down the security road writing your own software for that your controls it's important to understand all the attacks that you know you're going to have to your debate chapter in a state that but in off my question to more pertains to you is do you think is valuable to be able to understand and execute some these exploits yourself in that process that depends largely on the way a person works and learns both for it from my perspective I software security by looking at the frame approach Agenda framework and just seeing what is it that I was at work and then we have implementations and why different and the the differences in understanding how it can be attacked so we will find it really helpful to actually attack and for that letters also as a baby the program called WebGoat that allows you to move from a web application allows you to really test at the end application it's it's a test application security for an application hackers give you a lot of those attacks practically that
the the make use of the of the proxy tool application proxy called the book but fully and it food food as my swiss army knife when it comes to pen-testing and so I will run it heavily food for everything that I do and uh I think that going through specific components understand it is really about the attack services on on those components will be really helpful but the works of if it is assumed to to break into the the actual application very hot and if it's you know it's as if you just look at a stations than difference in both in both thank you so my question is about do you have a guideline to no literary to step back and ask 1 aspect the when security is wholistic so how can you know whether the Django layer is the appropriate layer to address a certain security concerns with the you know the status of the others there so I just said to expand on what you just said people what should so with for example in the rate-limiting control you can remember what season genetics we but that recognition actually with that directive in jail what came to 1 of the other now and depends what you're looking for and units nodes have a proxy answer files very well right so you want to limit the amount of IP is that your site we can mention engine actually run a limit the amount of IPC figures that a specific and we could do that with an nginx however it doesn't know anything about your application essentially you can build rate when there's but can we limit specific actions so that shouldn't have to decide to use that specific action conformal that entire action of culture application so down to you our as nginx is going expect it's not a set of behaviors it's mostly depend on what you what you want with the title control 1 build this really important is that citizen you can get out of Jane as in put intention x for learning should be done before that has when I start to consider a request response cycle when you do it you can just stop it from ever happening 
yeah the did you have a lie settings around cookies like moved it yielding secure time cookies the a recommendation of how you set up your settings broad you just use the faults what so in the room depends on the site the part of staying for example if your site is not closed under SSL than settings secure from your book is kind of breakpoint should be sections so the the only 1 when I set my mind on the would talking markedly settings and make sure that each set on both the session cookie as well as the seas of cooking and insecure I just for SSL so secure on both of those as well now let's important that most people don't know is that the sea surface only do exist by the fall and is 1 of the easiest with the profile of a site is that is is actually genocide in the post with it it is missing seizure focus on invalid 1 we'll get back this is a very and consultation with the sites in the debug mode well that's a good bit problematic most people don't change the it's release support of the ch chain you know so my question is more about Python to read and tools like Keyczar encrypted fields when all is seared anybody working on the Earth is Kickstarter's varies seeing need new tools coming out that's for Python 3 verses what you talk about the net so that I will expanded question also pipeline right at the heart of makes use of I think it's a Python pi could go a pipe produces the extension of Python pi there's more compiled by does work on from Python 3 and make the reason I chose Keyczar In this case as a set of executables it's also integer anything galaxy it was written in Java and run the no you off what is important is that you don't run these executables open yourself up to command injection we relatively communities of those executables use the true don't use a likely if don't use it so much as a library and that will be you know you're abstracted away from the internal outside and you just simply using would like is as if you genes stay on in shall using 
just the shock MIT Museum per day that we get data accessible anyone so on this the Our Lady seems like a lot of that the ions that you're it's it's not about attacks you're talking about best practices again services generally when it seems like a service you're talking about why a lot is at the request responsible for example you say and was but all authorization in 1 place but what about raising what about if you're dispatching in broadcasting you know exactly you know you don't see on the other end of the I find that I sometimes use logic for old and de seem obvious like were also Isolde you that's so this is why I I chose the request response cycle phase and then 45 minutes or 2 hours wouldn't help with sinc security that we will come to secure and it's been comes to protect yourself from vulnerabilities as I mentioned previously in largely have to assert what is going to happen you have to be very specific you have to read push yourself to understand what's going to happen welcomes asynchronous programming films are also being handed off to different with changing coatings or or no event-driven asynchronous programming you can true yourself down a rabbit really fasting and you can run I think about race conditions and asynchronous programming so every bank that exists today does not make use of asynchronous programming when it comes to transferring 1 for the next set of weights can efficiently with iterates conditions they make sure that everything is is within the transaction but you will mention asynchronous programming from my perspective on data
from the Python way not not just API calls that are being sent out to the to the server goes is also handled by Django request responsible whereas with the gender itself is synchronously processing certain things uh 1 important thing to note when dealing with it is just an outline dive really deep into it is just because it's a scene doesn't mean it's like lakes and it's because it's like really in 1 place doesn't is light weight and the other for example if you manage to find if you think it will increase the amount of processing power that is required by that he's saying there are based on that simple of the most recent 1 of the most recent alarms and Django is someone who as with invented resplendent depart request a set of files that cause generated due to for professional and operation if you can find that was an amazing piece of code using GMM then that person's that real problems because 2 events it is great when it comes time and it actually the isn't so good when it comes to serious CPU handling and it's gonna stop responding to everything else so what you important is the bregman it as much as possible don't assert that don't think that you can upload a 300 megabyte file will be really easy on your system the 2nd thing is to move the synchronous parts of your code from where it can get a little bit hairy and I mean by that is when you have code that is going around the payment system you wanna make sure that system the that payment happens once in 1 location and can be triggered next with times within a specific set of that set of time so in a way that world rocks making blocks the style of that in in the the current the In an AUROC however I found properties control or maybe the especially asynchronous programming made break those rocks a data point where you maybe within multiple works at the same time due to certain things so it's important to be synchronous that said it doesn't mean that it is the none of the the answer is 1 of the earliest so amount 
for effect the area of the so I'm an educator can teach people about Python program I thought with program so on and so forth and 1 of the most difficult areas for me as educators that I had these really trust a programmer which means the very bad that this kind of work do you have any advice or for educators for students who were learning this kind of thing about ways to make themselves constructively apparently will efficiently trusting person is it's great it's you you enough unfortunately where when I where nanostructures we could mean but there was so let's just a show of hands how and he brought by people over to their homes the people at answer a definite and so it means that power of the problem that has helped me that person before he invited them over your house the country most of you have not known that person excluding in being the only 1 person of right so you might summary announcing the season streams same country confirm you right now you can expect individual who the courteous and to know the boundaries right if you have not because of their own pocket not June class the other members of the table etc. 
and large and they you know very nice individuals then you like that but when that person oversteps the boundaries at that point you should you can show them the doors right now when it comes to building software we don't have that luxury of being able to handle just 1 request and ensure that everything is working nicely around it so we're trying to assert as much as possible please and rules around that 1 request that guest in our house and save the use of the robot areas we can only go in the bedroom if you're a member of the family know environment dishes don't get the angular momentum certain things you opportunity if your trusted setting a good staff member a member of the family can change the channel fueled enough if you haven't what's AT right or 16 now that is this kind of how you have to look at you users with your application is going to have the individual users are going to be good all working people hardworking sorry about that it's there and when I'm individuals but haven't % that's going to literally just probe you define your weaknesses and being sort of from the onset is really about now need this you need to the security actually comes to me from a different part of my life is you never arise in religious Jew and of the users of what's the answer larger in in in many places but collected in a book all the time what now but I think many of you have done the told here but the and of language and work so you take lead we discussed this and this is suppose that we know this is all that let's look at the limitations of it and hypothesized everything and from the right piece of style which would be in the original along the scope masterpiece of every single facets when it should be done to unwind it it should be this way and this is why I've taken that part of my life and it in tune with buttons software-writing secure software and include that put out on very explicit what happened and why should have and again kind of the OK I hope it's going to work 
a kind of I on I'm not it's not that I'm not trusting of my users but I'm just sort you user if you meet these requirements the same way if someone walks into your house there's an invited guest if you can accept common courtesy no regressions asked this already grows so thank you and in the