Headed to RSA? Schedule time to discuss how Qwiet AI agents can help secure your software

AppSec Resources

Python and OWASP Top 10: A Developer’s Guide

Introduction

Is your Python code built to withstand security threats, or is it vulnerable to the slightest challenge? In the rapidly evolving software development landscape, implementing robust security measures for Python applications is not just recommended; it’s essential to constantly combat the sophisticated threats that emerge. This article delves into the OWASP Top 10 security risks, arming Python developers with advanced strategies to fortify their codebase. 

Injection Flaws

Injection flaws can turn your Python app into an all-you-can-eat buffet for hackers if you’re not careful. In the Python world, these flaws often pop up when user-provided data gets mishandled and executes unwanted commands in your database.

 

To keep your app secure, with a Python code this snippet that illustrates how to prevent SQL Injection, which is a common type of injection flaw:

import sqlite3

def get_user_by_id(user_id):
    # Connect to the database safely
    with sqlite3.connect(‘app.db’) as connection:
        cursor = connection.cursor()
        # Use parameterized queries to avoid SQL Injection
        cursor.execute(“SELECT * FROM users WHERE id = ?”, (user_id,))
        return cursor.fetchone()

# Validate user input before using it
def is_valid_user_id(user_id):
    return user_id.isdigit()

# Example usage
user_input = input(“Enter your user ID: “)
if is_valid_user_id(user_input):
    user_data = get_user_by_id(user_input)
    print(“User Data:”, user_data)
else:
    print(“That doesn’t look like a valid user ID.”)

In this snippet:

  • We use the sqlite3 library to interact with a SQLite database securely.
  • The function get_user_by_id executes a parameterized query, which prevents SQL injection by separating SQL code from data values.
  • The is_valid_user_id function checks if the provided user ID contains only digits, which is a simple form of input validation.
  • The if statement uses is_valid_user_id to ensure we only process valid IDs.

 

Broken Authentication

Broken authentication can leave your Python application vulnerable, so it’s important to handle user credentials securely. 

 

Here’s a code snippet that demonstrates secure authentication practices in Python, using Flask for a web application, Werkzeug for password hashing, and ItsDangerous for token generation:

from flask import Flask, request, jsonify
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer

app = Flask(__name__)
auth = HTTPBasicAuth()
app.config[‘SECRET_KEY’] = ‘a_very_secret_key’

# User storage with hashed passwords
users = {
    “user1”: generate_password_hash(“secret_pass”)
}

# Verify password function for basic authentication
@auth.verify_password
def verify_password(username, password):
    # Check if user exists and password matches
    if username in users and \
            check_password_hash(users.get(username), password):
        return username

# Token-based authentication setup
def generate_auth_token(user_id, expiration=600):
    s = Serializer(app.config[‘SECRET_KEY’], expires_in=expiration)
    # Return a token with the user’s ID
    return s.dumps({‘id’: user_id})

@app.route(‘/api/resource’)
@auth.login_required
def get_resource():
    # Protected resource that requires authentication
    return jsonify({‘data’: ‘Secure Resource Access’})

# Example usage of generating an auth token
@app.route(‘/api/token’)
@auth.login_required
def get_auth_token():
    token = generate_auth_token(auth.current_user())
    return jsonify({‘token’: token.decode(‘ascii’), ‘duration’: 600})

if __name__ == ‘__main__’:
    app.run()

In this example:

  • We set up Flask with HTTPBasicAuth for basic username and password verification.
  • Passwords are securely hashed using Werkzeug’s generate_password_hash to prevent storing plain-text passwords.
  • The verify_password function uses Werkzeug’s check_password_hash to validate user-provided passwords.
  • We generate a time-limited authentication token using ItsDangerous, which can be used in place of a username and password for subsequent requests.
  • @auth.login_required decorator is used to protect routes, ensuring that only authenticated users can access them.

Sensitive Data Exposure

Sensitive data exposure is a critical issue in Python applications, especially when it comes to personal identifiable information (PII), financial records, health information, and business secrets. Protecting this kind of data is paramount to maintaining user trust and complying with regulations.

 

This Python code that demonstrates encryption, one of the best practices for securing sensitive data:

from cryptography.fernet import Fernet

# Step 1: Classify Data
# Before coding, identify what data is sensitive in your context.

# Step 2: Encrypt Data
# Generate a key for encryption and decryption
key = Fernet.generate_key()
cipher_suite = Fernet(key)

# Encrypt some sensitive data
sensitive_data = “Sensitive patient information”
encrypted_data = cipher_suite.encrypt(sensitive_data.encode(‘utf-8’))

# Decrypt the data when needed
decrypted_data = cipher_suite.decrypt(encrypted_data).decode(‘utf-8’)

# Step 3: Secure Storage
# Store the encrypted data in a secure database or environment

# Step 4: Monitor Access
# Implement logging to monitor who accesses the sensitive data

# Example usage of the encryption and decryption
print(f”Encrypted: {encrypted_data}”)
print(f”Decrypted: {decrypted_data}”)

# IMPORTANT: Store the key in a secure location, it’s needed for decryption

In this example, we’re using the cryptography library to handle the encryption and decryption of data:

  • Classify Data: The first step in the process, not included in the code but crucial, is to identify which data is sensitive and needs protection.
  • Encrypt Data: We generate an encryption key and create a cipher suite with it. Then, we encrypt the sensitive data, which converts it into an unreadable format without the key.
  • Secure Storage: After encryption, you should store this data in a secure database. This snippet doesn’t include database operations, but encrypted data should be handled carefully.
  • Monitor Access: It’s essential to track who accesses the sensitive data. While not detailed in this snippet, implementing access logs and regular reviews of data access can help mitigate unauthorized access.

External Entities and Security Misconfigurations

External entities, such as libraries, frameworks, and third-party services, are integral to most modern applications but can introduce vulnerabilities if not properly managed. The challenge is ensuring these components are correctly configured and updated to avoid security loopholes.

 

Security misconfigurations are a common threat to any application’s stack. This includes misconfigurations in-network services, platforms, web servers, databases, frameworks, and the application’s custom code. Leaving applications with default settings or unnecessary features enabled can inadvertently expose your system to attackers, potentially leading to data breaches or more severe security incidents.

 

To protect against these issues, implement the following best practices:

  • Ensure all system components start with secure default configurations.
  • Keep all software and dependencies up to date with regular patches.
  • Eliminate unnecessary features, services, and user accounts.
  • Implement the Principle of Least Privilege in all system configurations.
  • Embed automated security testing within the development process.
  • Store sensitive configuration data in environment variables.
  • Conduct regular monitoring and audits of system configurations and access.
  • Sanitize and validate inputs from external sources to prevent vulnerabilities.
  • Choose third-party components that are secure, reputable, and actively maintained.

Broken Access Control and Cross-Site Scripting (XSS)

When we talk about external entities in the context of Python applications, we’re often referring to components such as libraries, frameworks, or any third-party services that interact with our app. The risk lies in incorrectly configured or outdated entities that can lead to security vulnerabilities.

 

Security misconfigurations can happen at any level of an application stack, including network services, platforms, web servers, database systems, frameworks, custom code, and pre-installed virtual machines, containers, or storage. A misconfigured app might give attackers unauthorized access to your system, leading to data breaches or worse.

 

Best practices for managing configurations in Python apps include:

 

  • Maintain a Secure Default Configuration: Ensure that the default configurations of all system components are secure. Remove or disable any unnecessary features, accounts, or services.
  • Keep Software Up-to-Date: Regularly update all libraries and dependencies to protect against known vulnerabilities.
  • Principle of Least Privilege: Apply this principle in system configurations to minimize each component’s exposure to risks.
  • Automated Security Testing: Integrate security testing into your continuous integration/continuous deployment (CI/CD) pipeline.
  • Secure Database Access: Use environment variables for database credentials instead of hard-coded values.

Here’s an example of how you might manage configurations securely in a Python application:

import os
from dotenv import load_dotenv
from sqlalchemy import create_engine

# Load environment variables from a .env file
load_dotenv()

# Database configuration with environment variables
DATABASE_URL = os.getenv(“DATABASE_URL”, “sqlite:///default.db”)
DATABASE_USER = os.getenv(“DATABASE_USER”)
DATABASE_PASS = os.getenv(“DATABASE_PASS”)

# Create a database engine that does not include the sensitive information in version control
engine = create_engine(f“postgresql://{DATABASE_USER}:{DATABASE_PASS}@{DATABASE_URL}”)

# Rest of your application code goes here

In this snippet:

  • We use the python-dotenv package to load the environment variables from a .env file, which should not be tracked in version control systems like Git.
  • We retrieve the database URL, user, and password using os.getenv, which helps prevent hard-coded sensitive information in the source code.
  • We create a database engine using SQLAlchemy without exposing our credentials in the codebase.

 

Insecure Deserialization and Using Components with Known Vulnerabilities

Insecure deserialization can happen when untrusted data is used to abuse the logic of an application, inflict a denial of service attack, or even execute arbitrary code. It occurs when an application deserializes data from untrusted sources without sufficient sanitization. This is like blindly trusting a stranger to hand you a box and putting it directly into your home without checking if it’s safe.

 

Using components with known vulnerabilities is equally dangerous. It’s like using a recalled lock for your door; it just won’t provide the security it’s supposed to.

 

Here’s how to stay safe:

 

  • Validate Data Before Deserialization: Always validate and sanitize incoming data before you deserialize it.
  • Use Serialization Safely: Consider the security implications of serialization formats. Some formats are more dangerous because they allow the execution of arbitrary code during deserialization.
  • Keep Components Updated: Regularly scan your Python projects for outdated components and update them. Tools like pip-audit for Python can help identify known vulnerabilities in your dependencies.
  • Use Dependable Sources: Only use libraries and components from trusted sources, and prefer those with a good track record of fixing vulnerabilities promptly.

 

Here’s a code snippet that uses itsdangerous to safely serialize and deserialize data, along with an example of using pip-audit:

from itsdangerous import JSONWebSignatureSerializer

import subprocess

import sys

# Safely serializing data
serializer = JSONWebSignatureSerializer(‘your-secret-key’)
data_to_serialize = {‘id’: 123}
serialized_data = serializer.dumps(data_to_serialize)

# Deserializing safely, with checks
try:
    deserialized_data = serializer.loads(serialized_data)
except Exception as e:
    # Handle the exception or error appropriately.
    print(f”Deserialization error: {e}”)

# Keeping components updated, run in your terminal:
# pip install pip-audit
# Then, to audit your environment for known vulnerabilities:
subprocess.run([sys.executable, ‘-m’, ‘pip_audit’])

In the code:

  • We’re using itsdangerous to securely serialize and deserialize data, with a secret key that helps ensure the data hasn’t been tampered with.
  • The try-except block around the deserialization process is used to catch any issues safely, preventing the application from executing potentially harmful data.
  • The subprocess.run command shows how you would use pip-audit from within a Python script. However, this command is typically run directly in the terminal.

Insufficient Logging and Monitoring

In a Python app, security, logging, and monitoring are akin to having a surveillance system; they are essential for detecting and responding to security incidents. With adequate logging, you may realize your application is under attack once it’s too late. Similarly, with proper monitoring, you could only notice the tell-tale signs of a security breach.

 

Effective logging strategies in Python involve capturing and recording every action that could have security implications. Monitoring involves setting up systems to review these logs and alert you when something suspicious occurs.

Let’s take a look at an example of how to implement logging in practice: 

import logging
from logging.handlers import RotatingFileHandler

# Configure logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

# Add a rotating file handler to log to a file with backup for past logs
handler = RotatingFileHandler(‘app.log’, maxBytes=10000, backupCount=3)
logger.addHandler(handler)

# Log an example security-relevant event
def user_login_attempt(username, success):
    if success:
        logger.info(f”User ‘{username}’ logged in successfully.”)
    else:
        logger.warning(f”Failed login attempt for user ‘{username}’.”)

# Usage of the logging function
user_login_attempt(‘johndoe’, success=True# This should log an info message
user_login_attempt(‘johndoe’, success=False) # This should log a warning message

In this code snippet:

  • We set up the basic logging configuration with a level of INFO, which means it will capture all events of level INFO and above (including WARNING, ERROR, and CRITICAL).
  • We create a RotatingFileHandler that ensures that our log files don’t grow indefinitely — it rotates them after they reach a certain size.
  • We define a function user_login_attempt that logs different messages depending on whether a user’s login attempt was successful or not.
  • By logging successful and failed login attempts, we can monitor user activity and potentially detect brute force attacks.

Conclusion

Diving into Python application security reveals a constant need for vigilance, from defending against injection vulnerabilities to setting up effective logging and monitoring. Security is a continuous journey. Use Qwiet to enhance your defenses and secure your Python codebase secure,  book a demo today.

Read Next

January 16, 2025 14 min to read

Securing Your Flask Applications: Essential Extensions an...

Introduction Did you know a single security flaw in your Flask application could jeopardize your entire user database? Although Flask is a popular and flexible Python web framework, it requires stringent security measures to prevent vulnerabilities. This post will explore essential security extensions and best practices for Flask, including Flask-Security, Flask-Talisman, and Flask-SeaSurf. Additionally, we […]

READ MORE
January 16, 2025 10 min to read

Securing Your Python Codebase: Best Practices for Developers

Introduction Are you confident that your Python application can stand up to the latest cybersecurity threats? As Python’s popularity surges across various fields, the security of its codebases has become critical. This article delves into essential security practices for Python developers, aiming to fortify applications against cyber threats. You’ll walk away with a clear understanding […]

READ MORE
January 16, 2025 10 min to read

Securing Python Applications with PyCrypto

Introduction Python is widely used in applications and must be protected from common security threats. This guide introduces PyCrypto, a powerful library for implementing cryptographic techniques in Python applications. You’ll learn how to encrypt and decrypt data, generate secure keys, and ensure data integrity. By reading this post, you’ll gain practical knowledge and step-by-step instructions […]

READ MORE

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwietdev.wpengine.com

Subscribe to newsletter

Privacy Policy
Terms of Service © 2025 Qwiet. All rights reserved

Services
Company
Platform
Resources
Log In