Desktop Application Security in Python

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software
  • Constraints and the market
  • The dark side

Input validation

• Input validation principles
  • Blacklists and whitelists
  • Data validation techniques
  • Lab – Input validation
  • What to validate – the attack surface
  • Where to validate – defense in depth
  • How to validate – validation vs transformations
  • Output sanitization
  • Encoding challenges
  • Lab – Encoding challenges
  • Validation with regex
  • Regular expression denial of service (ReDoS)
  • Lab – Regular expression denial of service (ReDoS)
  • Dealing with ReDoS
• Injection
  • Injection principles
  • Injection attacks
  • SQL injection
    • SQL injection basics
    • Lab – SQL injection
    • Attack techniques
    • Content-based blind SQL injection
    • Time-based blind SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Additional considerations
    • Lab – SQL injection best practices
    • Case study – Hacking Fortnite accounts
  • Code injection
    • Code injection via input()
    • OS command injection
      • Lab – Command injection
      • OS command injection best practices
      • Avoiding command injection with the right APIs
      • Lab – Command injection best practices
      • Case study – Shellshock
      • Lab – Shellshock
      • Case study – Command injection via ping
      • Python module hijacking
      • Lab – Module hijacking
  • General protection best practices

DAY 2

Input validation

• Integer handling problems
  • Representing signed numbers
  • Integer visualization
  • Integers in Python
  • Integer overflow
  • Integer overflow with ctypes and numpy
  • Lab – Integer problems in Python
  • Other numeric problems
    • Division by zero
    • Other numeric problems in Python
    • Working with floating-point numbers
• Files and streams
  • Path traversal
  • Path traversal-related examples
  • Lab – Path traversal
  • Additional challenges in Windows
  • Virtual resources
  • Path traversal best practices
  • Format string issues
• Unsafe native code
  • Native code dependence
  • Lab – Unsafe native code
  • Best practices for dealing with native code

Security features

• Authentication
  • Authentication basics
  • Multi-factor authentication
  • Authentication weaknesses – spoofing
  • Case study – PayPal 2FA bypass
  • Password management
    • Inbound password management
      • Storing account passwords
      • Password in transit
      • Lab – Is just hashing passwords enough?
      • Dictionary attacks and brute forcing
      • Salting
      • Adaptive hash functions for password storage
      • Password policy
        • NIST authenticator requirements for memorized secrets
        • Password length
        • Password hardening
        • Using passphrases
        • Password change
        • Forgotten passwords
        • Lab – Password reset weakness
      • Case study – The Ashley Madison data breach
        • The dictionary attack
        • The ultimate crack
        • Exploitation and the lessons learned
      • Password database migration
    • Outbound password management
      • Hard coded passwords
      • Best practices
      • Lab – Hardcoded password
      • Protecting sensitive information in memory
        • Challenges in protecting memory
• Information exposure
  • Exposure through extracted data and aggregation
  • Case study – Strava data exposure
  • System information leakage
    • Leaking system information
  • Information exposure best practices
• Python platform security
  • The Python ecosystem and its attack surface
  • Python bytecode and security
  • Security features offered by the Python runtime
  • PEP 578 and audit hooks
  • Sandboxing Python

Using vulnerable components

• Assessing the environment
• Hardening
• Malicious packages in Python
• Vulnerability management
  • Patch management
  • Bug bounty programs
  • Vulnerability databases
  • Vulnerability rating – CVSS
  • DevOps, the build process and CI / CD
  • Dependency checking in Python
  • Lab – Detecting vulnerable components

DAY 3

Cryptography for developers

• Cryptography basics
• Cryptography in Python
• Elementary algorithms
  • Random number generation
    • Pseudo random number generators (PRNGs)
    • Cryptographically strong PRNGs
    • Using virtual random streams
    • Weak and strong PRNGs
    • Using random numbers in Python
    • Case study – Equifax credit account freeze
    • Lab – Using random numbers in Python
  • Hashing
    • Hashing basics
    • Common hashing mistakes
    • Hashing in Python
    • Lab – Hashing in Python
• Confidentiality protection
  • Symmetric encryption
    • Block ciphers
    • Modes of operation
    • Modes of operation and IV – best practices
    • Symmetric encryption in Python
    • Lab – Symmetric encryption in Python
    • Asymmetric encryption
      • The RSA algorithm
        • Using RSA – best practices
        • RSA in Python
      • Elliptic Curve Cryptography
        • The ECC algorithm
        • Using ECC – best practices
        • ECC in Python
      • Combining symmetric and asymmetric algorithms
        • Key exchange
        • Diffie-Hellman key agreement algorithm
        • Key exchange pitfalls and best practices
• Integrity protection
  • Authenticity and non-repudiation
  • Message Authentication Code (MAC)
    • MAC in Python
    • Lab – Calculating MAC in Python
  • Digital signature
    • Digital signature with RSA
    • Digital signature with ECC
    • Digital signature in Python
• Public Key Infrastructure (PKI)
  • Some further key management challenges
  • Certificates
    • Chain of trust
    • PGP – Web of Trust
    • Certificate management – best practices

Common software security weaknesses

• Time and state
  • Race conditions
    • File race condition
      • Time of check to time of usage – TOCTTOU
      • Insecure temporary file
    • Avoiding race conditions in Python
      • Thread safety and the Global Interpreter Lock (GIL)
      • Case study: TOCTTOU in Calamares
• Errors
  • Error and exception handling principles
  • Error handling
    • Returning a misleading status code
    • Information exposure through error reporting
  • Exception handling
    • In the except,catch block. And now what?
    • Empty catch block
    • The danger of assert statements
    • Lab – Exception handling mess
• Code quality
  • Language elements
    • Using dangerous language elements
    • Using obsolete language elements
    • Portability flaw
    • Module injection and monkey patching
    • Dangers of compile(), exec() and eval()
    • Sandboxing Python
• Denial of service
  • Denial of Service
  • Resource exhaustion
  • Cash overflow
  • Flooding
  • Algorithm complexity issues

Wrap up

• Secure coding principles
  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
• And now what?
  • Software security sources and further reading
  • Python resources