PyCon Israel 2023

Omniscient AppSec: Custom, continuous security verification of Python code
07-04, 15:00–15:45 (Africa/Cairo), Hall 3 (2nd Floor)

Security is most valuable when it brings solutions that are specific to your use case, but enforcing them is hard. In this talk, we will show how to enforce internal Python security guidelines, the ones generic tools won't find, in a repeatable way.


The best software security solutions to your security requirements and challenges are specific to your use case, self-service and don't impede development velocity. This will often include creating custom, safe versions of functionality, or disallowing the use of certain library functions which we know are dangerous. However, making sure that this guidance is consistently followed can be problematic.

Whilst standard automated tools such as bandit or pylint may help discover generic vulnerabilities, such as insecure use of pickle, or security errors and misconfigurations, such as an insecure autoescape configuration, how can we verify that our custom solutions and guidance have been correctly implemented and, more importantly, stay that way, without writing complicated custom rules for these tools?

In this talk we will discuss examples of custom solutions like this but, more importantly, we will demonstrate how to continuously verify that the code remains in a secure state with these solutions implemented, on an ongoing basis. We will demonstrate this using the simple rule syntax provided by the free, open-source Semgrep tool.

Some example scenarios we’ll discuss:

  • Verifying we are not using a disallowed function from a third-party library.
  • Checking for the presence of security-sensitive decorators in all required places, with allowed exceptions.
  • Looking for a function that is called in an unsafe way.
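
As an added illustration (not part of the talk or of Bounce Security's material), one Semgrep rule file covering the three scenarios above; the module, function and decorator names (`vendorlib.raw_request`, `myapp/safe_http.py`, `login_required`, `public_endpoint`) are hypothetical stand-ins for an organisation's own guidance.

```yaml
rules:
  # Scenario 1: a third-party function we have banned in favour of an
  # internal safe wrapper. Only the wrapper module may call it directly.
  # "vendorlib", "raw_request" and "myapp/safe_http.py" are assumed names.
  - id: banned-vendorlib-raw-request
    languages: [python]
    severity: ERROR
    message: >-
      vendorlib.raw_request() is disallowed; call myapp.safe_http.request()
      instead. Only the wrapper module may use it directly.
    pattern: vendorlib.raw_request(...)
    paths:
      exclude:
        - "myapp/safe_http.py"

  # Scenario 2: every route handler must carry the security-sensitive
  # decorator unless it is explicitly marked as an allowed exception.
  # "app.route", "login_required" and "public_endpoint" are assumed names.
  # Each pattern-not removes functions that carry the named decorator
  # (other decorators on the same function do not affect the match).
  - id: route-missing-login-required
    languages: [python]
    severity: ERROR
    message: >-
      Route handler $HANDLER has no @login_required. Add it, or mark an
      intentionally public handler with @public_endpoint.
    patterns:
      - pattern: |
          @app.route(...)
          def $HANDLER(...):
            ...
      - pattern-not: |
          @login_required
          def $HANDLER(...):
            ...
      - pattern-not: |
          @public_endpoint
          def $HANDLER(...):
            ...

  # Scenario 3: an allowed function called in an unsafe way. The "..."
  # on either side of shell=True matches any other arguments in any position.
  - id: subprocess-run-shell-true
    languages: [python]
    severity: WARNING
    message: >-
      subprocess.run() with shell=True routes the command through a shell;
      pass an argument list and drop shell=True.
    pattern: subprocess.run(..., shell=True, ...)
```

Run it over the code base with `semgrep --config rules.yml myapp/`; the same command in CI is what keeps the guidance enforced on every change.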

You should leave with ideas for how you can have custom and specific security guidelines that match your situation, and how you can use a simple rule syntax to verify them as well as to solve other similar code analysis problems.


Session language – English

Target audience – Developers

Other (target audience) – Will probably be widely applicable to anyone interested in analysing Python code. The talk is security focused, but in a way that does not require in-depth security knowledge.

Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a software developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs that goes into a successful software security programme.

Josh is currently CTO for Bounce Security where he helps clients improve and get better value from their application security processes and provides specialist application security advice. His consultancy work has led him to work, speak and deliver training both locally and worldwide including privately for ISACA and Manicode and publicly for OWASP's Global AppSec conferences.

In his spare time, he co-leads the OWASP Application Security Verification Standard project and is on the OWASP Israel chapter board.

He was also recognized as a Key Contributor for the OWASP Proactive Controls project and has also contributed to the OWASP Top 10 Risks project and the OWASP JuiceShop project.

Michal is a security researcher at Bounce Security, a boutique security consultancy, where she works on projects to help clients build software securely from the start. She particularly enjoys diving into a new domain and learning it inside out, as well as sharing her knowledge with the community.

In her spare time, she is a student of computer science and maths, volunteers at the Hackeriot initiative, and also enjoys playing chess and following artistic and rhythmic gymnastics. She is the lucky human of a ginger tabby cat named Unix.