Security of your application is just a few clicks away
a talk by Míla Votradovec
Every time you type `pip install -r requirements.txt`, you are putting your web application and user data at risk. Modern web applications use dozens of third-party components that are entirely outside your control. You’ve already learned that you should test your code, but I’ll do my best to convince you that you should also test external code for security vulnerabilities.
In January, two of the biggest vulnerabilities, Meltdown and Spectre, were publicly disclosed. Those are the best known ones, but smaller vulnerabilities are published nearly every day, and all of them can be exploited to abuse your application. The attacker might try to take your application down, steal your users’ data or take advantage of your computing power.
Once vulnerabilities are disclosed, they can also be mitigated. There are multiple vendors dealing with security testing, and I’ll focus on solutions for scanning PyPI packages. During the talk, I’ll show you how a vulnerability can be exploited, where and how it is reported (you’ll learn what a CVE is) and how you can secure your application using “GitHub’s security alerts for vulnerable dependencies” and Snyk.io at various levels (repository integration, CI server, CLI integration).
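To make the idea of a dependency scan concrete, here is an added example (not code from the talk, from GitHub or from Snyk) of the check such tools perform: parse `requirements.txt`, normalize each package name, and compare the pinned version against an advisory database of affected version ranges. The advisory entries, package names and the sample requirements file are constructed placeholders, not real advisories; a real scanner would pull its database from a vulnerability feed rather than a dict.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed advisory database (hypothetical packages and placeholder IDs, not real CVEs):
# package -> list of (first affected version inclusive, fixed version exclusive, advisory id)
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("1.0.0", "1.4.2", "ADVISORY-PLACEHOLDER-1")],
    "otherlib": [("0.1", "0.9", "ADVISORY-PLACEHOLDER-2"),
                 ("2.0", "2.3.1", "ADVISORY-PLACEHOLDER-3")],
}

# Constructed sample requirements.txt used as input for the scan
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
-r base.txt
examplelib==1.3.0      # inside the affected range -> vulnerable
otherlib==2.3.1        # exactly the fixed version -> ok
ExampleLib==1.4.2      # same package, different spelling; fixed -> ok
requests>=2.0          # not pinned: a scanner cannot tell what will be installed
"""

# name, optional comparison operator, optional version, optional environment marker
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?\s*(?:;.*)?$"
)


@dataclass
class Finding:
    package: str
    version: Optional[str]
    status: str                  # "vulnerable", "ok" or "unpinned"
    advisory: Optional[str] = None


def normalize_name(name: str) -> str:
    """PyPI treats names case-insensitively and '-', '_' and '.' as equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified numeric version: non-numeric parts count as 0, padded to 3 components."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirement(line: str):
    """Return (name, operator, version) or None for blank, comment and option lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):      # skip '-r', '-e', '--index-url', ...
        return None
    match = REQ_RE.match(line)
    if match is None:
        return None
    name, op, version = match.groups()
    return normalize_name(name), op, version


def scan_requirements(text: str, advisories=ADVISORIES) -> List[Finding]:
    """Match every pinned requirement against the advisory ranges."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, op, version = parsed
        if op != "==" or version is None:
            findings.append(Finding(name, version, "unpinned"))
            continue
        installed = parse_version(version)
        hit = None
        for first_affected, fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(first_affected) <= installed < parse_version(fixed_in):
                hit = advisory_id
                break
        findings.append(Finding(name, version, "vulnerable" if hit else "ok", hit))
    return findings


def has_vulnerable(findings: List[Finding]) -> bool:
    """True if any finding should fail a CI gate."""
    return any(f.status == "vulnerable" for f in findings)


if __name__ == "__main__":
    results = scan_requirements(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"{f.status:10} {f.package}=={f.version or '?'} {f.advisory or ''}")
    # Non-zero exit lets a CI job block the build on a known-vulnerable pin
    sys.exit(1 if has_vulnerable(results) else 0)
```

The exit code is what makes the check useful in a CI server: the job fails while a pinned dependency sits inside an affected range and passes again once the pin is bumped to the fixed version. Unpinned requirements are reported separately because the scanner cannot know which version will actually be installed.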
This talk is suitable for both beginner and advanced Pythonistas.
I am a developer with a passion for problem-solving, puzzles and guitar. I am a self-starter who tried to complete formal education after years in the field.
I have been working for corporates, small companies and startups. I still remember being completely fresh in the field. I was grateful for any guidance or advice, so I am trying to pay back by mentoring others.
I currently live in London and work for Snyk, a company which provides Security as a Service.