Before we get into how to protect python applications from dependency confusion attacks, we’ll define this new attack vector, give a bit of background, and look at examples. What is Dependency Confusion? Dependency Confusion is a new intrusion technique that exploits the way many programming languages handle dependency resolution when projects utilize a mix…

Ochrona, the Python security tool has some major updates, including SAST checks — Ochrona, an open source supply chain security tool for Python developers, released a new update to enable enhanced security throughout the SDLC. With Ochrona, Python developers were already able to check their projects for malicious package usage and set policies to audit additional packages outside of those tied to known…

Overview Securing the software supply chain has been a hot topic of conversation as of late (read: Malicious PyPI Packages Steal Credit Cards and Inject Code; or the White House’s Executive Order to Protect Software Supply Chains). The need for proactive open-source package management has never been more prevalent, and…

Let’s start with an analogy In today’s world, building applications is a lot like building a house. If you’re building a house, you start by going to a store and purchasing materials that serve as the foundation of your house. For simplicity, let’s take windows, doors, and countertops as an…

Keep your code safe by avoiding these 6 pitfalls — Assert If you’ve spent any time doing automated testing in Python you’re probably familiar with the python assert statement. Assert is incredibly handy in the context of testing. It gives you the ability to test the truthiness of a condition. If the condition is false, an AssertionError is raised. …

Preventing Pwnage against Python Pickle — If you’re a heavy python user you’ve probably come across the pickle module from the standard library at some point. You may have even heard that this library is dangerous. …

What is a “ReDoS” Attack, and how can you make sure your code is safe? — What is DoS? I’ve covered this in a few earlier posts, but DoS stands for Denial-of-Service. Denial-of-Service is a type of cyber attack technique where the attacker attempts to disrupt the availability of a service, application, or company. DoS attacks generally exist in one of two broad categories, Denial-of-Service (DoS) and Distributed Denial-of-Service…

Why Typosquatting is a Threat to Python Developers and their Companies — The Setup Imagine this, you’re a developer at Super corp. You’re working on a new web application and you’re planning on building it using Flask. Like many Macbook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install flask using pip. …

What’s your Infosec origin story? — I’ve always been fascinated by how other Cybersecurity professionals ended up in their roles. For some it was a childhood dream to be a hacker (or catch hackers) after watching an old school hacker movie, others fell into roles organically after a career in enterprise IT, and if we’re being…