Based on photo by Chris Yang on Unsplash

Before we get into how to protect Python applications from dependency confusion attacks, we’ll define this new attack vector, give a bit of background, and look at examples.

Dependency Confusion is a new intrusion technique that exploits the way many package managers resolve dependencies when a project mixes public and private packages.

Nearly all new software projects today use some kind of third-party, open-source software. In fact, in much of the software shipped today the majority of the code is imported open-source packages rather than code written in-house.

The term dependency confusion was first coined by security researcher…
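The resolution behaviour described above is easiest to see in a small model. The following is an added example, not code from the original post: a toy resolver that pools candidates from a private and a public index and picks the highest version (the behaviour that makes the attack work when pip is given a private index via an extra index rather than as the only index), beside a hardened variant that only ever looks up internal names on the private index. The index contents are constructed and the package name acme-internal-utils is hypothetical.

```python
"""Toy model of how a package resolver can be confused by mixing indexes.

Added example, not code from the original post. The index contents below
are constructed; 'acme-internal-utils' is a hypothetical private package
name, and the public entry under the same name models an attacker's upload.
"""
from typing import Dict, List, Tuple

# Constructed index contents: package name -> available versions.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-internal-utils": ["1.2.0", "1.3.0"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1", "2.28.2"],
    # Same name as the private package, but with a higher version number.
    "acme-internal-utils": ["99.0.0"],
}

# Names that must only ever be fetched from the private index.
INTERNAL_NAMES = {"acme-internal-utils"}


def version_key(v: str) -> Tuple[int, ...]:
    """Order dotted numeric versions the way a resolver does (1.10 > 1.9)."""
    return tuple(int(part) for part in v.split("."))


def resolve_extra_index(name: str) -> Tuple[str, str]:
    """Model the confusable behaviour: candidates from both indexes are
    pooled and the highest version wins, regardless of where it came from."""
    candidates = []
    for source, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for v in index.get(name, []):
            candidates.append((version_key(v), v, source))
    if not candidates:
        raise LookupError(f"{name}: not found on any index")
    _, version, source = max(candidates)
    return version, source


def resolve_pinned_index(name: str) -> Tuple[str, str]:
    """Hardened variant: internal names are looked up only on the private
    index, so a public package with the same name can never be selected,
    whatever version number it advertises."""
    if name in INTERNAL_NAMES:
        index, source = PRIVATE_INDEX, "private"
    else:
        index, source = PUBLIC_INDEX, "public"
    versions = index.get(name)
    if not versions:
        raise LookupError(f"{name}: not found on the {source} index")
    return max(versions, key=version_key), source


if __name__ == "__main__":
    for resolver in (resolve_extra_index, resolve_pinned_index):
        print(resolver.__name__, resolver("acme-internal-utils"))
```

In real pip terms, the first resolver is what you get with `--extra-index-url`, which adds PyPI's candidates to your private index's rather than replacing them; the second is the effect of routing every install through a single private index that proxies PyPI and owns the internal names, or of a hash-pinned requirements file (`--require-hashes`), which rejects any artefact that is not the one you pinned.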


Keep your code safe by avoiding these 6 pitfalls

Based on photo by Sebastian Herrmann on Unsplash

Assert

If you’ve spent any time doing automated testing in Python you’re probably familiar with the Python assert statement. Assert is incredibly handy in the context of testing: it lets you test the truthiness of a condition, and if the condition is false an AssertionError is raised. The testing framework catches that AssertionError and reports it to the user as a failure.

Since these statements work so well in testing, given their simple invocation and readability, you might be tempted to use them in your production Python code. This would be a big mistake.

Assert should…
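The excerpt stops before it says why. The standard reason is that CPython removes every assert statement when it runs with -O (or PYTHONOPTIMIZE), so a check written as an assert silently disappears in exactly the deployments where it matters. The block below is an added example, not code from the original post: it compiles the same guard twice, once at optimize level 1 as python -O would, and shows the assert-based guard vanishing while an explicit raise survives. The transfer function and its arguments are hypothetical.

```python
"""Why assert is not a security control in production code.

Added example, not code from the original post. It relies on standard
CPython behaviour: optimize level 1 (python -O) strips assert statements
at compile time. ``transfer`` and its argument names are hypothetical.
"""

# A guard written with assert. Under -O this line is compiled away.
GUARDED_WITH_ASSERT = '''
def transfer(amount, balance):
    assert amount <= balance, "insufficient funds"
    return balance - amount
'''

# The same guard as an explicit check, which survives any optimize level.
GUARDED_WITH_RAISE = '''
def transfer(amount, balance):
    if amount > balance:
        raise ValueError("insufficient funds")
    return balance - amount
'''


def run_transfer(source: str, amount: int, balance: int, optimize: int):
    """Compile ``source`` at the given optimize level (1 == python -O),
    then call transfer(). Returns the new balance, or the exception type
    that the guard raised."""
    namespace = {}
    code = compile(source, "<transfer>", "exec", optimize=optimize)
    exec(code, namespace)
    try:
        return namespace["transfer"](amount, balance)
    except (AssertionError, ValueError) as exc:
        return type(exc)


if __name__ == "__main__":
    # Overdraw by 50 with and without -O semantics.
    for label, src in (("assert", GUARDED_WITH_ASSERT), ("raise", GUARDED_WITH_RAISE)):
        for opt in (0, 1):
            print(label, f"optimize={opt}", run_transfer(src, 150, 100, opt))
```

The assert version returns a negative balance under optimize level 1 because the check no longer exists in the compiled code; the raise version rejects the overdraw at both levels. Input validation, authorisation checks and anything else that must hold in production belong in explicit conditionals.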


Let’s start with an analogy

In today’s world, building applications is a lot like building a house. If you’re building a house, you start by going to a store and purchasing materials that serve as the foundation of your house. For simplicity, let’s take windows, doors, and countertops as an example. After you purchase these materials and begin construction, you’ll consider things like:

  • Will the door open to the left or right?
  • Will the window face north or south?
  • Will the countertop go in the center of the kitchen or against the wall?

In other words, you (the builder), are…


Preventing Pwnage against Python Pickle

If you’re a heavy Python user you’ve probably come across the pickle module from the standard library at some point. You may have even heard that this module is dangerous. This post will take a look at how pickle works (at a high level), what the risks are, and how to prevent them.
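To make the risk concrete, here is an added example that is not code from the original post. It builds a pickle stream whose deserialisation calls a function chosen by the producer of the stream (a harmless one, os.getcwd, so it is safe to run; an attacker would substitute any importable callable), shows that plain pickle.loads runs it, and then shows a restricted Unpickler, built on the standard find_class hook, refusing the same stream. The allowlist of builtins is a constructed sample.

```python
"""How an untrusted pickle runs code, and a restricted unpickler that refuses it.

Added example, not code from the original post. The payload calls a
harmless function (os.getcwd) so the demonstration is safe to run; a real
attacker would substitute any importable callable, such as os.system.
"""
import builtins
import io
import os
import pickle


class Payload:
    """Any object whose __reduce__ returns (callable, args) makes
    pickle.loads() call that callable while deserialising the stream."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    return pickle.dumps(Payload())


def benign_stream() -> bytes:
    """A pickle of plain containers, which references no globals."""
    return pickle.dumps({"a": [1, 2]})


class RestrictedUnpickler(pickle.Unpickler):
    """Allow only a small allowlist of builtins to be referenced by name.
    Any other global (os.getcwd here, recorded under its defining module)
    is rejected before it can be called."""

    SAFE_BUILTINS = {"set", "frozenset", "list", "dict", "tuple"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def unsafe_loads(data: bytes):
    """Plain pickle.loads: executes whatever the stream references."""
    return pickle.loads(data)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    data = build_payload()
    print("unsafe:", unsafe_loads(data))   # os.getcwd() was actually called
    print("rejected:", is_rejected(data))  # True
```

A restricted unpickler narrows the attack surface but is only as safe as its allowlist; if the data crosses a trust boundary, a format that cannot express code at all (JSON, protobuf) is the better choice.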

What is Pickle?


What is a “ReDoS” Attack, and how can you make sure your code is safe?

What is DoS?

I’ve covered this in a few earlier posts, but DoS stands for Denial-of-Service: a type of cyber attack in which the attacker attempts to disrupt the availability of a service, application, or company. DoS attacks fall into two broad categories, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS). Both have the same general intent, but they take very different forms. Within DoS there are network-based attacks and application-based attacks.

Application layer attacks, also sometimes called Layer 7 attacks, involve putting operational strain on the software serving the requests in such a…
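The regular-expression flavour of an application-layer attack is catastrophic backtracking: a pattern whose failed match costs time exponential in the input length, so a single crafted request ties up a worker. The block below is an added example, not code from the original post. It times the classic nested-quantifier pattern against an equivalent single-quantifier pattern on constructed inputs; on CPython's backtracking engine the first one roughly doubles in cost with each extra character.

```python
"""Catastrophic backtracking: the application-layer DoS case for regexes.

Added example, not code from the original post. The patterns are the
classic nested-quantifier shape and the inputs are constructed. On
CPython's backtracking engine the evil pattern's matching time doubles
with every extra 'a' in a non-matching input.
"""
import re
import time
from typing import Dict

# Nested quantifier: (a+)+ can split a run of n a's into groups in 2**(n-1)
# ways, and the engine tries every one before concluding there is no match.
EVIL = re.compile(r"^(a+)+$")

# Same language (one or more a's and nothing else) with a single quantifier,
# so a failed match costs one pass over the input.
SAFE = re.compile(r"^a+$")


def timed_match(pattern: "re.Pattern[str]", text: str):
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n: int) -> Dict[str, object]:
    """Match both patterns against n a's followed by a non-a character,
    the worst case for EVIL, and report results and wall-clock times."""
    text = "a" * n + "!"
    evil_ok, evil_t = timed_match(EVIL, text)
    safe_ok, safe_t = timed_match(SAFE, text)
    return {"evil_match": evil_ok, "safe_match": safe_ok,
            "evil_seconds": evil_t, "safe_seconds": safe_t}


if __name__ == "__main__":
    for n in (12, 16, 20):
        r = compare(n)
        print(f"n={n:2d} evil={r['evil_seconds']:.4f}s safe={r['safe_seconds']:.6f}s")
```

Both patterns give the same answer on every input; only the cost differs. The practical defences follow from the mechanism: avoid nested quantifiers and overlapping alternations in patterns that see untrusted input, and cap the length of that input before it reaches the regex engine.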


Why Typosquatting is a Threat to Python Developers and their Companies

Based on Photo by Gwendal Cottin on Unsplash

Imagine this: you’re a developer at Super Corp. You’re working on a new web application and you’re planning on building it using Flask. Like many MacBook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install Flask using pip. However, instead of typing pip install flask you end up with pip install flaskk.

The install completes in just a second, but you notice the typo. You uninstall flaskk and give the install a second try with the appropriate number of k’s. …
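One defence against the slip described above is to check every requested package name against the names the project is known to depend on, and to stop on a near-miss before pip runs. The following is an added example, not code from the original post: it normalises names the way the package index does (case-insensitive, with -, _ and . treated alike) and flags any request within a couple of edits of a known name. The allowlist is a constructed sample; a real check would read it from the project's lock file.

```python
"""A near-miss check for package names before they are installed.

Added example, not code from the original post. The allowlist is a
constructed sample of names a team actually depends on.
"""
import re
from typing import List, Tuple

# Constructed: packages this project is known to use.
KNOWN_PACKAGES = ["flask", "requests", "numpy", "pyyaml", "cryptography"]


def normalise(name: str) -> str:
    """PEP 503 normalisation: lower-case, and runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_name(requested: str, known: List[str] = KNOWN_PACKAGES,
               max_distance: int = 2) -> Tuple[str, List[str]]:
    """Classify a requested name as 'known', 'suspicious' (within
    max_distance edits of a known name but not equal to it) or 'unknown'.
    The second element lists the known names it resembles."""
    req = normalise(requested)
    known_norm = [normalise(k) for k in known]
    if req in known_norm:
        return "known", []
    near = sorted(k for k in known_norm if edit_distance(req, k) <= max_distance)
    if near:
        return "suspicious", near
    return "unknown", []


if __name__ == "__main__":
    for name in ("flask", "flaskk", "Requets", "django"):
        print(name, "->", check_name(name))
```

Wired into a pip wrapper or a pre-commit hook over requirements.txt, this turns the flaskk typo into a refusal rather than an install. An 'unknown' result is not a verdict, only a name that needs a human to look at it before it joins the allowlist.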


What’s your Infosec origin story?

I’ve always been fascinated by how other cybersecurity professionals ended up in their roles. For some it was a childhood dream to be a hacker (or catch hackers) after watching an old school hacker movie, others fell into roles organically after a career in enterprise IT, and if we’re being honest, some are in it for the money. With record shortages of skilled security personnel, the field is growing and drawing more and more people from diverse backgrounds.

I’ve always enjoyed my own origin story (though I may be biased), partially because it was so unexpected. Here it is.

Notice…


Why does cloud sprawl happen and how can we control it?

Based on photo by Nicholas Swanson on Unsplash

First, what is cloud sprawl?

Cloud sprawl is the uncontrolled expansion of an organization’s cloud instances, services, or providers.

While instances and services are managed differently than providers, the lack of effective controls on any of these is a cause for concern for organizations.

A lack of visibility and control around the volume and types of instances and services offered by a Cloud Service Provider (CSP) is dangerous from a cost perspective as any unnecessary or untracked usage that is not contained can pose a serious financial burden. …


What are Wheels, Eggs, and Source Distributions?

Based on photo by Erol Ahmed on Unsplash

If you’ve done much Python development you’re probably familiar with installing dependencies using pip, or even easy_install, if you’ve been at this for a while. Whether you were aware of it or not, these dependencies likely came from the public Python Package Index (PyPI) or perhaps an internal mirror of the PyPI repository hosted by your company.

What you may not have been aware of is how these dependencies are actually packaged, delivered, and installed, and the differences between the different distribution types available for Python.

The Primary Distribution Types

There are two primary distribution types in use today, Built Distributions and Source…
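The distribution type is visible in the artefact's filename, and for wheels the filename also says what the package was built for. The block below is an added example, not code from the original post: it classifies a filename as wheel, egg or source distribution and splits a wheel name into the components defined by PEP 427. The filenames used are constructed.

```python
"""Classify a Python distribution file by name and pull a wheel's tags apart.

Added example, not code from the original post. Filenames below are
constructed; the wheel layout follows PEP 427, and the egg and sdist
forms are the conventional ones produced by setuptools.
"""
from typing import Dict, Optional


def classify(filename: str) -> str:
    """Return 'wheel', 'egg', 'sdist' or 'unknown' from the file suffix."""
    if filename.endswith(".whl"):
        return "wheel"
    if filename.endswith(".egg"):
        return "egg"
    if filename.endswith((".tar.gz", ".tar.bz2", ".zip")):
        return "sdist"
    return "unknown"


def parse_wheel(filename: str) -> Optional[Dict[str, str]]:
    """Split a wheel filename into its PEP 427 components, or return None.

    Layout: {name}-{version}[-{build}]-{python tag}-{abi tag}-{platform tag}.whl
    """
    if not filename.endswith(".whl"):
        return None
    parts = filename[:-4].split("-")
    if len(parts) == 5:
        name, version, py, abi, plat = parts
        build = ""
    elif len(parts) == 6:
        name, version, build, py, abi, plat = parts
    else:
        return None
    return {"name": name, "version": version, "build": build,
            "python": py, "abi": abi, "platform": plat}


def is_pure_python(filename: str) -> Optional[bool]:
    """A pure-Python wheel carries the 'none' ABI and 'any' platform tag;
    anything else contains compiled code for a specific interpreter and OS."""
    tags = parse_wheel(filename)
    if tags is None:
        return None
    return tags["abi"] == "none" and tags["platform"] == "any"


if __name__ == "__main__":
    for f in ("requests-2.28.2-py3-none-any.whl",
              "cryptography-39.0.1-cp36-abi3-manylinux_2_28_x86_64.whl",
              "requests-2.28.2.tar.gz",
              "requests-2.28.2-py3.8.egg"):
        print(f, classify(f), parse_wheel(f))
```

The distinction matters beyond packaging hygiene: a wheel is unpacked into site-packages, whereas installing a source distribution runs the project's build backend (historically setup.py) on the installing machine, which is arbitrary code execution at install time. Preferring wheels, or pinning hashes so that only the artefacts you reviewed are accepted, removes that step from the supply chain.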


If you’re looking to learn more about vulnerability scanners on the cheap, look no further

Based on photo by Taylor Vick on Unsplash

Whether you’re a student, studying for certification, or a vulnerability management pro, finding cheap tools to satisfy educational requirements or satiate your scanning curiosity can be difficult. In this post I’ll be looking at my top 5 free vulnerability assessment tools.

This terminology can get a little confusing. Network scanning can often be boiled down to the act of port scanning and mapping a network. Vulnerability assessment is one step beyond network scanning, adding the identification of services and testing for vulnerable software. Finally, vulnerability management is the process of identifying, prioritizing, and remediating the vulnerabilities detected…

Ochrona Security

Manage your open-source dependencies at every step in the SDLC
