Before we get into how to protect python applications from dependency confusion attacks, we’ll define this new attack vector, give a bit of background, and look at examples.
Dependency Confusion is a new intrusion technique that exploits the way many programming languages handle dependency resolution when projects utilize a mix of public and private packages.
Nearly all new software projects today utilize some kind of third-party, open-source software. In fact, it’s common for the majority of the code in most software today to actually be composed of imported, open-source packages.
If you’ve spent any time doing automated testing in Python you’re probably familiar with the Python assert statement. Assert is incredibly handy in the context of testing. It gives you the ability to test the truthiness of a condition. If the condition is false, an AssertionError is raised. This AssertionError is then caught by the testing framework and returned to the user as a failure.
Since these statements work so well in testing, given their simple invocation and readability, you might be tempted to use them in your production Python code. This would be a big mistake.
Let’s start with an analogy
In today’s world, building applications is a lot like building a house. If you’re building a house, you start by going to a store and purchasing materials that serve as the foundation of your house. For simplicity, let’s take windows, doors, and countertops as an example. After you purchase these materials and begin construction, you’ll consider things like:
In other words, you (the builder) are…
If you’re a heavy Python user you’ve probably come across the pickle module from the standard library at some point. You may have even heard that this library is dangerous. This post will take a look at how pickle works (at a high level), what the risks are, and risk prevention strategies.
I’ve covered this in a few earlier posts, but DoS stands for Denial-of-Service. Denial-of-Service is a type of cyberattack technique where the attacker attempts to disrupt the availability of a service, application, or company. DoS attacks generally fall into one of two broad categories, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS). Both have the same general intent in mind, but they take very different forms. Within DoS there are network-based attacks and application-based attacks.
Application layer attacks, also sometimes called Layer 7 attacks, involve putting operational strain on the software serving the requests in such a…
Imagine this: you’re a developer at Super corp. You’re working on a new web application and you’re planning on building it using Flask. Like many MacBook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install flask using pip. However, instead of typing pip install flask you end up with pip install flaskk. The install completes in just a second, but you notice the typo. You uninstall flaskk and give the install a second try with the appropriate number of k’s. …
I’ve always been fascinated by how other Cybersecurity professionals ended up in their roles. For some it was a childhood dream to be a hacker (or catch hackers) after watching an old school hacker movie, others fell into roles organically after a career in enterprise IT, and if we’re being honest, some are in it for the money. With record shortages in skilled security personnel, the field is growing with more and more diverse people with different backgrounds.
I’ve always enjoyed my own origin story (though I may be biased), partially because it was so unexpected. Here it is.
First, what is cloud sprawl?
Cloud sprawl is the lack of controls against the expansion of an organization’s cloud instances, services or providers.
While instances and services are managed differently than providers, the lack of effective controls on any of these is a cause of concern for organizations.
A lack of visibility and control around the volume and types of instances and services offered by a Cloud Service Provider (CSP) is dangerous from a cost perspective as any unnecessary or untracked usage that is not contained can pose a serious financial burden. …
If you’ve done much Python development you’re probably familiar with installing dependencies using pip, or even easy_install, if you’ve been at this for a while. Whether you were aware of it or not, these dependencies likely came from the public Python Package Index (PyPI) or perhaps an internal mirror of the PyPI repository that is hosted by your company.
What you may not have been aware of is how these dependencies are actually packaged, delivered, and installed, and the differences between the different distribution types available for Python.
There are two primary distribution types in use today, Built Distributions and Source…
Whether you’re a student, studying for certification, or a vulnerability management pro, finding cheap tools to satisfy educational requirements or satiate your scanning curiosity can be difficult. In this post I’ll be looking at my top 5 free vulnerability assessment tools.
This terminology can get a little confusing. Network Scanning can often be boiled down to the act of port scanning and mapping a network. Vulnerability Assessment is one step beyond network scanning, with an additional step to identify services and test for vulnerable software. Finally, Vulnerability Management is the process of identifying, prioritizing, and remediating vulnerabilities detected…
Manage your open-source dependencies at every step in the SDLC