Facebook SDK

Friday, January 3, 2014

Programming Security-Part 6 (Python Security)

I’ve talked about a lot of general programming tactics in regards to security but now I’d like to focus on Python for a bit. Python eliminates a lot of security issues inherent in C, C++, and other languages. For example, it is very difficult, if not impossible, to create a buffer overflow in Python; the language will attempt to allocate the required memory, possibly slowing down the system as space is allocated but Python will automatically resize the buffer as needed or, worst case, throw an exception.

Now, this doesn’t mean that a suitably intelligent attacker won’t find some way to hack Python code and make a system fail. It just means that Python was written in such a way that the most common issues in programming are removed from the consciousness of the programmer; in short, you don’t have to think about vulnerabilities in the underlying language (as long as you upgrade to the latest versions). Obviously, vulnerabilities are found and patched, just like any other software. Maintaining your language (2.x or 3.x) at the most recent version ensures you have the latest security patches to the core language.

However, this doesn’t mean you won’t introduce vulnerabilities into your own programs just by choosing to use Python (or Java, Ruby, or any other “new” language). Sensible coding practices will help make your application resistant to attacks. Of course, you need to keep track of bug reports and provide updates to address any vulnerabilities that are found.

The Python Security website was established to make Python the “most secure programming language in the world” (according to the site). A lot of the material currently on the site (as of this writing) is for Python libraries and modules, like web frameworks, web servers, template engines, etc. The general security topics is somewhat limited. Being a wiki, the amount of information can be limited, and as of August 2013, the site is listed as no longer being updated.

Unfortunately, this means you are pretty much on your own when it comes to finding out how to secure your Python programs. You can use many of the general programming tips I have provided on this blog or you find in books or other web sites. The main thing to consider is that, if you are using external libraries or frameworks, you need to make sure that they are patched just like every other program.

If you are disturbing software, make a mailing list for users to subscribe to so they can receive security update information as you patch your software. If you use external libraries, make sure those get updated when you distribute new patches, or at least provide notifications for users so they can get their own updates. Just remember that, generally speaking, people are lazy when it comes to updating software so the less work they have to do, the more likely they will do something. Hence, if you include all the necessary updates in one package, there is a better chance they will update everything; if they have to find, download, and install eight different things, it probably won’t happen.

No comments: