Sessions at PyCon US 2012 about Security


Friday 9th March 2012

  • Advanced Security Topics

    by Paul McMillan

    If your Python application has users, you should be worried about security. This talk will cover advanced material, highlighting common mistakes. Topics will include hashing and salts, timing attacks, serialization, and much more. Expect eye-opening demos, and an urge to go fix your code right away.

    If your Python application has users (even if it's used offline), you should be worried about security. This talk will cover advanced material, highlighting common mistakes.

    Hashing and encryption can be tricky to get right. We'll discuss when to use hashing to sign data, and how to choose the right encryption algorithm (spoiler: don't). We'll demonstrate length extension attacks, and discuss how to prevent them.

    Another common mistake is the incorrect use of pseudo-random number generators. We'll discuss the fix, and some of the dangers associated with it.

    Timing attacks are relatively exotic, but as applications move into shared data centers (and shared virtual machines) they have become easier to implement and more dangerous. They're a very common class of bugs, but fixing them (and proving they're fixed) can be difficult.

    Pickle is a common and easy-to-use serialization format for Python objects. Unfortunately, it's also insecure when attackers can send or modify the pickled data. We'll discuss strategies for signing pickled objects, and alternate serialization formats.

    The final portion of the talk will discuss a meta security problem within the Python community. I'll be demonstrating live code that can compromise even the most locked down of servers, and discussing the steps we need to take as a community to mitigate this threat moving forward.

    At 1:45pm to 2:40pm, Friday 9th March

    In E1, Santa Clara Convention Center


  • Certainty in an Uncertain World: Gaining Confidence through Security Testing

    by Geremy Condra

    Nobody thinks you have to be a performance expert to write performance tests, so why assume that you have to be a security expert to write security tests? During this presentation I'll show you how to use fuzzers, attack tools, and other simple techniques to help protect your users, improve the strength of your existing tests, and gain confidence in the security of your code. There will be demos!

    Fundamentally, testing is about gaining confidence in the properties of your system: confidence that a refactor preserves behavior, that a new feature doesn't hurt performance, that your code is correct and operates as expected.

    Unfortunately, such tests seldom include the adversarial assumption, that one of your users (or admins, or ...) is out to get you. The goal of security testing is to cover this gap by building the tools to ensure that your code will not fail, even when an unusually clever or determined attacker tries to take you down.

    The talk is therefore divided into two major parts. The first ('mocking with malice') focuses on how to improve your existing test sequence and add the adversarial assumption. The second ('how to build a bad user') aims to help developers better understand their attack surface, the capabilities of their adversaries, and the tools available to help defeat them.

    By the end of the talk, developers should have a strong understanding of how to build security testing into their test regimen and how it can help them gain confidence in their code and better protect their users.

    At 4:40pm to 5:20pm, Friday 9th March

    In D5, Santa Clara Convention Center
