How to write safe Python code. An interview with Kushal Das

Here is the original English version of this interview.

This year the speaker lineup for Moscow Python Conf++ has been put together (by the Program Committee, that is). But beyond a speaker's achievements, it is much more interesting to learn what the speaker thinks about the issues that concern us. To find that out, to get insider information or the advice of a more experienced developer, you need to talk to people at conferences. I took advantage of the situation and did a short interview with our speaker Kushal Das.

A distinctive feature of Kushal's talks is that he regularly publishes "secret" ways to break Python code and, in contrast, shows how to write code so that the NSA cannot crack it. At our conference Kushal will talk about how to develop and deploy Python code safely, so I asked him about security.



- Kushal, please tell us a little about yourself and about your work with Python and related projects.

Kushal Das: I live in India and now work as a public interest technologist at the American non-profit organization Freedom of the Press Foundation, where I help maintain the SecureDrop project. SecureDrop is an open source information platform. The main language there is Python.

In addition, I am involved in other open source projects, including the Python language itself. I am one of the CPython Core developers and a member of the Python Software Foundation's Board of Directors.

I have been working with Python since 2005, and almost my entire career has been connected with this language, as well as with Linux. These are two main areas of my interests. I am also a member of the Tor Project Core Team. As many already know, Tor helps keep your privacy online.

- Tor is a terrific project; it is used by developers around the world to get access to APIs and documentation that are blocked, for example, due to local laws. Your talk will be built around security, so I have a few questions.

First of all, there is an opinion that for an ordinary developer without special training, security in itself is too complicated. It is believed that we, as an industry, should provide tools and an ecosystem so that the software we create is safe by default.

What do you think is better after all: to educate people about security or to provide them with tools?

Kushal Das: I think both. Indeed, security is a complex issue. However, if a novice programmer goes through basic training or works in a team, he learns to avoid most of the common problems.

Most often, real security incidents, such as hacks, data leaks or data theft, arise from incorrect configuration, missing updates or incorrect, sometimes downright careless code.

I think that most of the basic mistakes can be avoided if we train both beginners and “old-timers” of the industry. In addition, some things that are inaccessible to the human eye can be revealed with the help of new tools, new automation, new processes.

A very simple example is the dependency checks that GitHub now has. If a Python application contains errors or uses an old version of some module, and there is a known vulnerability described in a CVE, GitHub can tell you as a developer: "Hey! An update is required here!" - and the bot will automatically try to open a PR to update the module.

Thus, training and tools are best combined, but personally, I would still prefer as much training as possible. It is people who enter data and make mistakes. Technology cannot fix all such errors.

- Yes, unfortunately, that is so. Modern software development relies heavily on open repositories such as the Python Package Index, node.js, npm, etc. At the current stage this usually happens as pip install or poetry add.

In your opinion, how high are the security risks for a regular Python backend developer in a medium-sized company if he uses only these tools? Are such risks acceptable, or should developers even consider trivial vulnerabilities?

Kushal Das: This is a really important question, because in all the repositories that we support, where you can download modules for different languages, we try to make this process simple and accessible for developers.

For Python, for example, there is a Python security mailing list that alerts you to problems with recently uploaded modules. There are cases of so-called typosquatting, when the name of a package is similar to a very well-known package and developers inadvertently use the wrong one. On the Python side, PyPI takes care of such things.

In addition, when installing any package with pip, you can actually verify it and make sure that it is what you need, as well as check the integrity of the download. For example, there is PEP 458, which proposes protecting downloads with package signing on PyPI.

Work on security tooling is still ongoing. I would recommend that developers starting to work with any new unsigned module find out who the author is, how many people are involved in its development, where it is hosted, which large projects use it, what is in the source code, whether there are any complaints about problems or bugs, etc.

This is only 15-30 minutes of searching, but it pays off. If nobody in the world except the author uses this package, perhaps you should not use it either. If this particular module is used in other packages or software, then it will most likely be safer for your code.
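The two manual checks Kushal describes above (verifying that what you downloaded is what you expected, and noticing a name that only looks like a well-known package) can be scripted. The block below is an added example from the editor, not code from Kushal Das, SecureDrop, pip or PyPI. The hash check is the same idea that `pip install --require-hashes` applies to a pinned requirements file; the allowlist of "well-known" names, the artifact file and its contents are constructed for illustration.

```python
"""Supply-chain checks to run before trusting a new package (added example)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed allowlist: names the team already depends on (not PyPI data).
KNOWN_PACKAGES = {"requests", "numpy", "django", "flask", "cryptography"}


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large wheel need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_sha256: str) -> bool:
    """Compare the artifact's digest with the pinned one in constant time."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def possible_typosquat(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return the well-known name this one resembles, or None.

    An exact (normalized) match is the real package. A name within a couple of
    edits of a well-known one, e.g. 'reqeusts' or 'djagno', deserves a second look
    before it goes into requirements.txt.
    """
    n = normalize(name)
    if n in known:
        return None
    for k in sorted(known):
        if edit_distance(n, k) <= max_distance:
            return k
    return None


def self_check() -> dict:
    """Exercise the hash check on a constructed artifact in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "somepkg-1.0.tar.gz"
        artifact.write_bytes(b"constructed artifact bytes, not a real sdist")
        pinned = sha256_of_file(artifact)   # the value you would record as a pin
        untouched = verify_artifact(artifact, pinned)
        case_insensitive = verify_artifact(artifact, pinned.upper())
        artifact.write_bytes(artifact.read_bytes() + b"\n# tampered")
        tampered = verify_artifact(artifact, pinned)
    return {"untouched": untouched, "uppercase_pin": case_insensitive,
            "tampered": tampered}


if __name__ == "__main__":
    print(self_check())
    print(possible_typosquat("reqeusts"), possible_typosquat("Requests"))
```

The edit-distance check is deliberately loose: it produces false positives (a short, legitimate name close to a known one) and is only meant to trigger the 15-30 minutes of research described above, not to replace them.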

— , , - , , , .

, , node.js npm, npm install something.

NPM checks the installed packages for known issues and shows the results. For example, it displays a message like: "Among the packages you just installed there are two with a high security risk and ten with a medium risk. You can run the following commands to fix or update them, or refuse to install." This resembles built-in tooling. What do you think of such solutions, and can we expect something similar for PyPI?

Kushal Das: I have never used NPM, except maybe once or twice in my life when I needed to test something. Therefore, I cannot directly comment on how good this is, but it seems to be about giving the developer a more intuitive user interface.

In general, all this is part of the story about user interaction, where the task of developers and designers is to work out how best to present the data, given that it is ultimately viewed by the end developer, the third party who will install all these tools and modules. Because when there is too much information, we usually click through or skip it without reading. The truth is somewhere in between.

As for the future plans of Python and pip development, I cannot comment on them; they are unknown to me. However, I think, or rather hope, that someone has already submitted a request for a similar feature so that the pip authors can take it into account in their plans. The maintainer team is now a little larger than it used to be - about seven people with commit rights.

- Thank you, I hope that over time people will think more about security and build more checks into our ecosystem. Let's talk a little about your upcoming talk at Moscow Python Conf++. It is built around securing dependencies and packaging.

We won't give any spoilers here, but from your point of view as a security expert, what else should developers take into account when checking application security?

We have already discussed how to secure dependency handling and packages. What else needs to be checked by the ordinary developer? What should I look for?

Kushal Das: I think one of the main points should be updates. Make sure that at least this is in order, and that everything you depend on is updated, including the OS, whether it be Linux, Mac, Windows, or even iOS. Alternatively, make sure you at least model the processes to understand what else might go wrong.

The problem for beginners (and this has happened to me) in most cases is that we blindly trust user input. You need to rely less on the fact that the input is indeed correct and that this will not cause any other problems. Everything needs to be double-checked.

In addition, if you opened something, make sure you do not forget to close it. Imagine an ordinary door: when we enter the office, we check whether we have closed the door behind us. Likewise in programming, when we open files, sockets, or anything else, or obtain access to something, we need to make sure after we are done that everything is cleaned up and closed.

From a programming point of view, I think these are two main points that many people forget.

- Yes, there are many things that people forget about, and now, I think, the last question. Based on your personal experience, what kind of security mistakes do mid-level Python backend developers make most often? User input? Dependencies? Secure application packaging? What is most common?

Kushal Das: The problems that I have seen were mainly due to incorrect input.

In 2011, I was developing a tool for the Fedora project and forgot to clean up my temporary files. In this particular case these were dumps, and their absence in the new environment caused unforeseen problems for the infrastructure - it went down because of my, to put it mildly, bad code.

This is a continuation of the same topic: you need to make sure that the code "cleans up" after itself if it creates or opens something. So it was a serious lesson for me. When you think, "Yeah, I did it! Everything works on my laptop!", it is not a given that it will work in a real release or in production.

For some reason, we often think that the environment will be identical to our local one, but that never happens. Even large companies often find it difficult to determine the real environment on the client side. It is important to simply keep that in mind.

And one more thing: comment your code more and write documentation. This tip is not only for beginners, but also for experienced developers. If you have not looked at the code for several months or several years, it can be very difficult to understand why you once wrote something.
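Kushal's two recurring points, do not blindly trust user input and clean up whatever you open or create (the "close the door behind you" rule, and the forgotten temporary files from the Fedora story), are easy to get right in Python once they are habits. The block below is an added example from the editor, not code from Kushal Das, SecureDrop or Fedora; the upload-handling scenario, the `safe_join`/`process_upload` names and the file names are constructed for illustration.

```python
"""Untrusted file names and guaranteed cleanup (added example)."""
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-supplied name would escape the directory we write into."""


def safe_join(base: Path, user_name: str) -> Path:
    """Resolve user_name inside base and refuse anything that lands outside it.

    'report.txt' is fine; '../x', an absolute path or 'a/../../x' are rejected
    even though they are all perfectly valid strings. The comparison is made on
    resolved paths, so a symlink inside base pointing elsewhere is caught too.
    """
    if not user_name or "\x00" in user_name:
        raise UnsafePath("empty name or embedded NUL byte")
    base = base.resolve()
    candidate = (base / user_name).resolve()   # an absolute user_name replaces base here
    if base not in candidate.parents:
        raise UnsafePath(f"{user_name!r} resolves to {candidate}, outside {base}")
    return candidate


def process_upload(base: Path, user_name: str, data: bytes, transform,
                   scratch_root=None) -> Path:
    """Validate the name, do the work in scratch space, then publish the result.

    TemporaryDirectory is a context manager: the scratch files disappear when the
    block exits, whether transform() returns or raises. Every handle is opened
    with `with`, so nothing is left open when we return, and the target is only
    written once the work has succeeded, so a failure leaves no half-written file.
    """
    target = safe_join(base, user_name)        # check the input before touching disk
    with tempfile.TemporaryDirectory(dir=scratch_root) as scratch:
        incoming = Path(scratch) / "incoming.bin"
        with incoming.open("wb") as fh:
            fh.write(data)
        result = transform(incoming.read_bytes())   # may raise: cleanup still runs
        with target.open("wb") as fh:
            fh.write(result)
    return target


def run_demo() -> dict:
    """Exercise both habits on constructed directories and report what happened."""
    outcome = {}
    with tempfile.TemporaryDirectory() as base_dir, tempfile.TemporaryDirectory() as scratch_dir:
        base, scratch_root = Path(base_dir), Path(scratch_dir)

        # 1. Untrusted names: only the plain file name is accepted.
        for name in ("report.txt", "../outside.txt", "/etc/passwd", "sub/../../x", ""):
            try:
                safe_join(base, name)
                outcome[name] = "accepted"
            except UnsafePath:
                outcome[name] = "rejected"

        # 2. A good upload is transformed and published into base.
        published = process_upload(base, "report.txt", b"hello", bytes.upper, scratch_root)
        outcome["published"] = published.read_bytes()

        # 3. A failing transform leaves no scratch files and no half-written target.
        def failing(_data: bytes) -> bytes:
            raise RuntimeError("constructed failure inside the transform step")

        try:
            process_upload(base, "broken.txt", b"hello", failing, scratch_root)
        except RuntimeError:
            pass
        outcome["scratch_left"] = [p.name for p in scratch_root.iterdir()]
        outcome["partial_target"] = (base / "broken.txt").exists()
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key!r}: {value!r}")
```

The `try`/`except` in `run_demo` only exists to show that the scratch directory is gone after the failure; in real code you would let the exception propagate, and the context managers would still do the cleanup on the way out.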

Kushal Das will speak at Moscow Python Conf++. We were forced to postpone the large offline conference to the autumn, but on March 27 we held a mini online conference, the materials of which we will share soon, so stay tuned.
