close search bar

Sorry, not available in this language yet

close language selection

Securing Python Web Applications

Course Description

Python is one of the most popular programming languages in the world. This flexible, open source language can be used to develop software for everything from simple prototyping to high-performance gaming applications, enterprise-grade web frameworks, mobile applications, and more. This course dives deep into defensive programming techniques for Python, with examples using the two most well-known web frameworks built on top of Python: Django and Flask.

Learning Objectives

  • Use the framework's built-in security features to provide defense-in-depth
  • Protect against common attack vectors in the OWASP Top 10
  • Identify the security responsibilities and address how to build security in
  • Configure a web development framework
  • Implement session management securely
  • Effectively implement authentication and authorization

Details

Delivery Format: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience:

  • Back-End Developers
  • Front-End Developers
  • Enterprise Developers

Prerequisites:

Course Outline

Python Primer

  • Features
  • Python for Web Development
  • Python 3.x
  • Reasons to Switch

Python 3.x Core Languages Security Considerations

  • Errors and Exceptions
  • Eval() and Input() Functions
  • Unicode Strings
  • OpenSSL
  • Final Note on Syntax

Web Application Security

  • Cross-Site Scripting
  • Contextually Aware Output Encoding
  • Server-Side Template Injection
  • Login with Facebook

Web Application Security 2 - Attacks on Persisted Assets

  • Injection Overview
  • SQL Injection
  • XML Attacks

Web Development Framework Configuration 

  • Web Development Framework Scope of Responsibility
  • CSRF Protection
  • Limiting Scope and Access to Attacks
  • Same Site Cookies
  • Referrer Policy
  • Transporting Tokens Securely
  • Token Expiry
  • HTTP Strict Transport Security
  • Allowed_Hosts
  • Environment-Based Secret Management
  • Matching Definitions
  • TLS Configuration
  • Error Handling
  • Clickjacking
  • Monitoring and Notification

Session Management

  • Attacks on Session Management
  • Persistent Sessions
  • Scope
  • Expiry
  • Protecting Cookie Integrity

Authentication and Authorization

  • Authentication Factors
  • Attacker Objectives
  • Matching Definitions
  • Authentication
  • Password Storage
  • Authorization Overview
  • Is the User Logged In?
  • Authorizing a User to Access a Controller
  • Enforcing CRUD Properties on Model Data

Get more course information