WEBVTT 00:00:00.001 --> 00:00:03.900 What do developers need to know about AppSec and building secure software? 00:00:03.900 --> 00:00:09.340 We have Tanya Janca, aka SheHacksPurple, on the show to tell us all about it. 00:00:09.340 --> 00:00:13.580 We talk about what developers should expect from threat modeling sessions, 00:00:13.580 --> 00:00:17.100 as well as concrete tips for securing your apps and services. 00:00:17.100 --> 00:00:21.600 This is Talk Python To Me, recorded November 15th, 2024. 00:00:21.600 --> 00:00:24.460 Are you ready for your host, Tanya? 00:00:24.460 --> 00:00:28.160 You're listening to Michael Kennedy on Talk Python To Me. 00:00:28.160 --> 00:00:31.920 Live from Portland, Oregon, and this segment was made with Python. 00:00:31.920 --> 00:00:37.920 Welcome to Talk Python To Me, a weekly podcast on Python. 00:00:37.920 --> 00:00:40.140 This is your host, Michael Kennedy. 00:00:40.140 --> 00:00:45.480 Follow me on Mastodon, where I'm @mkennedy, and follow the podcast using @talkpython, 00:00:45.480 --> 00:00:51.300 both accounts over at fosstodon.org, and keep up with the show and listen to over nine years 00:00:51.300 --> 00:00:53.380 of episodes at talkpython.fm. 00:00:53.620 --> 00:00:57.980 If you want to be part of our live episodes, you can find the live streams over on YouTube. 00:00:57.980 --> 00:01:04.200 Subscribe to our YouTube channel over at talkpython.fm/youtube and get notified about upcoming shows. 00:01:04.760 --> 00:01:08.740 This episode is sponsored by Posit Connect from the makers of Shiny. 00:01:08.740 --> 00:01:13.240 Publish, share, and deploy all of your data projects that you're creating using Python. 00:01:13.240 --> 00:01:19.920 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs. 00:01:19.920 --> 00:01:22.320 Posit Connect supports all of them. 00:01:22.320 --> 00:01:26.680 Try Posit Connect for free by going to talkpython.fm/Posit. 00:01:27.040 --> 00:01:28.000 P-O-S-I-T. 00:01:28.000 --> 00:01:30.940 And this episode is brought to you by Bluehost. 00:01:30.940 --> 00:01:32.560 Do you need a website fast? 00:01:32.560 --> 00:01:33.440 Get Bluehost. 00:01:33.440 --> 00:01:38.820 Their AI builds your WordPress site in minutes, and their built-in tools optimize your growth. 00:01:38.820 --> 00:01:39.780 Don't wait. 00:01:39.780 --> 00:01:43.380 Visit talkpython.fm/bluehost to get started. 00:01:43.380 --> 00:01:46.500 Tanya, welcome to Talk Python. 00:01:46.500 --> 00:01:47.680 I mean, it's awesome to have you here. 00:01:47.680 --> 00:01:49.600 Oh my gosh, I'm so excited to be here. 00:01:49.600 --> 00:01:50.920 Thank you for having me, Michael. 00:01:50.920 --> 00:01:52.800 Yeah, you're very welcome. 00:01:52.800 --> 00:01:54.860 And I'm super excited. 00:01:55.360 --> 00:02:00.180 You know, in a good and bad way, excited to have you here because I'm very excited to talk to you. 00:02:00.180 --> 00:02:04.840 But some of the stuff that we're going to talk about might be a little unnerving for people out there listening. 00:02:04.840 --> 00:02:10.860 They may pause the show and then run off to make some changes to what they're doing and then come back. 00:02:10.860 --> 00:02:13.880 And then that part might be a little exciting in a different way. 00:02:13.880 --> 00:02:16.400 Yes, it will. 00:02:16.400 --> 00:02:23.920 Have you ever had that experience where you're giving a presentation or something and somebody goes gasp in the audience and maybe runs away or something? 00:02:24.680 --> 00:02:30.160 I was doing a capture the flag contest once and I was showing people how to do an SQL injection. 00:02:30.160 --> 00:02:32.920 And then we just like logged in without a password. 00:02:32.920 --> 00:02:35.860 And this woman was like, oh my gosh. 00:02:35.860 --> 00:02:38.340 And she literally just she stood up. 00:02:38.340 --> 00:02:39.320 She's like, I have to go. 00:02:39.320 --> 00:02:43.760 And she told me the next day she fixed three of them at work. 00:02:43.760 --> 00:02:45.200 And she just stayed all night. 00:02:45.880 --> 00:02:46.940 Oh, amazing. 00:02:46.940 --> 00:02:48.140 You made a huge impression. 00:02:48.140 --> 00:02:50.600 It was pretty cool. 00:02:50.600 --> 00:02:52.460 Yeah, that's pretty awesome. 00:02:52.460 --> 00:02:59.280 I've never had that around security, but I was doing an in-person class once for database things, which we're going to touch on databases for sure. 00:02:59.280 --> 00:03:00.980 And this had to do with transactions. 00:03:00.980 --> 00:03:07.020 And I said, if you do things this way, it doesn't actually use a transaction unless, oh, yes, it does. 00:03:07.020 --> 00:03:08.660 And I showed that it did. 00:03:08.660 --> 00:03:10.420 And somebody said, I'll be back later. 00:03:10.420 --> 00:03:11.280 And they just took off. 00:03:11.280 --> 00:03:13.980 Oh my gosh, this is not good. 00:03:13.980 --> 00:03:15.800 We have to fix this now. 00:03:15.800 --> 00:03:18.680 So, yeah, hopefully no one actually has to do that here. 00:03:18.680 --> 00:03:21.460 But I'm sure there's a ton for people to learn. 00:03:21.460 --> 00:03:25.740 Speaking of learning, let's start with a little bit about you. 00:03:25.740 --> 00:03:29.160 You have a domain, shehackspurple.ca. 00:03:29.160 --> 00:03:31.820 That tells us several things about you, I believe. 00:03:31.820 --> 00:03:33.420 Purple is interesting. 00:03:33.420 --> 00:03:36.140 Hacks is interesting. 00:03:36.140 --> 00:03:36.900 And Canada. 00:03:36.900 --> 00:03:38.000 Tell us about yourself. 00:03:38.000 --> 00:03:42.380 So I was a software developer for a really long time. 00:03:42.380 --> 00:03:44.260 And then I switched to security. 00:03:45.360 --> 00:03:51.440 And when I was a software developer, I used to also play music in bars and music festivals as sort of my hobby. 00:03:51.440 --> 00:03:54.280 But I released albums and did all of that. 00:03:54.280 --> 00:03:58.700 So that's why I'm quite the public speaker, because I've been on stage my whole life. 00:03:58.700 --> 00:04:01.700 And so I switched to security. 00:04:01.700 --> 00:04:04.820 And I became a pen tester, which is Red Team. 00:04:04.820 --> 00:04:06.920 And that's where you attack things. 00:04:06.920 --> 00:04:08.400 And it's a fence of security. 00:04:08.400 --> 00:04:09.940 And I don't mean we swear at people. 00:04:09.940 --> 00:04:12.280 But then... 00:04:12.280 --> 00:04:14.400 It's the other way around, I believe. 00:04:14.600 --> 00:04:16.260 This is the direction the swearing probably goes. 00:04:16.260 --> 00:04:16.500 Right? 00:04:16.500 --> 00:04:22.120 But then as I was doing pen testing, I kept sitting with the devs. 00:04:22.120 --> 00:04:23.780 And I would pair a program with them. 00:04:23.780 --> 00:04:25.000 And I would help them fix things. 00:04:25.000 --> 00:04:26.860 And I'm like, well, if we threat model this... 00:04:26.860 --> 00:04:28.560 And I kept doing AppSec, essentially. 00:04:28.560 --> 00:04:31.240 And people are like, you keep doing blue team. 00:04:31.240 --> 00:04:32.380 You keep doing defenses. 00:04:32.380 --> 00:04:34.280 It's like you can't make up your mind. 00:04:34.280 --> 00:04:37.160 And eventually one of them is like, you're a purple team. 00:04:37.160 --> 00:04:39.800 And so I was at a conference in Europe. 00:04:39.800 --> 00:04:47.540 And on stage during the conference, this woman, she kept playing with her phone on a panel, ignoring the audience. 00:04:47.540 --> 00:04:48.560 And I was super shocked. 00:04:48.680 --> 00:04:50.180 And finally, she's like, I'm really sorry. 00:04:50.180 --> 00:04:54.100 But her company had created WannaCry by accident. 00:04:54.100 --> 00:04:55.400 Yeah. 00:04:55.400 --> 00:04:56.920 And it had just broken out. 00:04:56.920 --> 00:04:59.080 And she's like, so there's this virus. 00:04:59.080 --> 00:05:04.220 And it just hit the NHS and took down the hospitals and this and that. 00:05:04.220 --> 00:05:05.560 And oh, my gosh. 00:05:06.060 --> 00:05:08.700 And so everyone ran out of the room freaking out. 00:05:08.700 --> 00:05:10.340 And they all went to check Twitter. 00:05:10.340 --> 00:05:11.960 Because that's where everyone was talking. 00:05:11.960 --> 00:05:14.600 And so people are like, you have to make a Twitter account. 00:05:14.600 --> 00:05:16.960 And so I was like, oh, what will I call myself? 00:05:16.960 --> 00:05:18.820 And I was like, she acts computers. 00:05:18.820 --> 00:05:20.560 And then it was too long. 00:05:20.560 --> 00:05:21.700 Because that was my email address. 00:05:21.700 --> 00:05:23.560 She acts computers at gmail.com. 00:05:23.560 --> 00:05:24.580 That used to be my email. 00:05:24.580 --> 00:05:28.400 But then basically, that was too long. 00:05:28.400 --> 00:05:29.360 So I was like, I don't know. 00:05:29.360 --> 00:05:32.700 And someone's like, well, you know, you have that purple team thing going. 00:05:32.700 --> 00:05:35.120 So I was like, well, it's not like anyone will ever follow me. 00:05:35.600 --> 00:05:37.720 So I changed it into She Hacks Purple. 00:05:37.720 --> 00:05:43.260 And then it turns out that I really, so then I put some purple in my hair to tease my friend 00:05:43.260 --> 00:05:43.720 Kevin. 00:05:43.720 --> 00:05:46.060 And it went all from there. 00:05:46.060 --> 00:05:49.000 Like, yeah. 00:05:49.000 --> 00:05:50.040 I own a lot of purple now. 00:05:50.040 --> 00:05:50.380 That's amazing. 00:05:50.380 --> 00:05:51.280 Yeah. 00:05:51.280 --> 00:05:53.520 It's now part of the vibe, right? 00:05:53.520 --> 00:05:54.100 That's awesome. 00:05:54.100 --> 00:05:55.000 That's a really cool story. 00:05:55.000 --> 00:06:01.140 So you said you've been a programmer for a while and then got into app security and pen 00:06:01.140 --> 00:06:01.480 testing. 00:06:01.480 --> 00:06:02.720 How did you get into all that? 00:06:02.720 --> 00:06:04.520 It was totally an accident. 00:06:05.140 --> 00:06:07.120 So like I said, I was in a band. 00:06:07.120 --> 00:06:10.740 And so we had this pen tester in our office and he was in a band. 00:06:10.740 --> 00:06:13.020 And so we obviously became friends. 00:06:13.020 --> 00:06:17.540 And one day I came to his desk and I was like, hey, my band wrote this song called Mandatory 00:06:17.540 --> 00:06:18.200 Dance Party. 00:06:18.200 --> 00:06:21.900 And we want to make this mobile app where if you're near someone else that has the app, 00:06:21.900 --> 00:06:23.080 it goes beep, beep, beep. 00:06:23.080 --> 00:06:24.420 Mandatory Dance Party. 00:06:24.420 --> 00:06:26.500 And then you both have to dance or else. 00:06:26.680 --> 00:06:29.120 And then whoever jiggles their phone the most wins. 00:06:29.120 --> 00:06:30.960 I'm like, did you want to make this app with me? 00:06:30.960 --> 00:06:33.000 He's like, there's nothing I want to do more. 00:06:33.000 --> 00:06:35.680 And so our friendship began. 00:06:35.680 --> 00:06:39.620 And then for a year and a half, he just nagged me to become a pen tester. 00:06:39.620 --> 00:06:40.840 He's like, you'd be so good. 00:06:40.840 --> 00:06:42.080 You'd be really good at it. 00:06:42.080 --> 00:06:45.440 You've been doing you've been a dev for like 17 years. 00:06:45.440 --> 00:06:46.760 It's time for something new. 00:06:46.800 --> 00:06:49.620 And I was like, no, I am the king of software. 00:06:49.620 --> 00:06:50.980 This is the best. 00:06:50.980 --> 00:06:53.700 I make something out of nothing all day. 00:06:53.700 --> 00:06:55.500 It'll never be cooler than this. 00:06:55.500 --> 00:06:57.640 But then it turned out it was pretty cool. 00:06:57.640 --> 00:07:00.080 And you still get to write code sometimes. 00:07:00.080 --> 00:07:03.620 And then eventually I figured out I was not meant to be a pen tester. 00:07:03.620 --> 00:07:04.880 I was meant to do app sec. 00:07:04.880 --> 00:07:06.900 So I still get to hang out with devs all day. 00:07:06.900 --> 00:07:10.100 I'm not alone freezing cold in a data center at night. 00:07:10.100 --> 00:07:16.000 And I get to it's like more like a social butterfly type of job where a pen tester is more like 00:07:16.000 --> 00:07:17.540 the lone wolf type of job. 00:07:17.540 --> 00:07:17.900 Yeah. 00:07:17.900 --> 00:07:18.420 Yeah. 00:07:18.420 --> 00:07:23.520 You're working on the disassembly, looking for, you know, fuzzing something, looking for a crash. 00:07:23.520 --> 00:07:24.080 Yeah. 00:07:24.080 --> 00:07:29.280 So you still get to break stuff in app sec sometimes, but like, that's not all you do. 00:07:29.280 --> 00:07:35.620 You do a lot of conversations, a lot of brainstorming, and that's better for my extroverted personality. 00:07:35.620 --> 00:07:37.360 Yeah. 00:07:37.360 --> 00:07:37.860 That's awesome. 00:07:37.860 --> 00:07:38.960 You have a newsletter. 00:07:38.960 --> 00:07:42.820 People can visit your website and sign up and I'll put links to all those sorts of things 00:07:42.820 --> 00:07:44.400 in the show notes for you. 00:07:45.200 --> 00:07:49.160 So yeah, a couple of things I wanted to talk about. 00:07:49.160 --> 00:07:55.340 First of all, I've seen you given presentations about threat modeling and tell us what is threat 00:07:55.340 --> 00:07:57.640 modeling and what are some of the takeaways? 00:07:57.640 --> 00:08:05.000 Obviously our audience here is largely Python developers, data scientists, and a ginormous assorted 00:08:05.000 --> 00:08:07.860 other that sort of orbits around those spaces. 00:08:08.360 --> 00:08:13.600 So they'd probably be pretty interested on the developer data scientist side of threat modeling. 00:08:13.600 --> 00:08:16.540 What is it and what's it like for devs? 00:08:16.540 --> 00:08:22.060 So threat modeling is sort of like evil brainstorming. 00:08:22.060 --> 00:08:28.060 So you get a security person like me in the room, you get a dev or one of the technical leads 00:08:28.060 --> 00:08:30.320 for your system, and then you get the product owner. 00:08:30.320 --> 00:08:35.380 So the person that understands the business of this app and like why it exists in the world. 00:08:35.380 --> 00:08:37.780 And at least those three people. 00:08:37.780 --> 00:08:40.360 If more people come, it's better, but that's fine. 00:08:40.500 --> 00:08:45.160 And then you talk about what could go wrong and what are you going to do about it? 00:08:45.160 --> 00:08:48.800 I have this friend named Adam Shostak who's written a bunch of books about it. 00:08:48.800 --> 00:08:52.560 And so I used to ask a ton of questions and then I met him. 00:08:52.560 --> 00:08:54.300 And now I ask four things. 00:08:54.300 --> 00:08:55.860 What are we doing? 00:08:55.860 --> 00:08:58.620 And so then I usually draw it out on a whiteboard. 00:08:58.620 --> 00:09:03.240 So like, oh, there's an API and it talks to this and then this happens and then people steal bikes. 00:09:03.240 --> 00:09:03.700 Okay. 00:09:04.340 --> 00:09:06.040 And then it's like- 00:09:06.040 --> 00:09:06.520 Do we have a database? 00:09:06.520 --> 00:09:07.360 Is it in the cloud? 00:09:07.360 --> 00:09:09.560 Is it in a data center that we own? 00:09:09.560 --> 00:09:10.240 Whatever, yeah. 00:09:10.240 --> 00:09:10.740 Yeah. 00:09:10.740 --> 00:09:15.480 And then I ask questions along the way and then I'm like, so what could go wrong here? 00:09:15.480 --> 00:09:17.900 And then it's like, you know, these two things are talking. 00:09:17.900 --> 00:09:21.240 Do we authenticate first or do we just talk to any old API? 00:09:21.240 --> 00:09:22.100 Right? 00:09:22.100 --> 00:09:26.860 And we go through and we come up with some things that could go wrong and we make a list. 00:09:26.860 --> 00:09:30.220 And then I'm like, okay, so what are we going to do about these things? 00:09:30.220 --> 00:09:34.440 And you talk about basically, is this a serious risk? 00:09:34.440 --> 00:09:35.440 Is it scary? 00:09:35.440 --> 00:09:40.680 Or is it like, you know what, if that happens, it's not really a big deal and the likelihood is really, really rare. 00:09:40.680 --> 00:09:42.440 So maybe we'll accept that risk. 00:09:42.440 --> 00:09:50.980 But a lot of them, it's like, you know, if we added a certificate here or we included authentication there, like we can make some small changes. 00:09:51.340 --> 00:09:56.380 And if you're during the design phase of the system development lifecycle, it costs you nothing, right? 00:09:56.380 --> 00:10:00.340 Or usually it costs you nothing or very little. 00:10:00.340 --> 00:10:05.760 And so then you basically improve your design and then you write it all out. 00:10:05.760 --> 00:10:09.320 And then hopefully someone approves these changes. 00:10:09.840 --> 00:10:14.300 And then at the end, a thing that Adam asks is, did we do a good job? 00:10:14.300 --> 00:10:16.700 And that is the magical question. 00:10:16.700 --> 00:10:25.240 Because the very first time I did one of these in the government, I did not realize that that's what I was doing to my director. 00:10:25.240 --> 00:10:27.040 I was like, well, what about this? 00:10:27.040 --> 00:10:27.760 And what about that? 00:10:27.760 --> 00:10:28.580 And this could go wrong. 00:10:28.580 --> 00:10:32.580 And because I was trying to kill the project because I thought it was a terrible part. 00:10:32.580 --> 00:10:33.980 And we did end up canceling it. 00:10:33.980 --> 00:10:39.940 But I brought up like all these huge existential risks to this ridiculous project they were thinking of doing. 00:10:39.940 --> 00:10:42.360 And he just kept saying, it'll be fine. 00:10:42.360 --> 00:10:43.500 And I'll manage that risk. 00:10:43.500 --> 00:10:47.340 And I was like, you realize manage that risk means nothing, right? 00:10:47.340 --> 00:10:48.180 You're going to do nothing. 00:10:48.180 --> 00:10:50.060 So I brought up eight really big risks. 00:10:50.060 --> 00:10:52.020 And you want to do nothing about any of them. 00:10:52.020 --> 00:10:53.040 I'm like, are we doing it? 00:10:53.040 --> 00:10:54.760 Like, do you think we've done a good job here? 00:10:54.760 --> 00:10:55.800 Like, you feel proud today? 00:10:55.800 --> 00:10:56.740 Because I don't. 00:10:56.740 --> 00:10:58.320 And then we started again. 00:10:58.320 --> 00:11:03.400 And then eventually over the months, we canceled the project because it was quite silly. 00:11:03.400 --> 00:11:08.400 Just to be clear, I usually love it when software development projects go forward. 00:11:08.400 --> 00:11:13.140 This was a very special situation where it was not in the taxpayer's best interest. 00:11:13.140 --> 00:11:15.060 Yes. 00:11:15.060 --> 00:11:16.760 Anyway, I'm like, there's more there. 00:11:16.760 --> 00:11:17.940 But I'm like, NDAs. 00:11:17.940 --> 00:11:19.140 Yeah, of course. 00:11:19.140 --> 00:11:26.300 But usually we come up with like a couple of changes that grossly reduce the risk of the system. 00:11:26.300 --> 00:11:29.620 And it's quite fun. 00:11:29.620 --> 00:11:31.820 Like, once you start. 00:11:32.040 --> 00:11:38.900 So the first time I went to a threat model, I came with my dev background of, I will fix any problem you bring to me. 00:11:38.900 --> 00:11:40.840 I just need to do code. 00:11:40.840 --> 00:11:42.360 And I can fix whatever you need. 00:11:42.360 --> 00:11:45.280 But it's different when it's like, I'm going to try to break things. 00:11:45.280 --> 00:11:50.300 You have to learn kind of this new skill set of like, how can I make it do stuff it should not do? 00:11:50.300 --> 00:11:52.720 And it took me a while. 00:11:52.720 --> 00:11:53.880 And now I'm brutal. 00:11:53.880 --> 00:11:55.280 Like, I go to the movies. 00:11:55.280 --> 00:11:56.780 I'm like, we could have gotten free. 00:11:58.780 --> 00:12:00.980 It's even outside of technology now, huh? 00:12:00.980 --> 00:12:02.140 Oh, yeah. 00:12:02.140 --> 00:12:03.620 Oh, it's everywhere now. 00:12:03.620 --> 00:12:09.700 My significant other who does not work in tech will be like, I'm just trying to threat model this for the kids. 00:12:10.760 --> 00:12:13.220 If we go to the pool, they'll have wet bathing suits. 00:12:13.220 --> 00:12:15.480 Yeah. 00:12:15.480 --> 00:12:15.820 Yeah. 00:12:15.820 --> 00:12:16.500 Very nice. 00:12:16.500 --> 00:12:20.420 You know, I think there's two different ways to look at this, right? 00:12:20.420 --> 00:12:27.200 Obviously, from a developer perspective, you've got to look at, well, what packages or libraries am I using? 00:12:27.200 --> 00:12:31.280 And how are we validating input and all those kinds of things? 00:12:31.280 --> 00:12:35.740 And I feel like that's one level, but maybe the threat modeling is a little bit broader. 00:12:35.740 --> 00:12:38.660 Like, are we storing stuff unencrypted anywhere? 00:12:38.660 --> 00:12:39.900 Yeah. 00:12:39.900 --> 00:12:40.600 Who could get that? 00:12:40.600 --> 00:12:43.000 And it's the thing that makes me nervous. 00:12:43.000 --> 00:12:45.480 I said I would be somewhat nervous about this at the beginning. 00:12:45.480 --> 00:12:49.500 The stuff that makes me nervous about all of these things is the asymmetry of it. 00:12:49.500 --> 00:12:57.080 As a developer or data scientist or somebody in charge of this information and the systems, you have to be right all the time, right? 00:12:57.080 --> 00:13:00.760 And if you're ever not right, little Bobby Tables is on you like nothing. 00:13:00.760 --> 00:13:02.420 It's like a goalie. 00:13:02.420 --> 00:13:04.040 It's like a goalie, right? 00:13:04.040 --> 00:13:06.780 Like, you let into goals and everyone's like, you're the worst. 00:13:06.780 --> 00:13:09.680 And it's like, I defended against hundreds of shots. 00:13:09.680 --> 00:13:11.040 Do I get nothing? 00:13:11.040 --> 00:13:12.680 Exactly. 00:13:12.680 --> 00:13:16.300 Well, developers shouldn't be on their own in this, though. 00:13:16.300 --> 00:13:17.300 That's the whole thing. 00:13:17.300 --> 00:13:25.620 So, like, the job of the AppSec person, in my opinion, is to support the developers in making more secure apps, right? 00:13:25.620 --> 00:13:36.360 So, booking a threat modeling time with them or, you know, providing a static analysis tool or a secret scanner or whatever to scan their code so that they can make better code. 00:13:36.500 --> 00:13:48.360 So, they have help giving them training, giving them, like, a list of super clear requirements at the beginning of the project rather than at the end telling them it's wrong. 00:13:48.360 --> 00:13:50.600 That is a huge one. 00:13:50.740 --> 00:13:57.620 Like, if someone's going to build an API, I would prefer the API be behind an API gateway if it's publicly accessible. 00:13:57.620 --> 00:14:05.120 And I want to do things like turn on authentication and authorization and rate limiting and all sorts of fancy, nice, awesome stuff that they offer. 00:14:05.120 --> 00:14:12.240 And so, I tell them at the very beginning of the project, I don't wait until the end and I'm like, well, this design's all wrong. 00:14:13.060 --> 00:14:14.400 Like, if, you know what I mean? 00:14:14.400 --> 00:14:14.840 Yeah. 00:14:14.840 --> 00:14:16.920 But that's what we did back in the day. 00:14:16.920 --> 00:14:24.120 Like, when I had my first vulnerability assessment done, I, you know, I'm supposed to go to prod in two days. 00:14:24.120 --> 00:14:28.880 And they ran the world's crappiest dynamic scanner on my computer, on my app. 00:14:28.880 --> 00:14:31.360 And they're like, you have cross-site scripting. 00:14:31.360 --> 00:14:32.660 And this was so long ago. 00:14:32.660 --> 00:14:36.920 I searched for cross-site scripting on the internet and there was only three web pages. 00:14:36.920 --> 00:14:38.760 So, I'm old, everyone. 00:14:38.760 --> 00:14:43.700 And one was this thing called OWASP. 00:14:43.700 --> 00:14:45.920 And I was like, what the heck is that? 00:14:45.920 --> 00:14:50.340 And it took me quite a while to figure out how to fix it, right? 00:14:50.420 --> 00:14:56.260 Like, we've come a long way, but yeah, the developer shouldn't be alone in this anymore. 00:14:56.260 --> 00:14:57.860 They should have help. 00:14:57.860 --> 00:15:00.540 I'm not saying that every company does have that. 00:15:00.540 --> 00:15:01.700 I'm saying every company should. 00:15:01.700 --> 00:15:06.540 If you have a bunch of devs, you should have eventually a security person that supports them. 00:15:06.540 --> 00:15:06.960 Right. 00:15:06.960 --> 00:15:11.440 Maybe sits with them for a few hours a week or a month or something. 00:15:11.440 --> 00:15:15.660 And sort of, as you said, like a butterfly sort of moves around the team, hanging out with other people. 00:15:15.660 --> 00:15:16.880 Like, oh, you work on the API. 00:15:16.880 --> 00:15:19.080 Okay, let me hang out with you a bit this morning. 00:15:19.460 --> 00:15:20.980 Ideally, that would be great. 00:15:20.980 --> 00:15:26.760 Also, I mean, if you have a big enough company doing something like a security champions program. 00:15:26.760 --> 00:15:33.600 So, like each dev team, there's one representative and you just give them way more training and way more time. 00:15:33.600 --> 00:15:35.700 And you check in with them regularly. 00:15:35.700 --> 00:15:41.320 Like, if I'm working with only like 50 or 60 devs, like you can get to know a lot of them. 00:15:41.640 --> 00:15:45.780 But I remember working at this one place and there were 2000 devs and me. 00:15:45.780 --> 00:15:52.200 And I was like, okay, so how do I do this? 00:15:52.200 --> 00:15:57.620 And just very quickly, there was just like that one person per team that I would talk to all the time. 00:15:57.620 --> 00:16:06.120 And I remember, ironically, I went to Montreal on this vacation trip and my car got stuck in the mud because there'd been this big rainstorm. 00:16:06.120 --> 00:16:08.620 And I was like tweeting about it and how I was so sad. 00:16:08.620 --> 00:16:12.740 And one of my devs came to me and dragged me out of the mud. 00:16:12.740 --> 00:16:14.240 And I was like, he is a champion. 00:16:15.240 --> 00:16:15.920 I know. 00:16:15.920 --> 00:16:16.840 Oh, that's amazing. 00:16:16.840 --> 00:16:19.800 And there's benefits to large teams aren't in there. 00:16:19.800 --> 00:16:21.140 I know. 00:16:21.140 --> 00:16:24.740 I like, it never occurred to me that like I would get an answer. 00:16:24.740 --> 00:16:26.320 He's like, hey, I live in Montreal. 00:16:26.320 --> 00:16:27.160 Do you need help? 00:16:27.160 --> 00:16:28.400 And I was like, I do. 00:16:28.400 --> 00:16:30.020 And he's like, you help me all the time. 00:16:30.020 --> 00:16:30.840 I'll be right there. 00:16:30.840 --> 00:16:33.040 I was just like, oh, that's very cool. 00:16:33.040 --> 00:16:33.560 Yeah. 00:16:33.560 --> 00:16:43.120 This portion of Talk Python To Me is brought to you by Posit, the makers of Shiny, formerly RStudio, and especially Shiny for Python. 00:16:43.120 --> 00:16:45.100 Let me ask you a question. 00:16:45.460 --> 00:16:46.800 Are you building awesome things? 00:16:46.800 --> 00:16:47.840 Of course you are. 00:16:47.840 --> 00:16:49.420 You're a developer or a data scientist. 00:16:49.420 --> 00:16:50.320 That's what we do. 00:16:50.320 --> 00:16:52.360 And you should check out Posit Connect. 00:16:52.360 --> 00:16:59.340 Posit Connect is a way for you to publish, share, and deploy all the data products that you're building using Python. 00:16:59.340 --> 00:17:02.520 People ask me the same question all the time. 00:17:02.520 --> 00:17:05.680 Michael, I have some cool data science project or notebook that I built. 00:17:05.680 --> 00:17:08.960 How do I share it with my users, stakeholders, teammates? 00:17:08.960 --> 00:17:13.780 Do I need to learn FastAPI or Flask or maybe Vue or React.js? 00:17:13.780 --> 00:17:15.000 Hold on now. 00:17:15.000 --> 00:17:17.920 Those are cool technologies, and I'm sure you'd benefit from them. 00:17:17.920 --> 00:17:19.800 But maybe stay focused on the data project. 00:17:19.800 --> 00:17:22.280 Let Posit Connect handle that side of things. 00:17:22.280 --> 00:17:27.000 With Posit Connect, you can rapidly and securely deploy the things you build in Python. 00:17:27.400 --> 00:17:33.460 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, ports, dashboards, and APIs. 00:17:34.080 --> 00:17:35.740 Posit Connect supports all of them. 00:17:35.740 --> 00:17:41.600 And Posit Connect comes with all the bells and whistles to satisfy IT and other enterprise requirements. 00:17:41.600 --> 00:17:45.880 Make deployment the easiest step in your workflow with Posit Connect. 00:17:45.880 --> 00:17:52.060 For a limited time, you can try Posit Connect for free for three months by going to talkpython.fm/posit. 00:17:52.280 --> 00:17:55.740 That's talkpython.fm/P-O-S-I-T. 00:17:55.740 --> 00:17:57.620 The link is in your podcast player show notes. 00:17:57.620 --> 00:18:00.880 Thank you to the team at Posit for supporting Talk Python. 00:18:02.400 --> 00:18:08.300 So you managed it almost, I don't want to endorse Scrum necessarily, but like a Scrum of Scrum equivalent. 00:18:08.300 --> 00:18:16.080 So sort of you found somebody or different people from who could sort of represent different segments or apps and stuff and got together with those groups. 00:18:16.080 --> 00:18:16.640 Yeah. 00:18:16.640 --> 00:18:17.460 Yeah. 00:18:17.460 --> 00:18:24.640 So I didn't know what it was called when I started doing AppSec because I didn't have any training, right? 00:18:24.640 --> 00:18:27.480 I was just like, all of our apps are a total mess. 00:18:27.480 --> 00:18:29.700 I just switched to the security team. 00:18:29.700 --> 00:18:31.580 I need to fix this. 00:18:31.580 --> 00:18:42.620 And so I was trying to talk to all of them, but very quickly, there was like a person that sort of self-identified as the person who was totally willing to tolerate Tanya and all of her security nerdiness. 00:18:42.620 --> 00:18:47.260 And I would hold these little lunch and learns where I was like, oh my gosh, my first one. 00:18:47.260 --> 00:18:53.580 I remember I, because I'd been on the dev team and then I switched to the security team and I was like, I'm going to break into a bank at lunch. 00:18:53.580 --> 00:18:54.720 Who wants to watch? 00:18:54.720 --> 00:18:56.160 I brought donuts. 00:18:56.160 --> 00:18:57.920 And everyone's like, you're not going to. 00:18:57.920 --> 00:19:01.200 And I'm like, it's a, it's a pretend bank, but I'm going to do it. 00:19:01.200 --> 00:19:03.060 And they're like, but donuts, right? 00:19:03.060 --> 00:19:03.740 I'm like, yeah. 00:19:03.740 --> 00:19:08.260 You just got to choose the right motivation. 00:19:08.260 --> 00:19:14.900 I feel like pizza, any sort of carb goes really like it goes over well. 00:19:15.960 --> 00:19:19.760 But yeah, I just slowly formed more and more relationships. 00:19:19.760 --> 00:19:24.480 And then that is how I got a lot of security done because I'm not their boss. 00:19:24.480 --> 00:19:27.420 I can't make them prioritize security. 00:19:27.420 --> 00:19:30.140 I need to persuade them that it's important. 00:19:30.380 --> 00:19:39.720 And one of those people from my very first program, he became an application security engineer and he just started his first security champions program this year. 00:19:39.720 --> 00:19:42.360 And I spoke for them two months ago and it was amazing. 00:19:42.360 --> 00:19:42.840 Exciting. 00:19:42.840 --> 00:19:43.860 Yeah, that's awesome. 00:19:44.640 --> 00:19:51.540 Honestly, I think coming from the software dev side probably gets you a lot of credibility with the software teams. 00:19:51.960 --> 00:19:58.540 Yeah, because I can just like read code and stuff and the rest of the security team usually can't. 00:19:58.540 --> 00:20:02.020 And also, so I've gotten in trouble for that, though. 00:20:02.020 --> 00:20:07.820 I've gotten in trouble with the security team at a couple of places I've worked where they're like, you're always on their side. 00:20:07.820 --> 00:20:11.340 And I was like, yeah, but they're right and we're wrong this time. 00:20:11.340 --> 00:20:16.460 Because sometimes the security team's being so completely unflexible. 00:20:16.460 --> 00:20:20.500 And I'm like, listen, this is like a minute risk if you really think about it. 00:20:20.500 --> 00:20:25.000 Where like if you look at the context of this and this, it doesn't generate legitimate business risks. 00:20:25.000 --> 00:20:30.580 So, no, I'm not going to upgrade off of this vulnerable library because it's not actually exploitable. 00:20:30.580 --> 00:20:33.000 And there's this and this and this precaution. 00:20:33.000 --> 00:20:34.860 And like we're actually fine. 00:20:34.860 --> 00:20:37.580 And it's going to cost like months and months of time. 00:20:37.780 --> 00:20:40.900 And so I'd rather use my social currency on something that really matters. 00:20:40.900 --> 00:20:44.860 And I've just had people get really pissed at me on the security team. 00:20:44.860 --> 00:20:47.660 Like this plus between username and query. 00:20:47.660 --> 00:20:53.640 So, yeah, it's just not good. 00:20:53.640 --> 00:20:54.400 It's just not good. 00:20:54.400 --> 00:21:03.760 There is, you know, you see all the time, whether it's npm or pip or whatever package management tool you're using, 00:21:03.760 --> 00:21:06.140 you might see, oh, or GitHub. 00:21:06.420 --> 00:21:08.360 This library you're using has this vulnerability. 00:21:08.360 --> 00:21:10.040 And it sounds scary. 00:21:10.040 --> 00:21:18.340 But if the vulnerability is in a portion of it that you literally never use and you never expose the internet, you know, it might be bigger fish to fry. 00:21:18.340 --> 00:21:18.600 Who knows? 00:21:18.600 --> 00:21:19.060 Maybe not. 00:21:19.060 --> 00:21:21.420 But a lot of it's hard to decide. 00:21:21.420 --> 00:21:23.580 Insecurity, we call... 00:21:23.580 --> 00:21:24.360 As you're saying where to spend your time. 00:21:24.580 --> 00:21:28.600 Yeah, so we call that reachability in the InfoSec field. 00:21:28.600 --> 00:21:34.100 And so my advice, and not everyone agrees, is basically if something... 00:21:34.100 --> 00:21:35.900 So let's say you have the math library. 00:21:35.900 --> 00:21:40.240 And the math library has like a thousand different math functions because we love math. 00:21:40.240 --> 00:21:42.600 And one of them has a great big bug in it. 00:21:42.600 --> 00:21:44.300 But we're not calling that one. 00:21:44.300 --> 00:21:44.700 Right. 00:21:44.700 --> 00:21:46.860 And it's probably like a denial of service. 00:21:46.860 --> 00:21:50.040 If you give it this weird number, it'll overflow and then like loop forever. 00:21:50.040 --> 00:21:51.980 And we're never calling it. 00:21:51.980 --> 00:21:55.560 Yeah, maybe it's something like really bad. 00:21:55.560 --> 00:21:57.180 It's like remote code execution. 00:21:57.180 --> 00:21:58.020 Like this sucks. 00:21:58.020 --> 00:21:58.480 Okay. 00:21:58.480 --> 00:22:03.840 But if it's not reachable from within your code, it's probably not actually a risk. 00:22:03.840 --> 00:22:05.680 So let's say it's like the worst one. 00:22:05.680 --> 00:22:06.880 It's remote code execution. 00:22:06.880 --> 00:22:09.840 I'm like, listen, at some point, could you upgrade off of this? 00:22:09.840 --> 00:22:18.580 And I need you to keep scanning it with your software composition analysis tool every time you check your code in to make sure you are not calling that dangerous function. 00:22:18.900 --> 00:22:27.240 So if you switch it around and you are no going to prod, but as long as it's not reachable, then we're not causing legit business risk. 00:22:27.240 --> 00:22:31.280 But I do want it in the backlog because at some point I'd like you to upgrade off. 00:22:31.280 --> 00:22:32.640 But like, let's say it's a medium. 00:22:32.640 --> 00:22:37.620 It's like there's so many bugs that I want people to fix. 00:22:37.620 --> 00:22:39.620 And some of them aren't even bugs. 00:22:39.620 --> 00:22:43.200 Like some of them are, I want you to use content security policy header. 00:22:43.200 --> 00:22:45.640 Is that a bug that you're not using it? 00:22:45.640 --> 00:22:48.280 In my heart it is, but technically no. 00:22:48.820 --> 00:22:53.620 But it's an additional layer of security that basically stops cross-site scripting in its tracks. 00:22:53.620 --> 00:22:54.160 Right. 00:22:54.160 --> 00:23:06.880 And so I'd rather spend my social currency getting like the entire organization to adopt CSP than to fit like upgrade off of tons of different dependencies that aren't actually hurting anyone. 00:23:06.880 --> 00:23:07.840 Yeah, I agree. 00:23:07.840 --> 00:23:08.900 I think that makes a lot of sense. 00:23:08.900 --> 00:23:11.920 This is why security people yell at me. 00:23:12.540 --> 00:23:12.940 Yeah. 00:23:12.940 --> 00:23:17.100 Once you've solved all the other security problems, you can come back to the unreachable ones, right? 00:23:17.100 --> 00:23:18.520 Yeah, for sure. 00:23:18.960 --> 00:23:19.360 Yeah. 00:23:19.360 --> 00:23:22.460 I want to dive into your book and you've got a bunch of good recommendations. 00:23:22.460 --> 00:23:24.100 But before I do, I just have a quick question. 00:23:24.100 --> 00:23:31.740 What do you think, you know, the White House last year or beginning of this year released a thing saying we call for memory safe languages. 00:23:31.740 --> 00:23:34.520 And I know you started in C and C++. 00:23:34.520 --> 00:23:36.060 I also started C++. 00:23:36.340 --> 00:23:40.940 I was kicked a Fortran kicking and screaming for a little while and went back to it and then moved on. 00:23:40.940 --> 00:23:44.580 But, you know, we got a lot more options these days, right? 00:23:44.580 --> 00:23:53.020 And I know folks at the PSF were actually working with the people at the White House to encourage them to consider Python as one of the options. 00:23:53.020 --> 00:23:55.200 But what do you think about this and its implications? 00:23:55.980 --> 00:23:58.680 Oh, a lot of software is written in C. 00:23:58.680 --> 00:23:59.540 A lot. 00:23:59.540 --> 00:24:01.300 Like, maybe half. 00:24:01.300 --> 00:24:06.520 Like, it's nuts how much is written of our whole world is written in C. 00:24:06.520 --> 00:24:09.440 And they're like, oh, future software. 00:24:09.440 --> 00:24:16.940 So, if we're writing brand new software, yeah, I wouldn't write it in C unless I absolutely had to. 00:24:16.940 --> 00:24:18.340 I would try to use Rust. 00:24:18.760 --> 00:24:23.440 But do I think that everyone's going to suddenly, like, rewrite everything into Rust? 00:24:23.440 --> 00:24:25.020 No, I don't believe that. 00:24:25.020 --> 00:24:27.140 And it's because of a lot of reasons. 00:24:27.140 --> 00:24:34.520 One, like, I'm told it's difficult to develop in Rust because basically there's, like, no libraries for it compared to C. 00:24:34.520 --> 00:24:35.980 C is so rich. 00:24:35.980 --> 00:24:38.900 There's so many options in C, C++, right? 00:24:38.900 --> 00:24:40.120 Because it's been around forever. 00:24:40.120 --> 00:24:46.620 There's a zillion code samples that you can copy from and then paste into your code, which you should not do unless you understand it fully. 00:24:48.520 --> 00:24:49.000 Yeah. 00:24:49.000 --> 00:24:51.040 So many comments there. 00:24:51.040 --> 00:24:53.380 So, memory safety. 00:24:53.380 --> 00:24:57.600 Like, if you are going to write a new app, I want it to be memory safe. 00:24:57.600 --> 00:24:58.740 Yes, absolutely. 00:24:58.740 --> 00:25:01.120 Do I expect everyone to rewrite all the old code? 00:25:01.120 --> 00:25:02.320 No, no one's going to do that. 00:25:02.320 --> 00:25:03.580 No one can afford to do that. 00:25:03.580 --> 00:25:04.000 No. 00:25:04.000 --> 00:25:10.960 But I'd love to see, like, a framework over top of C and C++ that provided memory safety. 00:25:10.960 --> 00:25:12.100 That would be amazing. 00:25:12.100 --> 00:25:13.800 I'd pay for that, right? 00:25:14.520 --> 00:25:19.880 Like, a library that just, like, I collect your garbage and you don't have to think about it anymore. 00:25:19.880 --> 00:25:20.780 Right? 00:25:20.780 --> 00:25:22.000 Like, that would be beautiful. 00:25:22.000 --> 00:25:27.620 That would solve, that would do a lot of backwards compatibility if we started turning that on in my brain. 00:25:27.620 --> 00:25:31.980 Yeah, you talked about the remote code execution issues. 00:25:31.980 --> 00:25:38.440 A lot of that has to do with exceeding a buffer we've allocated, using a freed buffer before the pointer was gone. 00:25:38.440 --> 00:25:41.940 Like, a lot of it has to do with this memory ownership and stuff that you're talking about. 00:25:42.100 --> 00:25:45.340 Yeah, and sometimes mismanagement of objects as well. 00:25:45.340 --> 00:25:48.640 And so, basically, you know, you make a memory. 00:25:48.640 --> 00:25:49.820 Can I explain this? 00:25:49.820 --> 00:25:51.380 Or is this, like, way below? 00:25:51.380 --> 00:25:51.660 Okay. 00:25:51.660 --> 00:25:56.060 So, we can overflow an integer, a string, a buffer. 00:25:56.060 --> 00:26:00.240 But basically, like, you declare a variable of some form. 00:26:00.240 --> 00:26:02.740 And let's say you're like, oh, my string's 20. 00:26:02.740 --> 00:26:03.300 Cool. 00:26:03.300 --> 00:26:06.720 If you put 25 in there, where do you think that extra 5 goes? 00:26:06.720 --> 00:26:07.300 Right? 00:26:07.300 --> 00:26:09.000 Next bit of execution, probably. 00:26:09.000 --> 00:26:10.140 Yeah, it goes somewhere else. 00:26:10.140 --> 00:26:11.120 Or a heap or something, yeah. 00:26:11.280 --> 00:26:13.760 Yeah, it goes somewhere else in the stack or the heap. 00:26:13.760 --> 00:26:15.340 And guess what? 00:26:15.340 --> 00:26:18.920 If you happen to do enough of it, you'll find the stack pointer. 00:26:18.920 --> 00:26:20.380 And guess what the stack pointer does? 00:26:20.380 --> 00:26:22.840 It tells you where the next instruction is. 00:26:22.840 --> 00:26:27.120 And what if I tell it where the next instruction is and it's in my overflow? 00:26:27.120 --> 00:26:34.200 And what if I've added my own shell code with instructions to do bad stuff, like open a web prompt? 00:26:34.200 --> 00:26:35.760 I would like a shell, please. 00:26:35.760 --> 00:26:37.060 A shell would be nice. 00:26:37.060 --> 00:26:37.720 Thank you. 00:26:38.060 --> 00:26:46.020 And then you can execute code on their server remotely, which is the RCE worst in the world thing we do not want to have happen. 00:26:46.700 --> 00:26:49.540 And this is because of memory safety. 00:26:49.540 --> 00:26:53.100 Because it's not automatically checking the bounds for us. 00:26:53.100 --> 00:26:59.420 And because we ourselves have not done perfect input validation, which is a hard thing to get right. 00:26:59.620 --> 00:27:00.820 I was teaching it today. 00:27:00.820 --> 00:27:06.120 And literally, we spent one hour and 15 minutes just on input validation. 00:27:06.120 --> 00:27:08.280 And they had a trillion questions. 00:27:08.280 --> 00:27:14.280 And a lot of them were like, yeah, but we don't need to do input validation if it's just internal, right? 00:27:14.400 --> 00:27:17.820 And I'm like, are you handling the employee paychecks? 00:27:17.820 --> 00:27:20.140 Do you want me to see your employee paychecks? 00:27:20.140 --> 00:27:22.000 Then you probably need to validate. 00:27:22.000 --> 00:27:24.720 So I'm a slippery fish. 00:27:24.720 --> 00:27:26.080 Yeah. 00:27:26.080 --> 00:27:31.120 Are you reading from the database that somebody else could have gotten into and leveled up? 00:27:31.120 --> 00:27:31.440 Yeah. 00:27:31.440 --> 00:27:32.820 There is a lot there, Michael. 00:27:32.820 --> 00:27:33.900 There's so much. 00:27:33.900 --> 00:27:34.980 It's not good. 00:27:35.660 --> 00:27:37.380 It's a negotiation, though, right? 00:27:37.380 --> 00:27:38.500 And it's about persuasion. 00:27:38.500 --> 00:27:40.700 And it's about what their threat model looks like. 00:27:40.700 --> 00:27:47.800 Because if you're handling hundreds of millions of dollars a day, your threat model is very different than I used to work at a place. 00:27:47.800 --> 00:27:54.460 And their entire job was to show videos to nurses and doctors that they had to watch each month so they could continue their certification. 00:27:54.460 --> 00:27:57.240 And it was like, did they see the video or did they not see it? 00:27:57.240 --> 00:27:58.960 Threat model low. 00:27:58.960 --> 00:27:59.960 Yeah. 00:27:59.960 --> 00:28:04.740 You don't want people to mess it up and pollute it or whatever or take it down. 00:28:04.740 --> 00:28:08.060 But at the same time, it's not going to make the front page of the news. 00:28:08.060 --> 00:28:09.240 Exactly. 00:28:09.240 --> 00:28:10.340 Exactly. 00:28:10.340 --> 00:28:11.200 We now know. 00:28:11.200 --> 00:28:16.720 Everyone we know that Nurse 7725 has not been up to date. 00:28:16.720 --> 00:28:22.800 I mean, it's not great, but it's not the same as social security numbers and all that. 00:28:22.800 --> 00:28:23.380 Exactly. 00:28:23.380 --> 00:28:24.020 Yeah. 00:28:24.020 --> 00:28:24.700 All right. 00:28:24.700 --> 00:28:25.820 Let's talk about your book. 00:28:25.820 --> 00:28:27.400 I think your book is really good. 00:28:27.400 --> 00:28:28.120 Yes. 00:28:28.120 --> 00:28:33.820 Now, to be clear, specifically the Alice and Bob Lawrence Cure Coding, because I haven't read the other book. 00:28:33.820 --> 00:28:36.900 But if it's in the same style, it seems to me, I'm sure it's also good. 00:28:36.900 --> 00:28:37.880 Tell us about your books. 00:28:37.880 --> 00:28:39.340 Thank you. 00:28:39.340 --> 00:28:43.220 So my new book's called Alice and Bob Lawrence Cure Coding. 00:28:43.220 --> 00:28:45.580 And I'm dyslexic. 00:28:45.580 --> 00:28:48.300 And I'm about to get diagnosed for ADHD, too. 00:28:48.300 --> 00:28:49.460 Because why not? 00:28:50.140 --> 00:28:52.100 They go so well together. 00:28:52.100 --> 00:28:52.400 Yay. 00:28:52.400 --> 00:28:57.800 And so when I read a textbook, I find it really hard. 00:28:57.800 --> 00:29:00.200 So I read a zillion books. 00:29:00.200 --> 00:29:01.520 Like, I love books. 00:29:01.520 --> 00:29:03.760 Sitting still is hard for me. 00:29:03.760 --> 00:29:06.600 Reading a textbook, I find really, really hard. 00:29:06.600 --> 00:29:08.960 I want that knowledge to be in my brain very badly. 00:29:08.960 --> 00:29:11.960 But sitting my butt still for eight hours is really difficult. 00:29:12.520 --> 00:29:15.900 And I found traditional textbooks really difficult. 00:29:15.900 --> 00:29:21.540 So I started blogging because someone double dog dared me when I worked at Microsoft. 00:29:21.540 --> 00:29:22.940 And what else could I do, right? 00:29:22.940 --> 00:29:25.020 There's no way out. 00:29:25.020 --> 00:29:25.800 They've done it. 00:29:25.800 --> 00:29:26.820 I know. 00:29:26.820 --> 00:29:28.660 There's nothing I could do. 00:29:28.660 --> 00:29:30.600 Brock, you faded me into a corner. 00:29:31.540 --> 00:29:33.300 But I just kept blogging and blogging. 00:29:33.300 --> 00:29:35.560 And people kept telling me I should write a book. 00:29:35.560 --> 00:29:37.260 And publishers started reaching out to me. 00:29:37.260 --> 00:29:39.960 I'm like, yeah, but my blog's very casual language. 00:29:39.960 --> 00:29:42.780 I use a lot of examples with Alice and Bob. 00:29:42.780 --> 00:29:48.160 Alice and Bob were used by mathematicians to explain cryptography to normal people. 00:29:48.160 --> 00:29:50.260 So Alice wants to tell Bob a secret. 00:29:50.260 --> 00:29:52.040 How does Bob know it was Alice? 00:29:52.040 --> 00:29:55.540 And so I just kept using them because we all use them. 00:29:55.540 --> 00:29:59.060 And so basically, Wiley approached me. 00:29:59.140 --> 00:30:02.040 And they're like, yeah, you can write the weirdest textbook in the whole world. 00:30:02.040 --> 00:30:04.620 I'm like, because Alice is going to date people. 00:30:04.620 --> 00:30:06.080 He's like, okay. 00:30:06.080 --> 00:30:15.560 So my first book was for AppSec engineers and people that want to work in application security 00:30:15.560 --> 00:30:17.920 because there was no book of how to do that. 00:30:17.920 --> 00:30:19.880 So I wrote a book for past me. 00:30:19.880 --> 00:30:24.780 And so then when I thought about Alice and Bob having a sequel, I was like, I want to write 00:30:24.780 --> 00:30:28.520 a book for really past me for when I was a software developer. 00:30:28.520 --> 00:30:31.020 And so I was like, what should I cover? 00:30:31.020 --> 00:30:38.620 And so I covered the 10 top programming languages and the eight most popular frameworks within 00:30:38.620 --> 00:30:39.500 reason. 00:30:39.500 --> 00:30:45.960 So like some frame, like it was hard to pick the frameworks because I was like, oh, I was 00:30:45.960 --> 00:30:46.980 thinking about that when I was reading. 00:30:46.980 --> 00:30:48.880 I'm like, oh yeah, these are, it's not so easy. 00:30:49.060 --> 00:30:49.820 It was hard. 00:30:49.820 --> 00:30:51.540 And so I asked a lot of my followers. 00:30:51.540 --> 00:30:57.260 And so you might disagree with me about the frameworks I chose, but I really liked .NET. 00:30:57.260 --> 00:30:58.720 So it was obviously going to be in there. 00:30:58.720 --> 00:31:00.720 Flask, obviously going to be in there. 00:31:00.720 --> 00:31:03.680 But I was like, should I put pandas in here? 00:31:03.680 --> 00:31:07.780 Or should I put, I put in jQuery and my advice is don't use jQuery. 00:31:09.600 --> 00:31:10.040 Yeah. 00:31:10.040 --> 00:31:12.200 But document ready was so good. 00:31:12.200 --> 00:31:12.640 Come on. 00:31:12.640 --> 00:31:18.460 And so, so it was hard to choose. 00:31:18.460 --> 00:31:25.620 And then I wanted to cover like all the different agnostic programming advice, because to be quite 00:31:25.620 --> 00:31:30.080 blunt, there's a lot of stuff like input validation that applies to every single language in the 00:31:30.080 --> 00:31:31.380 world and every framework. 00:31:31.380 --> 00:31:32.420 It just doesn't matter. 00:31:32.420 --> 00:31:36.080 And I don't care if some of them say they do some input validation for you. 00:31:36.080 --> 00:31:36.780 It's not enough. 00:31:36.780 --> 00:31:37.820 Trust me. 00:31:38.120 --> 00:31:43.000 And so I wanted, so like the first third of the book is just completely agnostic. 00:31:43.000 --> 00:31:47.960 And I've been giving secure coding training basically since before the first book. 00:31:47.960 --> 00:31:52.220 And I just keep refining it and refining it and improving and improving it. 00:31:52.220 --> 00:31:56.520 And I was like, well, I have a lot to say on this subject now. 00:31:56.520 --> 00:32:01.260 And so then I asked all my followers, like, what do you want to see in the book? 00:32:01.260 --> 00:32:02.600 And they added a bunch of things. 00:32:02.600 --> 00:32:04.460 Like, they're like, oh, I want to see this topic. 00:32:04.460 --> 00:32:05.360 I want to see that topic. 00:32:05.360 --> 00:32:06.640 So it got even bigger. 00:32:06.640 --> 00:32:13.140 But then the end of the book, the last third is the system development lifecycle, all the 00:32:13.140 --> 00:32:16.020 security steps, but from a developer's point of view. 00:32:16.020 --> 00:32:20.560 Because when I was a dev, it was like, why am I being subjected to this? 00:32:20.560 --> 00:32:22.500 Like, what's a threat model? 00:32:22.500 --> 00:32:27.980 I remember being in a meeting and this woman was like, you want to do a penetration test on 00:32:27.980 --> 00:32:28.380 me? 00:32:28.380 --> 00:32:33.380 And then she turned bright red and was like, I don't know if I should be in this meeting. 00:32:33.380 --> 00:32:36.640 I was like, no, no, no, no, no, no. 00:32:36.640 --> 00:32:39.620 She's like, I was talking. 00:32:39.620 --> 00:32:40.660 I'm not a doctor. 00:32:40.660 --> 00:32:41.440 This is going to be fun. 00:32:41.440 --> 00:32:41.740 I know. 00:32:41.740 --> 00:32:42.440 I know. 00:32:42.440 --> 00:32:44.860 I was like, your web app, your web app. 00:32:44.860 --> 00:32:47.920 She's like, you just used a lot of words that were uncomfortable. 00:32:47.920 --> 00:32:49.200 I'm like, I'm so sorry. 00:32:50.160 --> 00:32:55.820 And so it's like, what to expect when a penetration test happens or like in a threat model, like 00:32:55.820 --> 00:32:59.200 bring your awesome ideas of how you would hack your app. 00:32:59.200 --> 00:33:02.920 And like, this is maybe how much will be expected from you. 00:33:03.160 --> 00:33:08.920 And why we like, what all these tools are and what they do and how you might want to use 00:33:08.920 --> 00:33:09.360 them. 00:33:09.360 --> 00:33:14.680 Because I feel like sometimes we just, I've heard a lot of security teams say to me, well, 00:33:14.680 --> 00:33:15.700 they should know. 00:33:15.700 --> 00:33:17.980 I'm like, do you think if they knew they would have done that thing? 00:33:17.980 --> 00:33:18.420 No. 00:33:18.420 --> 00:33:20.720 Did you, did you tell them it explicitly? 00:33:20.720 --> 00:33:22.220 Well, I felt it was implied. 00:33:22.220 --> 00:33:24.660 Dude, that's not good enough. 00:33:24.660 --> 00:33:29.360 This portion of Talk Python To Me is brought to you by Bluehost. 00:33:29.360 --> 00:33:32.600 Got ideas, but no idea how to build a website? 00:33:32.920 --> 00:33:33.720 Get Bluehost. 00:33:33.720 --> 00:33:39.140 With their AI design tool, you can quickly generate a high quality, fast loading WordPress 00:33:39.140 --> 00:33:40.220 site instantly. 00:33:40.220 --> 00:33:43.900 Once you've nailed the look, just hit enter and your site goes live. 00:33:43.900 --> 00:33:44.920 It's really that simple. 00:33:44.920 --> 00:33:49.480 And it doesn't matter whether you're a hobbyist, entrepreneur, or just starting your side hustle. 00:33:49.480 --> 00:33:55.120 Bluehost has you covered with built-in marketing and e-commerce tools to help you grow and scale 00:33:55.120 --> 00:33:56.560 your website for the long haul. 00:33:56.560 --> 00:34:00.780 Since you're listening to my show, you probably know Python, but sometimes it's better to focus 00:34:00.780 --> 00:34:05.740 on what you're creating rather than a custom built website and add another month till you 00:34:05.740 --> 00:34:06.500 launch your idea. 00:34:06.500 --> 00:34:12.660 When you upgrade to Bluehost cloud, you get 100% uptime and 24 seven support to ensure your 00:34:12.660 --> 00:34:15.080 site stays online through heavy traffic. 00:34:15.080 --> 00:34:18.920 Bluehost really makes building your dream website easier than ever. 00:34:19.120 --> 00:34:20.200 So what's stopping you? 00:34:20.200 --> 00:34:21.480 You've already got the vision. 00:34:21.480 --> 00:34:22.260 Make it real. 00:34:22.260 --> 00:34:27.180 Visit talkpython.fm/bluehost right now and get started today. 00:34:27.180 --> 00:34:29.700 And thank you to Bluehost for supporting the show. 00:34:30.740 --> 00:34:31.980 Yeah, I totally agree with you. 00:34:31.980 --> 00:34:33.860 And there's a really, let me do a quick search. 00:34:33.860 --> 00:34:37.360 There's a really interesting fact, at least from the Python space. 00:34:37.360 --> 00:34:44.080 If you look at the latest survey from the PSF and the JetBrains, how long have you been programming? 00:34:44.080 --> 00:34:45.700 There's a little one somewhere. 00:34:45.700 --> 00:34:45.920 Yeah. 00:34:45.920 --> 00:34:47.500 How long have you been programming professionally? 00:34:47.500 --> 00:34:49.800 33% less than a year. 00:34:49.800 --> 00:34:57.220 And if you look at less than two years, that's 50, that's half of the people doing software just 00:34:57.220 --> 00:34:57.780 got started. 00:34:58.180 --> 00:35:01.120 They probably don't even get the little Bobby table jokes, you know? 00:35:01.120 --> 00:35:02.220 Yeah, I know. 00:35:02.220 --> 00:35:03.700 They need to read XKCD. 00:35:03.700 --> 00:35:05.200 Yes, I know. 00:35:05.200 --> 00:35:08.540 But, you know, seriously, they, how are they supposed to know? 00:35:08.540 --> 00:35:10.880 They're struggling to just figure out how does it compile? 00:35:10.880 --> 00:35:12.640 Where do I get a virtual environment? 00:35:12.640 --> 00:35:14.180 Why won't I import that thing? 00:35:14.180 --> 00:35:18.300 They're, they're just, they're not at the place where they're, they're polishing it and 00:35:18.300 --> 00:35:19.040 they're, they're protecting. 00:35:19.040 --> 00:35:21.580 They haven't had the experience of, oh, I put it on the internet. 00:35:21.580 --> 00:35:22.700 I was hacked in eight seconds. 00:35:22.700 --> 00:35:23.320 You know? 00:35:23.320 --> 00:35:25.500 It hurts, man. 00:35:25.500 --> 00:35:32.500 I remember, so the guy that became my mentor, he gave a talk for my dev team because I ran 00:35:32.500 --> 00:35:34.440 the community of practice where I work. 00:35:34.440 --> 00:35:38.960 Shocker, me being an extrovert wanting to run a community of practice. 00:35:38.960 --> 00:35:44.080 And so I invited him to come and talk and he took one of our apps and he was at the login 00:35:44.080 --> 00:35:48.480 screen and he's like, I'm going to break into your app without a password and it's going 00:35:48.480 --> 00:35:50.900 to take over a minute just because I'm talking. 00:35:50.900 --> 00:35:55.360 And then he just did an SQL injection and he just got in and I was like, what? 00:35:55.360 --> 00:35:58.480 No, no, no, no, no. 00:35:58.480 --> 00:36:00.320 And then he was like telling us. 00:36:00.320 --> 00:36:05.680 And then of course, like all the SQL codes going in my head and I'm like, oh my gosh, 00:36:05.680 --> 00:36:06.900 that is very bad. 00:36:06.900 --> 00:36:14.200 What if my name, what if my name was quote dash, no quote, semicolon, drop tables, semicolon, 00:36:14.200 --> 00:36:14.880 dash, dash. 00:36:14.880 --> 00:36:16.580 That's an, that's an interesting name, isn't it? 00:36:16.780 --> 00:36:17.060 Right. 00:36:17.060 --> 00:36:20.540 We all, we all have special names, but yeah. 00:36:20.540 --> 00:36:27.960 So, I for, I forgot when you asked about my book, part of why it is weird is I try to 00:36:27.960 --> 00:36:29.100 make it casual language. 00:36:29.100 --> 00:36:30.660 So it's really easy to understand. 00:36:30.660 --> 00:36:31.040 Yeah. 00:36:31.040 --> 00:36:35.260 And I try to get, honestly, I didn't, I didn't put that together, but I had that experience 00:36:35.260 --> 00:36:35.800 reading it. 00:36:35.800 --> 00:36:37.100 So I think you nailed it. 00:36:37.100 --> 00:36:37.740 Thank you. 00:36:37.740 --> 00:36:43.440 And I try to use like different ways of explaining the same thing, like with a story and then 00:36:43.440 --> 00:36:44.760 like the technical explanation. 00:36:44.760 --> 00:36:51.280 And then maybe, there's like a funny story from Alice and Bob, cause Alice will not 00:36:51.280 --> 00:36:54.300 put up with unethical dates with pen testers. 00:36:54.300 --> 00:36:57.720 And Bob really worships this really cool guy. 00:36:57.720 --> 00:37:04.840 and like seeing it, how it applies to people's real lives, I felt like hit home with 00:37:04.840 --> 00:37:05.700 a lot of people. 00:37:05.700 --> 00:37:11.920 and so, yeah, I just, I want, I feel like security can be really hard and I was like, 00:37:11.920 --> 00:37:14.200 how can I make it a lot easier for people? 00:37:14.200 --> 00:37:15.640 So that was my goal with the book. 00:37:15.640 --> 00:37:16.360 Both of them. 00:37:16.360 --> 00:37:16.480 Yeah. 00:37:16.480 --> 00:37:16.860 Yeah. 00:37:16.860 --> 00:37:18.480 Well, I think it's, I think it's really approachable. 00:37:18.480 --> 00:37:22.980 So I want to pull up a few quotes out of it that I thought we could sort of riff on that 00:37:22.980 --> 00:37:24.100 I think would be fun here. 00:37:24.700 --> 00:37:32.100 So you start out the book by talking about humans and how humans are implicitly trusting 00:37:32.100 --> 00:37:34.340 of each other in general, right? 00:37:34.340 --> 00:37:34.800 In general. 00:37:34.800 --> 00:37:39.200 But you know, that's why we have societies and groups rather than every time we see a 00:37:39.200 --> 00:37:42.860 person, we either run away or attack, you know, like that's just not how it works to 00:37:42.860 --> 00:37:43.540 be a person. 00:37:43.540 --> 00:37:44.040 Right. 00:37:44.040 --> 00:37:50.500 And that trust is not necessarily appropriately transferred to computer systems and communication 00:37:50.500 --> 00:37:51.840 systems and all. 00:37:51.840 --> 00:37:52.200 Right. 00:37:52.200 --> 00:37:58.740 So you gave some examples of implicit trust and you also gave a warning or an important 00:37:58.740 --> 00:37:59.060 news. 00:37:59.060 --> 00:38:00.160 Maybe tell us about this bit. 00:38:01.200 --> 00:38:06.420 So basically when we started designing things, like we didn't even have passwords at first. 00:38:06.420 --> 00:38:11.140 Like I remember in college, my sister telling her friend, my sister's so crazy. 00:38:11.140 --> 00:38:13.220 She has a password on her computer. 00:38:13.220 --> 00:38:16.340 Like who wants to log into your stupid computer? 00:38:16.340 --> 00:38:17.740 And she thought I was- 00:38:17.740 --> 00:38:18.860 What are you working at a bank? 00:38:18.860 --> 00:38:19.540 Come on. 00:38:19.540 --> 00:38:19.980 Right. 00:38:20.520 --> 00:38:23.320 And so now we all have passwords on our computers. 00:38:23.320 --> 00:38:30.280 And, but we design our systems the way that our society operates with implicit trust. 00:38:30.280 --> 00:38:35.160 Like just imagine like someone comes to your door with a package and they ring the doorbell, 00:38:35.160 --> 00:38:36.440 you open it. 00:38:36.440 --> 00:38:41.760 But in the animal kingdom, which I have watched a lot of nature documentaries because I have small 00:38:41.760 --> 00:38:46.740 children at home, panthers, if they see another panther, it's going down. 00:38:46.740 --> 00:38:50.960 They're going to fight or make a new baby panther or both. 00:38:50.960 --> 00:38:53.220 That is what happens in the animal kingdom. 00:38:53.220 --> 00:38:55.840 and so like they have no trust. 00:38:55.840 --> 00:38:59.280 Like some of them like try to kill each other after they try to make baby panthers. 00:38:59.280 --> 00:39:02.660 Like they're all over the place because they have no implicit trust. 00:39:02.720 --> 00:39:04.860 So you see them alone a lot. 00:39:04.860 --> 00:39:11.280 And so when we started designing networks, one of the things we would do is we would, first 00:39:11.280 --> 00:39:16.000 of all, a lot of networks in this world today are still flat, which means one firewall around 00:39:16.000 --> 00:39:17.420 the outside and that's it. 00:39:17.420 --> 00:39:22.180 So if you can get to anything in the network, you can get to everything in the network. 00:39:22.180 --> 00:39:23.900 And that is an implied trust. 00:39:23.900 --> 00:39:28.880 So then we came up with zoning, like the data, the databases are all in one zone and there's 00:39:28.880 --> 00:39:30.020 a firewall around that. 00:39:30.020 --> 00:39:32.000 And then we have like a public access zone. 00:39:32.100 --> 00:39:35.580 And then we have a deep militarized zone because we think we're badasses, et cetera. 00:39:35.580 --> 00:39:36.220 Right. 00:39:36.220 --> 00:39:42.540 And, but what happened is if you have an SQL injection, you've gotten behind the firewall and now you 00:39:42.540 --> 00:39:45.460 can get to every single database in the entire organization. 00:39:45.460 --> 00:39:47.340 You have hit the gold mind. 00:39:47.340 --> 00:39:48.240 Right. 00:39:48.240 --> 00:39:49.540 So that is bad. 00:39:49.540 --> 00:39:51.960 and then we came up with zero trust. 00:39:51.960 --> 00:39:54.900 The idea of everything is closed by default. 00:39:54.900 --> 00:39:59.200 And unless there's a business requirement, you don't open it. 00:39:59.200 --> 00:39:59.860 Right. 00:40:00.020 --> 00:40:06.780 So, let's say you have a database and an API and it has a front end and then you have 00:40:06.780 --> 00:40:07.860 a service account for those. 00:40:07.860 --> 00:40:11.160 So the service account only can talk to those three things. 00:40:11.160 --> 00:40:15.740 Oh, and it can talk to the secret management tool to get your secrets because you store your 00:40:15.740 --> 00:40:17.140 secrets in a correct place. 00:40:17.340 --> 00:40:19.580 You don't put those in source code and just check them in the GitHub. 00:40:19.580 --> 00:40:23.200 Please do not do that. 00:40:23.200 --> 00:40:27.040 I only do that when I'm trying to prove a point. 00:40:29.300 --> 00:40:35.920 But, but then ideally the API checks that who's calling it is its front end and not someone 00:40:35.920 --> 00:40:36.320 else. 00:40:36.320 --> 00:40:36.620 Right. 00:40:36.620 --> 00:40:39.620 And then it authenticates and authorizes to the database. 00:40:39.620 --> 00:40:41.800 And we have, and nothing else. 00:40:41.800 --> 00:40:43.480 No one else can call that API. 00:40:43.480 --> 00:40:47.920 Why would you be calling it unless you're a malicious actor or you're a tester? 00:40:47.920 --> 00:40:48.480 Right. 00:40:48.540 --> 00:40:51.880 So once the testing phase is over, we're in production, no one else should be talking 00:40:51.880 --> 00:40:52.160 to it. 00:40:52.160 --> 00:40:54.400 So you only accept connections from there. 00:40:54.400 --> 00:40:58.560 And if, if we do zero trust perfectly, it is amazing. 00:40:58.820 --> 00:41:05.260 But quite often, we have partial implementations because it's quite a lot of work to implement. 00:41:05.260 --> 00:41:08.420 And if you get it wrong, it can be painful. 00:41:08.420 --> 00:41:10.040 Yeah. 00:41:10.040 --> 00:41:11.400 Yeah. 00:41:11.400 --> 00:41:16.920 What do you think about, things like thinks to canaries and those types of things? 00:41:16.920 --> 00:41:19.220 Maybe tell me what that is real quick. 00:41:19.220 --> 00:41:20.000 Yeah. 00:41:20.000 --> 00:41:25.940 So, there's this guy named Harum Mia who goes on risky business all the time, which is 00:41:25.940 --> 00:41:26.440 a podcast. 00:41:26.440 --> 00:41:26.960 I like. 00:41:26.960 --> 00:41:28.300 It's a good podcast. 00:41:28.500 --> 00:41:28.820 Yeah. 00:41:28.820 --> 00:41:30.220 Patrick Gray and Alex. 00:41:30.220 --> 00:41:31.800 What's the guy's first name? 00:41:31.800 --> 00:41:32.340 It's not Alex. 00:41:32.340 --> 00:41:32.620 Is it? 00:41:32.620 --> 00:41:37.200 I thought the guy, like the, is it Nick, the guy that he chats with? 00:41:37.200 --> 00:41:39.140 I haven't listened to it in like a year. 00:41:39.140 --> 00:41:39.620 Yeah. 00:41:39.620 --> 00:41:39.960 I'm sorry. 00:41:39.960 --> 00:41:42.400 Last name below, but first name, forget it. 00:41:42.400 --> 00:41:43.500 Anyway, they, they do a good show. 00:41:43.500 --> 00:41:43.680 Yeah. 00:41:43.680 --> 00:41:44.500 So yeah, go on. 00:41:44.500 --> 00:41:45.660 They're really good. 00:41:45.660 --> 00:41:48.500 It is a fun show and they're so like catty. 00:41:48.500 --> 00:41:49.080 I love it. 00:41:49.080 --> 00:41:50.500 Like they make fun of everything. 00:41:50.500 --> 00:41:51.360 Nothing is sacred. 00:41:51.360 --> 00:41:52.140 It's so fun. 00:41:52.140 --> 00:41:52.760 Absolutely. 00:41:52.760 --> 00:41:58.360 But basically, things canary, the company that Harum Mina works for, 00:41:58.440 --> 00:42:00.120 which why I've heard so much about it. 00:42:00.120 --> 00:42:01.020 Cause he's always on the show. 00:42:01.020 --> 00:42:05.440 They make, basically like these things that go on your network. 00:42:05.440 --> 00:42:09.000 So for instance, it could be like a fake word file. 00:42:09.620 --> 00:42:13.380 it could be a, some sort of fake file somewhere on your network. 00:42:13.380 --> 00:42:17.640 And then you see if it gets stolen and shows up somewhere cause it calls home. 00:42:17.880 --> 00:42:25.340 And so people go, so imagine like you have a data breach and then you can see because it 00:42:25.340 --> 00:42:27.960 phones home or you search the internet all the time to look for that. 00:42:27.960 --> 00:42:29.800 And you see, Oh crap, that's there. 00:42:29.800 --> 00:42:31.940 I actually was on stack overflow today. 00:42:31.940 --> 00:42:34.500 as a viewer, cause I'm banned for life. 00:42:34.500 --> 00:42:35.540 That's a long story. 00:42:35.980 --> 00:42:39.680 I tried to answer all the SunGrap questions in one day and they didn't like it. 00:42:39.680 --> 00:42:44.180 I feel like they should give you an award, not a ban, but okay. 00:42:44.180 --> 00:42:47.180 I know it's a, I agree. 00:42:47.180 --> 00:42:47.660 Right. 00:42:47.660 --> 00:42:51.140 Some of my answers, they didn't like, like, don't suppress that result. 00:42:51.140 --> 00:42:52.060 You have cross-site scripting. 00:42:52.060 --> 00:42:53.040 Here's how you fix your code. 00:42:53.040 --> 00:42:54.780 They're like, you didn't answer his question. 00:42:54.780 --> 00:42:56.240 Down vote, down vote. 00:42:57.020 --> 00:42:59.000 But anyway, the internet can be harsh. 00:42:59.000 --> 00:43:01.200 What were you saying about this trust and well-meaning? 00:43:01.200 --> 00:43:01.920 I don't know. 00:43:01.920 --> 00:43:02.980 Yeah. 00:43:02.980 --> 00:43:08.280 But so, so basically like this guy was saying his website keeps getting scraped by all his 00:43:08.280 --> 00:43:11.780 competitors rather than them typing out the information himself. 00:43:11.780 --> 00:43:18.320 So he puts fake musical artists into his database and then he goes to other companies and he searches 00:43:18.320 --> 00:43:23.340 for those fake musical artists and then he sends them ceases and desists. 00:43:24.400 --> 00:43:30.080 And so like the idea of a canary is that like the canary in the coal mine, but basically 00:43:30.080 --> 00:43:31.260 someone steals it. 00:43:31.260 --> 00:43:36.920 And then if it can, I believe that some of them can call home, but basically if they use 00:43:36.920 --> 00:43:38.940 it somewhere, you can see it's yours. 00:43:38.940 --> 00:43:41.500 And then you're like, oh, we are in trouble. 00:43:41.500 --> 00:43:42.460 Yeah. 00:43:42.460 --> 00:43:44.520 It's an early, early alarm. 00:43:44.520 --> 00:43:47.220 You know, the canary in the coal mine sort of deal, right? 00:43:47.220 --> 00:43:52.680 I think that it's a cool idea, but I think that if the canary calls out to you, you're already 00:43:52.680 --> 00:43:54.060 pretty screwed, right? 00:43:54.320 --> 00:43:54.440 Yeah. 00:43:54.440 --> 00:43:55.380 It's pretty bad. 00:43:55.380 --> 00:43:59.860 I think that it's cool, but it wouldn't be the first security measure I would do. 00:43:59.860 --> 00:44:04.760 It would be like, I have an advanced program that's like good and I want it to be super 00:44:04.760 --> 00:44:05.380 great. 00:44:05.380 --> 00:44:06.040 Yeah. 00:44:06.040 --> 00:44:06.480 Yeah. 00:44:06.480 --> 00:44:07.240 Sounds good. 00:44:07.240 --> 00:44:07.620 All right. 00:44:07.620 --> 00:44:11.540 So you say, if you only learn one single thing from your book or this podcast episode, 00:44:11.540 --> 00:44:12.960 let's put it, let's adapt it. 00:44:12.960 --> 00:44:14.020 I hope it is this. 00:44:14.020 --> 00:44:17.460 Design every system with as little implied trust as possible. 00:44:17.460 --> 00:44:18.120 It's true. 00:44:18.120 --> 00:44:19.860 And I highlighted that in purple for you. 00:44:19.860 --> 00:44:20.160 How's that? 00:44:20.160 --> 00:44:22.660 It's true. 00:44:23.040 --> 00:44:27.680 We want to, so in my first book, I'm like, trust no one, not even your mom, because my 00:44:27.680 --> 00:44:31.960 mom accidentally sent me a virus one day and I opened it because it was from my mom. 00:44:31.960 --> 00:44:33.620 Oh no. 00:44:34.000 --> 00:44:39.620 And so you can't even trust your mom, even if your mom's a brilliant mathematician chemist, 00:44:39.620 --> 00:44:42.920 because she can still get a virus on her computer. 00:44:42.920 --> 00:44:43.580 Yeah. 00:44:43.580 --> 00:44:45.580 Because it turned out grandma sent it to her. 00:44:45.580 --> 00:44:46.460 Yeah. 00:44:46.460 --> 00:44:48.360 And she trusted grandma. 00:44:48.360 --> 00:44:51.840 Grandma's not even sophisticated enough to send a virus. 00:44:51.840 --> 00:44:52.420 Is she? 00:44:52.460 --> 00:44:52.780 I know. 00:44:52.780 --> 00:44:54.420 Well, it turned out she was. 00:44:54.420 --> 00:44:57.820 But anyway, so don't trust anyone. 00:44:57.820 --> 00:45:03.060 So when you get input to your app, to your API, wherever it comes from. 00:45:03.060 --> 00:45:05.620 So that can mean getting stuff out of your database. 00:45:05.620 --> 00:45:12.500 So unless it's a static table that you know for sure is trusted, you should be checking the 00:45:12.500 --> 00:45:13.280 stuff from the database. 00:45:13.280 --> 00:45:16.820 So let's say someone's like filling out a form and then you save it to the database. 00:45:16.820 --> 00:45:18.500 So you would want to validate those values. 00:45:18.500 --> 00:45:19.680 You save it to the database. 00:45:19.680 --> 00:45:24.320 So then let's say an API goes and get some of that data to go do stuff with it. 00:45:24.320 --> 00:45:27.600 I would validate those values again before I use that. 00:45:27.600 --> 00:45:33.060 And then they put it on a webpage and it has JavaScript angle brackets in it. 00:45:33.060 --> 00:45:33.620 Yes. 00:45:33.620 --> 00:45:36.480 Then I would output and code it before I put it out there. 00:45:36.480 --> 00:45:39.520 And I would have content security policy header and a bunch of other things. 00:45:39.520 --> 00:45:40.460 But I digress. 00:45:40.460 --> 00:45:47.860 But if we could not trust anything that we get and always validate that it is what we 00:45:47.860 --> 00:45:48.360 are expecting. 00:45:48.360 --> 00:45:49.980 And if it's not, we reject it. 00:45:49.980 --> 00:45:51.420 So we don't try to fix it. 00:45:51.420 --> 00:45:52.760 Is it what we're expecting? 00:45:52.760 --> 00:45:56.360 And so this can mean like, so let's say it's a date of birth. 00:45:56.360 --> 00:45:58.840 So is it first of all, is it a date? 00:45:58.840 --> 00:46:00.860 Is it in the past? 00:46:00.860 --> 00:46:03.360 Is it more than 150 years in the past? 00:46:03.360 --> 00:46:04.580 Because that's less likely. 00:46:04.580 --> 00:46:07.900 Is it in the format you're expecting? 00:46:08.380 --> 00:46:10.420 Those are some of the things that we could check. 00:46:10.420 --> 00:46:15.480 And if it's not any of, if any one of those things are wrong, reject and just say, hey, 00:46:15.480 --> 00:46:16.540 actually we're expecting this. 00:46:16.540 --> 00:46:19.520 But let's say you need a person's name. 00:46:19.520 --> 00:46:21.760 So I work with someone named Luke O'Malley. 00:46:21.760 --> 00:46:26.560 Well, he has a single quote in his last name, which is a special character if we are going 00:46:26.560 --> 00:46:27.720 to use an SQL database. 00:46:27.720 --> 00:46:30.000 So what am I expecting? 00:46:30.000 --> 00:46:32.580 I'm expecting letters, lower and uppercase. 00:46:32.580 --> 00:46:36.500 And I'm expecting a hyphen and or a single quote. 00:46:36.760 --> 00:46:40.580 All of those are on my yes approved list, my allow list. 00:46:40.580 --> 00:46:43.900 So I check it against my allow list, not a block list. 00:46:43.900 --> 00:46:47.500 Because a block list of bad characters, guess what's going to happen? 00:46:47.500 --> 00:46:48.680 Tanya's goes around it. 00:46:48.680 --> 00:46:48.920 Yep. 00:46:48.920 --> 00:46:49.280 Thanks. 00:46:49.280 --> 00:46:49.940 I'm in. 00:46:49.940 --> 00:46:54.080 Usually Unicode escape sequence forward or some random thing. 00:46:54.080 --> 00:46:54.720 Yes. 00:46:54.720 --> 00:46:56.780 There's a zillion ways around it. 00:46:56.780 --> 00:47:02.200 And like, I remember when I learned that, how sad I was for all my past apps. 00:47:02.200 --> 00:47:09.320 And so you use an approved list of good stuff and you accept the single character and you 00:47:09.320 --> 00:47:12.540 accept the hyphen and then you sanitize or escape them. 00:47:12.540 --> 00:47:15.240 So sanitize means changing it for a different value. 00:47:15.240 --> 00:47:20.560 So you might want to change the hyphen to a pipe and you might, or probably not a pipe, 00:47:20.560 --> 00:47:21.880 maybe that's still a special character. 00:47:21.880 --> 00:47:23.680 But like, let's say the carrot. 00:47:23.680 --> 00:47:27.740 And then you change the single quote to the tilde symbol. 00:47:27.740 --> 00:47:30.340 And then those are not a problem. 00:47:30.340 --> 00:47:31.960 And then you pass that on. 00:47:31.960 --> 00:47:33.680 So you validate that's what you're expecting. 00:47:33.880 --> 00:47:37.700 And then you have either escape, sanitize it or escape them. 00:47:37.700 --> 00:47:40.320 So just put like a backslash in front of the special characters. 00:47:40.320 --> 00:47:46.080 Or maybe HTML or URL encode them to that, you know, percent some numbers, which is the 00:47:46.080 --> 00:47:48.180 quote or I don't know, whatever, whatever it resolves to. 00:47:48.180 --> 00:47:50.580 It depends on what you want to do with it. 00:47:50.580 --> 00:47:54.300 So if you're going to take that and then put it into a parameter and send it to a 00:47:54.300 --> 00:47:58.140 parameterized query, maybe, maybe you want to escape it. 00:47:58.140 --> 00:48:00.880 It's going to escape it for you when it gets there. 00:48:01.180 --> 00:48:04.500 There's a lot of options, but single quotes are kind of the danger zone. 00:48:04.500 --> 00:48:05.840 So I want to be careful. 00:48:05.840 --> 00:48:06.880 They're definitely tricky. 00:48:06.880 --> 00:48:07.700 All right. 00:48:07.700 --> 00:48:08.860 Next section. 00:48:08.860 --> 00:48:11.600 This is the Python section. 00:48:11.600 --> 00:48:17.520 So you have, as you said, a bunch of different technologies and they're quite up to date. 00:48:17.520 --> 00:48:18.840 You've got Node.js. 00:48:18.840 --> 00:48:23.240 You've got .NET Core, not the old crusty Windows only .NET. 00:48:23.240 --> 00:48:25.000 You've got Python, Python 3 stuff. 00:48:25.000 --> 00:48:26.680 So I think that's great. 00:48:26.680 --> 00:48:30.480 So let's talk about some of the what to do. 00:48:30.640 --> 00:48:34.420 Maybe just pick a few off this list that jump out at you that you want to talk about. 00:48:34.420 --> 00:48:35.540 Okay. 00:48:35.540 --> 00:48:37.140 So some of them are really obvious. 00:48:37.140 --> 00:48:38.720 Like, please use Python 3. 00:48:38.720 --> 00:48:41.220 It's time to say goodbye to Python 2. 00:48:41.220 --> 00:48:45.140 I know that we can still love it in our hearts, but new apps need to be Python 3. 00:48:45.140 --> 00:48:47.840 And updating our environment often. 00:48:47.840 --> 00:48:49.560 This goes for every framework. 00:48:49.880 --> 00:48:58.600 One thing is, is if you find a real security bug, reporting it to the security folks from Python, that is a valuable thing to do. 00:48:58.600 --> 00:49:06.840 Whatever programming language or framework you're in, if you feel you found a real legit bug, you should support it or you should report it. 00:49:06.920 --> 00:49:11.980 Because as a result, when they fix it, they're fixing it for thousands and thousands and thousands of devs. 00:49:11.980 --> 00:49:13.920 And you are a wonderful human. 00:49:13.920 --> 00:49:15.360 So that is that. 00:49:15.360 --> 00:49:15.540 Pay it forward. 00:49:15.540 --> 00:49:16.120 Yeah. 00:49:16.120 --> 00:49:20.100 And I want to give a shout out to the PSF and Python folks. 00:49:20.100 --> 00:49:26.320 They've made a lot of efforts in putting more time and energy into the security at Python. 00:49:26.800 --> 00:49:32.780 Both Mike Fiedler got hired as the security person behind PyPI, the package index. 00:49:32.780 --> 00:49:37.440 And Seth Larson got hired for more broadly Python security. 00:49:37.440 --> 00:49:39.040 Hopefully I've characterized that right. 00:49:39.040 --> 00:49:41.500 But we now have two full-time people working on it. 00:49:41.500 --> 00:49:45.900 Whereas before it was kind of core devs and other people contributing their spare time. 00:49:45.900 --> 00:49:47.300 Hopefully they could grab it, you know? 00:49:47.300 --> 00:49:48.160 So that's good. 00:49:48.360 --> 00:49:57.300 And you point out that there's a security at python.org email address for legitimate reports and not hassling busy people. 00:49:57.300 --> 00:49:57.780 Yes. 00:49:57.780 --> 00:49:58.780 Don't hassle them. 00:49:58.780 --> 00:50:01.000 Test and make sure it's repeatable. 00:50:01.000 --> 00:50:03.060 Like these people are very busy. 00:50:03.060 --> 00:50:06.480 There are so many things. 00:50:06.480 --> 00:50:10.240 So one of the things was, so like let's say you're taking, because we're talking about user input. 00:50:10.240 --> 00:50:16.460 And we're taking, so the bottom of that page, we're taking user input as a string from your code. 00:50:16.580 --> 00:50:23.220 And we can use the template class from the string module rather than other functions for string manipulation. 00:50:23.220 --> 00:50:26.100 So if we do that, it's safer. 00:50:26.100 --> 00:50:28.500 There's less string overloads. 00:50:28.500 --> 00:50:36.700 Like if we avoid using, for instance, fstring and string format for handling user input, because that can be manipulated by the user. 00:50:36.700 --> 00:50:43.660 So it sounds weird, but like using the template class from the string module can't be manipulated as easily. 00:50:43.660 --> 00:50:44.260 Interesting. 00:50:44.260 --> 00:50:45.920 Yeah, I know. 00:50:46.060 --> 00:50:47.740 I had to do a lot of research for this. 00:50:47.740 --> 00:50:48.640 I bet. 00:50:48.640 --> 00:50:49.480 Yeah. 00:50:49.480 --> 00:50:59.820 And they just added a new type to the Python type system called a literal string, which works for SQL for things that are not meant to accept user input. 00:50:59.820 --> 00:51:06.560 So if you had a literal string, that was a query and you combined it with stuff that came from a regular string, like a user input. 00:51:06.560 --> 00:51:11.520 And then you would check it with a Python type checker. 00:51:11.520 --> 00:51:14.800 And then you would check it with a mypy type of checker. 00:51:14.800 --> 00:51:16.720 That is very cool. 00:51:16.720 --> 00:51:18.200 Yeah, yeah, yeah. 00:51:18.200 --> 00:51:18.800 That's pretty neat. 00:51:18.800 --> 00:51:21.500 There's not too many tools to support it, but the static type checkers do. 00:51:21.740 --> 00:51:26.200 Another one I think that's worth calling out here is you talked about, be sure you pin your dependencies. 00:51:26.200 --> 00:51:28.640 Yes. 00:51:28.640 --> 00:51:33.180 I'm like looking through all of the notes. 00:51:33.180 --> 00:51:34.360 You have them. 00:51:36.420 --> 00:51:37.560 Pinning. 00:51:37.560 --> 00:51:42.320 So I got into like a lot of arguments with my technical editors about this one. 00:51:42.800 --> 00:51:54.020 So you want to pin your dependencies, like as you're going through all the different environments and not allow it to update out when you get to prod, because otherwise you're all testing different versions. 00:51:54.020 --> 00:51:54.540 Right. 00:51:54.540 --> 00:51:59.940 So you want to make sure you're using the same one across the board that you're testing, because otherwise your tests aren't accurate. 00:51:59.940 --> 00:52:00.420 Right. 00:52:00.420 --> 00:52:01.240 Yeah. 00:52:01.240 --> 00:52:08.000 It might be the same, or it could be an important library got an update between when you checked it in and when it got built to a Docker container or something. 00:52:08.000 --> 00:52:08.640 And it's different. 00:52:09.360 --> 00:52:15.000 But the other thing is, is that you don't want it to be permanently like that forever. 00:52:15.000 --> 00:52:19.040 And so like when you're, so it sounds weird. 00:52:19.040 --> 00:52:23.360 So you pin it there, but then I can't remember where it is. 00:52:23.360 --> 00:52:29.080 I think the, I think the big distinction is, are you building an application or are you building a library? 00:52:29.080 --> 00:52:32.960 People are building applications with, because your application should pick its versions. 00:52:32.960 --> 00:52:39.120 But if you pick them concretely for the library, you're forcing potentially old vulnerable versions onto people. 00:52:39.120 --> 00:52:39.640 Right. 00:52:39.640 --> 00:52:43.720 There's this tension of, of what role am I playing, which I think is tricky. 00:52:43.720 --> 00:52:44.400 Yes. 00:52:44.400 --> 00:52:51.760 So ideally, like if you're like about to go to prod with something, you don't want it changing in different environments. 00:52:51.760 --> 00:52:52.840 That could be really bad. 00:52:52.840 --> 00:52:55.800 But yeah, like you said, pinning the version. 00:52:55.800 --> 00:52:57.560 Well, I'm just like reading it on the screen. 00:52:59.340 --> 00:53:04.700 We, so I remember like I was installed, I was doing like a proof of concept with this company. 00:53:04.700 --> 00:53:10.380 And in order to install it, it wanted me to downgrade a bunch of npm dependencies. 00:53:10.380 --> 00:53:16.360 And then it showed me that there were huge vulnerabilities in those dependencies that they'd asked me to use. 00:53:16.360 --> 00:53:18.300 And I was like, well, like deal breaker buddy. 00:53:18.300 --> 00:53:18.820 Right. 00:53:18.820 --> 00:53:28.100 And so when you are creating like a product for someone, if they can see that and how it's compiled, like that's a deal breaker for a lot of customers. 00:53:28.100 --> 00:53:32.060 Customers are very savvy in regarding security right now. 00:53:32.060 --> 00:53:33.660 And I love it. 00:53:33.660 --> 00:53:34.700 Yeah, it's really good. 00:53:34.860 --> 00:53:47.820 And even putting security aside, you can end up, if you have two libraries, they both use a sub library, a dependency, and they have different pin versions or ones less than or greater than or less than or equal to the other is greater than equal to. 00:53:47.820 --> 00:53:49.500 And there's no intersection of those numbers. 00:53:49.500 --> 00:53:51.120 You just, you're like, well, I can't run this. 00:53:51.120 --> 00:53:57.300 I guess we just can't use these because it'll say, I can't give you both greater than two and less than two at the same time. 00:53:57.300 --> 00:53:57.600 Right. 00:53:57.600 --> 00:53:58.380 It's a hassle. 00:53:58.380 --> 00:54:01.140 But the security bid is also important, obviously. 00:54:01.140 --> 00:54:02.020 I agree. 00:54:02.020 --> 00:54:02.460 Let's see. 00:54:02.460 --> 00:54:02.860 Yeah. 00:54:02.860 --> 00:54:04.160 So, bandit. 00:54:04.160 --> 00:54:07.740 Bandit's an interesting, interesting tool. 00:54:07.740 --> 00:54:14.020 Bandit is a free static analysis tool that specifically is made for Python. 00:54:14.020 --> 00:54:21.960 and so some of the mat, so for instance, if you're using Ruby, there's Breakman and it's made just for Ruby and that's it. 00:54:21.960 --> 00:54:27.660 So it's awesome because it only cares about your language because it's free and open source. 00:54:27.660 --> 00:54:31.420 There's not a giant security team behind it, supporting it. 00:54:31.800 --> 00:54:36.360 But if you have never used a static analysis tool, this is an excellent place to start. 00:54:36.360 --> 00:54:39.020 It's recommended over and over and over again. 00:54:39.020 --> 00:54:45.340 When I, when I teach secure coding in this, I have like this list of free Python resources. 00:54:45.340 --> 00:54:46.680 People love Python. 00:54:46.680 --> 00:54:49.700 People make a lot of tools for it because they love it. 00:54:49.700 --> 00:54:51.760 And Bandit is like really popular. 00:54:52.180 --> 00:54:52.400 Yeah. 00:54:52.400 --> 00:54:52.960 That's awesome. 00:54:52.960 --> 00:54:54.180 And it has a cool logo. 00:54:54.180 --> 00:54:56.400 It is very cute. 00:54:56.400 --> 00:54:57.720 It is very cute. 00:54:57.720 --> 00:54:59.340 I like how they call it. 00:54:59.340 --> 00:55:01.740 They call it a security linter. 00:55:02.080 --> 00:55:04.920 I would say it's a bit more like stack analysis. 00:55:04.920 --> 00:55:12.060 cause like it, it definitely is trying to find like sources and syncs, like doing flow analysis. 00:55:12.060 --> 00:55:14.720 I don't know if it does symbolic execution. 00:55:14.720 --> 00:55:16.600 Like I haven't seen like under the hood. 00:55:16.600 --> 00:55:23.960 so like when you buy like a SAS tool, there's like first generation and second generation and like different ways that they work. 00:55:24.300 --> 00:55:28.260 And I went, I'd love to know more under the hood of how it works. 00:55:28.260 --> 00:55:29.360 Yeah. 00:55:29.360 --> 00:55:29.920 Yeah. 00:55:29.920 --> 00:55:31.620 It looks really, it looks really cool. 00:55:31.620 --> 00:55:44.260 You know, it'll find common things like pickle issues or parsing YAML that might be bad or, you know, all the different things that you're still allowed to do, but people decided probably are not the best choices, but we'll leave it there. 00:55:44.260 --> 00:55:46.800 So we don't break things that are doing it, but don't do it. 00:55:46.800 --> 00:55:54.200 And kind of like the pointer safe string copies and C++, don't copy like you used to like, well, 00:55:54.200 --> 00:55:55.360 how do I do it now? 00:55:55.360 --> 00:55:56.380 And I don't even know anymore. 00:55:56.380 --> 00:56:02.880 You know, I feel too that like, so it's called security linter rather than stack analysis. 00:56:02.880 --> 00:56:06.680 I feel like it also focuses on code quality and not just security. 00:56:06.680 --> 00:56:11.800 And that's helpful too, because if you have higher quality code, it's just going to be more secure. 00:56:11.800 --> 00:56:14.440 It's going to be easier to maintain, easier to debug. 00:56:14.440 --> 00:56:17.280 So if there is a security problem, you can address it faster. 00:56:17.280 --> 00:56:20.620 You have less technical debt if you have higher quality code. 00:56:20.620 --> 00:56:22.420 So that's a win as well. 00:56:22.420 --> 00:56:23.300 Absolutely. 00:56:23.660 --> 00:56:23.980 All right. 00:56:23.980 --> 00:56:29.200 Let's talk about SQL relational databases, these kinds of things a little bit. 00:56:29.200 --> 00:56:34.900 I think there's, you know, the majority of people out there have an app that talks to a database. 00:56:34.900 --> 00:56:36.100 That database is relational. 00:56:36.100 --> 00:56:38.180 Usually it's running on its own server. 00:56:38.180 --> 00:56:38.700 Yeah. 00:56:38.700 --> 00:56:43.200 And when things go bad, it's usually the data that came out of the server that makes the news. 00:56:43.200 --> 00:56:44.400 Not always, but usually. 00:56:44.400 --> 00:56:45.280 Yeah. 00:56:45.280 --> 00:56:46.900 But it can be the server. 00:56:46.900 --> 00:56:46.920 What's an advisor? 00:56:48.320 --> 00:56:52.240 So, so an SQL server is a server, right? 00:56:52.240 --> 00:56:53.560 So it is a server. 00:56:53.560 --> 00:56:54.580 You need to patch it. 00:56:54.580 --> 00:56:55.920 You need to keep it up to date. 00:56:55.920 --> 00:56:57.540 You need to harden it. 00:56:57.540 --> 00:56:59.260 It comes with a hardening guide. 00:56:59.260 --> 00:57:01.660 You should do all the steps in the hardening guide. 00:57:01.920 --> 00:57:05.820 You should make sure that every single person you work with cannot access it, right? 00:57:05.820 --> 00:57:10.460 Like it seems really obvious, but you would be surprised. 00:57:11.460 --> 00:57:17.040 So like basic server hygiene applies to them. 00:57:17.040 --> 00:57:25.480 On top of that, then the SQL software, the SQL server software itself, it can be hardened as well. 00:57:25.480 --> 00:57:29.800 And that might sound odd, but like it has updates that it needs. 00:57:29.800 --> 00:57:37.200 So you, you want to make sure that you want to make sure that you have locked it down the way that you think that you should. 00:57:38.140 --> 00:57:38.620 Yeah. 00:57:38.620 --> 00:57:39.840 Then absolutely. 00:57:39.840 --> 00:57:42.280 And it can run in different users as well, right? 00:57:42.280 --> 00:57:49.480 It's easy to, it's easiest if it just runs as root, but wouldn't it be better if it, in case somebody gets to it and breaks in through it, right? 00:57:49.480 --> 00:57:52.620 You don't want them to use it as a lateral movement. 00:57:52.620 --> 00:57:56.140 You know, first they got into the server and then they went over to, you know, who knows where. 00:57:56.140 --> 00:58:04.820 We also want to make sure ideally that people are not accessing it with database owner unless they're the database owner, right? 00:58:04.820 --> 00:58:07.920 Like ideally DBO users are used rarely. 00:58:07.920 --> 00:58:11.320 Like let's say you're using MS SQL server. 00:58:11.320 --> 00:58:11.920 Yeah. 00:58:11.920 --> 00:58:14.180 That has database owner privileges. 00:58:14.180 --> 00:58:15.120 I get it. 00:58:15.120 --> 00:58:22.500 Cause you're a database administrator, but if your app or your API is accessing the database, we want to use a least privilege approach. 00:58:22.620 --> 00:58:25.740 So if you're just doing Slack statements, just do a read only user. 00:58:25.740 --> 00:58:31.180 If you're doing cred, create, read, update, delete, then you should use a read, write user. 00:58:31.180 --> 00:58:35.800 But DBO is not almost ever actually needed if we think about it. 00:58:35.800 --> 00:58:38.000 And so if you don't have that, then less can happen. 00:58:38.000 --> 00:58:38.940 That is bad. 00:58:38.940 --> 00:58:39.380 Right. 00:58:39.380 --> 00:58:42.520 Does it need access to every table or just these 10 tables? 00:58:42.520 --> 00:58:43.520 Exactly. 00:58:43.520 --> 00:58:54.480 Another thing is like classifying the data that's in each table as sensitive or not sensitive and maybe work for the government. 00:58:54.480 --> 00:59:00.120 So maybe it's like classified or secret or top secret or whatever your organization uses. 00:59:00.340 --> 00:59:09.160 But if you could classify those things and then label them, a lot of databases now have labels for sensitivity, which is awesome. 00:59:09.160 --> 00:59:18.640 But if not just add an extra field, if not just like add a field called sensitivity, and then it's just like public or unclassified or super secret. 00:59:18.640 --> 00:59:19.640 Don't show people. 00:59:20.940 --> 00:59:30.760 And when you do that, it makes life so much better if there is a security incident, because I know if I need to freak out a little or if I need to freak out a lot. 00:59:30.760 --> 00:59:37.960 And if it's not labeled, I have to assume the absolute worst when I respond until I know it's a lower threat. 00:59:37.960 --> 00:59:40.140 And that really sucks. 00:59:40.140 --> 00:59:41.320 Yeah. 00:59:41.320 --> 00:59:42.940 Yeah, for sure. 00:59:42.940 --> 00:59:47.280 Another thing that you called out in this section is make sure that logging is turned on. 00:59:47.280 --> 00:59:53.320 And you need to do this before something goes bad, because it's the logs that tell you what happened. 00:59:53.320 --> 00:59:54.480 Yes. 00:59:54.480 --> 00:59:59.380 I think logging, not just for databases, but across the board, logging is super important. 00:59:59.380 --> 01:00:00.040 Oh, yeah. 01:00:00.040 --> 01:00:09.840 I have a whole giant section in the book about what to log, what not to log, when to log, like exactly what I would love a log to look like, how to protect your logs. 01:00:10.180 --> 01:00:21.840 I had a customer and they're like 28 of our customers, their credit cards got nicked and Visa called us and they want us to prove that it wasn't us. 01:00:21.840 --> 01:00:23.880 And I'm like, great, let's go get the logs. 01:00:23.880 --> 01:00:26.480 They're like, we kind of deleted those. 01:00:26.480 --> 01:00:28.660 You know, they're hard to back up. 01:00:29.780 --> 01:00:30.680 I said, what? 01:00:30.680 --> 01:00:34.560 And they're like, well, we just switched to a new server four months ago. 01:00:34.560 --> 01:00:36.660 And so we just deleted the old server. 01:00:36.660 --> 01:00:38.720 So like, and we just did that. 01:00:38.720 --> 01:00:41.160 So like for four months, we have no records. 01:00:41.160 --> 01:00:42.520 And I said, oh my gosh. 01:00:43.420 --> 01:00:51.460 And so luckily, it turned out there was a sandwich shop in the same building and they caught an employee was skimming the cards. 01:00:51.460 --> 01:00:53.400 And so Visa's like, we figured it out. 01:00:53.400 --> 01:00:54.380 And we're like, great. 01:00:54.380 --> 01:00:55.620 I'm like, we're all getting fired. 01:00:55.620 --> 01:00:58.340 Because they just knew. 01:00:58.340 --> 01:01:10.660 But if Visa yanks your ability to use it and your main way of making money is charging money over the Internet, like you've just reduced your ability to do the main purpose of capitalism. 01:01:11.280 --> 01:01:14.900 Yeah, life is, you do not want to tick off Visa or MasterCard. 01:01:14.900 --> 01:01:16.560 Don't do it. 01:01:16.560 --> 01:01:19.700 All that stuff is definitely, it's definitely unnerving. 01:01:19.700 --> 01:01:21.820 Let's see some more advice. 01:01:21.820 --> 01:01:29.200 You got using ORM if you can, because they basically are immune, but they have a lot of automatic guards against. 01:01:29.200 --> 01:01:31.300 You're not writing direct string. 01:01:31.300 --> 01:01:33.160 So it's harder to concatenate that stuff. 01:01:33.160 --> 01:01:33.480 Yeah. 01:01:33.480 --> 01:01:38.520 They will also do a lot of the code for you, depending upon the one that you use. 01:01:38.520 --> 01:01:41.500 Like, I've used the entity relationship framework with .NET. 01:01:41.500 --> 01:01:44.400 It's like, I'm going to write all your gets and sets and do this and that for you. 01:01:44.400 --> 01:01:45.060 I'm like, oh, sweet. 01:01:45.060 --> 01:01:45.660 Thanks, buddy. 01:01:45.660 --> 01:01:47.280 And even your migrations and stuff. 01:01:47.280 --> 01:01:47.500 Yeah. 01:01:47.500 --> 01:01:48.700 It's pretty nice. 01:01:48.700 --> 01:01:49.440 Yeah. 01:01:49.440 --> 01:01:50.800 I'm a fan. 01:01:50.800 --> 01:01:51.280 I'm a believer. 01:01:51.280 --> 01:01:53.400 I know some people say, oh, it's a little bit slower or whatever. 01:01:53.400 --> 01:01:54.100 Like, yeah. 01:01:54.540 --> 01:01:56.600 But I like getting stuff done and sleeping at night. 01:01:56.600 --> 01:01:57.080 Yeah. 01:01:57.080 --> 01:02:00.800 So another one I think is really worth pointing out. 01:02:00.800 --> 01:02:03.240 Most important for databases, but also just generally. 01:02:03.240 --> 01:02:03.900 Good idea. 01:02:03.900 --> 01:02:08.660 Have an extensive and well-thought-out backup plan and try to back up something at least once. 01:02:08.660 --> 01:02:10.520 Or try to restore something at least once. 01:02:11.200 --> 01:02:11.680 Yes. 01:02:11.680 --> 01:02:22.640 I worked somewhere and we had a computer problem and they lost everyone's work in our entire 2,000-person department for the whole week. 01:02:22.640 --> 01:02:24.120 So for like the three days. 01:02:24.120 --> 01:02:24.860 It was the Wednesday. 01:02:24.860 --> 01:02:26.940 And they had lost all of our work. 01:02:27.280 --> 01:02:28.720 Everyone's work was not saved. 01:02:28.720 --> 01:02:29.840 All of it was gone. 01:02:29.840 --> 01:02:33.460 And we go to the backup guys and we're like, okay, do your thing. 01:02:33.460 --> 01:02:36.020 And they're like, oh, well, it'll take like at least a month. 01:02:36.020 --> 01:02:37.440 And we've never really tried it before. 01:02:37.440 --> 01:02:39.060 And we don't think it'll really work. 01:02:39.060 --> 01:02:41.760 And so you guys should just still redo it. 01:02:41.760 --> 01:02:44.980 And my boss was like, oh, I guess we have to redo it. 01:02:44.980 --> 01:02:48.240 And I was like, well, can I hire two new software developers? 01:02:48.240 --> 01:02:49.500 And he's like, why? 01:02:49.500 --> 01:02:51.660 I'm like, well, because those guys are obviously fired. 01:02:51.660 --> 01:02:52.360 Right? 01:02:52.360 --> 01:02:54.640 And then I can just like hire two new devs. 01:02:54.640 --> 01:02:55.240 It'll be great. 01:02:55.240 --> 01:02:56.840 And he's like, Tanya, go back to your room. 01:02:56.840 --> 01:03:00.780 But I'm like, we don't need them. 01:03:00.780 --> 01:03:05.180 Their job, they just proved that their job is completely worthless. 01:03:05.180 --> 01:03:06.680 So let's just get rid of them. 01:03:06.680 --> 01:03:08.220 And he was like, stop talking. 01:03:08.220 --> 01:03:09.240 Go away. 01:03:09.240 --> 01:03:11.600 I understand you're frustrated. 01:03:11.600 --> 01:03:14.380 That's not constructive, Tanya. 01:03:14.380 --> 01:03:16.480 If I fire them, then they're going to have to fire me because I hire them. 01:03:16.480 --> 01:03:16.920 No, I'm just kidding. 01:03:16.920 --> 01:03:22.840 You know, one thing that comes to mind, though, is, you know, back in the day, 01:03:22.840 --> 01:03:26.340 we had Suburgeon and CVS and SourceSafe and all these things. 01:03:26.340 --> 01:03:28.580 And if something went wrong with that, it was just gone. 01:03:28.580 --> 01:03:29.460 It was just gone. 01:03:29.460 --> 01:03:30.560 And now we have Git. 01:03:30.560 --> 01:03:33.820 And if something goes wrong, there might be 100 copies of it. 01:03:33.820 --> 01:03:39.060 It's less bad from a software person's perspective. 01:03:39.060 --> 01:03:42.420 Three times I have worked somewhere where they lost their code repository. 01:03:42.420 --> 01:03:43.720 Yeah. 01:03:43.720 --> 01:03:52.960 One of the times I started and one of the employees was junior and he had just deleted it by accident. 01:03:52.960 --> 01:04:00.860 And I managed to go to each person's computer and recover a ton of the code and put a lot of it back together. 01:04:00.860 --> 01:04:06.200 Another time someone just deleted it and they, I feel, were malicious. 01:04:06.900 --> 01:04:12.920 And then another time, basically, we didn't want to wait for shared services. 01:04:13.020 --> 01:04:17.920 So the Canadian government decided we would make a department that was the IT department for the whole government. 01:04:17.920 --> 01:04:19.520 And they just wouldn't give us a server. 01:04:19.520 --> 01:04:24.980 So we just took a server from another room and repurposed it and decided that was our code repo survey. 01:04:24.980 --> 01:04:26.620 And so I set up a whole network. 01:04:26.620 --> 01:04:28.680 I set up Active Directory and all this. 01:04:28.680 --> 01:04:30.460 I installed Team Foundation server. 01:04:30.460 --> 01:04:31.320 I did all the stuff. 01:04:31.320 --> 01:04:32.020 I set it all up. 01:04:32.060 --> 01:04:35.900 And I was like, listen, bud, I did this for you, but you need to back it up every night. 01:04:35.900 --> 01:04:37.360 And he promised me he would. 01:04:37.360 --> 01:04:39.700 And then five months later, it crashed. 01:04:39.700 --> 01:04:42.020 And he's like, are you going to make it go again? 01:04:42.020 --> 01:04:43.580 And it was a RAID server. 01:04:43.580 --> 01:04:45.740 And it automatically deleted everything. 01:04:45.740 --> 01:04:46.580 Yeah. 01:04:46.580 --> 01:04:48.840 And so I was like, well, get your backup. 01:04:48.840 --> 01:04:49.540 Did its job. 01:04:49.540 --> 01:04:50.100 It replicated. 01:04:50.100 --> 01:04:53.160 He had not backed it up a single time in five months. 01:04:53.160 --> 01:04:57.960 And we lost 11 contractors work for like months, like five months. 01:04:57.960 --> 01:05:00.140 I was like, I am so angry. 01:05:00.140 --> 01:05:02.460 And he's like, could you spend this weekend making us a new? 01:05:02.460 --> 01:05:03.280 I was like, no. 01:05:03.280 --> 01:05:05.400 I'm so angry at you. 01:05:05.400 --> 01:05:06.120 You'll make it. 01:05:06.120 --> 01:05:07.140 He's like, but I don't know how. 01:05:07.140 --> 01:05:08.880 I'm like, I guess it's tough to be you. 01:05:08.880 --> 01:05:10.500 You're going to learn. 01:05:10.500 --> 01:05:12.460 You're going to learn the hard way. 01:05:12.460 --> 01:05:13.320 Yeah. 01:05:13.320 --> 01:05:15.000 So we're pretty much out of time here. 01:05:15.000 --> 01:05:20.180 But I do want to maybe just point out that there is a whole section on Flask, which is pretty awesome. 01:05:20.180 --> 01:05:30.120 And you talk a lot about different extensions that you can use, like Flask Secrets for secret management or Flask WTF for SEO. 01:05:30.120 --> 01:05:33.800 There are CSRF protection and things like that. 01:05:33.800 --> 01:05:35.560 So there's a bunch of stuff in there. 01:05:35.560 --> 01:05:36.620 People want to go check that out. 01:05:36.620 --> 01:05:38.520 But I think we might need to call it for time. 01:05:38.520 --> 01:05:40.040 But yeah, this is good stuff. 01:05:40.040 --> 01:05:49.740 If you want to learn more besides obviously purchasing all of my books, I have a free online academy at academy.semgrep.dev. 01:05:50.500 --> 01:05:52.500 I don't know if you want me to spell it because that's like... 01:05:52.500 --> 01:05:53.040 Yeah. 01:05:53.040 --> 01:05:58.500 I'm going to... 01:05:58.500 --> 01:06:00.000 I'll find it. 01:06:00.000 --> 01:06:00.600 I'll find it. 01:06:00.600 --> 01:06:01.120 There. 01:06:01.120 --> 01:06:04.660 Oh, it's like it's through my full-time job. 01:06:04.660 --> 01:06:07.440 So I train on the side and I do stuff for them full-time. 01:06:07.440 --> 01:06:09.080 But I put it in our private chat. 01:06:09.080 --> 01:06:12.760 And basically, I have a free secure coding course in there. 01:06:13.100 --> 01:06:14.160 It's a few years old. 01:06:14.160 --> 01:06:16.780 Like the book is all brand new stuff. 01:06:16.780 --> 01:06:27.560 But it covers like agnostic, you know, how to do input validation, how to do output encoding, how to make sure that you are using parametrized queries, how to configure every single security header. 01:06:27.560 --> 01:06:29.700 And it's just free. 01:06:29.700 --> 01:06:35.000 And I do that because I need us to do better real bad. 01:06:35.900 --> 01:06:37.420 Please, please, please, please, please. 01:06:37.420 --> 01:06:37.900 Yeah. 01:06:37.900 --> 01:06:38.580 Well, thank you. 01:06:38.580 --> 01:06:39.180 That's awesome. 01:06:39.180 --> 01:06:40.940 Thank you. 01:06:40.940 --> 01:06:41.840 Yeah. 01:06:41.840 --> 01:06:43.460 It's been a really fun conversation. 01:06:43.460 --> 01:06:47.440 And I feel like we could probably talk for another two hours, but... 01:06:47.440 --> 01:06:48.340 I know. 01:06:48.340 --> 01:06:52.380 Well, maybe in another year or two, we'll come back if you'll have me. 01:06:52.380 --> 01:06:52.620 Yeah. 01:06:52.620 --> 01:06:53.280 Yeah. 01:06:53.280 --> 01:06:53.920 That'd be amazing. 01:06:53.920 --> 01:06:56.700 Well, let's leave it with a final call to action. 01:06:56.700 --> 01:06:57.740 People are... 01:06:57.740 --> 01:06:58.760 You have their attention. 01:06:58.760 --> 01:07:02.380 They thought, well, maybe I should validate that or learn more or do more. 01:07:02.380 --> 01:07:04.360 What do you tell them before we wrap it up? 01:07:04.360 --> 01:07:13.680 I want you to go look at whatever framework that you are using and see if there are security features and start using them in your code. 01:07:13.680 --> 01:07:17.680 So if you're using Flask, there's a whole bunch of super awesome things in Flask. 01:07:17.680 --> 01:07:18.980 Please use them. 01:07:18.980 --> 01:07:20.620 Your life will be better. 01:07:20.620 --> 01:07:21.640 Yeah, absolutely. 01:07:21.640 --> 01:07:25.220 Well, thank you for sharing all your experience and the story. 01:07:25.220 --> 01:07:26.440 That's been a lot of fun. 01:07:26.440 --> 01:07:28.320 Thank you so much for having me, Michael. 01:07:28.320 --> 01:07:29.480 Yeah, you bet. 01:07:29.480 --> 01:07:29.900 Bye. 01:07:29.900 --> 01:07:33.360 This has been another episode of Talk Python To Me. 01:07:33.820 --> 01:07:35.180 Thank you to our sponsors. 01:07:35.180 --> 01:07:36.780 Be sure to check out what they're offering. 01:07:36.780 --> 01:07:38.200 It really helps support the show. 01:07:38.200 --> 01:07:42.540 This episode is sponsored by Posit Connect from the makers of Shiny. 01:07:42.540 --> 01:07:47.060 Publish, share, and deploy all of your data projects that you're creating using Python. 01:07:47.060 --> 01:07:53.640 Streamlit, Dash, Shiny, Bokeh, FastAPI, Flask, Quarto, Reports, Dashboards, and APIs. 01:07:53.640 --> 01:07:56.020 Posit Connect supports all of them. 01:07:56.020 --> 01:08:00.400 Try Posit Connect for free by going to talkpython.fm/Posit. 01:08:00.740 --> 01:08:01.700 P-O-S-I-T. 01:08:01.700 --> 01:08:04.760 And this episode is brought to you by Bluehost. 01:08:04.760 --> 01:08:06.380 Do you need a website fast? 01:08:06.380 --> 01:08:07.260 Get Bluehost. 01:08:07.260 --> 01:08:12.620 Their AI builds your WordPress site in minutes, and their built-in tools optimize your growth. 01:08:12.620 --> 01:08:13.580 Don't wait. 01:08:13.580 --> 01:08:17.180 Visit talkpython.fm/bluehost to get started. 01:08:17.180 --> 01:08:18.720 Want to level up your Python? 01:08:19.120 --> 01:08:22.840 We have one of the largest catalogs of Python video courses over at Talk Python. 01:08:22.840 --> 01:08:27.940 Our content ranges from true beginners to deeply advanced topics like memory and async. 01:08:27.940 --> 01:08:30.620 And best of all, there's not a subscription in sight. 01:08:30.620 --> 01:08:33.520 Check it out for yourself at training.talkpython.fm. 01:08:33.520 --> 01:08:35.620 Be sure to subscribe to the show. 01:08:35.620 --> 01:08:38.400 Open your favorite podcast app and search for Python. 01:08:38.400 --> 01:08:39.720 We should be right at the top. 01:08:39.720 --> 01:08:44.880 You can also find the iTunes feed at /itunes, the Google Play feed at /play, 01:08:44.880 --> 01:08:49.080 and the direct RSS feed at /rss on talkpython.fm. 01:08:49.080 --> 01:08:52.040 We're live streaming most of our recordings these days. 01:08:52.040 --> 01:08:55.460 If you want to be part of the show and have your comments featured on the air, 01:08:55.460 --> 01:08:59.880 be sure to subscribe to our YouTube channel at talkpython.fm/youtube. 01:08:59.880 --> 01:09:01.940 This is your host, Michael Kennedy. 01:09:01.940 --> 01:09:03.220 Thanks so much for listening. 01:09:03.220 --> 01:09:04.380 I really appreciate it. 01:09:04.380 --> 01:09:06.300 Now get out there and write some Python code. 01:09:06.300 --> 01:09:27.160 I really appreciate it.