I recently started doing some large scale static analysis of a large percentage of the packages on PyPI. Using Bandersnatch from the Python Packaging Authority, it was relatively easy to download roughly ~200k of the nearly 330k packages available on PyPI today. …
A couple years ago I started to put together my own database of known vulnerabilities in Python packages. Much of my list came from NIST NVD, the Github Advisory Database, vendor disclosures and blog posts, and most recently, from the PyPA Advisory DB. …
Before we get into how to protect python applications from dependency confusion attacks, we’ll define this new attack vector, give a bit of background, and look at examples.
Dependency Confusion is a new intrusion technique that exploits the way many programming languages handle dependency resolution when projects utilize a mix…
If you’ve spent any time doing automated testing in Python you’re probably familiar with the python assert statement. Assert is incredibly handy in the context of testing. It gives you the ability to test the truthiness of a condition. If the condition is false, an AssertionError is raised. …
In early November 2020, SalesForce announced a new active TLS fingerprinting tool, inexplicably named JARM. …
If you’re a heavy python user you’ve probably come across the pickle module from the standard library at some point. You may have even heard that this library is dangerous. …
I’ve covered this in a few earlier posts, but DoS stands for Denial-of-Service. Denial-of-Service is a type of cyber attack technique where the attacker attempts to disrupt the availability of a service, application, or company. DoS attacks generally exist in one of two broad categories, Denial-of-Service (DoS) and Distributed Denial-of-Service…
Imagine this, you’re a developer at Super corp. You’re working on a new web application and you’re planning on building it using Flask. Like many Macbook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install flask using pip. …
I’ve always been fascinated by how other Cybersecurity professionals ended up in their roles. For some it was a childhood dream to be a hacker (or catch hackers) after watching an old school hacker movie, others fell into roles organically after a career in enterprise IT, and if we’re being…
First, what is cloud sprawl?
Cloud sprawl is the lack of controls against the expansion of an organization’s cloud instances, services or providers.
While instances and services are managed differently than providers, the lack of effective controls on any of these is a cause of concern for organizations.
A lack…
