Security

Managing Application Secrets with Brian Kelly - Episode 181

Summary

Any application that communicates with other systems or services will at some point require a credential or sensitive piece of information to operate properly. The question then becomes how best to securely store, transmit, and use that information. The world of software secrets management is vast and complicated, so in this episode Brian Kelly, engineering manager at Conjur, aims to help you make sense of it. He explains the main factors for protecting sensitive information in your software development and deployment, ways that information might be leaked, and how to get the whole team on the same page.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • When you’re ready to launch your next app you’ll need somewhere to deploy it, so check out Linode. With private networking, shared block storage, node balancers, and a 40Gbit network, all controlled by a brand new API you’ve got everything you need to scale up. Go to podcastinit.com/linode to get a $20 credit and launch a new server in under a minute.
  • Visit the site to subscribe to the show, sign up for the newsletter, and read the show notes. And if you have any questions, comments, or suggestions I would love to hear them. You can reach me on Twitter at @Podcast__init__ or email [email protected])
  • To help other people find the show please leave a review on iTunes, or Google Play Music, tell your friends and co-workers, and share it on social media.
  • Join the community in the new Zulip chat workspace at podcastinit.com/chat
  • Your host as usual is Tobias Macey and today I’m interviewing Brian Kelly about how to store, deploy, and use sensitive information in your applications

Interview

  • Introductions
  • How did you get introduced to Python?
  • To begin with, how do you define a secret in the context of an application?
  • What are the broad categories for solutions to secrets management?
  • What are the different aspects of secrets management in the lifecycle of developing, deploying, and maintaining an application?
  • How does the scale of a project or organization impact the strategies that are reasonable for secrets management?
  • What are some of the most challenging aspects of secrets management at the different stages of usage?
    • What are some of the common reasons that secrets management strategies fail?
    • What are some of the vulnerabilities or attack vectors that development teams should be thinking about when working with credentials?
  • What are your thoughts on versioning of secrets?
  • Beyond storing and deploying sensitive information, what are some of the secondary concerns around secrets management that development teams should be thinking about?
  • How does the use of multiple environments (e.g. dev, QA, production, etc.) affect the strategies used for secrets management?
  • What are some of the most useful resources that you have found for anyone looking to learn more about this subject?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Infection Monkey Vulnerability Scanner with Daniel Goldberg - Episode 177

Summary

How secure are your servers? The best way to be sure that your systems aren’t being compromised is to do it yourself. In this episode Daniel Goldberg explains how you can use his project Infection Monkey to run a scan of your infrastructure to find and fix the vulnerabilities that can be taken advantage of. He also discusses his reasons for building it in Python, how it compares to other security scanners, and how you can get involved to keep making it better.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • When you’re ready to launch your next app you’ll need somewhere to deploy it, so check out Linode. With private networking, shared block storage, node balancers, and a 40Gbit network, all controlled by a brand new API you’ve got everything you need to scale up. Go to podcastinit.com/linode to get a $20 credit and launch a new server in under a minute.
  • Visit the site to subscribe to the show, sign up for the newsletter, and read the show notes. And if you have any questions, comments, or suggestions I would love to hear them. You can reach me on Twitter at @Podcast__init__ or email [email protected])
  • To help other people find the show please leave a review on iTunes, or Google Play Music, tell your friends and co-workers, and share it on social media.
  • Join the community in the new Zulip chat workspace at podcastinit.com/chat
  • Your host as usual is Tobias Macey and today I’m interviewing Daniel Goldberg about Infection Monkey, an open source system breach simulation tool for evaluating the security of your network

Interview

  • Introductions
  • How did you get introduced to Python?
  • What is infection monkey and what was the reason for building it?
    • What was the reasoning for building it in Python?
    • If you were to start over today what would you do differently?
  • Penetration testing is typically an endeavor that requires a significant amount of knowledge and experience of security practices. What have been some of the most difficult aspects of building an automated vulnerability testing system?
    • How does a deployed instance keep up to date with recent exploits and attack vectors?
  • How does Infection Monkey compare to other tools such as Nessus and Nexpose?
  • What are some examples of the types of vulnerabilities that can be discovered by Infection Monkey?
  • What kinds of information can Infection Monkey discover during a scan?
    • How does that information get reported to the user?
    • How much security experience is necessary to understand and address the findings in a given report generated from a scan?
  • What techniques do you use to ensure that the simulated compromises can be safely reverted?
  • What are some aspects of network security and system vulnerabilities that Infection Monkey is unable to detect and/or analyze?
  • For someone who is interested in using Infection Monkey what are the steps involved in getting it set up?
    • What is the workflow for running a scan?
    • Is Infection Monkey intended to be run continuously, or only with the interaction of an operator?
  • What are your plans for the future of Infection Monkey?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Yosai with Darin Gordon - Episode 120

Summary

For any program that is used by more than one person you need a way to control identity and permissions. There are myriad solutions to that problem, but most of them are tied to a specific framework. Yosai is a flexible, general purpose framework for managing role-based access to your applications that has been decoupled from the underlying platform. This week the author of Yosai, Darin Gordon, joins us to talk about why he started it, his experience porting it from Java, and where he hopes to take it in the future.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who supports us on Patreon. Your contributions help to make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at www.podastinit.com/linode and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit the site to subscribe to the show, sign up for the newsletter, read the show notes, and get in touch.
  • To help other people find the show please leave a review on iTunes, or Google Play Music, tell your friends and co-workers, and share it on social media.
  • Your host as usual is Tobias Macey and today I’m interviewing
    Darin Gordon about Yosai, a security framework for Python applications

Interview

  • Introductions
  • How did you get introduced to Python?
  • What is Yosai and what is the problem that you were trying to solve when you started it?
  • How does Yosai compare to existing libraries for web frameworks such as Flask-Security or Django Guardian and why might someone choose Yosai instead?
  • In the documentation it mentions that Yosai is a port of the Apache Shiro framework from Java to Python. What was most difficult about exposing a Pythonic interface while maintaining the core principles of the original?
  • Authentication and authorization are difficult problem domains and can cause significant issues if they are not implemented in a secure fashion. How do you ensure an appropriate level of quality in Yosai to be confident having people use it?
  • To start can you describe how the framework is architected and what is involved in integrating it with a project?
  • Outside of the context of web applications, what are some situations where someone should consider integrating authentication and authorization into their project?
  • What have been some of the most challenging aspects of building the Yosai project?
  • Tell us about the Rust extension you wrote earlier this year
  • What do you have planned for the future of Yosai?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Scapy with Guillaume Valadon - Episode 107

Summary

Network protocols are often inscrutable, but if you have an effective way to experiment with them then they expose a lot of power. This week Guillaume Valadon explains how Scapy can be used to inspect your network traffic, test the security of your systems, and develop brand new protocols, all in Python!

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who supports us on Patreon. Your contributions help to make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at www.podastinit.com/linode and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit the site to subscribe to the show, sign up for the newsletter, read the show notes, and get in touch.
  • To help other people find the show please leave a review on iTunes, or Google Play Music, tell your friends and co-workers, and share it on social media.
  • Get a shirt and support the show! Go to https://teespring.com/podcastinit and get a mug to go with it.
  • Your host as usual is Tobias Macey and today I am interviewing Guillaume Valadon about Scapy, the swiss army knife for packet manipulation in Python

Interview

  • Introductions
  • How did you get introduced to Python?
  • Can you explain what Scapy is and what problem it was created to solve?
  • How has the decision to build Scapy in Python benefited the project?
  • How has the 10 year history of the project affected your ability to maintain and evolve the code?
  • How has the project evolved from the initial prototypes by Philippe Biondi through to its current incarnation as Scapy 2?
  • I understand that the project was originally hosted on Bitbucket and then moved to Github. What prompted that decision and how has it played out?
  • Who is the target audience and what are some of the primary intended use cases for Scapy?
  • How is the implementation of packet layering architected in order to allow for such flexibility and composability?
  • What are some of the most interesting and unexpected ways that you have seen Scapy used?
  • What protocols have been the most problematic to implement and maintain?
  • What have been some of the most challenging aspects of developing Scapy?
  • What do you have planned for the future of Scapy?

Contact Info

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Duplicity with Kenneth Loafman - Episode 103

Summary

Everyone who uses a computer on a regular basis knows the importance of backups. Duplicity is one of the most widely used backup technologies, and it’s written in Python! This week Kenneth Loafman shares how Duplicity got started, how it works, and why you should be using it every day.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Your host as usual is Tobias Macey and today I’m interviewing Kenneth Loafman about Duplicity, the Python based backup tool

Interview

  • Introduction
  • How did you get introduced to Python?
  • Can you share some of the history of Duplicity?
  • What is duplicity and how does it differ from other available backup tools?
  • Many backup solutions are written in Java or lower level languages such as C, what is the motivation for using Python as the language for implementing Duplicity?
  • At face value backing up files seems like a straightforward task but there is a lot of incidental complexity. Can you describe the architecture and internals of Duplicity that allow for it to handle a wide variety of use cases?
  • It has been shown in a number of contexts that people will generally use the default settings, so by forcing people to opt out of encrypting their backups you are promoting security best practices in Duplicity. Why is it so important to have the archive encrypted, even if the storage medium is fully under the control of the person doing the backup?
  • Given that backups need to be highly reliable what are the steps that you take during the development process to ensure that there are no regressions?
  • What mechanisms are built into duplicity to prevent data corruption?
  • What are some of the most difficult or complex aspects of the problem space that Duplicity is dealing with?
  • I noticed that you have a proposal for a new archive format to replace Tar. Can you describe the motivation for that and the design choices that have been made?

Contact

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Digital Identity, Privacy, and Security with Brian Warner - Episode 102

Summary

As the internet and digital technologies continue to infiltrate our way of life, we are forced to consider how our concepts of identity and security are reflected in these spaces. Brian Warner joins me this week to discuss his work on privacy focused projects that he has worked on, including the Tahoe LAFS, Firefox Sync, and Magic Wormhole. He also has some intriguing ideas about how we can replace passwords and what it means to have an online identity.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Your host as usual is Tobias Macey and today I’m interviewing Brian Warner about digital identity, privacy, and security

Interview

  • Please introduce yourself
  • How did you get introduced to Python?
  • How did you get involved in the area of cryptography and digital privacy?
  • You have created or made significant contributions to a number of projects that are focused on making secure communications and storage more accessible, including Tahoe LAFS (Least Authority File System), Magic Wormhole, and Petmail. Can you provide a brief overview of these projects and any others that you would like to mention?
  • What problem were you trying to solve when you created or began contributing to each of them and how satisfied are you with their current state?
  • What have you found to be the biggest barriers to adoption for these projects?
  • How do Tahoe and Magic Wormhole benefit an average user and what are your plans for their future development?
  • One of the most ubiquitous issues with our modern security infrastructure leading to compromise is the humble password. What are some technologies that you foresee replacing the need for passwords?
  • As technologists we are fairly well aware of the weaknesses in the systems that we use day-to-day. How can we make digital privacy and security more accessible?

Contact Info

warner on GitHub
@lotharrr on Twitter

Picks

Links

The Update Framework: Securing Your Software Updates with Justin Cappos - Episode 99

Summary

If you write software then there’s a good probability that you have had to deal with installing dependencies, but did you stop to ask whether you’re installing what you think you are? My guest this week is Professor Justin Cappos from the Secure Systems Lab at New York University and he joined me to discuss his work on The Update Framework which was built to guarantee that you never install a compromised package in your systems.

Preface

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Your host as usual is Tobias Macey and today I’m interviewing Justin Cappos about The Update Framework, an open spec and reference implementation for mitigating attacks on software update systems.

Interview

  • Introduction
  • How did you first get introduced to Python?
  • Please start by explaining what The Update Framework (TUF) is and the problem that you were trying to solve when you created it.
  • How is TUF architected and what led you to choose Python for the reference implementation?
  • TUF addresses the problem of ensuring that the packages that get installed are created by the right developers, but how do you properly establish trust in the first place?
  • Why are consistent and auditable dependencies important for the security of a system and how does TUF help with that goal?
  • What are some of the known attack vectors for a software update system and how do Python and other systems attempt to mitigate these vulnerabilities?
  • One of the perennial problems with any dependency management system is that of transitive dependencies. How does TUF handle this extra complexity of ensuring that all of the secondary, tertiary, etc. dependencies are also properly pinned and trusted?
  • For someone who wants to start using TUF what are the steps to get it set up with pip?
  • How would a project that wants to use TUF, do so?
  • Who is using TUF and when will it be used with PyPI?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Mycroft with Steve Penrod - Episode 82

Summary

Speech is the most natural interface for communication, and yet we force ourselves to conform to the limitations of our tools in our daily tasks. As computation becomes cheaper and more ubiquitous and artificial intelligence becomes more capable, voice becomes a more practical means of controlling our environments. This week Steve Penrod shares the work that is being done on the Mycroft project and the company of the same name. He explains how he met the other members of the team, how the project got started, what it can do right now, and where they are headed in the future.

Brief Introduction

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • You’ll want to make sure that your users don’t have to put up with bugs, so you should use Rollbar for tracking and aggregating your application errors to find and fix the bugs in your application before your users notice they exist. Use the link rollbar.com/podcastinit to get 90 days and 300,000 errors for free on their bootstrap plan.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Join our community! Visit discourse.pythonpodcast.com to talk to previous guests and other listeners of the show.
  • Your host as usual is Tobias Macey and today I’m interviewing Steve Penrod about the company and project Mycroft, a voice controlled, AI powered personal assistant written in Python.

Interview with Steve Penrod

  • Introductions
  • How did you get introduced to Python?
  • Can you start by describing what Mycroft is and how the project and business got started?
  • How is Mycroft architected and what are the biggest challenges that you have encountered while building this project?
  • What are some of the possible applications of Mycroft?
  • Why would someone choose to use Mycroft in place of other platforms such as Amazon’s Alexa or Google’s personal assistant?
  • What kinds of machine learning approaches are being used in Mycroft and do they require a remote system for execution or can they be run locally?
  • What kind of hardware is needed for someone who wants to build their own Mycroft and what does the install process look like?
  • It can be difficult to run a business based on open source. What benefits and challenges are introduced by making the software that powers Mycroft freely available?
  • What are the mechanisms for extending Mycroft to add new capabilities?
  • What are some of the most surprising and innovative uses of Mycroft that you have seen?
  • What are the long term goals for the Mycroft project and the business that you have formed around it?

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Sandstorm.io with Asheesh Laroia - Episode 75

Summary

Sandstorm.io is an innovative platform that aims to make self-hosting applications easier and more maintainable for the average individual. This week we spoke with Asheesh Laroia about why running your own services is desirable, how they have made security a first priority, how Sandstorm is architected, and what the installation process looks like.

Brief Introduction

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable. For details on how to support the show you can visit our site at pythonpodcast.com
  • Linode is sponsoring us this week. Check them out at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for your next project
  • We are also sponsored by Rollbar. Rollbar is a service for tracking and aggregating your application errors so that you can find and fix the bugs in your application before your users notice they exist. Use the link rollbar.com/podcastinit to get 90 days and 300,000 errors for free on their bootstrap plan.
  • Hired has also returned as a sponsor this week. If you’re looking for a job as a developer or designer then Hired will bring the opportunities to you. Sign up at hired.com/podcastinit to double your signing bonus.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Join our community! Visit discourse.pythonpodcast.com for your opportunity to find out about upcoming guests, suggest questions, and propose show ideas.
  • I would also like to mention that the organizers of PyCon Zimbabwe are looking to the global Python community for help in supporting their event. If you would like to donate the link will be in the show notes.
  • Your hosts as usual are Tobias Macey and Chris Patti
  • Today we’re interviewing Asheesh Laroia about Sandstorm.io, a project that is trying to make self-hosted applications easy and secure for everyone.

Interview with Asheesh Laroia

  • Introductions
  • How did you get introduced to Python? – Tobias
  • Can you start by telling everyone about the Sandstorm project and how you got involved with it? – Tobias
  • What are some of the reasons that an individual would want to self-host their own applications rather than using comparable services available through third parties? – Tobias
  • How does Sandstorm try to make the experience of hosting these various applications simple and enjoyable for the broadest variety of people? – Tobias
  • What does the system architecture for Sandstorm look like? – Tobias
  • I notice that Sandstorm requires a very recent Linux kernel version. What motivated that choice and how does it affect adoption? – Chris
  • One of the notable aspects of Sandstorm is the security model that it uses. Can you explain the capability-based authorization model and how it enables Sandstorm to ensure privacy for your users? – Tobias
  • What are some of the most difficult challenges facing you in terms of software architecture and design? – Tobias
  • What is involved in setting up your own server to run Sandstorm and what kinds of resources are required for different use cases? – Tobias
  • You have a number of different applications available for users to install. What is involved in making a project compatible with the Sandstorm runtime environment? Are there any limitations in terms of languages or application architecture for people who are targeting your platform? – Tobias
  • How much of Sandstorm is written in Python and what other languages does it use? – Tobias

Keep In Touch

Picks

Links

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA

Bandit with Tim Kelsey, Travis McPeak, and Eric Brown - Episode 62

Summary

Making sure that your code is secure is a difficult task. In this episode we spoke to Eric Brown, Travis McPeak, and Tim Kelsey about their work on the Bandit library, which is a static analysis engine to help you find potential vulnerabilities before your application reaches production. We discussed how it works, how to make it fit your use case, and why it was created. Give the show a listen and then go start scanning your projects!

Brief Introduction

  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable. For details on how to support the show you can visit our site at pythonpodcast.com
  • Linode is sponsoring us this week. Check them out at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for your next project. And they just doubled the RAM for their introductory level servers, so that $20 will get you even more performance.
  • We are also sponsored by Sentry this week. Stop hoping your users will report bugs. Sentry’s real-time tracking gives you insight into production deployments and information to reproduce and fix crashes. Check them out at getsentry.com and use the code podcastinit at signup to get a $50 credit!
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
  • Join our community! Visit discourse.pythonpodcast.com for your opportunity to find out about upcoming guests, suggest questions, and propose show ideas.
  • Your hosts as usual are Tobias Macey and Chris Patti
  • Today we’re interviewing Tim Kelsey and Eric Brown about Bandit which is a static analysis engine for finding security vulnerabilities in your Python code.

Interview with Eric Brown, Travis McPeak and Tim Kelsey

  • Introductions
  • How did you get introduced to Python? – Chris
  • What is Bandit and what was the inspiration for creating it? – Tobias
  • How did you each get involved with the Bandit project? – Tobias
  • At what stage of the development process would you want to use Bandit? – Tobias
  • What kinds of analysis does Bandit do on the source code that it is run against? – Tobias
  • How does it determine whether a particular segment of code is introducing a vulnerability and what means does it use to determine the severity? – Tobias
  • What does the generated report include and what can be done with that information? – Tobias
  • What are some of the biggest design and implementation difficulties that have been encountered in the process of creating Bandit? – Tobias
  • How does bandit compare to similar tools in other languages such as Ruby’s BrakeMan? – Tobias
  • What are some of the most interesting extensions that you have seen for Bandit? – Tobias
  • What is on the roadmap for the future of Bandit? – Tobias

Keep In Touch

Picks

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA