Through the Side Channel: Timing and Implementation Attacks in Python
Abstract
Over the last decade, an increasing body of evidence has accumulated indicating that even when a system is hardened enough to provide strong guarantees about its high-level behavior, implementation details, and especially performance properties, can still provide attackers with an easy way in. For Python, this is especially problematic: its generally high-level view and the emphasis placed on flexibility often mean that it can be difficult to stop attackers from gaining a foothold, while its comparatively low execution speed increases the efficacy of a wide variety of implementation and timing attacks.
To help Pythonistas understand and cope with these problems, we've divided this talk into two parts: in the first, we demonstrate the attacks against a series of widely-deployed Python projects with the goal of both improving awareness about the issue and demonstrating common weaknesses to be avoided. The second demonstrates effective countermeasures and alternative constructions with the goal of improving defenders' odds of spotting and correcting these flaws in their own code.
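As an added illustration of the kind of weakness and countermeasure the abstract refers to (example code, not code from the talk): an early-exit byte comparison beside a constant-work one, each instrumented to report how many bytes it examined as a deterministic stand-in for elapsed time, plus a property check a defender can run in a test suite. The sample secret and all function names are constructed for this example.

```python
import hmac

SAMPLE_SECRET = b"constructed-api-token-0123"  # constructed sample value


def naive_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the weak construction).

    Returns (equal, bytes_examined). The count stands in for elapsed time:
    in CPython every extra loop iteration costs measurable time, so the
    work done reveals how long the matching prefix was."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def fixed_work_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Constant-work comparison: XORs every byte pair, never exits early.

    Note that a length mismatch still returns early, so the length of the
    secret is not hidden; only the position of the first differing byte is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def library_equal(a: bytes, b: bytes) -> bool:
    """What production code should call instead of rolling its own."""
    return hmac.compare_digest(a, b)


def work_profile(compare, secret: bytes) -> list[int]:
    """For each byte position i, compare the secret against a copy that
    differs only at i and record how many bytes the function examined."""
    profile = []
    for i in range(len(secret)):
        candidate = bytearray(secret)
        candidate[i] ^= 0x01  # flip one bit so exactly byte i differs
        _, examined = compare(secret, bytes(candidate))
        profile.append(examined)
    return profile


def is_work_independent_of_mismatch(compare, secret: bytes) -> bool:
    """Defender's check: the work done must not depend on where the mismatch is."""
    return len(set(work_profile(compare, secret))) == 1
```

For `naive_equal` the profile climbs 1, 2, 3, ... with the mismatch position, which is the signal a timing attack keys on; for `fixed_work_equal` it is flat.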