Talks: Securing Code with the Python Type System

Presented by:


Preventing security vulnerabilities often brings to mind heavyweight security tools. But what if it doesn’t have to be that way? What if you could use the concepts already built into Python to make your code incrementally more secure?

In this talk, we'll see how Python types allow you to improve your project's security incrementally. First, we’ll show how simple type annotations by themselves can prevent security-impacting logic errors. Second, we'll see how you can prevent injection vulnerabilities such as SQL injection using a special type in your APIs (PEP 675). Next, we demonstrate how to leverage runtime type validation to securely deal with user-controlled data (such as HTTP requests). Finally, we show how types naturally enable powerful typing-based tools like Pysa and CodeQL to perform static taint flow analysis and catch complex vulnerabilities that span multiple functions. No security tool is a panacea, however, so we’ll also show you where typing and the tools that rely on it can fail.