Description: The Google Group to accompany PythonSecurity.org
 

Fortify for Python 
  Anyone have any experience running Fortify on Python code? I'm mainly wondering what rules they are applying and how I could verify that it's actually looking at my code. So far I've run it and found very little of interest, just a few Low priority items like using the word "Password" inside a comment.... more »
By Geoff Dillon  - Mar 8 - 2 new of 2 messages    

Introduction to PythonSecurity.org Slide 
  Hello, My name is Zaki. Currently I lead the OWASP Indonesia chapter. I am planning to give a talk at an Indonesian Python meetup. Is there any presentation slide which I can use to promote/explain this project? Thanks!
By Zaki Akhmad  - Jul 26 2012 - 2 new of 2 messages    

Python library security announcement list 
  Hi all, Something I've been worrying about for a while is the need for a security announcement list for small Python libraries that might be used in a typical web site. For example, there are *many* Django libraries/app out there, most of them far too small to have their own mailing lists (and very few would be... more »
By Luke Plant  - Jul 21 2012 - 6 new of 6 messages    

WebFight v1.0 Beta - Automated Passive Web Analysis 
  Source: [link] I was at AppSec Latam 2011, and Wagner Elias released a tool named WebFight. This tool uses a log parser of Burp and performs a series of tests. All requests and parameters to fuzz and data validation tests;... more »
By Magno Logan  - Oct 21 2011 - 1 new of 1 message    

cryptography page 
  Hey all, I'm wondering if anybody minds if I mess around with the [link] page. I've already added one thing, but it really just needs a complete overhaul, and I'm not sure what the protocol is here. Thanks for your (collective) time, Geremy Condra
By geremy condra  - Sep 21 2010 - 2 new of 2 messages    

Extending Burp Suite in Python 
  Hi all! Just to let you know in case this is of interest for some of you, I wrote a Jython binding for the Burp Suite application. This enables users to create Burp Suite extensions directly in the Python language. Burp Suite ([link]) is an integrated framework to assess the security of web applications.... more »
By David ROBERT  - Aug 31 2010 - 1 new of 1 message    

Current Focus: Session Management 
  Let's shift our current focus towards session management [1], including the prevention of session hijacking [2] and session fixation [3]. Session identifiers are keys to the kingdom, and can allow an attacker to impersonate an authenticated user without even knowing their credentials. Consider this: If you aren't using SSL, a user's session identifier can be... more »
By Craig Younkins  - Aug 11 2010 - 1 new of 1 message    

Intrusion Detection System (was Tools for security analysis) 
  Last year I wrote a somewhat limited IDS for ESAPI on Python [1]. The primary way it was used was through exceptions - when input failed validation an exception would be raised, which would register an event with the IDS. - Events - These are things such as "Bad Password," "input did not pass validation," or "successful login". When events are registered they need... more »
By Craig Younkins  - Aug 10 2010 - 3 new of 3 messages    

Tools for security analysis 
  I've been thinking a lot about what tools would be useful to have when analyzing Python code for security vulnerabilities. At some point all computers are basic input/output systems, which is the premise for security tools which identify sources and sinks, and can trace the flow of data from one to the other. Part of the idea of taint mode in... more »
By Craig Younkins  - Aug 10 2010 - 2 new of 2 messages    

ESAPI Swingset, a playground for application security 
  I'd like to introduce the ESAPI Swingset [1], an application aiming to make security more transparent and exploratory. The application allows developers to learn more about security in a safe sandbox. To really understand what it's all about, take a look! There are pretty good demonstrations of cross... more »
By Craig Younkins  - Aug 9 2010 - 2 new of 2 messages    

Send email to this group: python-security@googlegroups.com