OWASP Python Security Project
OWASP Python Security is a free, open source OWASP project that aims to create a hardened version of Python, making it easier for security professionals and developers to write applications that are more resilient to attacks and manipulation.
The project explores how web applications can be developed in Python by approaching the problem from three different angles:
- Security in Python: white-box analysis, structural and functional analysis
- Security of Python: black-box analysis, identifying and addressing security-related issues
- Security with Python: developing a security-hardened Python suitable for high-risk and high-security environments
This project's source code is licensed under the Apache 2.0 license, which imposes no restriction other than attribution and allows proprietary modifications and proprietary forks of the project. The project documentation is licensed under the Creative Commons license. You can use or modify PySec however you want, and even include it in commercial products.
Security in Python
White-box analysis, structural and functional analysis of Python applications and open source code.
We focused our efforts on:
- Techniques for string evaluation and string protection
- Functional whitelisting and blacklisting for both strings and streams
- Implicit and explicit access controls in the source code
- Error detection and Error handling
- Safer object serialization for inter-process communication
- Detection and reaction to events that can lead to SBE and MBE
- Handling of unexpected and non-standard behaviors in communication protocols
- Mitigation of risks related to importable libraries
- Logging with event-handling controls to facilitate application monitoring
- Modular application checkpointing using finite state automata
Security of Python
Black-box analysis, identifying and addressing security-related issues that can affect the interpreter.
We focused our efforts on:
- Implementation of functional sandboxing
- Safer application output to system consoles
- Single and chained exception handling
- Protection of command strings passed to the OS
- Checks and controls of data streams in sockets
- Low-level primitives for controlling Python->OS interactions
- File and object permission controls
- Improved controls for multiprocess operations
- Enforcement of data and memory limits
- Controls over I/O operations on file objects
Software Prerequisites
- Linux
- Python 2.7