{"id":2012,"date":"2020-05-18T10:28:00","date_gmt":"2020-05-18T10:28:00","guid":{"rendered":"https:\/\/www.securecoding.com\/?p=2012"},"modified":"2020-10-15T09:14:06","modified_gmt":"2020-10-15T09:14:06","slug":"python-security-practices-you-should-maintain","status":"publish","type":"post","link":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/","title":{"rendered":"Python Security Practices You Should Maintain"},"content":{"rendered":"\n<p><\/p>\n\n\n<section class=\"c-block c-margin c-margin--bottom-default c-block b-picture b-picture--page-python-security-practices-you-should-maintain  align\" id=\"b-picture-1\">\n\t<div class=\"container\">\n\t\t\t<picture class=\"c-picture\">\n\t\n\t\t<img loading=\"lazy\" decoding=\"async\" width=\"1171\" height=\"413\" src=\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2.png\" class=\"c-image c-picture__image\" alt=\"\" srcset=\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2.png 1171w, https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2-300x106.png 300w, https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2-1024x361.png 1024w, https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2-768x271.png 768w, https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Refine-Blogs_4-copy-2-540x190.png 540w\" sizes=\"auto, (max-width: 1171px) 100vw, 1171px\" \/>\n<\/picture>\n\t\t<\/div>\n<\/section>\n\n\n<section class=\"c-block c-margin c-margin--bottom-default c-block b-text b-text--page-python-security-practices-you-should-maintain  align\" id=\"b-text-1\">\n\t<div class=\"container\">\n\t\t<div class=\"c-text\">\n\t\t<p><span style=\"font-weight: 400;\">Python is a high-level programming language and offers a lot of flexibility and liberty to structure your codebase the way you want it which might open up some loopholes if 
security practices are not being followed.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When building software, writing secure code is essential for protecting sensitive data and maintaining the correct behaviour of the software. Writing secure code is hard, though, and even the best developers can\u2019t always be 100% sure of the security of their code.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">No matter how small the application or how good the developers who built it are, there is always a possibility of a security vulnerability that could be exploited to steal money from users or to become the next widely reported cyber incident.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">So what do you do to prevent or avoid this?<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The best thing to do is to follow best practices for writing secure code when building applications in Python. In this article, we\u2019ll explore best practices for securing Python code, from the simplest to the hardest.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Use the Most Recent Major Version of Python<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Many companies and developers are still running old versions of Python for their projects, even in production, such as Python 2.6 or 2.7. These are long outdated and won\u2019t receive any more<\/span> <a href=\"https:\/\/www.python.org\/doc\/sunset-python-2\/\"><span style=\"font-weight: 400;\">security updates after April 2020<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Python 3.0 was released back in December 2008, and Python 2 reached end of life on January 1, 2020: it no longer receives security updates or support from the core developers.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">If you are still using a version of Python below 3, start planning how to migrate your codebase to Python 3 and use Python 3 for every new project; otherwise you leave yourself open to vulnerabilities that will never be patched. Within Python 3, prefer a release that is still receiving security fixes.\u00a0\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">To check your Python version, run:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">python --version<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Migrating Python 2 code to Python 3 is usually straightforward, and you can read more on how to do that<\/span> <a href=\"https:\/\/medium.com\/better-programming\/why-you-must-migrate-to-python-3-now-2a2729631a22\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Use a Virtual Environment\u00a0<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When building any Python project, it is always advisable to use a virtual environment: it prevents conflicts between the Python modules of different projects and lets you install exactly the same modules in your local and production environments.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">A virtual environment does not, by itself, stop a malicious package from being installed, but it keeps each project\u2019s dependencies isolated from the system Python and from every other project, so a package pulled in for one experiment cannot silently end up in another project. Generating requirements.txt from that environment with `pip freeze` then gives you an explicit, reviewable list of exactly what will be shipped to production. If a malicious package does turn up in one environment, the isolation confines it to that environment and the explicit dependency list makes it visible.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">To create a virtual environment you can use<\/span> <a href=\"https:\/\/virtualenv.pypa.io\/en\/latest\/\"><span style=\"font-weight: 400;\">Virtualenv<\/span><\/a><span style=\"font-weight: 400;\"> or<\/span> <a href=\"https:\/\/pypi.org\/project\/pipenv\/\"><span style=\"font-weight: 400;\">Pipenv<\/span><\/a><span style=\"font-weight: 400;\">, both of which create isolated environments. Pipenv additionally helps you keep the environment predictable and up to date.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">With Pipenv, you can manage your installations and virtual environments, inspect your dependency tree, and scan your dependencies for known vulnerabilities.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">You can set up Virtualenv with:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">pip install virtualenv<\/span><\/p>\n<p><span style=\"font-weight: 400;\">virtualenv -p \/path\/to\/python &lt;env_name&gt;<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Import Packages the Right Way<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When working with external or internal Python modules, always make sure you are importing them the right way and using the right paths. 
We have two kinds of import paths in Python: absolute and relative.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">An absolute import names the resource by its full dotted path from the project\u2019s root package, while a relative import names the resource relative to the package that contains the importing module.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"># Absolute imports<\/span><\/p>\n<p><span style=\"font-weight: 400;\">from package1 import module1<\/span><\/p>\n<p><span style=\"font-weight: 400;\">from package1.module2 import function1<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"># Explicit relative imports<\/span><\/p>\n<p><span style=\"font-weight: 400;\">from .some_module import some_class<\/span><\/p>\n<p><span style=\"font-weight: 400;\">from ..some_package import some_function<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">There are two types of relative import: implicit and explicit.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">An implicit relative import looks exactly like an absolute one (<\/span><span style=\"font-weight: 400;\">import json<\/span><span style=\"font-weight: 400;\">) and leaves it to the interpreter to decide whether that means a sibling module in the current package or the top-level module, while an explicit relative import (<\/span><span style=\"font-weight: 400;\">from . import json<\/span><span style=\"font-weight: 400;\">) states exactly where the module lives relative to the current one.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Implicit relative imports were deprecated and then removed in Python 3 (PEP 328), because under Python 2 a bare <\/span><span style=\"font-weight: 400;\">import json<\/span><span style=\"font-weight: 400;\"> inside a package first looked for a module named json in that package and only then for the real top-level module, and that ambiguity can be very dangerous.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">It is possible for a module with the same name as a library you rely on to end up inside your package or on the module search path, for example through a vendored or compromised open source dependency. If the impostor is found before the real module, it is the impostor that gets imported, and it can be used to attack every application that has it in its dependency tree.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">To prevent this, use either absolute imports or explicit relative imports, so that every import names one unambiguous module:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">from safe_module import package, function, some_class<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">or<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">from ..relative_module import package, function, some_class<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">If you are still on Python 2, remove every implicit relative import now, since that form no longer exists in Python 3.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>String Formatting In Python<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Python has one of the most powerful and flexible ways to format strings, and if you are not careful while using it, you can open up a security vulnerability in your code.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Python 3 offers <\/span><span style=\"font-weight: 400;\">str.format()<\/span><span style=\"font-weight: 400;\"> and, since 3.6, f-strings as flexible ways to format strings, and they are genuinely convenient. The same flexibility becomes a data leak when user input is involved: a format string passed to <\/span><span style=\"font-weight: 400;\">str.format()<\/span><span style=\"font-weight: 400;\"> can follow attributes and dictionary keys of its arguments. (f-strings are evaluated where they are written in the source and cannot themselves be supplied by a user, so the danger is specifically a user-controlled template handed to <\/span><span style=\"font-weight: 400;\">str.format()<\/span><span style=\"font-weight: 400;\">.)\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">If an application lets users control the format string, they can misuse it to leak sensitive data. For instance, look at the exploit below:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">CONFIG = {<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;\"API_KEY\": \"secret_key\"<\/span><\/p>\n<p><span style=\"font-weight: 400;\">}<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">class User:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;def __init__(self, name, email):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;self.name = name<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;self.email = email<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;def __str__(self):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return self.name<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">user = User(\"Toby\", \"oyetoketoby80@gmail.com\")<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"># the format string comes from the user, e.g. a \"custom greeting\" field<\/span><\/p>\n<p><span style=\"font-weight: 400;\">template = \"{user.__init__.__globals__[CONFIG][API_KEY]}\"<\/span><\/p>\n<p><span style=\"font-weight: 400;\">print(template.format(user=user))<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"># secret_key<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The format string starts at the <\/span><span style=\"font-weight: 400;\">user<\/span><span style=\"font-weight: 400;\"> argument, reaches the module globals through the <\/span><span style=\"font-weight: 400;\">__globals__<\/span><span style=\"font-weight: 400;\"> attribute of its <\/span><span style=\"font-weight: 400;\">__init__<\/span><span style=\"font-weight: 400;\"> method, and reads the API key out of the <\/span><span style=\"font-weight: 400;\">CONFIG<\/span><span style=\"font-weight: 400;\"> dictionary; anything reachable through attributes or keys of an argument can be read the same way.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">However, Python has a built-in <\/span><span style=\"font-weight: 400;\">string<\/span><span style=\"font-weight: 400;\"> module that can be used to fix and prevent this. 
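<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As an added example that is not part of the original article, the block below puts the vulnerable and the hardened rendering side by side: the same attacker-supplied template is passed first to str.format(), which leaks the key, and then to string.Template, which cannot reach beyond the values handed to it. The CONFIG dictionary, the User class, the template text and the helper names render_unsafe, render_safe and demo are all constructed for this example.<\/span><\/p>\n
```python
from string import Template

# Constructed example data; in a real application CONFIG would hold real secrets.
CONFIG = {"API_KEY": "secret_key"}


class User:
    def __init__(self, name, email):
        self.name = name
        self.email = email

    def __str__(self):
        return self.name


# Constructed attacker input: a "custom greeting" that, via str.format's
# attribute/index syntax, walks from the user object to the module globals.
MALICIOUS_TEMPLATE = (
    "Hello {user.name}, your key is {user.__init__.__globals__[CONFIG][API_KEY]}"
)


def render_unsafe(template, user):
    """Vulnerable: str.format lets the template follow attributes and keys."""
    return template.format(user=user)


def render_safe(template, user):
    """Hardened: string.Template only replaces plain $identifier placeholders.

    There is no attribute or index syntax, so the template can only see the
    values passed in explicitly. safe_substitute leaves unknown placeholders
    in place instead of raising KeyError.
    """
    return Template(template).safe_substitute(user=str(user))


def demo():
    """Render the attacker template both ways and return (leaked, contained)."""
    user = User("Toby", "toby@example.com")  # constructed sample user
    leaked = render_unsafe(MALICIOUS_TEMPLATE, user)
    contained = render_safe(MALICIOUS_TEMPLATE, user)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("str.format: ", leaked)      # the API key is exposed
    print("Template:   ", contained)   # the braces are returned as plain text
```
<p><span style=\"font-weight: 400;\">safe_substitute is used rather than substitute so that a template with unknown placeholders comes back as text; if you would rather reject such templates outright, call substitute and treat the KeyError as a validation failure. Even a $-style probe such as $user.__init__ gets no further than the user value, because the identifier stops at the first dot.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">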
Using the <\/span><span style=\"font-weight: 400;\">Template<\/span><span style=\"font-weight: 400;\"> class from the <\/span><span style=\"font-weight: 400;\">string<\/span><span style=\"font-weight: 400;\"> module:<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">from string import Template<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">name_template = Template(\"Hello, my name is $name.\")<\/span><\/p>\n<p><span style=\"font-weight: 400;\">greeting = name_template.substitute(name=\"Toby\")<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\"># Hello, my name is Toby.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">A <\/span><span style=\"font-weight: 400;\">Template<\/span><span style=\"font-weight: 400;\"> only substitutes plain <\/span><span style=\"font-weight: 400;\">$identifier<\/span><span style=\"font-weight: 400;\"> placeholders; it has no attribute or index syntax, so even a user-supplied template cannot reach anything beyond the values you pass to <\/span><span style=\"font-weight: 400;\">substitute()<\/span><span style=\"font-weight: 400;\">. That makes the <\/span><span style=\"font-weight: 400;\">string<\/span><span style=\"font-weight: 400;\"> module a good fit for templates built from user input or generated data.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Handle Python HTTP Requests Safely<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When building a Python project that sends HTTP requests, do it safely and understand how the library you are using handles security, so that it does not become the source of a security issue.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When using an HTTP library like Requests, pin its version in your <\/span><span style=\"font-weight: 400;\">requirements.txt<\/span><span style=\"font-weight: 400;\"> for reproducible installs, but do not leave that pin frozen: a pin that is never revisited keeps installing an outdated and vulnerable version of the module long after a fix has shipped.\u00a0\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">For instance, Requests uses Certifi as its bundle of trusted certificate authorities and verifies the server\u2019s TLS certificate on every HTTPS request by default. Verification can be disabled with <\/span><span style=\"font-weight: 400;\">verify=False<\/span><span style=\"font-weight: 400;\">, but that lets anyone on the network path impersonate the server, so do not switch it off just because you consider the destination trusted. If the server uses a private certificate authority, point Requests at that CA bundle instead:\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">url = \"https:\/\/internal.example.com\/api\"<\/span><\/p>\n<p><span style=\"font-weight: 400;\">requests.get(url, verify=\"\/path\/to\/ca-bundle.pem\", timeout=10)<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Certificate verification ensures you are talking to the server you intended and not to an attacker who could send back malicious content in the response headers or body.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">So, to prevent this, use the latest version of your HTTP library, confirm that it verifies the TLS certificate of every host you send requests to (the standard library <\/span><span style=\"font-weight: 400;\">urllib<\/span><span style=\"font-weight: 400;\"> also verifies certificates by default since Python 3.4.3), and always set a timeout so that a hostile or broken server cannot hang your application.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Look Out for Exploited and Malicious Packages<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Packages can be very helpful and save you time, as you don\u2019t have to re-invent the wheel. Packages are easily installed with <\/span><span style=\"font-weight: 400;\">pip<\/span><span style=\"font-weight: 400;\">, and they bring benefits like saving time, keeping your own codebase compact, simplifying application design and improving performance.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Most Python packages are published to PyPI, the public repository for Python packages, and uploads do not go through any security review before anyone can install them.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">This means that anyone with malicious intent can build and publish a package containing malicious code, or publish a package under a name that resembles a popular one (typosquatting) and imitates its features.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Double-check every Python package you install and import, so that no exploited package ends up in your code, and use security tools to scan your Python dependencies and screen out exploited packages.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Handling Data Deserialization Safely<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">When deserializing data in Python, only deserialize data that comes from a trusted source, as the data can smuggle in arbitrary code.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Deserialization recreates Python objects by reading their representation from a file on disk, a network interface or a string. 
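<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">As an added example that is not part of the original article, the block below shows the mechanism on the pickle format: a constructed payload whose __reduce__ hook asks the unpickler to call builtins.eval, the plain pickle.loads call that runs it, and a restricted Unpickler, following the Restricting Globals recipe from the Python documentation, that only resolves an allow-list of harmless builtins. The Attack class, the allow-list in SAFE_BUILTINS, the sample data and the helper names unsafe_loads, restricted_loads and is_rejected are all constructed for this example.<\/span><\/p>\n
```python
import builtins
import io
import pickle


class Attack:
    """Constructed stand-in for attacker-controlled data.

    pickle honours __reduce__: the returned callable is looked up by name
    when the data is loaded and called with the returned arguments, which is
    how a pickle from an untrusted source turns into code execution.
    """

    def __reduce__(self):
        return (eval, ("7 * 6",))  # eval stands in for os.system or similar


# Constructed malicious payload; in practice it arrives from a file, a queue
# or a socket, and the receiving side never sees the class above.
MALICIOUS_PICKLE = pickle.dumps(Attack())

# Constructed benign data, the kind an ordinary application record contains.
BENIGN_RECORD = {"user": "Toby", "roles": ["reader"], "ids": {1, 2}}
BENIGN_PICKLE = pickle.dumps(BENIGN_RECORD)

# Globals the restricted unpickler is willing to resolve (assumed allow-list;
# extend it only with plain data types your application genuinely needs).
SAFE_BUILTINS = {"set", "frozenset", "range", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global except the allow-listed builtins."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def unsafe_loads(data):
    """Vulnerable: pickle.loads executes whatever callable the payload names."""
    return pickle.loads(data)


def restricted_loads(data):
    """Hardened: same format, but arbitrary callables are rejected."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("pickle.loads ran the attacker's eval, result:", unsafe_loads(MALICIOUS_PICKLE))
    print("restricted loader rejected the payload:", is_rejected(MALICIOUS_PICKLE))
    print("restricted loader still reads plain data:", restricted_loads(BENIGN_PICKLE))
```
<p><span style=\"font-weight: 400;\">An allow-list of builtins is the weakest form of this restriction; in an application you would allow only the specific classes from your own modules that the data is supposed to contain, and for data that crosses a trust boundary a signature checked with hmac before loading, or a data-only format such as JSON, is the better control, since even the restricted loader still has to parse hostile bytes.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">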
The resulting objects are rebuilt by calling the constructors and other callables that the data names, and those callables execute with the application\u2019s privileges.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">So if the data names malicious code, deserializing it runs that code, exposing user data or doing something worse.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">There is no library that makes untrusted pickle data safe to load, and cryptographic packages in particular do nothing to help here. Prefer a data-only format such as JSON for anything that crosses a trust boundary; if you must accept pickled data, sign it with <\/span><span style=\"font-weight: 400;\">hmac<\/span><span style=\"font-weight: 400;\"> and verify the signature before loading, or use a restricted <\/span><span style=\"font-weight: 400;\">Unpickler<\/span><span style=\"font-weight: 400;\"> that only resolves an allow-list of harmless classes, as the Python documentation describes.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The same caution applies to both Pickle and YAML. Pickle lets you serialize and deserialize a Python object structure; deserializing a pickled object structure from an untrusted source can result in malicious code execution.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">YAML is another format, mostly used for configuration, and is handled with the PyYAML package. If a YAML document describes malicious Python objects, loading it with <\/span><span style=\"font-weight: 400;\">yaml.load<\/span><span style=\"font-weight: 400;\"> and a loader other than <\/span><span style=\"font-weight: 400;\">SafeLoader<\/span><span style=\"font-weight: 400;\"> won\u2019t protect you: it constructs those objects and runs the malicious code.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">This is prevented by using <\/span><span style=\"font-weight: 400;\">yaml.safe_load<\/span><span style=\"font-weight: 400;\">, which only constructs the standard YAML types and never arbitrary Python objects, when deserializing YAML data in Python.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Keep Up to Date With Open Source Vulnerabilities in Your Python Packages<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">One of the simplest ways to get rid of open source vulnerabilities is to run the latest release of the open source package, in which the vulnerability has already been fixed. Open source is a good way for developers and communities with a common interest to build, contribute and publish software openly for the benefit of everyone.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">However, a security flaw can surface at any time, and it can be very dangerous, as any software or application using the project may be open to attack.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">For this reason, open source vulnerabilities are published once they are discovered, and a fix is usually rolled out in the next version, often a dedicated security patch release whose change is then carried into the next major release.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">The sooner you have the latest update of the open source package, the better protected you are. Always keep up with the vulnerabilities published for the open source packages you use, so you know when to upgrade to the next version.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><b>Conclusion<\/b><\/h2>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Securing your Python code is largely a matter of following the basic rules and practices above.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Many developers do not keep this in mind, as they are only concerned with delivering and meeting deadlines, which can open the way to vulnerabilities later on.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">It is always advisable to keep these practices in mind when writing your Python projects.<\/span><\/p>\n\n\t<\/div>\n\t<\/div>\n<\/section>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest 
one.<\/p>\n","protected":false},"author":38,"featured_media":2346,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Python Security Practices You Should Maintain - SecureCoding<\/title>\n<meta name=\"description\" content=\"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest one.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Python Security Practices You Should Maintain - SecureCoding\" \/>\n<meta property=\"og:description\" content=\"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest one.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\" \/>\n<meta property=\"og:site_name\" content=\"SecureCoding\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-18T10:28:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-10-15T09:14:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png\" \/>\n\t<meta property=\"og:image:width\" content=\"466\" \/>\n\t<meta property=\"og:image:height\" content=\"376\" \/>\n\t<meta property=\"og:image:type\" 
content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Lisa Haas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Lisa Haas\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\"},\"author\":{\"name\":\"Lisa Haas\",\"@id\":\"https:\/\/www.securecoding.com\/#\/schema\/person\/b1ca614301f8d8d43d70f9169cc5c5b0\"},\"headline\":\"Python Security Practices You Should Maintain\",\"datePublished\":\"2020-05-18T10:28:00+00:00\",\"dateModified\":\"2020-10-15T09:14:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\"},\"wordCount\":6,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.securecoding.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\",\"url\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\",\"name\":\"Python Security Practices You Should Maintain - 
SecureCoding\",\"isPartOf\":{\"@id\":\"https:\/\/www.securecoding.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png\",\"datePublished\":\"2020-05-18T10:28:00+00:00\",\"dateModified\":\"2020-10-15T09:14:06+00:00\",\"description\":\"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest one.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage\",\"url\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png\",\"contentUrl\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png\",\"width\":466,\"height\":376},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.securecoding.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Python Security Practices You Should Maintain\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.securecoding.com\/#website\",\"url\":\"https:\/\/www.securecoding.com\/\",\"name\":\"SecureCoding\",\"description\":\"Everything you need to know about code 
security\",\"publisher\":{\"@id\":\"https:\/\/www.securecoding.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.securecoding.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.securecoding.com\/#organization\",\"name\":\"SecureCoding\",\"url\":\"https:\/\/www.securecoding.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.securecoding.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Secure-Coding_new-logo_SecureCoding_logo_Horizontal.svg\",\"contentUrl\":\"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Secure-Coding_new-logo_SecureCoding_logo_Horizontal.svg\",\"width\":320,\"height\":65,\"caption\":\"SecureCoding\"},\"image\":{\"@id\":\"https:\/\/www.securecoding.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.securecoding.com\/#\/schema\/person\/b1ca614301f8d8d43d70f9169cc5c5b0\",\"name\":\"Lisa Haas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.securecoding.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/287c4f64dc587067cef518384f1b0614c1c854214c98cdb59d7c28c58b8a36a9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/287c4f64dc587067cef518384f1b0614c1c854214c98cdb59d7c28c58b8a36a9?s=96&d=mm&r=g\",\"caption\":\"Lisa Haas\"},\"url\":\"https:\/\/www.securecoding.com\/blog\/author\/mend-lisa\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Python Security Practices You Should Maintain - SecureCoding","description":"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest one.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/","og_locale":"en_US","og_type":"article","og_title":"Python Security Practices You Should Maintain - SecureCoding","og_description":"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest one.","og_url":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/","og_site_name":"SecureCoding","article_published_time":"2020-05-18T10:28:00+00:00","article_modified_time":"2020-10-15T09:14:06+00:00","og_image":[{"width":466,"height":376,"url":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png","type":"image\/png"}],"author":"Lisa Haas","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Lisa Haas"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#article","isPartOf":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/"},"author":{"name":"Lisa Haas","@id":"https:\/\/www.securecoding.com\/#\/schema\/person\/b1ca614301f8d8d43d70f9169cc5c5b0"},"headline":"Python Security Practices You Should 
Maintain","datePublished":"2020-05-18T10:28:00+00:00","dateModified":"2020-10-15T09:14:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/"},"wordCount":6,"commentCount":0,"publisher":{"@id":"https:\/\/www.securecoding.com\/#organization"},"image":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/","url":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/","name":"Python Security Practices You Should Maintain - SecureCoding","isPartOf":{"@id":"https:\/\/www.securecoding.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage"},"image":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage"},"thumbnailUrl":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png","datePublished":"2020-05-18T10:28:00+00:00","dateModified":"2020-10-15T09:14:06+00:00","description":"In this article, we\u2019ll explore best practices for securing python code from the simplest practices to the hardest 
one.","breadcrumb":{"@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#primaryimage","url":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png","contentUrl":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/05\/8.png","width":466,"height":376},{"@type":"BreadcrumbList","@id":"https:\/\/www.securecoding.com\/blog\/python-security-practices-you-should-maintain\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.securecoding.com\/"},{"@type":"ListItem","position":2,"name":"Python Security Practices You Should Maintain"}]},{"@type":"WebSite","@id":"https:\/\/www.securecoding.com\/#website","url":"https:\/\/www.securecoding.com\/","name":"SecureCoding","description":"Everything you need to know about code 
security","publisher":{"@id":"https:\/\/www.securecoding.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.securecoding.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.securecoding.com\/#organization","name":"SecureCoding","url":"https:\/\/www.securecoding.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.securecoding.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Secure-Coding_new-logo_SecureCoding_logo_Horizontal.svg","contentUrl":"https:\/\/www.securecoding.com\/wp-content\/uploads\/2020\/07\/Secure-Coding_new-logo_SecureCoding_logo_Horizontal.svg","width":320,"height":65,"caption":"SecureCoding"},"image":{"@id":"https:\/\/www.securecoding.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.securecoding.com\/#\/schema\/person\/b1ca614301f8d8d43d70f9169cc5c5b0","name":"Lisa Haas","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.securecoding.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/287c4f64dc587067cef518384f1b0614c1c854214c98cdb59d7c28c58b8a36a9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/287c4f64dc587067cef518384f1b0614c1c854214c98cdb59d7c28c58b8a36a9?s=96&d=mm&r=g","caption":"Lisa 
Haas"},"url":"https:\/\/www.securecoding.com\/blog\/author\/mend-lisa\/"}]}},"_links":{"self":[{"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/posts\/2012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/comments?post=2012"}],"version-history":[{"count":0,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/posts\/2012\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/media\/2346"}],"wp:attachment":[{"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/media?parent=2012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/categories?post=2012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securecoding.com\/wp-json\/wp\/v2\/tags?post=2012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}