Friday, January 15, 2021

Vulnerabilities in Python Applications

Below are the types of security vulnerabilities that Python developers should be concerned with:

SQL INJECTIONS (SQLI)

A malicious user controls the SQL statements that an application executes against its backend database server.

There are four sub-classes of SQLi:

  • In-band SQL injection / classic SQLi
  • Inferential / blind SQL injection
  • DBMS-specific SQLi
  • Compounded SQLi (e.g. Storm Worm), which combines SQLi with another attack:
      • SQLi with inadequate authentication
      • SQLi with DDoS attacks
      • SQLi with DNS hijacking
      • SQLi with XSS

CROSS SITE SCRIPTING (XSS)

In XSS, a malevolent user tricks a web application into serving script code to unsuspecting users of that application, where it can steal stored cookies, saved passwords and other data.

CROSS SITE REQUEST FORGERY (CSRF)

This vulnerability occurs when a website is made to perform an action, such as a button click, using the session of a logged-in user who did not intend it. It also covers breaking into, or logging into, a website with another person's login credentials.

LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL) INJECTIONS

This vulnerability occurs when a malicious user inserts or modifies LDAP statements, causing the directory to execute queries the application never intended.
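As an added example (not from the original post), the search filter an application might build for a user lookup, first with the username concatenated in and then with RFC 4515 escaping applied, plus an allowlist check as a second line of defence. The filter shape and the attribute names are assumptions.

```python
import re

# Metacharacters of the LDAP filter grammar (RFC 4515) and their escaped forms:
# a backslash followed by the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for usernames (assumed policy): letters, digits, dot, dash, underscore.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the directory server treats it as literal
    text rather than as filter syntax (wildcards, grouping parentheses)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter_vulnerable(username: str) -> str:
    """Input is concatenated straight into the filter. A username such as
    '*)(uid=*' turns the uid assertion into a wildcard, so a lookup meant
    for one user matches every person entry."""
    return f"(&(uid={username})(objectClass=person))"


def user_filter_safe(username: str) -> str:
    """Same filter, but every user-supplied value goes through the escape."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


def user_filter_strict(username: str) -> str:
    """Belt and braces: reject anything outside the allowlist before it gets
    near the filter, then still escape it."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return user_filter_safe(username)
```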

COMMAND INJECTIONS

Here, a malicious user executes OS commands on a web server by abusing an application that builds commands from user input, inserting their own commands in order to gain complete control over the server.
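An added example, not from the original post, of the pattern just described in Python: a word-count helper that hands a user-supplied filename to a shell, beside the same helper with the argument list passed directly and a shlex-quoted variant for when a shell cannot be avoided. It assumes a POSIX system with wc on the PATH; the file and the filename are constructed.

```python
import os
import shlex
import subprocess
import tempfile


def word_count_vulnerable(filename: str, cwd: str) -> str:
    """The filename is pasted into a command line that a shell parses, so
    metacharacters such as ';' let the caller append a command of their own."""
    result = subprocess.run(f"wc -w {filename}", shell=True, cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout


def word_count_safe(filename: str, cwd: str) -> str:
    """Program and arguments are passed as a list with shell=False: the
    filename reaches wc as one argv element and is never parsed by a shell."""
    result = subprocess.run(["wc", "-w", filename], cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout


def shell_safe_command(filename: str) -> str:
    """If a shell really is required, quote each argument with shlex.quote
    so it is passed through as a single literal token."""
    return f"wc -w {shlex.quote(filename)}"


def demo() -> tuple:
    """Constructed input: a real file, plus a filename that smuggles in a
    harmless extra command. Returns whether that command ran in each variant."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "report.txt"), "w") as fh:
            fh.write("three words here\n")
        injected = "report.txt; echo INJECTED"
        return ("INJECTED" in word_count_vulnerable(injected, tmp),
                "INJECTED" in word_count_safe(injected, tmp))


if __name__ == "__main__":
    print(demo())  # (True, False)
```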

XPATH INJECTIONS (XPATHI)

This occurs when a malevolent user passes crafted data into a website's XPath queries. They can use that interaction to find out how the data is structured in XML, or to access protected data that they could not normally reach.

Security Scanners

Python Taint (PYT) – Static Analysis Tool: This utility identifies command injection, XSS, SQLi, interprocedural and path traversal vulnerabilities in Python web apps that handle HTTP requests. Python Taint rests on the theoretical foundations of control flow graphs, data flow analysis and fixed points, and targets applications built using the Flask framework.

Tinfoil Security Website Scanner: Tinfoil is an affordable security scanner for Python and Django applications that finds holes in web servers and applications and also tells you how to fix them.

Bandit – AST Based Static Analyzer: It's an OpenStack security linter that identifies common security issues in Python code. It is distributed through pip. To install Bandit from source, download the PyPI source tarball and run python setup.py install. Bandit's findings are also available as reports.

Pyntch – Static Code Analyzer: Pyntch (PYthoN Type CHecker) helps in detecting runtime errors such as exceptions, attributes that are not found and variable type mismatches. It currently supports Python 2.x. It does not address style issues the way PyChecker or Pyflakes do, but it is fast and efficient, scanning thousands of lines within a minute.

Spaghetti Security Scanner: Spaghetti is an open-source web application security scanner built on Python 2.7. It detects default files, misconfigurations and insecure files, and it supports numerous frameworks including Django, CherryPy, CakePHP and others.

The tool is capable of finding issues such as exposed admin panels, cookie security weaknesses, credit card/email/private IP disclosures, SQL injection, ShellShock, Struts-Shock, Apache ModStatus, anonymous ciphers, and others.

Rough Auditing Tool for Security (RATS): It's a free tool that scans languages like C, C++, PHP, Perl and Python and highlights security-related errors such as TOC (time of check) / TOU (time of use) races, buffer overflows and Acunetix. Manual code introspection is still important, but this tool greatly assists with it.

PyDbgEng – Python Wrapper for the Windows Debugging Engine: It helps with debugging in user mode and kernel mode, with software and hardware breakpoints, etc. With the help of PyDbgEng, you can do fault injection, fuzz applications and unpack executables automatically.

Python-ptrace: It's an open-source debugging tool written in Python that uses ptrace. Here, ptrace acts as a tracer that handles the system calls on Linux, BSD and Darwin.

vdb / vtrace – Debugger for Exploit and Malware Analysis: Here, vdb is the dynamic debugger and vtrace is the debugging framework platform, implemented in Python, on which it runs. vdb utilises vtrace.

Immunity Debugger – Python Penetration Testing Tool: It is scriptable with Python and runs on Windows, offering both a graphical user interface and a command-line debugger.

Wednesday, December 23, 2020

Docker for IBM Z

Docker Enterprise Edition for Linux 17.06 on IBM Z is available directly from IBM and their network of channel partners.

Companies who already have a mainframe footprint can extend their existing partnership with IBM to add Docker EE to their technology stack for their critical applications.

Additionally, IBM recently announced a new release of the enterprise Linux platform designed specifically for mainframe systems. 

This next generation of IBM LinuxONE systems and Docker EE together provide complementary security capabilities from the system to the application and the ability for massive scale – up to two million containers per system.



Monday, December 14, 2020

Amazon Connect

Amazon Connect is an Amazon Web Services public cloud customer contact center service.

Amazon Connect enables customer service representatives to respond to phone calls or chat inquiries from end customers just as if the contact center infrastructure was set up and managed on premises. 

According to Amazon, the service can scale to accommodate tens of thousands of call center agents. AWS provides a telecommunication infrastructure for each company that uses the service. 

To access the service, users are required to have an Amazon Connect account or an AWS Identity and Access Management (IAM) account.

How Amazon Connect works

The customer who requested the service becomes the administrator for Amazon Connect. The admin's first task is to claim a phone number and configure permissions for users, which include operators, contact center managers and agents. 

To deploy the service, the admin must first create an Amazon Connect cloud instance. To do this, the customer logs into their AWS Management Console and completes several tasks. 

First, the AWS customer must create or select a user directory, which can include an outside option, such as Microsoft Active Directory. Next, the customer creates a user with administrator privileges and then selects telephony options (such as whether the contact center needs to place calls, receive calls or both) and the location for data storage.

Amazon Connect: Contact Flows

A Contact Flow defines each step a customer can make when they interact with the contact center.

The logic is similar to that of an automated Interactive Voice Response (IVR) system and determines an end user's experience. An admin can configure a Contact Flow through a graphical user interface in the console to play a recorded prompt, ask a caller a question, manage call recording settings or transfer a call.

A Contact Flow also supports text to speech with Amazon Polly and allows developers to customize pronunciation, speech rate and volume with Simple Speech Markup Language.

In addition, Amazon Connect can route end user calls according to agent skills, availability and caller priority. The service assigns agents a routing profile to fit agent expertise to one or more call queues.

Connect also provides a Contact Flow Logs feature, which allows a business to track and streamline its interactions with end customers via the contact center. Amazon CloudWatch stores these logs in the same region as the Connect instance.

Additionally, the Connect service provides nearly 100 metrics -- both in historical and real-time reports -- to help monitor contact center performance. An admin can export these reports to Simple Storage Service buckets, where they will be encrypted.

Software, hardware support

Amazon Connect requires the open source WebRTC, and supports a number of web browsers, including Google Chrome and Mozilla Firefox.

Amazon Connect enables voice interactions via a public switched telephone network provided by AMCS LLC. The service supports dual-tone multi-frequency signals, text-to-speech conversion via Amazon Polly and natural language interactions via Amazon Lex. 

Contact center agents use either a web-based softphone or traditional phone to interact with end users and a Contact Control Panel to manage these interactions.

In addition to its interactions with Amazon cloud services, Amazon Connect integrates with third-party customer relationship management (CRM), workforce management and analytics tools.

Languages and costs

Amazon Connect provides call center support for English, Spanish, Brazilian Portuguese, Korean, German, Simplified Chinese and Japanese.

Connect is a pay-as-you-go service. After a user exhausts their free tier of service, AWS charges for Connect use by the minute, plus daily telecom charges.

Wednesday, October 28, 2020

Docker Content Trust

When transferring data among networked systems, trust is a central concern.

In particular, when communicating over an untrusted medium such as the internet, it is critical to ensure the integrity and the publisher of all the data a system operates on.

Docker Content Trust (DCT) provides strong cryptographic guarantees over what code and what versions of software are being run in your infrastructure.

When a publisher using Docker Content Trust pushes an image to a remote registry, Docker Engine signs the image locally with the publisher’s private key.

When the user later pulls this image, Docker Engine uses the publisher’s public key to verify that the image is exactly what the publisher created, has not been tampered with, and is up to date.

There are 4 major steps to set up DCT:

1) Generate a Docker Content Trust key

2) Add the signer to the Docker repository

3) Sign the image

4) Enable Content Trust on the Docker host

By following the above 4 steps we can set up DCT.
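The four steps above expressed as the docker trust commands they correspond to, as an added example that is not from the original post or from Docker's own tooling. The signer name and the repository (registry.example.com/team/app) are placeholders; the runner is injectable so the sequence can be exercised without a Docker daemon.

```python
import os
import subprocess
from typing import Callable, List


def dct_setup_commands(signer: str, repository: str, tag: str) -> List[List[str]]:
    """The four DCT steps as docker CLI invocations, in the order they must run.
    `signer` names the delegation key; `repository` is a placeholder such as
    registry.example.com/team/app."""
    return [
        # 1) Generate the signer's key pair: <signer>.pub lands in the current
        #    directory, the private key under ~/.docker/trust/private (prompts
        #    for a passphrase, so run it interactively the first time).
        ["docker", "trust", "key", "generate", signer],
        # 2) Register that public key as a signer (delegation) on the repository.
        ["docker", "trust", "signer", "add", "--key", f"{signer}.pub", signer, repository],
        # 3) Sign the tag with the signer's key; this also pushes the image.
        ["docker", "trust", "sign", f"{repository}:{tag}"],
        # 4) Confirm what is now signed; with content trust enabled on the host
        #    (see content_trust_env), pull/run of an unsigned tag is refused.
        ["docker", "trust", "inspect", "--pretty", f"{repository}:{tag}"],
    ]


def content_trust_env(base: dict) -> dict:
    """Step 4: enabling content trust on the Docker host is done per process
    through the environment (export DOCKER_CONTENT_TRUST=1 in the shell profile
    to make it permanent)."""
    env = dict(base)
    env["DOCKER_CONTENT_TRUST"] = "1"
    return env


def run_dct_setup(signer: str, repository: str, tag: str,
                  runner: Callable = subprocess.run) -> int:
    """Run the steps in order, stopping at the first failure. `runner` is
    injectable so the flow can be exercised without a Docker daemon."""
    env = content_trust_env(os.environ)
    for cmd in dct_setup_commands(signer, repository, tag):
        if runner(cmd, env=env, check=False).returncode != 0:
            return 1
    return 0
```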



Sunday, October 25, 2020

Software Resilience Testing

Software resilience testing is a method of software testing that focuses on ensuring that applications will perform well in real-life or chaotic conditions.

In other words, it tests an application’s resiliency, or ability to withstand stressful or challenging factors.

Resilience testing is one part of non-functional software testing that also includes compliance, endurance, load and recovery testing.

Since failures can never be avoided, resilience testing ensures that software can continue performing core functions and avoid data loss even when under stress.

In today’s world, system downtime is not an option. If a user can’t access an application once, chances are that they will never use it again. Resiliency, which in simple terms is the ability of a system to gracefully handle and recover from failures, thus becomes critical. 

Testing resiliency ensures the system’s ability to absorb the impact of a problem while continuing to provide an acceptable level of service to the business. 

This concept was originally introduced by Netflix in the Principles of Chaos Engineering.

To build your test strategies for resilient systems, you should:

1) Conduct a failure mode analysis by reviewing the design of the system. In simple terms, this means identifying all the components and internal and external interfaces, and identifying potential failures at every point. Once failure points are identified, validate that there are alternatives for each failure.

2) Validate data resiliency, i.e. that there is a mechanism for data to remain available to applications if the system that originally hosted the data fails. Verify that the data backup process is either documented or automated. If automated, validate that the automated script backs up data correctly, maintaining integrity and schema.

3) From an infrastructure standpoint, configure and test health probes for load balancing and traffic management. These ensure that the system is not limited to a single region for deployment in case of latency issues.

4) From an application standpoint, conduct fault injection tests for every application in your system. Scenarios include shutting down interfacing systems, deleting certificates, consuming system resources, and deleting data sources.

5) Conduct critical tests in production with well-planned canary deployments. Validate that there is an automated rollback mechanism for code in production in case of failure.

Saturday, October 24, 2020

Install and Run Gremlin on Windows

The steps below need to be followed to install Gremlin on Windows.
  • Sign up for a Gremlin account using the link below: https://app.gremlin.com/signup
  • Download the Gremlin installer gremlin_installer.msi
  • Run the installer by double-clicking on the downloaded file.
  • Windows, by default, prevents this from running and shows a "Windows protected your PC" dialog box.
  • Proceed with the installation by clicking on More info.
  • This displays another button at the bottom, Run anyway. Click that button to continue.
  • Once the installation is done, the Gremlin config file can be found at: C:\ProgramData\Gremlin\Agent\config.yaml
  • Sign in to your Gremlin account.
  • Go to "Team Settings" and copy the "TeamID" and "SecretKey".
  • Open a command prompt and run "gremlin init".
  • You will be prompted to enter the following values:
          Please input your Team ID:
          Please input your Team Secret:
  • Once these values are provided, Gremlin is initialised.



Thursday, October 22, 2020

Failure Injection Testing

Fault injection is a technique for improving testing quality by deliberately introducing faults into the software.

Fault injection is often used in stress testing and is considered an important part of developing robust software.

Fault injection methods:

Compile-Time Injections - A fault injection technique in which the source code is modified to inject simulated faults into a system.

Run-Time Injections - A software trigger is used to inject a fault into a software system while it is running. The trigger can be of two types: time-based triggers and interrupt-based triggers.
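An added example of the run-time method with a time-based trigger, not from the original post or from any of the tools listed below: a wrapper that stands between the application and a dependency and, once the trigger time has passed, turns every call into a fault, so the caller's retry-and-fallback logic can be tested. The dependency, the accounts and the fake clock are constructed.

```python
import time
from typing import Callable


class RuntimeFaultInjector:
    """Run-time fault injection, time-based trigger: once `fire_after` seconds
    have passed since arming, every call through the wrapper raises `fault`
    instead of reaching the real dependency. The clock is injectable so the
    trigger can be driven deterministically in a test."""

    def __init__(self, fault: Exception, fire_after: float,
                 clock: Callable[[], float] = time.monotonic):
        self.fault, self.fire_after, self.clock = fault, fire_after, clock
        self.armed_at = clock()
        self.injected = 0  # how many calls were turned into faults

    def triggered(self) -> bool:
        return self.clock() - self.armed_at >= self.fire_after

    def wrap(self, func: Callable) -> Callable:
        def wrapper(*args, **kwargs):
            if self.triggered():
                self.injected += 1
                raise self.fault
            return func(*args, **kwargs)
        return wrapper


def fetch_balance(account: str) -> int:
    """Stand-in for the external dependency (constructed)."""
    return {"acct-1": 100}[account]


def resilient_balance(account: str, lookup: Callable,
                      attempts: int = 3, fallback: int = -1) -> int:
    """Behaviour under test: retry the dependency, then degrade to a fallback."""
    for _ in range(attempts):
        try:
            return lookup(account)
        except ConnectionError:
            continue
    return fallback


def scenario() -> tuple:
    now = [0.0]  # fake monotonic clock, advanced by hand
    injector = RuntimeFaultInjector(ConnectionError("injected"), 5.0, lambda: now[0])
    lookup = injector.wrap(fetch_balance)
    before = resilient_balance("acct-1", lookup)  # trigger not yet fired: 100
    now[0] = 10.0                                 # past the 5 s trigger
    after = resilient_balance("acct-1", lookup)   # all 3 retries fault: -1
    return before, after, injector.injected
```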

Tools used for Software Fault Injection:

Following are the tools used for fault injection purposes:

BStorm (Beyond Security) ==> http://www.beyondsecurity.com/

The Mu Service Analyzer (Mu Dynamics) ==> www.mudynamics.com

Holodeck (Security Innovation) ==> www.securityinnovation.com

Xception (Critical Software) ==> http://www.criticalsoftware.co

ES12 new Features