Application security is best designed into a system from the start. Anthony Shaw is doing something about it by creating an editor plugin that actually helps you write more secure application code while you are coding. We discuss his security plugin, but also application security in general, as well as other security components you need to consider.


Transcript for episode 101 of the Test & Code Podcast

This transcript starts as an auto-generated transcript.
PRs welcome if you want to help fix any errors.


00:00:00 Application security is best designed into a system from the start. Anthony Shaw is doing something about it by creating an editor plugin that actually helps you write more secure application code while you’re coding. So cool. On today’s test and code, Anthony and I discuss his security plugin, but also application security in general, as well as other security components that you need to consider.

00:00:24 Security is something every team needs to think about, whether you’re a single person team, a small startup, or a large Corporation.

00:00:32 Anthony and I also discuss where to start if it’s just the few of you or even just one of you.

00:00:39 Thank you, Oxylabs, for sponsoring this episode. Oxylabs, a top provider of innovative services including real time crawler, web scraper, and residential and data center proxies trusted by more than 500 companies. Find out what they can do for you at oxylabs.io/testandcode.

00:01:09 Welcome to Test and Code, a podcast about software development, software testing, and Python.

00:01:23 Welcome to Test and Code. I’m really excited to have Anthony Shaw back. Or Anthony Shaw. Sorry. Anyway, thanks for coming on the show.

00:01:30 Hey, Brian, it’s good to be back on the show.

00:01:33 Yeah. So you’ve been up to a whole bunch of stuff, and one of the things you’re up to is this plugin for PyCharm with security. So why is your head in security right now?

00:01:45 It has been for a while. I’ve been interested in sort of like application developer security for ages and have sort of written about it and also wanted to write a Python plugin because pretty much any application that has a plug in capability, it’s too tempting not to just sit down and try and write a plugin for it.

00:02:07 Okay, sure.

00:02:10 What are we talking about when we’re talking about security?

00:02:12 Yeah, I guess on this particular topic, wanted to focus on application security in particular because if you look at security, cybersecurity in general or like information security, then there’s a whole bunch of stuff you could talk about, like data security, environment security.

00:02:31 But the application is the bit that as a developer, you’re responsible for and you have the biggest impact on.

00:02:39 I’m quite passionate about it because I’ve seen so many insecurely developed applications over the years, or one of my first jobs was as a support engineer in a data center and being called out in the middle of the night time and time again because people’s servers had been hacked because of poorly written applications.

00:03:02 So probably since then I think I’ve been kind of cared about it. And there’s such a lack of awareness, I think, of the easy ways to hack into applications. Some people make the same mistakes over and over again.

00:03:15 So the goal with the plugin was to basically write something that would sit in PyCharm and almost like give you hints and stuff as you’re writing the code, saying, okay, actually what you’re doing is a bit insecure, here’s a better way of doing it, and it will highlight the code and show you where you’ve potentially introduced a vulnerability.

00:03:37 And then it will suggest a quick fix. So if you’re used to PyCharm, you can hit the quick fix, which I don’t know what it is on Windows, but it’s command and enter on Mac, and it will just replace the code with whatever it suggests as being a more secure alternative.

00:03:55 Okay, so that’s a couple of questions here. By application, you mean a web application, right?

00:04:04 Yeah. So that’s an interesting one. I think when people think about application security, they think, okay, yeah, fine. If I’ve got something that’s on the Internet, then I should care about security. But my app is, I don’t know, it’s shipped to people’s desktops, or it runs in, like, a corporate environment somewhere and it’s behind a firewall. Like, why do I need to bother about security? But actually, all this stuff really can impact any type of application, not just Internet facing applications. I think web apps definitely get the most amount of attacks in hammering. But if you’re an attacker and you want to basically get into a network, you can use application vulnerabilities, too, like, sidestep security, basically. So, like, a common technique is to go in via one entry point and find an application that has a vulnerability and then almost, like, use that as a stepping stone into something else.

00:05:06 So it’s not just the web apps. It’s pretty much everything you have to care about.

00:05:10 Before we’re talking, I was even thinking, well, I don’t have to care about it for a static site, but there’s no running code, so there’s no vulnerabilities.

00:05:20 But you pointed out that there’s JavaScript, but we have to care about that, too, right?

00:05:25 Yeah, absolutely. I mean, if I was to tell you that there’s a way of running arbitrary code on your users’ machines and you have no control over it, you’d probably be terrified. But you pretty much got that in your application at the moment with script tags at the top. You’re importing libraries from third party places. You probably haven’t vetted those.

00:05:50 And it sounds paranoid, but this stuff happens all the time. We were just talking about the British Airways hack, which is basically related to JavaScript. It wasn’t even a back end flaw. It was the fact that they were using a JavaScript library that had been compromised and had a keylogger in it, and they had that on their payment site, and it was all related to adverts. So they had adverts on the site.

00:06:14 And basically one of the adverts was importing some JavaScript libraries that were compromised, and they were just capturing people’s credit card information off the payment page.

00:06:25 Okay, yeah. See, this is terrifying. So that’s one of the reasons why I’m glad we’re talking about this is because to try to make it a little less terrifying. My first reaction is, well, I just don’t want to do anything related to the web anymore, but that’s not a reasonable solution. There’s a lot of people that are just small businesses or something, or even just small teams that don’t have a bunch of money to throw at this or extra people. So how do we take this in small steps to do the right thing?

00:06:53 If I run your plugin on PyCharm, I like the idea of trying to catch things as people are writing. Does it also scan the rest of it as well, or do we have to scan existing code, the stuff that’s there already?

00:07:10 Yeah. So what it’ll do is you can it basically pops up in the editor. So as you’re writing, it will make suggestions just like any other annotation in PyCharm.

00:07:19 Also, when you open the project, it will look at the packages that you’re using, and it will see if any of those packages have got known security flaws.

00:07:29 So it uses something called Safety DB, which is the same database that PyUp uses. If anyone has ever used PyUp, it’s like a GitHub integration that looks at your packages on your GitHub repositories. So basically what it will do is it will look at all your package dependencies and say, are you using this particular version of Django? Actually, that version has got these three security issues. So when you open the project in PyCharm, it will give you a warning to go and update the packages. So that’s assuming that the security issues are known, which in a lot of cases for big applications they are; people have found the holes already and reported them. And then you can scan the whole project as well if you want.

00:08:13 Okay.

00:08:14 So even if I have, I’m not really working on my app, but it’s sitting on top of a bunch of other projects. I do need to pay attention to this on a regular basis to make sure that there are vulnerabilities in the packages I’m using.

00:08:28 You were kind enough, since I’m a newbie at test at security stuff, kind enough to write some notes down, and I appreciate that. But one of the things that you brought up is whose job is it? I think the answer is going to be it’s everybody’s. But there’s got to be some separation of responsibilities there, right?

00:08:45 Yeah. I mean, if I gave you a scenario, not on security, just in normal testing, let’s say somebody had written, you’d developed an application that takes inputs and it puts those inputs in the database. And then another part of the application loads the data from a database and presents it in a view or something. That’s a really common pattern in applications. Let’s say if you were doing QA, you discovered that in the input you could inject or put null values into the database, and the database was configured to allow null values in this particular column. And then the other part of the application that reads the null values crashes because it’s not expecting a null value. Would you ship that application?

00:09:31 No, of course not.

00:09:33 And whose job is it to find that issue?

00:09:37 Well, it’s yours.

00:09:38 You don’t work for me, but it’s still yours.

00:09:41 Yeah.

00:09:42 So I think the security aspect is basically the same. It’s just thinking differently. So if you’re thinking about it from a like a normal software, like quality testing, you think about, okay, here’s some inputs.

00:09:58 What kind of inputs is expecting? Can I give it different inputs? Like can I try and break the application that way? And security testing is basically similar, but you’re thinking maliciously. So if you can put your evil hat on for a minute and think, okay, how can I maliciously do this? Just because the user shouldn’t do that doesn’t mean they won’t.

00:10:19 And in some cases, people will try and go out of their way to basically bypass things. So I think whose job is the testing? It’s definitely the developers responsibility to think about and have knowledge about application security. I think it’s the testing team. If there is a testing team, or whether that responsibility is integrated, I think it’s part of testing to think about security and to also look at and test for security scenarios.

00:10:50 And I think it’s also management’s job to make sure that enough time has been factored into road maps or planning or whatever to allow for security testing. And don’t think of it as a luxury. Another common trap that people fall into, for example, on web applications is something called parameter manipulation, which sounds technical, but when you understand it as a developer, it makes you approach things differently. So if you had a web application that was like a shop, for example, and a user had logged in and they could click on their orders or something, and it would look in the database to see what orders you made in the past and you could click on one of those orders and it would take you to the order page.

00:11:43 So that’s a fairly simple common thing that people would write.

00:11:47 So when you click on the order, it passes the ID to a view and says, okay, this is your order. When you ordered five books or whatever, the step of going from the orders page to the order view, you’re passing an order ID or a unique Identifier or something. Okay, are you validating on the last view that that order ID still belongs to the same user?

00:12:11 Because this is probably one of the most common mistakes in web applications is to basically present a series of data to a user and then to allow them to then go to another page, like via Ajax or via a form post or something.

00:12:29 But what you can do is just swap that ID out for something else.

00:12:34 What if I change the ID? Do I get somebody else’s orders?

00:12:39 Is there ways that I can use that to get information about other people?

00:12:44 Change my permission? This is a pretty common mistake people make.

00:12:49 Yeah, especially. I don’t know if it happens anymore, but it used to be people would even have, like, their user ID and the URL that you’d end up following down.

00:13:00 Yeah, that’s a pretty bad one. I think people think that if you’re using POST, then it’s secure, but it’s just the same. You can still swap POST values.

00:13:09 Oh, really?

00:13:10 Okay, yeah, it’s easy to do.

00:13:15 Thank you to Oxylabs for sponsoring this episode. Oxylabs is a top provider of innovative web data gathering services such as real time crawler, web scraper and residential and data center proxies.

00:13:28 Oxylabs is now introducing their next generation Residential Proxies, which are a significantly improved data gathering solution. They provide a stable and fast proxy pool with more than 30 million global IP addresses, and they are resource efficient, with the proxy management, user agents and IP rotation all done on the Oxylabs side. Oxylabs has a deep understanding and knowledge of how to acquire web data, and they provide a dedicated account manager for every client, already trusted by more than 500 companies. Visit oxylabs.io/testandcode to find out more about their services and to apply for a free trial of their next generation Residential Proxies. That’s oxylabs.io/testandcode.

00:14:18 Does it make sense to bring on somebody that really has the knowledge on how to break things like the evil hacker hat?

00:14:30 Does it make sense to bring somebody like that onto a team? And if so, when? At what level of team do you need that?

00:14:41 This is a hard question.

00:14:43 There’s definitely a perception that these kind of security testers are these. They have, like, huge amounts of domain knowledge, which they can in some cases, and they know all the secret ways to hack into the applications.

00:14:58 The ones I’ve worked with, definitely some of them have that, and they’ve taught me loads about Web applications in particular.

00:15:07 Whether you should hire one, I mean, as a dedicated role is going to depend on your budget. I’d say at a minimum, you need to have a set of standards as a team and check some things that you would look for. So to make sure that everyone on the team is aware, at least of security and has been trained on application security.

00:15:30 And then also you can sit down as a team and say, okay, what would our coding standards be? What kind of things would we make sure that we validate? Because those are going to be specific to whatever it is you’re building. Like, fine, if you’re building a Web application that’s an online store, then you obviously need to think about how you handle credit card data, how you handle passwords, how you handle user authentication, stuff like that.

00:15:53 But if you’re building, like, an application like you do, Brian, or you’re testing an application like you do, which is more sort of to do with radio signals, and I can’t remember exactly what it does, but you still need to think about that stuff, because if people wanted to hack into it, they would do it for different purposes. Like if your equipment has been used for, I don’t know, like military applications or it’s being used in some big industrial scenarios, could somebody attack it? And if they could, what mechanisms would they use? Are there any inputs into it? Is there any way of sending signals to it? So I think as a team, you’ve got to sit down and discuss what would our attack surface look like?

00:16:42 How can people get stuff into the system and how can we basically update our like patterns and practices as a team to think about security and think about sanitizing input and think about all the other different approaches that we need to take? So I think first step would be if you work either as a single developer, then you need to do this yourself.

00:17:05 If you work in a very small team, then I think as a team to do this and there’s heaps of training you can do online free. You don’t need to spend any money and then actually just sit down and think about it and start to write a basically a list of best practices for your team.

00:17:21 And then if you’re big enough, then you can absolutely hire somebody to do this.

00:17:26 But if you do hire a full time person, I’d say also be careful because there are people who can write a lot of theory and things like that. But if you actually need someone who’s going to sit and try and hack the application all day, then make sure you’re hiring for that particular skill set.

00:17:47 Now, I imagine there’s a lot of low hanging fruit of common problems with lots of applications. So is there applications off the shelf, things that you can either either open source projects or free stuff, or even paid stuff that can try to attack a test server or something to see if you’ve got any security problems?

00:18:15 Yeah, absolutely.

00:18:17 Most of it’s commercial.

00:18:20 So there are basically two different types of code. If you look at code analysis in particular and there’s basically two different categories, there’s static code analysis and dynamic code analysis, just as you would have with code analysis tools for complexity or any other thing like performance, for example, static code analysis tools range from the simple free ones you can get online to.

00:18:49 You could be spending $100,000 upwards on a decent coding platform.

00:18:56 These have got a lot more kind of expertise built into them, huge databases of common vulnerabilities and stuff like that.

00:19:05 So you can absolutely have a tool that’s going to scan things for you.

00:19:10 For Python, I mean, there’s Bandit, which came from the OpenStack Foundation, actually, and then moved into the Python Code Quality Authority. So it’s kind of part of the Python free libraries you can get online. Bandit is a free tool. My PyCharm plugin is a free tool. It only has a small number of tests at the moment. It’s only got about 13 checks, but I’m adding new ones all the time. Whereas if you buy like a commercial static code analysis tool, they have thousands and thousands of tests in them, but it will also raise a lot of false positives. So you pretty much need somebody who’s going to babysit the system to manage that stuff.

00:19:55 So is Bandit a static analysis tool?

00:19:58 Yeah, it’s a static analysis tool. Okay.

00:20:01 I think it’s probably got about 60 or 70 tests in it.

00:20:06 So yeah, it definitely doesn’t cover everything or anywhere close to, but it’s a good minimum viable product. I’d say.

00:20:15 Okay.

00:20:15 And now are there things that you can point at your live site and try to attack it?

00:20:26 Yeah, I guess the testing is split into two parts. One is the application testing, which you can do offline by either statically looking at the code. So looking at it as a text file or dynamic code analysis, where you look at it as like a running application and you try and you try and manipulate it that way.

00:20:48 There’s also like the environment. So where do you deploy the application to, or where is it running, and is that environment secure? So in some cases, if it was a web application and it’s running on a web server, is that web server secure? So I don’t know. Is SSH locked down?

00:21:06 Does it have an admin page? If so, what’s the admin password? Is it password? One, two, three, just really simple stuff like that.

00:21:16 You mentioned WordPress before the chat. If you’ve ever looked at web server logs, you can see like all the URLs and stuff people are trying to get to on your web application, like wp-admin or WordPress admin.

00:21:34 Even if you don’t have WordPress on your web server, random IPs from all over the Internet will be constantly trying to hit WordPress admin 24 hours a day because WordPress is such an... careful what I say here. WordPress historically has been such an easy thing to hack into.

00:21:54 That bot will just sit there looking for WordPress servers and just hacking into them and then deploying code on them.

00:22:01 So you catch that in environment testing?

00:22:04 Yeah.

00:22:05 And I didn’t think that as just a lowly blog that I’d have a problem with that.

00:22:11 But I did get notified once that something like that had happened and all of my links were redirecting to a porn site somewhere.

00:22:22 That was not what I intended.

00:22:24 So yes, so I’m not even using my WordPress site right now, but I want to migrate it to something like Pelican, which I know I have to pay attention to JavaScript security still, but at least it’s got less vulnerabilities on the back end. And I’d like it to, I guess.

00:22:47 So it’s still up, but I just go on like once a month and make sure everything’s updated. And it’s annoying to have to do that anyway.

00:22:56 Yeah.

00:22:57 There’s both free and paid tools you can use to scan environments, and the free ones are basically the same tools that the hackers use.

00:23:07 So there’s quite a few of those out there.

00:23:09 Things like Nessus, for example, will scan an IP address and see if it has a web server. If it has a web server, then it will check all the known applications and stuff like that.

00:23:23 And there’s commercial products you can buy as well, which will do just as thorough, if not a more thorough job. One example would be Qualys, which I’ve seen a few times, which is very expensive.

00:23:38 You can basically say like this is our staging environment or this is our production environment and it will just sit there all day trying to hack it.

00:23:46 So Qualys as an example is like a good way of looking at environment testing, because otherwise you’d have to go and manually do it every month, which would be pretty cumbersome. And also you wouldn’t know what you were looking for necessarily, right?

00:24:05 Yeah, there’s the application stuff, but like I said, once you deploy it somewhere, you’re deploying it to an environment. And let’s say I’ve got static analysis running like I’ll stick Bandit and a couple of these other things in my continuous integration to look at all my stuff to make sure it’s always secure. I’ll put your plugin in place and recommend that everybody that’s writing code for my app uses this plugin so they have hints so that we can catch things while we’re writing instead of after the fact. And then what put in place, like before we do major changes, try to we have to look at the environment to make sure our environment is secure.

00:24:52 I’m guessing some of the real stuff is the secrets that we really want to are liable for if we release things like credit cards and people’s addresses and things like that, making sure that those are encrypted all the way down to the database so that we’re not actually dealing with clear text secrets at all. So secret management is the thing. Is that part of security testing as well?

00:25:23 Yeah. So if you’re storing or handling credit card data, luckily there is actually a standard that you need to meet the PCI DSS standard, which has basically got a list of security requirements in it. So things like environment testing, for example, and having a firewall and having a password policy, is that all requirements before the payment card industry will even let you take and store credit cards.

00:25:56 So thankfully, because there is that standard, then credit card information doesn’t get stolen from the Internet, but in reality that is scratching the surface.

00:26:10 So credit cards. Absolutely.

00:26:12 If you need to handle credit cards that don’t try and do that yourself.

00:26:17 Meeting PCI DSS is an expensive task.

00:26:22 If you can offload that to a third party, then do so.

00:26:26 Even in, like in the post GDPR world, even if I just have somebody’s name and email address, I have to care about keeping that a secret, though.

00:26:34 Yeah, absolutely.

00:26:37 Do you recommend using secret management and encryption with things like that as well?

00:26:43 Yeah, that’s one of the things I’ve been looking at in the plugin is basically the different hashing algorithms which are in Python, in the standard library, as probably about a third of them, if not half of them, that come bundled with Python are cryptographically weak. Let’s say, like, you could crack them with enough compute power, and it doesn’t have to be a lot these days.

00:27:14 So even with the hashing algorithms that come with a standard library, you have to be quite careful.

00:27:19 So one of the checks I’ve got in the plugin will actually say, okay, you’re using this particular algorithm. Don’t use that for storing anything that you wouldn’t want reverse hashed, basically. Okay.

00:27:33 It’s one thing if you’re doing secret management, then don’t try and write that yourself. There’s libraries to do this off the shelf.

00:27:42 Yeah. And also there’s ways to push it down to the database as fast as possible. So you don’t actually deal with it most of the time. Anyway.

00:27:51 One of the things that some applications do is I don’t actually have to sign up for account with them. I get to use my GitHub account or my Google account or something to sign in somewhere. Does that make it more secure or increase the security problem?

00:28:09 Yeah, that’s a good question.

00:28:11 I did actually make a list of notes the other day on ways that I would look to hack into a Django application if I was evil.

00:28:23 And one of them was to do with authentication modules, basically. So Django has got a pluggable authentication system, and if you wanted to bring in like an OAuth and OpenID plugin, so if you wanted to let people log in using Facebook or Google or GitHub or something, then there’s modules you can download and install into Django, or there’s ones that you can run in your Python application to enable that.

00:28:51 Does that make the application more secure?

00:28:55 It means you don’t have to handle the inputs of the password. And also in a lot of cases, users would get two factor authentication. So if you’ve got two FA on GitHub, for example, then that means your users get two factor authentication as part of that, which is great.

00:29:13 But these modules, the configuration is a bit complicated and people can make mistakes in the config. I think that’s probably the biggest issue is that people pull in these modules that do OAuth or OpenID and they don’t really understand the configuration and they make a mistake and they’ve left a security hole in the application.

00:29:35 Okay, now remind me what two factor authentication is.

00:29:44 Two factor means there’s basically another thing that you need to have other than the password.

00:29:51 So it could be anything. It could be like a phone, for example. So if you’ve got an app on your phone that generates keys, or it could be one of those little key fobs, or it could be a text message or something. So two factor authentication, which you should have enabled on GitHub if you don’t already, means that if you want to log into GitHub, you need to have an app installed on your phone. You have to type in the extra code as well as the password.

00:30:19 Okay. But then they somehow often store that information. So I don’t have to do it every time. Is that via cookies or do you know how that’s done?

00:30:31 It’s via cookies.

00:30:33 So you have a session cookie which has got an expiry time on it. Okay. So you don’t have to log in every time.

00:30:40 So if I’m really being a paranoid person and running like all the security stuff on Firefox, I just have to do two factor authentication on everything all the time.

00:30:50 Yeah. That’s why I know there’s cookies, because I’m one of those people.

00:30:55 Okay, well, cool.

00:30:59 So I think I’m actually breaking this up into things like I need to care about the environment, I need to care about my application, I definitely need to care about my database and that security because we didn’t talk about that. But I’m guessing somebody could spoof your application and pretend to be the app talking to the database. So you want to make sure that that doesn’t work.

00:31:24 Yeah, there’s a lot there, but it’s not terribly unmanageable. At least it’s still kind of daunting. But there’s some places to get started, so that’s good.

00:31:35 Yeah.

00:31:36 And one additional action I’d say, especially for developers, if you want to kind of practice your security techniques a bit more. So once you’ve done that, do some training online.

00:31:50 There’s plenty of places where you can either pay to do the training, like Pluralsight, for example. It’s got lots of training modules on application security. There’s some free stuff out there as well of mixed quality. I mean, you do get what you pay for, but once you’ve done that, then check out HackTheBox EU, which is basically a website where you’ve got a series of challenges. It’s really fun.

00:32:20 And you have to basically like reverse engineer applications, crack cryptography algorithms, hack servers, break applications. So if you’re learning this stuff, the problem is that there’s not many places where you can practice to see if what you’re learning is correct. So Hack The Box is really cool, without obviously breaking the law.

00:32:43 Yeah, hacks legal places to do that.

00:32:48 So Hack the box is a cool legal place.

00:32:52 The thing I really love about it is that there is no registration page because you have to hack the website to register.

00:33:03 Okay.

00:33:05 So if you’re listening to this and you go onto the website, it’s basically a barrier to stop who don’t have it’s actually quite tricky to hack into it to register.

00:33:20 If you get stuck, just ping me and I’ll give you some clues.

00:33:26 But yeah, you got in.

00:33:28 Yeah.

00:33:31 If you spend time in the JavaScript console, basically you can kind of look at the login page and figure out what it’s doing and then generate yourself an invite code.

00:33:43 Okay, cool.

00:33:45 Yeah, there’s ways in, but there’s some fun stuff in there, and it’s pretty much all Python as well. So the challenges in there that I’ve really enjoyed is they’re reversing in crypto stuff.

00:33:55 And the crypto ones, they’re pretty much all in Python. So you’re basically writing Python scripts to try and crack crypto.

00:34:03 Okay, now I have to admit I’m a little embarrassed to admit this, but I actually thought people that said that they were into pen testing actually were testing ballpoint pens or something for a small amount of time.

00:34:23 But pen testing is short for penetration testing, right?

00:34:28 Yeah.

00:34:31 So penetration testing is definitely something that you should look at if you’ve got the budget.

00:34:37 They are quite expensive.

00:34:40 Providers also vary greatly in quality and you get what you pay for. Again, some pen testing companies will run the same tools you can download for free on the Internet.

00:34:53 So there’s some of the stuff that I mentioned. Basically they’ll just run that and charge you $50,000 for it and put it all in a nice PDF report at the end.

00:35:03 If you find a good firm, then you can actually have onsite pen testing and stuff like that.

00:35:11 For people that I’ve worked with in the past, pen testers, they’ve actually taught me a lot.

00:35:16 For example, they showed me this really cool USB key you can get.

00:35:23 But yes, you can make your own. It’s really quite simple. And Windows puts the password check mechanism into RAM.

00:35:36 And basically, using this USB key, you can plug it into pretty much any machine that has a USB port. Open Firewise got the same vulnerability as well.

00:35:48 And you can log in, just type in the username, and the password can be whatever password, one, two, three. It doesn't have to actually match the password of the user, and it just lets you in.

00:36:03 Okay, I was working with a pen tester and we're doing on site testing and I was like, oh, what's on the USB stick? And they told me the software and on marketer, I'm not going to share the name of it, but it's easily Googleable.

00:36:19 And I was like, wow, that’s pretty cool if you think your machine is locked down because you have a secure password. Like you just plug in this USB stick and it just bypasses the password check.

00:36:32 That’s why I put tape over my USB ports.

00:36:36 Some sticky tape. Yeah, that’ll do it.

00:36:38 Yeah. Like I have it over my camera. No, I bring it up just because I was taking a look at the HackTheBox EU site.

00:36:47 Essentially, this is for you to practice pen testing on those boxes, right?

00:36:53 Yeah. It's something that pen testers use as a training ground, basically.

00:36:59 Okay. Yeah. Interesting. Cool. Well, thanks so much for teaching me all about this. Before we let you go, though, I want to ask you about this book that you're working on. Right. You're writing a book on CPython, correct?

00:37:17 Yeah. So I’m writing a book on CPython internals.

00:37:21 So it's basically covering the sort of technical aspects of CPython, like how it's built, how the software is laid out, how bytecodes work, how the compiler works, how the evaluation loop works, how memory management works, the testing libraries.

00:37:44 It's pretty much there, I guess, if you were to join a team and there was like an internal dev guide for new developers. Okay, here's all the stuff you need to read in order to join as a developer; this is basically the missing manual for that. There is a dev guide on the Python site, but this goes into like a whole new level of detail. It's fairly advanced, but for complicated stuff, for example, like the compiler and the bytecode evaluation loop, I've really tried to break it down into small pieces and use lots of diagrams and illustrations to explain it simply. So it's not an academic... I've really tried not to make it like an academic book, to try and explain things. And the goal is as well that people can read this book and then feel like they've got a good enough understanding to start to contribute to CPython, or they've basically improved their knowledge of the fundamentals of the language and also the runtime, which will be useful for big applications or more complex apps.

00:38:57 You’re even getting into details like how to configure your editor and stuff like that.

00:39:02 Yeah. So I've kind of approached this with a perspective that a lot of people will be using Windows, and the developer toolchain for CPython is very targeted to Linux users in particular.

00:39:20 I think a lot of the core dev team use Linux or Mac, but a lot of people obviously use Windows.

00:39:28 The CPython Windows team use Windows.

00:39:31 But if you're using Windows and you just want to work on the code at the moment, there's a lot of things you can't do. So what I've been doing is basically looking at IDEs like Visual Studio Code, PyCharm, CLion, which is made by JetBrains as well. It's like the C/C++ version of PyCharm.

00:39:54 I'm really excited about that because I've actually wanted to try that on some C code, but I haven't yet.

00:40:00 Yeah. So CLion is actually really cool.

00:40:04 I really got on well with it. It’s got the same visual debugger as PyCharm.

00:40:09 Okay.

00:40:09 But for C and C++, you can stick breakpoints in, and I kind of explain how to do this in the book because CPython doesn't use CMake, which is the newer version of the make tools.

00:40:27 So yeah, there's some workarounds to basically get that working. But yeah, you can do visual debugging in CLion as well.

00:40:37 So I've got to admit, I'm probably not going to read the whole thing, but I'm totally going to buy the book and I'm going to use it as, actually, the way I use most textbooks is I'll read a couple of chapters and then jump in and try to get started, and then use the book to help me as a tutor where I get stuck.

00:40:58 I’m totally excited to jump on board, but I read super slow, so I don’t know how long your book is so far.

00:41:06 When it’s finished, it will be about 400 pages.

00:41:08 Okay. I'm so looking forward to it, and I'm glad you're working on it. I think it's something that definitely was needed, and even if I didn't contribute to it, Python is such a widely used thing that I think it's a good example of a large, long-living project that people can use to just practice their ability to navigate large code bases and stuff.

00:41:33 I've heard people before say there's no excuse for not having experience with a large code base because, like, the Linux kernel is available for anybody to play with. But oh my gosh, I don't really want to play with the Linux kernel. I might want to play with... You've done it before. I think it was you. Didn't you add some operator to Python that you knew was going to get rejected, or was that somebody else?

00:41:59 Yeah, that was me. I added an in-place increment operator. So if you use C and C++, you would say, if i is a number, then you say i++ and it just means that number plus one. So you famously can't do that in Python because Guido doesn't like it. And the reason why is actually in the Zen of Python, if you look really closely, it's like a hidden hint when it says there should be one and preferably one.

00:42:35 The first time it has the minus minus at the end, and the second time it has the minus minus before.

00:42:41 And it's actually a hint because the post-increment and decrement operator in C can be before or after the variable name, and it also has different behaviors, and it confuses people.

00:42:56 And when they were designing the language, they didn't like that so much, so they first of all made sure that you couldn't do that in Python; it's not even an operator. And then secondly, they put it into the Zen of Python as a joke. So if you go and read the Zen of Python again, you'll notice that those two hyphens are actually a reference to that.

00:43:16 I’ll definitely do that in the book.

00:43:18 What I've been doing is, for each chapter, basically building on an example. So the example is adding an almost-equals operator. So in Python you can do equals-equals, or not-equals, or less-than-or-equals, or greater-than-or-equals.

00:43:34 For example, I was curious about that because I saw you tweeting about it and I'm like, is there an almost-equal operator in Python?

00:43:41 No, there isn't. So in the book, each chapter, as it builds into the different levels, we carry through the same example. So it's a tilde, which is like the squiggly line, squiggly line equals. So we basically add it as grammar and compile it into CPython, and then as we go through the different object types and stuff, then we add support for it. So I've been doing it for, like, floating point integers. So almost-equals means 1.01 is pretty much the same as 1.0.

00:44:16 Well, pytest has an approximate... yeah, I'm assuming you're kind of doing something like that.

00:44:21 Yeah. And I've been adding support in strings as well, so it ignores case, for example.

00:44:27 That’s cool.

00:44:30 I'm like, okay, does it matter if they've got a capital letter or not? And then, just fine. I've been looking at emojis as well. So saying, like, a smiley face and a grinning face are approximately equal, and then a koala bear is not approximately equal to a bear because it's not bear, for strings.

00:44:46 Trailing spaces, are you ignoring those?

00:44:51 Actually, I’m keeping those into account. Maybe we could add that in. That’s a good idea.

00:44:56 Anyway, I like it. Now you’ve convinced me I’m going to have to read the whole thing so I’m just not going to sleep for like four months. Thanks.

00:45:04 I've got to finish it first. So the goal is to have it ready and published and physical books available for PyCon US this year.

00:45:13 Okay, well, I have a goal of publishing this episode before then as well. No, it should be long before then. Hey, we’re running long, mostly because you and I are friends and I could talk to you for hours, but we should probably wrap it up. So thanks a ton for coming on the show and talking to us about security, keeping us updated on your book and good luck with finishing that.

00:45:36 Yeah, thanks, Brian. It’s been fun.

00:45:40 Thank you to Anthony for all of that great security info. Thank you to Patreon supporters for continuing to support the show. Join them by going to testandcode.com support.

00:45:51 Thank you to Oxylabs for sponsoring this episode. Find out about all they do, including next-gen residential proxies, at oxylabs.io/testandcode. That link is also in the show notes at testandcode.com/101. That's all for now. Now go out and test something.