Full Stack Python Security: Cryptography, TLS, and attack resistance
Full Stack Python Security teaches you everything you’ll need to build secure Python web applications.

Summary
In Full Stack Python Security: Cryptography, TLS, and attack resistance, you’ll learn how to:

Use algorithms to encrypt, hash, and digitally sign data
Create and install TLS certificates
Implement authentication, authorization, OAuth 2.0, and form validation in Django
Protect a web application with Content Security Policy
Implement Cross Origin Resource Sharing
Protect against common attacks including clickjacking, denial of service attacks, SQL injection, cross-site scripting, and more

Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you’ll need to build secure Python web applications. As you work through the insightful code snippets and engaging examples, you’ll put security standards, best practices, and more into action. Along the way, you’ll get exposure to important libraries and tools in the Python ecosystem.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Security is a full-stack concern, encompassing user interfaces, APIs, web servers, network infrastructure, and everything in between. Master the powerful libraries, frameworks, and tools in the Python ecosystem and you can protect your systems top to bottom. Packed with realistic examples, lucid illustrations, and working code, this book shows you exactly how to secure Python-based web applications.

About the book
Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you need to secure Python and Django-based web apps. In it, seasoned security pro Dennis Byrne demystifies complex security terms and algorithms. Starting with a clear review of cryptographic foundations, you’ll learn how to implement layers of defense, secure user authentication and third-party access, and protect your applications against common hacks.

What's inside

Encrypt, hash, and digitally sign data
Create and install TLS certificates
Implement authentication, authorization, OAuth 2.0, and form validation in Django
Protect against attacks such as clickjacking, cross-site scripting, and SQL injection

About the reader
For intermediate Python programmers.

About the author
Dennis Byrne is a tech lead for 23andMe, where he protects the genetic data of more than 10 million customers.

Table of Contents
1 Defense in depth
PART 1 - CRYPTOGRAPHIC FOUNDATIONS
2 Hashing
3 Keyed hashing
4 Symmetric encryption
5 Asymmetric encryption
6 Transport Layer Security
PART 2 - AUTHENTICATION AND AUTHORIZATION
7 HTTP session management
8 User authentication
9 User password management
10 Authorization
11 OAuth 2
PART 3 - ATTACK RESISTANCE
12 Working with the operating system
13 Never trust input
14 Cross-site scripting attacks
15 Content Security Policy
16 Cross-site request forgery
17 Cross-Origin Resource Sharing
18 Clickjacking
by Dennis Byrne

Paperback

$59.99 

Product Details

ISBN-13: 9781617298820
Publisher: Manning
Publication date: 08/17/2021
Pages: 306
Product dimensions: 7.38(w) x 9.25(h) x 0.60(d)

About the Author

Dennis Byrne is a tech lead for 23andMe, protecting the genetic data and privacy of more than 10 million customers.

Table of Contents

Preface xi

Acknowledgments xiii

About this book xiv

About the author xvii

About the cover illustration xviii

1 Defense in depth 1

1.1 Attack surface 2

1.2 Defense in depth 3

Security standards 4

Best practices 5

Security fundamentals 6

1.3 Tools 8

Staying practical 11

Part 1 Cryptographic Foundations 13

2 Hashing 15

2.1 What is a hash function? 15

Cryptographic hash function properties 17

2.2 Archetypal characters 19

2.3 Data integrity 20

2.4 Choosing a cryptographic hash function 21

Which hash functions are safe? 21

Which hash functions are unsafe? 22

2.5 Cryptographic hashing in Python 23

2.6 Checksum functions 25

3 Keyed hashing 28

3.1 Data authentication 28

Key generation 29

Keyed hashing 32

3.2 HMAC functions 33

Data authentication between parties 35

3.3 Timing attacks 36

4 Symmetric encryption 39

4.1 What is encryption? 39

Package management 40

4.2 The cryptography package 41

Hazardous materials layer 42

Recipes layer 42

Key rotation 44

4.3 Symmetric encryption 45

Block ciphers 45

Stream ciphers 47

Encryption modes 47

5 Asymmetric encryption 51

5.1 Key-distribution problem 51

5.2 Asymmetric encryption 52

RSA public-key encryption 53

5.3 Nonrepudiation 56

Digital signatures 56

RSA digital signatures 57

RSA digital signature verification 58

Elliptic-curve digital signatures 60

6 Transport Layer Security 62

6.1 SSL? TLS? HTTPS? 63

6.2 Man-in-the-middle attack 63

6.3 The TLS handshake 65

Cipher suite negotiation 65

Key exchange 66

Server authentication 68

6.4 HTTP with Django 72

The DEBUG setting 74

6.5 HTTPS with Gunicorn 74

Self-signed public-key certificates 75

The Strict-Transport-Security response header 77

HTTPS redirects 77

6.6 TLS and the requests package 78

6.7 TLS and database connections 79

6.8 TLS and email 80

Implicit TLS 81

Email client authentication 81

SMTP authentication credentials 81

Part 2 Authentication and Authorization 83

7 HTTP session management 85

7.1 What are HTTP sessions? 85

7.2 HTTP cookies 87

Secure directive 87

Domain directive 88

Max-Age directive 88

Browser-length sessions 89

Setting cookies programmatically 89

7.3 Session-state persistence 90

The session serializer 90

Simple cache-based sessions 91

Write-through cache-based sessions 94

Database-based session engine 94

File-based session engine 94

Cookie-based session engine 94

8 User authentication 100

8.1 User registration 101

Templates 104

Bob registers his account 107

8.2 User authentication 108

Built-in Django views 109

Creating a Django app 110

Bob logs into and out of his account 112

8.3 Requiring authentication concisely 114

8.4 Testing authentication 114

9 User password management 117

9.1 Password-change workflow 118

Custom password validation 120

9.2 Password storage 122

Salted hashing 125

Key derivation functions 127

9.3 Configuring password hashing 130

Native password hashers 131

Custom password hashers 131

Argon2 password hashing 132

Migrating password hashers 133

9.4 Password-reset workflow 136

10 Authorization 139

10.1 Application-level authorization 140

Permissions 141

User and group administration 142

10.2 Enforcing authorization 147

The low-level hard way 147

The high-level easy way 149

Conditional rendering 151

Testing authorization 152

10.3 Antipatterns and best practices 153

11 OAuth 2 155

11.1 Grant types 157

Authorization code flow 157

11.2 Bob authorizes Charlie 161

Requesting authorization 162

Granting authorization 162

Token exchange 162

Accessing protected resources 163

11.3 Django OAuth Toolkit 164

Authorization server responsibilities 165

Resource server responsibilities 168

11.4 Requests-oauthlib 172

OAuth client responsibilities 173

Part 3 Attack Resistance 177

12 Working with the operating system 179

12.1 Filesystem-level authorization 180

Asking for permission 180

Working with temp files 181

Working with filesystem permissions 182

12.2 Invoking external executables 184

Bypassing the shell with internal APIs 185

Using the subprocess module 187

13 Never trust input 190

13.1 Package management with Pipenv 191

13.2 YAML remote code execution 193

13.3 XML entity expansion 195

Quadratic blowup attack 196

Billion laughs attack 196

13.4 Denial of service 198

13.5 Host header attacks 199

13.6 Open redirect attacks 202

13.7 SQL injection 205

Raw SQL queries 205

Database connection queries 206

14 Cross-site scripting attacks 208

14.1 What is XSS? 209

Persistent XSS 209

Reflected XSS 210

DOM-based XSS 211

14.2 Input validation 212

Django form validation 215

14.3 Escaping output 218

Built-in rendering utilities 219

HTML attribute quoting 221

14.4 HTTP response headers 222

Disable JavaScript access to cookies 222

Disable MIME type sniffing 224

The X-XSS-Protection header 225

15 Content Security Policy 227

15.1 Composing a content security policy 228

Fetch directives 230

Navigation and document directives 234

15.2 Deploying a policy with django-csp 234

15.3 Using individualized policies 236

15.4 Reporting CSP violations 238

15.5 Content Security Policy Level 3 240

16 Cross-site request forgery 242

16.1 What is request forgery? 242

16.2 Session ID management 244

16.3 State-management conventions 246

HTTP method validation 247

16.4 Referer header validation 248

Referrer-Policy response header 249

16.5 CSRF tokens 250

POST requests 251

Other unsafe request methods 252

17 Cross-Origin Resource Sharing 254

17.1 Same-origin policy 255

17.2 Simple CORS requests 256

Cross-origin asynchronous requests 257

17.3 CORS with django-cors-headers 257

Configuring Access-Control-Allow-Origin 258

17.4 Preflight CORS requests 259

Sending the preflight request 260

Sending the preflight response 263

17.5 Sending cookies across origins 264

17.6 CORS and CSRF resistance 265

18 Clickjacking 267

18.1 The X-Frame-Options header 270

Individualized responses 270

18.2 The Content-Security-Policy header 271

X-Frame-Options versus CSP 272

18.3 Keeping up with Mallory 272

Index 275