Top 10 Security Hacks and Protection in Python



My quick draft summary of a talk given by Jacob on Python and the top 10 security hacks (https://www.youtube.com/watch?v=sra9x44lXgU)

I really recommend watching the talk. Below is my draft, which I'm too lazy to even read :D
I hope it helps you guys build secure web applications with Python


1- Injections:
  • An attacker may inject SQL statements into a field
  • An attacker may even sign up with a username that is an SQL statement
  • Protection:
    • Use an ORM
    • If you have to write an SQL query (only if you really need to), never build it as a string; use parameter binding instead (send the query and the parameters separately, like cursor.execute(query, params), and not like cursor.execute(query % params))
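As an added example (not from the talk or the original post), here are the two execute styles above run against an in-memory sqlite3 table, with a constructed username that is really an SQL fragment, so you can see the difference:

```python
import sqlite3

# Constructed sample data for the demo, not real users.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE: the user input is pasted into the query text before
    # execution, so the database parses it as SQL (the query % params mistake).
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # SAFE: query and parameters travel separately; the driver binds the
    # value, so it is only ever compared as data and never parsed as SQL.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed input: a "username" that carries an SQL fragment.
INJECTED_USERNAME = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, INJECTED_USERNAME),
        "safe": find_user_safe(conn, INJECTED_USERNAME),
    }


if __name__ == "__main__":
    results = demo()
    print("unsafe:", results["unsafe"])  # every row comes back
    print("safe:  ", results["safe"])    # no such user, empty list
```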

2- Session Security:
  • Don't ever share the SECRET_KEY (especially on GitHub)

3- XSS (Cross-site scripting)
  • It means the attacker sticks his code into your webpage.
  • The way the attacker does this is usually similar to SQL injection.
  • Protection:
    • Use a template language that auto-escapes tags, like Jinja2 (Flask, Django, ...)

4- Insecure direct object references (Bad URLs)
  • Something like blah/blah/myapplication/431882 or blah/blah/myapplication/jackob-2013
  • Protection:
    • Simply don't use direct object references; use a random generator

5- Security Misconfiguration (DEBUG=True, ...)
  • Protection:
    • Django has a checklist (django-secure) to check the security settings before deployment

6- Sensitive data exposure
  • Some sites store passwords as plain text; don't
  • Protection:
    • Use bcrypt

7- Missing function-level access control
  • Attackers access other users' data (through direct object references)
  • Protection:
    • Make sure that a user can only access his own info (usually you have to do it yourself)

8- CSRF (Cross-site Request Forgery)
  • Tricking a user into clicking a button/link (they also style buttons to be invisible) to sell something, etc.
  • Protection:
    • Use an arbitrary/random token when displaying the form and, when we get it back, check that this token matches the one we sent (in Django you can use the built-in CSRF protection).
    • Don't use GET requests for selling, for example, or for other actions that would allow CSRF.
    • Protect your SECRET_KEY, because the CSRF protection is based on the SECRET_KEY

9- Using components with known vulnerabilities.
  • It is a real problem. Packages often release patches or updates that fix security holes, and the hole is announced and becomes publicly known usually after the new update is released
  • Protection:
    • Always update to the newer version; your test suite will help you verify the updated dependency

10- Unvalidated redirects (phishing attacks).
  • The attacker hacks the Host header and sends a phishing link from your server to a target user through email.
  • Protection:
    • Flask and Django cannot protect us from this kind of attack
