Promote secure products by knowing the difference between secure compliant
and non-compliant code with CPython >= 3.9 using modules listed on
Python Module Index [Python 2023].
This page is in initiative by Ericsson to improve secure coding in Python by providing a location for study. Its structure is based on Common Weakness Enamurator (CWE) Pillar Weakness [mitre.org 2023]. It currently contains only the code examples, documentation will follow.
Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license text CC-BY-4.0 for documentation and MIT. Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything.
Every person writing code shall study the following:
Code examples are written to explain security design with as little code as possible demonstrating the issue in the noncompliantXX.py titled Python file.
The compliantXX.py file demonstrates only the mitigation or removal of the described risk.
None of the code examples are intendet to be used ‘as is’ for production. Using the code is at your own risk.
It is not production code and requires code-style or python best practices to be added such as:
stdout| CWE-693: Protection Mechanism Failure | Prominent CVE |
|---|---|
| CWE-184: Incomplete List of Disallowed Input | |
| CWE-330: Use of Insufficiently Random Values | |
| CWE-798: Use of hardcoded credentials |
| CWE-710: Improper Adherence to Coding Standards | Prominent CVE |
|---|---|
| CWE-1095: Loop Condition Value Update within the Loop | |
| CWE-1109: Use of Same Variable for Multiple Purposes |
| Ref | Detail |
|---|---|
| [Python 2023] | 3.9 Module Index |
| [mitre.org 2023] | CWE - CWE-1000: Research Concepts |
| [OWASP 2022] | Secure Coding Practices-Quick Reference Guide |
| [OWASP 2022] | OWASP Top 10 Report 2022 |
| [MITRE 2023] | CWE Top 25 2022 |