The utility can identify insecure code in production from third-party packages as well as original code.
Threat Stack announced Python support for its Application Security Monitoring product, providing runtime security monitoring for applications. Given how widely third-party libraries are used in programs, the potential for malicious or insecure code to be exploited on production systems is considerable. Likewise, programming errors made in custom code by programmers on your own team could open the door to exploitation.
Threat Stack's offering is intended to surface vulnerabilities in both scenarios, with an e-learning component for "helping developers learn secure coding practices," as well as identifying and blocking attacks, including cross-site scripting (XSS) and SQL injections, in real time. The company touts the ability of their product to "[put] the application in context with the rest of the stack, allowing users to navigate in a single click from application to the container or host where it is deployed for deeper forensics," in the event an attack is detected, as a key differentiator from other products.
While Python's package index (PyPI) has not been subject to the tumult of NPM, the preeminent package manager for Node.js, there have been noticeable problems over the past year, with three packages identified that contained a backdoor that activates when installed on Linux systems. A year earlier, when 12 packages containing malicious code were identified in PyPI, the attack relied on typosquatting -- using names such as diango, djago, dajngo, and djanga in place of Django, a popular framework -- to dupe unsuspecting programmers into importing the wrong package.
Given these security issues, and the burgeoning popularity of Python, the need for this type of solution is clear.