Every time you type pip install -r requirements.txt, you are putting your web application and your users' data at risk. Modern web applications use dozens of third-party components that are entirely outside your control. You have already learned that you should test your own code, but I'll do my best to convince you that you should test external code for security vulnerabilities too.
In January, two of the biggest vulnerabilities, Meltdown and Spectre, were publicly disclosed. Those are the best known ones, but smaller vulnerabilities are published nearly every day, and any of them can be exploited to abuse your application. An attacker might try to take your application down, steal your users' data, or hijack your computing power.
Because vulnerabilities are disclosed, they can also be mitigated. Multiple vendors offer security testing, and I'll focus on the solutions for scanning PyPI packages. During the talk, I'll show you how a vulnerability can be exploited, where and how it is reported (you'll learn what a CVE is), and how you can secure your application using GitHub's security alerts for vulnerable dependencies and Snyk.io at various levels (repository integration, CI server, CLI integration).
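As an added illustration (not part of the talk abstract, and not GitHub's or Snyk's code), here is a minimal version of the check those tools automate: it parses exact pins from a requirements.txt and matches them against a constructed, in-memory advisory list with placeholder identifiers. Real scanners use PEP 440 version parsing and a live advisory feed; both are simplified here.

```python
import re

# Constructed advisory list: placeholder identifiers, not real CVEs or packages.
ADVISORIES = [
    {"package": "Example_Lib", "id": "CVE-0000-0001 (placeholder)", "fixed_in": "2.3.1"},
    {"package": "otherpkg", "id": "CVE-0000-0002 (placeholder)", "fixed_in": "1.0.5"},
]

# Only exact pins (name==1.2.3) can be checked precisely; trailing comments are allowed.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$")

def normalize(name):
    """PEP 503 normalization so Example_Lib and example-lib match the same advisory."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v):
    """Simplified dotted-integer comparison; a real scanner uses PEP 440 parsing."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Return ({normalized name: version} for exact pins, [lines that are not exact pins])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned

def find_vulnerable(pinned, advisories=ADVISORIES):
    """Return (name, pinned version, advisory id, fixed version) for pins older than the fix."""
    findings = []
    for adv in advisories:
        name = normalize(adv["package"])
        if name in pinned and parse_version(pinned[name]) < parse_version(adv["fixed_in"]):
            findings.append((name, pinned[name], adv["id"], adv["fixed_in"]))
    return findings

# Constructed sample requirements.txt, not from a real project.
SAMPLE_REQUIREMENTS = """\
example-lib==2.2.0      # older than the fix -> flagged
otherpkg==1.0.5         # already at the fixed version -> clean
somepkg>=3.0            # not an exact pin -> reported as unchecked
"""
```

Calling `find_vulnerable(*parse_requirements(SAMPLE_REQUIREMENTS)[:1])` flags only example-lib; the unpinned line is returned separately because a range cannot be matched against an advisory until it is resolved to a concrete version.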