
Who Does Python Trust, and Why?

Description

We all know how important it is to make sure that you see the "secure" padlock icon when paying for something online. It's simple, easy to understand, and automatic.

Is your code the same? How would you start to make sure it is? Let’s dive into those questions in this talk.

First off, the basics: security is based on trust, but trust must be verified. This is especially true in the design of "zero-trust" networks. Knowing who your code trusts, and how you verify that trust, is therefore essential.

This talk will briefly go through some of the basics, such as public/private key cryptography, DNS, and X.509 certificate signing, before examining some of the wider implementation and regulation of PKI (Public Key Infrastructure) online. We'll look at how Python interfaces with this, along with some history, and look towards the future of important integrations like certifi and truststore.

We'll then look at the problems of Supply Chain Attacks and ask how much you should trust your dependencies, before looking at some of the other basic services your code relies on like DNS.

We’ll then see how you can leverage these trust mechanisms to your advantage to make your code as secure as possible, especially when working in your own cloud environment.

Hopefully, this talk will give you a head start or a refresh on the knowledge required to have genuinely constructive paranoia when coding.

Failing that, at the very least, I promise to make you the go-to expert on how your company's VPN and proxy cause headaches in Python and how to fix them securely, rather than giving up and setting a "trusted-host". Hopefully you'll come away having learned a new swear word that you'll never type again: pip config set global.verify_ssl false.
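As an added illustration (not part of the talk description or its speaker's code): a stdlib-only Python snippet that puts the disabled-verification shortcut beside a context that trusts the operating system store, which is the approach truststore takes, plus an optional corporate CA bundle for a proxy that re-signs TLS. The CORP_CA_BUNDLE environment variable is an assumption for the example.

```python
"""Choose Python's trust anchors explicitly instead of switching verification off.

Constructed example: a TLS-inspecting corporate proxy presents certificates
signed by the company's own CA. The fix is to trust that CA (usually already
installed in the OS store by IT), not to stop verifying altogether.
"""
import os
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """What "verify off" amounts to: no chain check and no hostname check.
    Shown only so the difference is visible in describe(); do not ship this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trusted_context(corporate_ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify against the OS trust store and, optionally, an explicit PEM bundle,
    keeping chain and hostname verification on (the defaults)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    # Load the operating system's CA store (truststore does the same for
    # libraries that would otherwise only see certifi's bundle).
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if corporate_ca_bundle:
        # For pip the equivalent is `pip config set global.cert <bundle.pem>`
        # (or the PIP_CERT environment variable), not disabling verification.
        ctx.load_verify_locations(cafile=corporate_ca_bundle)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise who this context trusts, for a quick audit of your settings."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "ca_count": ctx.cert_store_stats()["x509_ca"],  # number of trusted CAs
    }


if __name__ == "__main__":
    bundle = os.environ.get("CORP_CA_BUNDLE")  # hypothetical variable, your choice
    print("insecure:", describe(insecure_context()))
    print("trusted: ", describe(trusted_context(bundle)))
```

Run it once with CORP_CA_BUNDLE unset and once pointing at your company's PEM file to see the trusted CA count change while chain and hostname checks stay on.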
