1st - 5th AUGUST 2014

Brisbane Convention & Exhibition Centre

  • Mini-Conferences
    August 1
  • Presentations
    August 2-3
  • Sprints
    August 4-5


Serialization formats aren't toys

Do you have an API?

Do you accept input from users? Do you accept it in XML? What about YAML? Or maybe JSON? How safe are you?

Are you sure?

It’s not in the OWASP Top 10, but you don’t have to look far to hear stories of security vulnerabilities involving deserialization of user input. Why do they keep happening?

In this talk I’ll go over what the threat is, how you are making yourself vulnerable and how to mitigate the problem. I’ll cover the features (not bugs, features) of formats like XML, YAML, and JSON that make them surprisingly dangerous, and how to protect your code from them.

Because here’s the thing: If you are using, say, a compliant, properly implemented XML parser to parse your XML, you are NOT safe. Possibly quite the opposite.
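The XML half of that claim, as an added example that is not part of the talk or its materials (it uses only Python's standard library, so it runs anywhere PyCon attendees would run it): a fully compliant parser expands internal entities exactly as the spec says it must, which is how a document of a couple of hundred bytes becomes thousands of bytes of text. The sample document, the function names and the exception class below are constructed for illustration. The expansion is deliberately kept to three levels so it finishes instantly; the real "billion laughs" document simply nests more levels.

```python
"""Added example (not from the talk): entity expansion in a compliant XML
parser, and a small expat-based parser that refuses entity declarations."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample document. Each entity references the previous one ten
# times, so three levels turn 30 bytes of payload into 30 * 10 * 10 = 3000
# bytes of text. A real attack uses around ten levels.
LOL = "lol" * 10
MALICIOUS_XML = f"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY a "{LOL}">
  <!ENTITY b "{'&a;' * 10}">
  <!ENTITY c "{'&b;' * 10}">
]>
<r>&c;</r>""".encode()

# Constructed benign document: only the predefined entity &amp; is used.
BENIGN_XML = b'<?xml version="1.0"?><r>hello &amp; goodbye</r>'


def naive_parse(data: bytes) -> str:
    """What most code does: hand the bytes to the standard parser and trust
    what comes back. Entity expansion happens silently inside the parser."""
    return ET.fromstring(data).text or ""


def amplification(data: bytes) -> float:
    """How many bytes of text the parser produces per byte of input."""
    return len(naive_parse(data)) / len(data)


class EntityDeclarationRejected(ValueError):
    """Raised when untrusted XML tries to declare an entity."""


def hardened_parse(data: bytes) -> str:
    """Parse with expat directly and refuse every entity declaration
    (internal or external) and every external entity reference before
    anything can be expanded. Returns the document's character data.

    Only the predefined entities (&amp; &lt; &gt; &quot; &apos;) survive,
    which is all untrusted input normally needs."""
    parser = xml.parsers.expat.ParserCreate()
    text_chunks = []

    def reject_entity_declaration(*_args):
        # Called once per <!ENTITY ...>; raising here aborts the parse.
        raise EntityDeclarationRejected(
            "entity declarations are not accepted in untrusted XML")

    def reject_external_entity(*_args):
        # Returning a false value makes expat stop with an error instead
        # of trying to fetch the referenced entity.
        return 0

    parser.EntityDeclHandler = reject_entity_declaration
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.CharacterDataHandler = text_chunks.append
    parser.Parse(data, True)
    return "".join(text_chunks)


if __name__ == "__main__":
    print(f"input bytes: {len(MALICIOUS_XML)}, "
          f"text bytes after naive parse: {len(naive_parse(MALICIOUS_XML))}, "
          f"amplification: {amplification(MALICIOUS_XML):.1f}x")
    print("benign via hardened parser:", hardened_parse(BENIGN_XML))
    try:
        hardened_parse(MALICIOUS_XML)
    except EntityDeclarationRejected as exc:
        print("malicious via hardened parser rejected:", exc)
```

The hardened parser rejects the declaration itself rather than trying to bound the expansion afterwards, which is the same policy libraries such as defusedxml apply by default; the point is that `ET.fromstring` is not misbehaving in the first function, it is doing exactly what the XML specification requires.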

Tom Eastman

Tom is a senior Python developer and technical lead for Catalyst IT, New Zealand's largest company specialising in open source. Prior to that he worked as a developer and system administrator for the University of Otago Faculty of Medicine and as a Computer Science tutor for the same.

Tom is also the director of this year's Kiwi PyCon, and will be spending significant amounts of time trying to convince you all to fly to Wellington for more Python fun five weeks after PyCon AU has concluded!