This is the second post in the 2018 edition of our annual PyCon Must-See Series, which highlights the talks our staff especially loved at PyCon. While there were many great talks, this is our team's shortlist.
I saw a lot of great talks at PyCon 2018, but Ying Li's keynote was one of my favorites. Li is a security engineer at Docker where she works extensively with Python. Her talk focuses on information security, and she suggests that everyone who works in technology and software should care about security.
During her presentation, Li shares an amusing children's book that she’s planning called The Professor of 0's, which describes the journey of a software development team as they learn to properly secure their web application against vulnerabilities. The children’s book illustrates Li’s points on security in a way that’s accessible and enjoyable. The book is a much-appreciated, light-hearted approach to a topic that is both serious and important. Be sure to watch the video to see how the book helps Li get her points across.
Later in her talk, she also makes an intriguing analogy between how the security community is addressing common security vulnerabilities and how the medical community attempts to prevent SIDS (Sudden Infant Death Syndrome). Li explains that as a new mother, she was educated about a “checklist” of sorts that she could use to help prevent SIDS. She heard the information not just once, but at nearly every interaction with her various healthcare providers. That consistent (and persistent), simple-to-follow message, she argues, has helped to save the lives of thousands of infants.
Just as the medical community created simple guidelines that parents were willing and able to follow, Li sees the security community providing simple tools that developers are willing to use, in order to easily address common security vulnerabilities like CSRF attacks (see the Caktus blog post on common website vulnerabilities for information about CSRF and other common attacks). Those steps are now reaping benefits: CSRF attacks have fallen off the Open Web Application Security Project (OWASP) Top 10 vulnerabilities list for the first time in over a decade. Li attributes this improvement to the fact that frameworks such as Django have added tools to prevent CSRF attacks, and to the fact that developers are using those tools. She'd like to see those types of outreach and education programs take down the other vulnerabilities on the OWASP Top 10.
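As an added illustration (not from Li's talk or this post, and not Django's own code), here is the synchronizer-token check that framework CSRF protection such as Django's performs on a state-changing POST, shown as an unprotected handler beside a protected one; the in-memory session store and handler names are assumed for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store: session id -> session data.
# A real framework keeps this in a signed cookie or server-side store.
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in forms it renders for this session.
    A page served from another origin cannot read it, so a form posted
    from elsewhere cannot include the right value."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer_unprotected(sid: str, form: Dict[str, str]) -> Tuple[int, str]:
    """'Before': any POST that arrives with the user's session cookie is
    accepted, regardless of which site built the form."""
    if sid not in SESSIONS:
        return 401, "no session"
    return 200, "moved %s to %s" % (form["amount"], form["to"])


def handle_transfer_protected(sid: str, form: Dict[str, str]) -> Tuple[int, str]:
    """'After': the check a CSRF middleware does before the view runs."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    if not submitted:
        return 403, "CSRF verification failed: token missing"
    # Constant-time comparison so the token cannot be recovered via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF verification failed: token mismatch"
    return 200, "moved %s to %s" % (form["amount"], form["to"])
```

The developer-facing part is only the token in the template and the middleware switched on; the rest is the framework's job, which is the kind of "simple tool" Li credits for CSRF dropping off the list.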
Li’s talk inspires me to review our practices at Caktus to see what improvements we can make, which will make hardening our systems simpler without imposing undue work on team members.