Python is one of the most widely used languages for web application development today. It’s a dynamic language that is equipped with built-in data structures—which makes it attractive for rapid application development as well as a scripting language. Python’s simple syntax and numerous available open-source packages make it easy for developers to learn and start coding. As a result, Python is widely embraced as a robust and reliable programming language for enterprise-scale applications.
For example, as of August 2019, Python was the most popular programming language based on Google searches. According to the annual Stack Overflow Developer Survey (one of the most comprehensive snapshots of programming language use) Python is the fastest-growing programming language in terms of active developers. At this pace, it could leapfrog Java and C in the next few years in terms of overall language popularity.
DevOps teams that need to rapidly build, deploy, and scale web applications to hundreds of millions of developers code in Python because of how friendly it is to use. Indeed, Python already plays a pivotal role in some of the world's best-known organizations. For example, it is used by Netflix to stream videos to more than 100 million homes worldwide, power the photo-sharing phenomenon Instagram, and aid NASA in space exploration.
Python’s Dynamic Nature Creates Security Challenges
Python developers have particular challenges when it comes to security. Traditional security tools cannot accurately locate security vulnerabilities in enterprise-scale, Python-based applications. And when they do, it happens far later in the software development life cycle—which is much more costly than finding vulnerabilities earlier. These traditional application security tools also remain focused on languages such as Java and .NET, even as more organizations are shifting application development to Python.
The root of the problem comes from the fact that Python is a dynamic language (as opposed to static languages like Java or C). The difference between dynamic and static comes mainly from how variables are assigned. In static languages, each variable is assigned a type that is known when the code is compiled. But because Python is dynamic, a variable’s type is not determined until runtime. Consequently, for application security to accurately and effectively do its job, Python code needs to be evaluated at runtime. And this is something that traditional testing—such as static application security testing (SAST) and dynamic application security testing (DAST) tools—cannot do.
SAST and DAST Tools Lack Visibility, Accuracy for Python Protection
Both SAST and DAST tools lack the context to accurately and completely identify vulnerabilities in Python applications. SAST tools build and scan hypothetical models of source-code repositories. These models embed many assumptions, and many mistakes, about control flow, data flow, and security defenses. DAST tools lack context in a different way. They work by sending HTTP requests to an application (as an attacker would) and, based on the response, attempt to determine whether an exploitable vulnerability exists. However, there is no way to know whether the DAST tool has performed the right tests for a given Python application. Ultimately, both SAST and DAST produce results that are incomplete and riddled with false positives.
And while some SAST solutions do support Python (including open-source tools), their accuracy varies, and they are most effective when focused on a single rule. Because SAST code checks are based on known threats, unknown and zero-day attacks can get past SAST controls (a problem known as false negatives). SAST results also include numerous false positives, and a potential threat that could actually exploit the application triggers only a general alert. To sort actual threats from the false alarms, security analysts need to spend time researching and verifying each alert instance.
The Risks of Remaining on Python 2
The latest risk for some organizations is the slow transition from Python 2 to Python 3. Since its initial introduction in 2008, Python 3 has shown significant improvements, including fewer inefficiencies compared to Python 2. Despite those benefits (as well as obstacles such as Python 2 compilers and tool chains becoming obsolete), a number of developers have stubbornly stayed with the older version.
But after January 1, 2020, Python 2 is no longer officially supported. Newly reported vulnerabilities are no longer fixed by the maintainers, which makes Python 2 a security risk. While third parties have pledged to provide continued support (for a fee), leaving Python 2 code running in production will be a greater risk as time goes on and as new vulnerabilities emerge.
Contrast Adds Python Support to Its Industry-leading Platform
Dynamic programming languages require modern security tools—which is exactly why Contrast is a perfect match for Python-based web applications. Contrast’s instrumentation-based AppSec platform automates vulnerability identification and remediation verification by testing running applications via data flows. Contrast provides visibility into every application route instead of attempting to analyze code or probe the application from the outside. Contrast’s platform includes:
- Interactive application security testing (IAST), which runs in preproduction, detects vulnerabilities in both custom code and libraries during normal use by gathering data from running code. The Contrast Python agent for Contrast Assess delivers the only IAST solution that offers Python support.
- Software composition analysis (SCA) analyzes libraries to identify potentially vulnerable third-party and open-source components. Python has a big open-source community—and a reported 84% of today’s applications consist of more than half open-source code.
- Runtime application self-protection (RASP) is run in production to validate request inputs and prevent vulnerabilities from being exploited inside the application (both custom code and libraries).
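As an added illustration (not Contrast’s agent or any of its code), the toy below shows the idea behind the runtime evaluation discussed above: the handler that receives the request parameter is chosen by name with getattr only at runtime, which a static model has to guess, while a sensor wrapped around the SQL sink reports tainted input in the query text during ordinary use, no attack payload needed. All names here (Tainted, sink_sensor, ItemHandlers, execute_sql, handle_request) are hypothetical.

```python
import functools

FINDINGS = []  # (sink name, tainted value) pairs recorded by the sensors


class Tainted(str):
    """A str that remembers it came from an untrusted request and keeps
    that mark when it is concatenated into other strings."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def sink_sensor(sink_name):
    """Wrap a sink so every call is inspected at runtime: tainted data in the
    first argument (the SQL text) is reported, bound parameters are not."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if args and isinstance(args[0], Tainted):
                FINDINGS.append((sink_name, str(args[0])))
            return fn(*args, **kwargs)
        return wrapper
    return decorate


@sink_sensor("sql.execute")
def execute_sql(query, params=()):
    # Stand-in for a database driver call (hypothetical; nothing is executed).
    return f"executed {query!r} with {params!r}"


class ItemHandlers:
    """Request handlers; which one runs is chosen by name at runtime."""

    def search(self, term):       # unsafe: input is concatenated into SQL text
        return execute_sql("SELECT name FROM items WHERE name = '" + term + "'")

    def search_safe(self, term):  # safe: input travels as a bound parameter
        return execute_sql("SELECT name FROM items WHERE name = ?", (term,))

    def echo(self, term):         # input never reaches a sink
        return "you searched for " + term


def handle_request(action, raw_param):
    """Simulated request boundary: mark the input, then dispatch dynamically.
    Returns the handler result and the findings raised during this request."""
    FINDINGS.clear()
    handler = getattr(ItemHandlers(), action)  # resolved only at runtime
    result = handler(Tainted(raw_param))
    return result, list(FINDINGS)
```

With the benign input "lamp", the sensor flags the concatenating handler and stays silent for the parameterized one, which is the distinction an IAST agent observes from running code rather than from a model of the source.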
Contrast Assess helps Python application developers find vulnerabilities early in the software development life cycle, when fixes can be made more easily and affordably. The Contrast agent begins securing code by adding sensors to the entire software stack to directly identify vulnerabilities and attacks. Contrast Assess continuously monitors all code (including libraries) for known and unknown vulnerabilities and produces accurate results without dependence on AppSec for manual testing, research, and remediation. Further, because the Contrast platform is version agnostic, it protects both Python 2 and Python 3—enabling developers to continue to make the upgrade transition at their own pace while ensuring that their code is secure (whether Python 2 or 3).
The Path Forward—Scalable, Elastic, and Accurate
Python is predicted to continue a steep upward adoption trajectory. One recent study shows that Python is the most-studied language among developers—27% of respondents spent time learning it in the past year. Nearly half (49%) had used Python in the past 12 months and another 9% planned to integrate it into their workflows at some point. With that in mind, Contrast Assess can help developers keep pace with Python’s increasing prevalence. In fact, Assess supports more languages than any other IAST solution available today—including Java, Node, .NET, Ruby, and Python.
To learn more, we also recently recorded a podcast, “Exploring the Risks of Python in Applications and How to Protect Your Applications from Them,” that further details Contrast’s application security capabilities in support of Python development.