Python for Security Applications

How Python can be used by Cyber Security analysts or DevSecOps personnel for cyber security incident responses, to help identify, diagnose, triage and manage potential security weaknesses and threats within a modern computer environment.

29-10-2024



You may see the title of this blog and quite reasonably ask "Say what now?". We are not talking about security issues within Python itself here, nor within third-party Python libraries, nor indeed how to avoid security issues within Python applications or scripts (all of which are interesting and relevant topics in their own right).

No, what we are considering here is how Python can be used by Cyber Security Analysts or DevSecOps personnel for cyber security incident responses, to help identify, diagnose, triage and manage potential security weaknesses and threats within a modern computer environment.

By incident response we mean:

  • Identifying a cyber attack
  • Managing the impact of that attack
  • Limiting the damage of the attack
  • Reducing recovery time and costs

Python can be crucial in supporting each of these steps.

How can Python be used for Cyber Security?

Perhaps the first question to consider is ‘Where can Python be used in a Cyber Security scenario?’.

Python is of course just a programming language, albeit one with a very large number of additional libraries available that allow it to accomplish a wide range of tasks. In the context of cyber security, Python applications and scripts offer a great number of tools and techniques to detect, mitigate and defend against risks:

Vulnerability Testing / Analysis
Analysing vulnerabilities involves identifying potential weaknesses in a system, for example, checking a web application for known vulnerabilities such as those presented in the OWASP Top 10 Web Application Security Risks (including Injection attacks, Identification and Authentication Failures and Server-Side Request Forgery).

Network Scanning
This allows the detection of active hosts and services running on them.

Network Monitoring (and modification)
This involves monitoring the packets (data) being sent across a network. An example of a Python library for network monitoring is PyShark. It may also involve modification of these packets using tools such as Scapy.

Cryptography
There are several Python cryptography modules available (such as pycrypto) that support encrypting and decrypting data and implementing cryptography within an application.

Intrusion Detection
As well as direct security or cryptography libraries, Python has several very well-respected data analysis and machine learning libraries available (such as Pandas, Polars, PyTorch and scikit-learn). These can be used to build network intrusion detection systems that analyse traffic patterns and detect anomalies.

Web Scraping
Information can be gathered from web pages using web scraping tools such as Beautiful Soup. These make it very easy to analyse the contents of a web page.

Malware Analysis
Python can be used to disassemble and reverse engineer files suspected of containing malware such as viruses, worms, trojans or ransomware. An example of such a tool is YARA.

Secure File Transfers
Python can be used to automate secure file transfers using SFTP via modules such as Paramiko.

General Automation Tasks
Python can of course be used in general to automate any process and thus is a general purpose automation tool.


What do you need to know?

At this point you may be wondering ‘So what do I need to know to use Python for Cyber Security?’. The short answer is to learn the basics of Python and experiment with the most popular modules / libraries available.

For a deeper dive, you would do well to learn:

  • To code in Python: its syntax and structures, its core data types such as lists, sets and dictionaries, and its flow-of-control structures such as for loops, while loops, if statements and list comprehensions.
  • How Python manages its own libraries and third-party libraries, as well as common Python environment management systems such as pip and potentially Conda.
  • The core elements of the Python standard library – these are the additional libraries, supplied with the typical Python installation, that extend the facilities available to you beyond the basic syntax of the language. Core libraries include string, datetime, collections and pprint.
  • Networking-oriented standard modules such as socket, socketserver and ssl (a TLS/SSL wrapper), and json for structured data.
  • The regular expression module (re), difflib for computing deltas, os and sys for operating system access, and argparse for command-line options.
  • Third-party libraries such as Scapy for network packet manipulation and Beautiful Soup for HTML / web page scraping.
  • Penetration-oriented libraries - Scapy is again relevant, along with modules such as Impacket.
  • The requests module for interacting with HTTP APIs.
  • As you explore the above you'll find many more useful techniques. Just remember the words of Spider-Man - "With great power comes great responsibility".
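As an added example (not code from the original post), the script below shows the intrusion detection idea from earlier and the standard modules listed above (re, collections, datetime, json) working together on an incident response task: it parses constructed sshd-style log lines, groups failed logins per source address, flags bursts above a threshold within a time window, and notes when a later successful login came from the same address. The log format, threshold, window and sample addresses are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-10-29T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-10-29T08:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-10-29T08:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-10-29T08:00:09 sshd[1201]: Accepted password for root from 203.0.113.7 port 51026 ssh2
2024-10-29T08:05:00 sshd[1340]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-10-29T08:30:00 sshd[1411]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# One pattern covers both outcomes and the optional "invalid user" prefix (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line):
    """Return a dict for a recognised sshd line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Flag each source IP with >= threshold failures inside a sliding window; a later success from the same IP is noted."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        fails = sorted(r["ts"] for r in recs if r["result"] == "Failed")
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                success = any(r["result"] == "Accepted" and r["ts"] >= fails[i] for r in recs)
                findings.append({"ip": ip, "failures": len(fails),
                                 "first_seen": fails[i].isoformat(),
                                 "followed_by_success": success,
                                 "users": sorted({r["user"] for r in recs})})
                break  # one finding per IP is enough for triage
    return findings

if __name__ == "__main__":
    print(json.dumps(find_bruteforce(SAMPLE_LOG), indent=2))
```

The finding with followed_by_success set to true is the one to triage first, since it indicates the burst may have ended in a compromised account.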
OWASP DefectDojo

OWASP stands for the Open Worldwide Application Security Project. It is a non-profit foundation that works to improve the security of software. It provides many resources, in many different programming languages, that can be used to improve your Cyber Security skills and stay abreast of current Cyber Security threats; there are forums for discussion, local chapters for local groups, and tools and projects on which to try out your skills.

OWASP DefectDojo is a Vulnerability Management Platform designed to allow for end-to-end security testing, vulnerability tracking, remediation and reporting. It was started back in 2013 and was open sourced in 2015. It is written in Python using Django. It allows data from more than 200 different security tools to be integrated, aggregated and viewed in a single system.

Using this tool, teams can use Python to help manage and mitigate cyber incidents and to respond to them in a timely fashion. In addition, as it is written in Python, it can be extended as required easily and without the need to learn multiple different libraries or programming languages.

A Word of Caution

It is perhaps appropriate at this point to introduce a word of caution to the proceedings. There are very, very many third-party Python libraries out there. Many of them will provide exactly what you want and will make your applications better and significantly benefit your productivity.

However, there have been cases where malware has been hidden in such libraries, so that unsuspecting developers have unknowingly introduced back doors or other vulnerabilities into their applications.

Most well-established software houses and security-oriented organisations will have some process for vetting libraries before use. This attempts to ensure that malicious or compromised libraries are identified before they are adopted. However, this is still no absolute guarantee that a library is secure.

In addition, it may be necessary to update libraries that are already in use to the latest version, to fix weaknesses or vulnerabilities in otherwise well-known modules as they are identified or discovered.

Both of the above activities can be time consuming and often tedious, but they are extremely important to ensure the security of any Python application.

Summary

Python is an extremely useful tool for anyone working within the Cyber Security domain, particularly for those in a DevSecOps style role. Not only is the core language simple, flexible and easy to learn; the numerous third-party libraries extend the core functionality to provide a powerful, yet flexible, development environment.

