Safeguard
Tag

python

Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.

76 articles

Best Practices

Symmetric vs asymmetric file encryption in Python, done correctly

AES-GCM needs a unique 96-bit nonce every single time — reuse one under the same key and GCM's authentication guarantee collapses entirely, not just confidentiality.

Jul 8, 20267 min read
Application Security

ReDoS in Python and FastAPI: how one regex takes down an event loop

CVE-2024-3772 let a single crafted email string trigger catastrophic backtracking in Pydantic's own validator — the exact code path every FastAPI request body runs through.

Jul 8, 20266 min read
Application Security

A hardening guide to securing Flask applications

Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.

Jul 8, 20266 min read
Best Practices

Symmetric vs Asymmetric Encryption in Python: A Practical Guide

One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.

Jul 8, 20267 min read
Security Guides

Secrets Management for Python Applications

Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.

Jul 7, 20265 min read
Application Security

Securing Python Virtual Environments

A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.

Jul 7, 20267 min read
Security Guides

Securing Your Python Supply Chain on PyPI

Typosquats, dependency confusion, and account takeovers all target the same moment: pip install. Here is how to make that moment trustworthy.

Jul 6, 20265 min read
Security Guides

Pickle and Deserialization Security in Python

Unpickling untrusted data is arbitrary code execution, by design. Here is why pickle is dangerous, where it hides, and what to use instead.

Jul 5, 20265 min read
Security Guides

Pillow (PIL) Security Guide (2026)

Pillow is the default image library for Python — and because it parses untrusted image bytes and once shipped an eval-based ImageMath, it has a long, real CVE history spanning arbitrary code execution and native buffer overflows.

Jul 4, 20266 min read
Security Guides

Preventing Command Injection in Python

Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.

Jul 4, 20265 min read
Security Guides

pandas Security Guide (2026)

pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.

Jul 3, 20266 min read
Security Guides

Preventing SQL Injection in Python

SQL injection is decades old and still ships to production. In Python it almost always comes down to one habit: building query strings instead of passing parameters.

Jul 3, 20265 min read
python (Page 2) — Safeguard Blog