python
Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.
76 articles
Symmetric vs asymmetric file encryption in Python, done correctly
AES-GCM needs a unique 96-bit nonce every single time — reuse one under the same key and GCM's authentication guarantee collapses entirely, not just confidentiality.
ReDoS in Python and FastAPI: how one regex takes down an event loop
CVE-2024-3772 let a single crafted email string trigger catastrophic backtracking in Pydantic's own validator — the exact code path every FastAPI request body runs through.
A hardening guide to securing Flask applications
Flask ships session cookies with HttpOnly on by default — but Secure, SameSite, CSRF tokens, and every security header are left entirely to you.
Symmetric vs Asymmetric Encryption in Python: A Practical Guide
One key or two? A working comparison of Fernet and RSA in Python's cryptography library — with the OAEP-vs-PKCS1v15 mistake that still causes padding-oracle bugs.
Secrets Management for Python Applications
Hard-coded API keys and .env files committed to git are still the fastest route into a Python app. Here is how to keep secrets out of your code and your history.
Securing Python Virtual Environments
A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.
Securing Your Python Supply Chain on PyPI
Typosquats, dependency confusion, and account takeovers all target the same moment: pip install. Here is how to make that moment trustworthy.
Pickle and Deserialization Security in Python
Unpickling untrusted data is arbitrary code execution, by design. Here is why pickle is dangerous, where it hides, and what to use instead.
Pillow (PIL) Security Guide (2026)
Pillow is the default image library for Python — and because it parses untrusted image bytes and once shipped an eval-based ImageMath, it has a long, real CVE history spanning arbitrary code execution and native buffer overflows.
Preventing Command Injection in Python
Every time Python code shells out with user input, an attacker gets a vote on what the shell runs. The fix is almost always to stop using the shell at all.
pandas Security Guide (2026)
pandas is the backbone of Python data analysis — and while its own CVE record is thin, the read_pickle deserialization risk is real, the query/eval expression engine invites injection, and most 'pandas findings' actually live in its dependency tree.
Preventing SQL Injection in Python
SQL injection is decades old and still ships to production. In Python it almost always comes down to one habit: building query strings instead of passing parameters.