ⓘ NOTE: This is a draft. Contributions welcome!
Web: https://best.openssf.org/Secure-Coding-Guide-for-Python/
GitHub: https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python

An initiative by the OpenSSF to provide new Python programmers with a resource for studying secure coding in CPython >= 3.9, with working code examples.

Documentation is written in academic style to support security researchers while using plain English to cater for an international audience.

Python modules outside of the Python Module Index [Python 2023] are specifically not covered by this document.

Please join us; see Contributing.

Disclaimer

Content comes WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, as stated in the license texts CC-BY-4.0 (documentation) and MIT (code). Following or using the documentation and/or code is at your own risk. Code examples are intended purely for educational use and not for products, in part or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything.

Introduction

Every person writing code shall study the following:

Secure Coding Standard for Python

Code examples are written to explain security design with as little code as possible. None of the code examples are intended to be used 'as is' in production. Using the code is at your own risk!

Code file naming conventions:

  • noncompliantXX.py: anti-pattern, bad programming practice.
  • compliantXX.py: mitigation or removal of ONLY the described risk.
  • exampleXX.py: code that helps to understand the documented behaviour.

The examples are not production code; code-style and Python best practices still need to be added, such as:

  • Inline documentation
  • Custom exceptions
  • Full descriptive variable names
  • Line length limit
  • Proper logging instead of printing to stdout
  • Secure coding compliance outside of described issue
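To make the noncompliantXX.py / compliantXX.py convention concrete, the following is an added illustration, not a code file from the guide itself: it takes one rule from the table below, pyscg-0010 (Prevent SQL Injection, CWE-89), and puts the anti-pattern and its mitigation side by side in one file. The table name, column names, sample rows and the injection payload are constructed for this illustration; only the described risk (untrusted input becoming part of the SQL text) is mitigated, exactly as the compliantXX.py rule says.

```python
"""Added illustration of the noncompliantXX.py / compliantXX.py convention.

Not code from the guide. It uses pyscg-0010 (SQL injection, CWE-89) as the
example rule; the users table, its rows and the payload are constructed.
"""
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    """Constructed in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def noncompliant_lookup(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Anti-pattern (the noncompliantXX.py side): untrusted input is
    concatenated into the SQL text, so the input can rewrite the query."""
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def compliant_lookup(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Mitigation of ONLY the described risk (the compliantXX.py side):
    the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both variants against a benign name and a constructed payload."""
    conn = _fresh_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    return {
        "benign_noncompliant": noncompliant_lookup(conn, "alice"),
        "injected_noncompliant": noncompliant_lookup(conn, payload),
        "benign_compliant": compliant_lookup(conn, "alice"),
        "injected_compliant": compliant_lookup(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the noncompliant variant returns every row in the table (the `OR '1'='1'` clause is evaluated as SQL), while the compliant variant returns nothing because the whole string is compared as a plain value. Everything else that production code would need (logging, custom exceptions, input length limits) is deliberately left out, matching the list above.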
01 Introduction

Rule | Prominent CVEs | MITRE
pyscg-0040: Trust Boundary Violation | CVE-2023-28597 (CVSSv3.0: 7.5, EPSS: 0.11% on 05.11.2024) | CWE-501
pyscg-0041: Use of Hardcoded Credentials | - | CWE-798
pyscg-0042: Operator Precedence Logic Error | - | CWE-783
pyscg-0055: External Control of Assumed-Immutable Web Parameter | - | CWE-472

02 Encoding and Strings

Rule | Prominent CVEs | MITRE
pyscg-0043: Specify Locale Explicitly | - | CWE-175
pyscg-0044: Canonicalize Input Before Validating | CVE-2022-26136 (CVSSv3.1: 9.8, EPSS: 0.28% on 31.12.2025) | CWE-180
pyscg-0045: Enforce Consistent Encoding | - | CWE-176

03 Numbers

Rule | Prominent CVEs | MITRE
pyscg-0001: Control Numeric Precision | - | CWE-1339
pyscg-0002: Guard Fixed-Width Numbers Against Overflow | - | CWE-191, CWE-190
pyscg-0003: Use Arithmetic Over Bitwise Operations | - | CWE-1335
pyscg-0004: Use Integer Loop Counters | - | CWE-197
pyscg-0005: Specify Rounding for Numeric Conversions | - | CWE-197
pyscg-0006: Use an Appropriate Comparator for Numbers | - | CWE-681
pyscg-0007: Use String Literals for Decimal Construction | - | CWE-681

04 Neutralization

Rule | Prominent CVEs | MITRE
pyscg-0047: Use Allow Lists Over Deny Lists | - | CWE-184
pyscg-0008: Prevent Format String Injection | CVE-2022-27177 (CVSSv3.1: 9.8, EPSS: 0.37% on 01.12.2023) | CWE-134
pyscg-0009: Prevent OS Command Injection | CVE-2024-43804 (CVSSv3.1: 8.8, EPSS: 0.06% on 08.11.2024) | CWE-78
pyscg-0010: Prevent SQL Injection | CVE-2019-8600 (CVSSv3.1: 9.8, EPSS: 1.43% on 18.02.2024) | CWE-89
pyscg-0011: Prevent Type Confusion | CVE-2021-29513 (CVSSv3.1: 7.8, EPSS: 0.02% on 13.05.2025) | CWE-843
pyscg-0012: Extract Archives Safely | CVE-2019-9674 (CVSSv3.1: 7.5, EPSS: 1.20% on 10.09.2025) | CWE-409
pyscg-0013: Secure Search Paths | CVE-2015-1326 (CVSSv3.0: 8.8, EPSS: 0.20% on 23.11.2023) | CWE-426
pyscg-0023: Secure Deserialization | CVE-2018-8021 (CVSSv3.0: 9.8, EPSS: 93.54% on 05.11.2024) | CWE-502

05 Exception Handling

Rule | Prominent CVEs | MITRE
pyscg-0014: Declaration of Throws for Generic Exception | - | CWE-397
pyscg-0015: Improper Handling of Exceptional Conditions | CVE-2024-39560 (CVSSv3.1: 6.5, EPSS: 0.04% on 01.11.2024) | CWE-755
pyscg-0016: Detection of Error Condition Without Action | - | CWE-390
pyscg-0017: Improper Handling of Missing Values | - | CWE-230
pyscg-0018: Improper Check for Unusual or Exceptional Conditions - Float | - | CWE-754
pyscg-0052: Improper Cleanup on Thrown Exception | - | CWE-460

06 Logging

Rule | Prominent CVEs | MITRE
pyscg-0019: Insertion of Sensitive Information into Log File | CVE-2023-45585 (CVSSv3.1: 9.8, EPSS: 0.04% on 01.11.2024) | CWE-532
pyscg-0020: Insufficient Logging | - | CWE-778
pyscg-0021: Active Debug Code | CVE-2018-14649 (CVSSv3.1: 9.8, EPSS: 69.64% on 12.12.2023) | CWE-489
pyscg-0022: Improper Output Neutralization for Logs | - | CWE-117
pyscg-0050: Generation of Error Message Containing Sensitive Information | - | CWE-209

07 Concurrency

Rule | Prominent CVEs | MITRE
pyscg-0024: Uncontrolled Resource Consumption | - | CWE-400
pyscg-0025: Insufficient Resource Pool | - | CWE-410
pyscg-0026: Deadlock | - | CWE-833
pyscg-0027: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') | - | CWE-362
pyscg-0028: Return inside Finally Block | - | CWE-584
pyscg-0029: Improper Initialization | - | CWE-665
pyscg-0030: Missing Report of Error Condition | - | CWE-392
pyscg-0051: Improper Resource Shutdown or Release | - | CWE-404
pyscg-0054: Race Condition Within a Thread | - | CWE-366

08 Coding Standards

Rule | Prominent CVEs | MITRE
pyscg-0031: Loop Condition Value Update Within the Loop | - | CWE-1095
pyscg-0032: Use of Same Variable for Multiple Purposes | - | CWE-1109
pyscg-0033: Comparison of Object References Instead of Object Contents | - | CWE-595
pyscg-0034: NULL Pointer Dereference | - | CWE-476
pyscg-0035: Incomplete Cleanup | - | CWE-459
pyscg-0036: Unchecked Return Value | - | CWE-252
pyscg-0037: Reachable Assertion | - | CWE-617

09 Cryptography

Rule | Prominent CVEs | MITRE
pyscg-0038: Use Sufficiently Random Values | CVE-2020-7548 (CVSSv3.1: 9.8, EPSS: 0.22% on 12.12.2024) | CWE-330

EPSS values are given in percent, with the date on which the score was read in brackets.

Bibliography

Ref | Detail
[Python 2023] | 3.9 Module Index [online], available from https://docs.python.org/3.9/py-modindex.html [accessed Dec 2024]
[mitre.org 2023] | CWE - CWE-1000: Research Concepts [online], available from https://cwe.mitre.org/data/definitions/1000.html [accessed Dec 2024]
[OWASP dev 2024] | OWASP Developer Guide [online], available from https://owasp.org/www-project-developer-guide/release/ [accessed Dec 2024]
[OWASP 2021] | OWASP Top 10 Report 2021 [online], available from https://owasp.org/www-project-top-ten/
[MITRE Pillar 2024] | Pillar Weakness [online], available from https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness [accessed Dec 2024]
[MITRE 2024] | CWE Top 25 [online], available from https://cwe.mitre.org/top25/index.html [accessed Dec 2024]

Contributors

This guide was jointly developed by the following group of awesome contributors:

  • Andrew Costello
  • Bartlomiej Karas
  • David A. Wheeler
  • Dean Wiley
  • Georg Kunz
  • Helge Wehder
  • Hubert Daniszewski
  • Ketki Davda
  • Kyrylo Yatsenko
  • Michael Scovetta
  • Noah Spahn
  • Tom McDermott
  • Viktor Szépe

License