# Secure Coding One Stop Shop for Python > ⓘ NOTE: This is a draft. Contributions welcome!
> Web: [https://best.openssf.org/Secure-Coding-Guide-for-Python/](https://best.openssf.org/Secure-Coding-Guide-for-Python/)
> GitHub: [https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python](https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python) An initiative by the OpenSSF to provide new Python programmers a resource to study secure coding in `CPython >= 3.9` with working code examples. Documentation is written in academic style to support security researchers while using plain English to cater for an international audience. Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are specifically not covered by this document. Please join us, see [contributing](CONTRIBUTING.md) ## Disclaimer Content comes __WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED__, as stated in the license text [CC-BY-4.0](../../LICENSES/CC-BY-4.0.txt) for documentation and [MIT](../../LICENSES/MIT.txt). Following or using the documentation and or code is at your own risk. Code examples are intended purely for educational use and not for products in parts or in full. Code examples are NOT to be used to cause harm of any kind to anyone or anything. ## Introduction Every person writing code shall study the following: * _OWASP Developer Guide_ [[OWASP dev 2024](https://owasp.org/www-project-developer-guide/release/)] * _OWASP Top 10 Report_ [[OWASP 2021](https://owasp.org/Top10/A00_2021_Introduction/)] * _CWE Top 25_ [[MITRE 2024](https://cwe.mitre.org/top25/index.html)] ## Secure Coding Standard for Python Code examples are written to explain security design with as little code as possible. __None__ of the code examples are intended to be used 'as is' for production. Using the code is at your own risk! __Code file naming conventions:__ * `noncompliantXX.py` anti-pattern, bad programming practice. * `compliantXX.py` mitigation or removal of __ONLY__ the described risk. * `exampleXX.py` to allow understanding the documented behaviour. It is __not production code__ and requires code-style or python best practices to be added such as: * Inline documentation * Custom exceptions * Full descriptive variable names * Line length limit * Proper logging instead of printing to `stdout` * Secure coding compliance outside of described issue

01 Introduction	Prominent CVEs	MITRE
pyscg-0040: Use Process Isolation for Trust Zones	CVE-2023-28597, CVSSv3.0: 7.5, EPSS: 00.11 (05.11.2024)	CWE-501
pyscg-0041: Externalize Configuration and Secrets		CWE-798
pyscg-0042: Ensure Correct Operator Precedence		CWE-783
pyscg-0055: Determine Access on Server Side		CWE-472
02 Encoding and Strings	Prominent CVEs	MITRE
pyscg-0043: Specify Locale Explicitly		CWE-175
pyscg-0044: Canonicalize Input Before Validating	CVE-2022-26136, CVSSv3.1: 9.8, EPSS: 00.28 (31.12.2025)	CWE-180
pyscg-0045: Enforce Consistent Encoding		CWE-176
03 Numbers	Prominent CVEs	MITRE
pyscg-0001: Control Numeric Precision		CWE-1339
pyscg-0002: Guard Fixed-Width Numbers Against Overflow		CWE-191, CWE-190
pyscg-0003: Use Arithmetic Over Bitwise Operations		CWE-1335
pyscg-0004: Use Integer Loop Counters		CWE-197
pyscg-0005: Specify Rounding for Numeric Conversions		CWE-197
pyscg-0006: Use an Appropriate Comparator for Numbers		CWE-681
pyscg-0007: Use String Literals for Decimal Construction		CWE-681
04 Neutralization	Prominent CVEs	MITRE
pyscg-0047: Use Allow Lists Over Deny Lists		CWE-184
pyscg-0008: Prevent Format String Injection	CVE-2022-27177, CVSSv3.1: 9.8, EPSS: 00.37 (01.12.2023)	CWE-134
pyscg-0009: Prevent OS Command Injection	CVE-2024-43804, CVSSv3.1: 8.8, EPSS: 00.06 (08.11.2024)	CWE-78
pyscg-0010: Prevent SQL Injection	CVE-2019-8600, CVSSv3.1: 9.8, EPSS: 01.43 (18.02.2024)	CWE-89
pyscg-0011: Prevent Type Confusion	CVE-2021-29513, CVSSv3.1: 7.8, EPSS: 00.02 (13.05.2025)	CWE-843
pyscg-0012: Extract Archives Safely	CVE-2019-9674, CVSSv3.1: 7.5, EPSS: 1.2% (10.09.2025)	CWE-409
pyscg-0013: Secure Search Paths	CVE-2015-1326, CVSSv3.0: 8.8, EPSS: 00.20 (23.11.2023)	CWE-426
pyscg-0023: Secure Deserialization	CVE-2018-8021, CVSSv3.0: 9.8, EPSS: 93.54 (05.11.2024)	CWE-502
05 Exception handling	Prominent CVEs	MITRE
pyscg-0014: Use Specific Exception Types		CWE-397
pyscg-0015: Handle Error Conditions	CVE-2024-39560, CVSSv3.1: 6.5, EPSS: 0.04 (01.11.2024)	CWE-755
pyscg-0016: Propagate Exceptions and Preserve Context		CWE-396
pyscg-0018: Validate Numeric Data Beyond Type Checking		CWE-754
pyscg-0028: Preserve Exceptions in Finally Blocks		CWE-584
pyscg-0052: Ensure Cleanup on Exceptions		CWE-460
06 Logging	Prominent CVEs	MITRE
pyscg-0019: Exclude Sensitive Data From Logs	CVE-2023-45585, CVSSv3.1: 9.8, EPSS: 0.04 (01.11.2024)	CWE-532
pyscg-0020: Implement Informative Event Logging		CWE-778
pyscg-0021: Exclude Developer Tools From the Final Product	CVE-2018-14649, CVSSv3.1: 9.8, EPSS: 69.64 (12.12.2023)	CWE-489
pyscg-0022: Neutralize Untrusted Data in Logs		CWE-117
pyscg-0050: Sanitize Error Output to Prevent Information Disclosure		CWE-209
07 Concurrency	Prominent CVE	MITRE
pyscg-0024: Ensure Thread Pool Tasks Can Be Interrupted		CWE-400
pyscg-0025: Configure Adequate Resource Pools		CWE-410
pyscg-0026: Prevent Deadlocks		CWE-833
pyscg-0027: Prevent Race Conditions		CWE-362
pyscg-0029: Reinitialize Reused Thread Objects		CWE-665
pyscg-0030: Ensure Thread Pool Tasks Do Not Fail Silently		CWE-392
08 Coding Standards	Prominent CVE	MITRE
pyscg-0031: Use Copies When Modifying Iterables		CWE-1095
pyscg-0032: Avoid Redefining Built-in Functions or Standard Library Identifiers		CWE-1109
pyscg-0033: Implement Comparisons by Value Rather Than Reference		CWE-595
pyscg-0034: Check for None Values		CWE-476
pyscg-0035: Complete Resource Cleanup		CWE-459
pyscg-0036: Check Return Values		CWE-252
pyscg-0037: Avoid Assertions In Production		CWE-617
pyscg-0051: Release Unused Resources		CWE-404
09 Cryptography	Prominent CVE	MITRE
pyscg-0038: Use Sufficiently Random Values	CVE-2020-7548, CVSSv3.1: 9.8, EPSS: 0.22 (12.12.2024)	CWE-330

## Biblography |Ref|Detail| |-----|-----| |\[Python 2023\]|3.9 Module Index \[online\], available from [https://docs.python.org/3.9/py-modindex.html](https://docs.python.org/3.9/py-modindex.html) \[accessed Dec 2024\]| |\[mitre.org 2023\]|CWE - CWE-1000: Research Concepts \[online\], available from [https://cwe.mitre.org/data/definitions/1000.html](https://cwe.mitre.org/data/definitions/1000.html) \[accessed Dec 2024\]| |\[OWASP dev 2024\]|OWASP Developer Guide \[online\], available from [https://owasp.org/www-project-developer-guide/release/](https://owasp.org/www-project-developer-guide/release/) \[accessed Dec 2024\]| |\[OWASP 2021\]|OWASP Top 10 Report 2021 \[online\], available from [https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)| |\[MITRE Pillar 2024\]|_Pillar Weakness_ \[online\], available form [https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) \[accessed Dec 2024\]| |\[MITRE 2024\]|CWE Top 25 \[online\], available form [https://cwe.mitre.org/top25/index.html](https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html) \[accessed Dec 2024\]| ## Contributors This guide was jointly developed by the following group of awesome contributors: * Andrew Costello * Bartlomiej Karas * David A. Wheeler * Dean Wiley * Georg Kunz * Helge Wehder * Hubert Daniszewski * Ketki Davda * Kyrylo Yatsenko * Michael Scovetta * Noah Spahn * Tom McDermott * Viktor Szépe ## License * [CC-BY 4.0](../../LICENSES/CC-BY-4.0.txt) for documentation * [MIT](../../LICENSES/MIT.txt) for code snippets