#545: OWASP Top 10 (2025 List) for Python Devs

Talk Python To Me · 1h 6m · April 16, 2026

Get the full intelligence

Search transcripts, export clips, track mentions, and explore all topics from "#545: OWASP Top 10 (2025 List) for Python Devs" inside PodZeus.

AI-Generated Summary

In this episode of Talk Python To Me, host Michael Kennedy welcomes back Tanya Janka, a leading figure in application security and an OWASP Top 10 contributor, to discuss the newly released 2025 OWASP Top 10 list with a strong focus on Python developers. Tanya walks through the updated ten risks, emphasizing major shifts such as the expansion of 'Software Supply Chain Failures' to include attacks on developers themselves and malicious dependencies, and the introduction of 'Mishandling of Exceptional Conditions' as a new top 10 item.

She explains why AI-generated code so often lacks security basics (the models were trained largely on low-quality public example code) and introduces her free 'Secure Code Prompt Library' to help developers generate and review secure code. The episode also covers practical Python-specific examples, including Django misconfigurations, insecure access control, and the dangers of running debug mode in production. Tanya stresses secure defaults, checklists, and proactive security design over reactive fixes, and encourages broader awareness and community involvement through OWASP chapters and resources.

Key takeaways: 1) Prioritize secure defaults and developer experience to reduce cognitive load and encourage secure behavior; 2) Use tools like pip-compile and uv to pin dependencies and manage supply chain risk; 3) Always validate input and enforce access control on the server side, not just in the front end; 4) Never run debug mode in production, and always configure security headers such as HSTS and Content Security Policy; 5) Use AI responsibly by prompting for security assumptions and running code reviews with secure prompts; 6) Implement proper logging and alerting for security events so incidents can be investigated; 7) Adopt a layered defense strategy with multiple security controls; 8) Engage with OWASP resources like the cheat sheets and local chapters to stay informed and contribute to a more secure software ecosystem.
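The pinning advice above (pip-compile, uv) only pays off if the resulting lockfile is actually complete, so here is a small checker for a requirements.txt, added as an example for this page rather than code from the episode. Both `pip-compile --generate-hashes` and `uv pip compile --generate-hashes` emit the pinned-plus-hash form it looks for, and `pip install --require-hashes -r requirements.txt` refuses to install anything else. The sample lockfile text and the package names in it are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample lockfile for the demo (not from the episode or any real project).
# Line 1 is a comment, lines 2-3 are one continued requirement, lines 4-7 are the rest.
SAMPLE_REQUIREMENTS = """\
# generated with: uv pip compile --generate-hashes requirements.in
django==5.1.4 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.3
pyyaml>=6.0
fastapi
mypkg @ git+https://example.invalid/mypkg.git
"""

# name[extras]==version is the only form a resolver can reproduce exactly.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")


@dataclass(frozen=True)
class Finding:
    line_no: int
    requirement: str
    problem: str  # "unpinned" or "no-hash"


def _logical_lines(text):
    """Yield (first_line_no, joined_text) per requirement, honouring
    backslash continuations and skipping blank and comment lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)


def audit_requirements(text: str) -> list[Finding]:
    """Flag requirements that are not exact-pinned, or are pinned without a hash."""
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("-"):  # pip options such as --index-url, not packages
            continue
        requirement = line.split(" --hash=", 1)[0].strip()
        if not PIN_RE.match(requirement):
            findings.append(Finding(no, requirement, "unpinned"))
        elif "--hash=" not in line:
            findings.append(Finding(no, requirement, "no-hash"))
    return findings


def is_hash_locked(text: str) -> bool:
    """True only if every requirement is pinned and hashed, which is what
    `pip install --require-hashes` insists on at install time."""
    return not audit_requirements(text)


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.problem:8} {f.requirement}")
```

Run it against the constructed sample and it reports the unhashed requests pin, the floating pyyaml range, the bare fastapi name and the unpinned git URL; only the django entry passes. Wire `is_hash_locked` into CI so a lockfile that drifts from pin-plus-hash fails the build before it reaches a deploy.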

Key Takeaways
1. Prioritize secure defaults and developer experience to reduce cognitive load and encourage secure behavior.
2. Use tools like pip-compile and uv to pin dependencies and manage supply chain risk.
3. Always validate input and enforce access control on the server side, not just in the front end.
4. Never run debug mode in production, and always configure security headers such as HSTS and Content Security Policy.
5. Use AI responsibly by prompting for security assumptions and running code reviews with secure prompts.
6. Implement proper logging and alerting for security events so incidents can be investigated.
7. Adopt a layered defense strategy with multiple security controls.
8. Engage with OWASP resources like the cheat sheets and local chapters to stay informed and contribute to a more secure software ecosystem.
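Takeaway 4 in code, as an added example that is not from the episode: a settings check that refuses to deploy with DEBUG on (the keys are Django's real setting names; the mapping is constructed), and a framework-neutral WSGI middleware that adds HSTS and a Content Security Policy on the way out. The demo app, its /embed path and the header values are assumptions for the example. In a real Django project the equivalent knobs are SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and a CSP middleware (django-csp, or the built-in Content-Security-Policy support in newer Django releases).

```python
import logging

log = logging.getLogger("security")

# Defaults added to every response that does not set the header itself.
# frame-ancestors in the CSP replaces the older X-Frame-Options header.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def check_production_settings(settings: dict) -> list[str]:
    """Return the deploy-blocking problems in a Django-style settings mapping.
    The keys are Django's real setting names; the mapping itself is constructed."""
    problems = []
    if settings.get("DEBUG", False):
        problems.append("DEBUG=True: tracebacks, settings and SQL leak to every visitor")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        problems.append("ALLOWED_HOSTS contains '*': the Host header is trusted blindly")
    if not settings.get("SESSION_COOKIE_SECURE", False):
        problems.append("SESSION_COOKIE_SECURE is off: the session cookie can travel over HTTP")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        problems.append("SECURE_HSTS_SECONDS is 0: no HSTS header will be sent")
    return problems


class SecurityHeadersMiddleware:
    """WSGI middleware that fills in missing security headers on the way out."""

    def __init__(self, app, headers=SECURITY_HEADERS, hsts=HSTS_VALUE):
        self.app, self.headers, self.hsts = app, headers, hsts

    def __call__(self, environ, start_response):
        def _start(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers.items():
                if name.lower() not in present:  # a view's own CSP wins over the default
                    response_headers.append((name, value))
            # Browsers ignore HSTS on plain HTTP, and emitting it there usually means
            # TLS is not terminated where you think it is.
            if environ.get("wsgi.url_scheme") == "https" and "strict-transport-security" not in present:
                response_headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, response_headers, exc_info)
        return self.app(environ, _start)


def hello_app(environ, start_response):
    """Constructed demo app; /embed sets its own, looser frame-ancestors policy."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("PATH_INFO") == "/embed":
        headers.append(("Content-Security-Policy",
                        "default-src 'self'; frame-ancestors https://partner.example"))
    start_response("200 OK", headers)
    return [b"hello"]


secured_app = SecurityHeadersMiddleware(hello_app)


def run_request(app, scheme="https", path="/"):
    """Drive a WSGI app in-process and return (status, headers as a dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(run_request(secured_app)[1])
    print(check_production_settings({"DEBUG": True, "ALLOWED_HOSTS": ["*"]}))
```

`run_request` is only a test driver; in production the middleware wraps the real WSGI application object, and `check_production_settings` belongs at process start so a DEBUG=True deploy dies immediately instead of serving tracebacks to the internet.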

Chapters
0:00 (10 min)
Introducing the 2025 OWASP Top 10 and Tanya Janka's Journey

"The thing that we're absolutely most famous for is called the OWASP Top 10. And I volunteered in Norway at the OWASP booth at a conference because I gave a talk and then I had nothing else to do. And every person that walked by went, 'Top 10. That's awesome.'"
10:00 (10 min)
The Evolution of Supply Chain Security and Developer Targeting

"If you get SQL injection in one app, you got into one database and maybe you could read sensitive data. If that database was completely unpatched in a total terrible mess, then maybe you could take over that server. Then if your network's totally not secure and crappy, which is not exactly that common... But you compromise a senior developer, right? And so, yeah, I was really glad when the team agreed that we would do this and then the community supported it. So I was like, yes, win."
20:00 (10 min)
Broken Access Control and Configuration Mismanagement

"I literally did this yesterday, Michael, because someone was like, hey, go get this file from there. And then I go in the folder and it's not there. Like the link wasn't correct. So I just went through the web directory with that. Like, but they wanted to send me the files. So just to be clear, like, they sent me and told me to go get it. I wasn't stealing anything. And I didn't end up eventually finding it either. So then they had to send me another link that was correct."
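The access-control point of this chapter, plus the new 'Mishandling of Exceptional Conditions' item, as an added example (not code from the episode; the User and Invoice records, the invoice IDs and the flag service are constructed): an invoice lookup that trusts the front end next to one that makes ownership part of the query, and a permission check that fails open during an outage next to one that fails closed and logs.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("security")


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: str


# Constructed sample data: user 7 owns 1001, user 8 owns 1002.
INVOICES = {
    1001: Invoice(id=1001, owner_id=7, total="19.00"),
    1002: Invoice(id=1002, owner_id=8, total="4200.00"),
}


class NotFound(Exception):
    pass


def get_invoice_insecure(invoice_id: int) -> Invoice:
    """Vulnerable: relies on the front end only ever showing a user their own IDs.
    Anyone who edits /invoices/1001 to /invoices/1002 reads another customer's invoice."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened: ownership is part of the lookup, so no code path returns an
    invoice without having checked who is asking."""
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (invoice.owner_id == user.id or user.role == "admin")
    if not allowed:
        # Same error for 'does not exist' and 'not yours', so IDs cannot be enumerated,
        # and a log line an analyst can alert on.
        log.warning("access denied user=%s invoice=%s", user.id, invoice_id)
        raise NotFound(f"invoice {invoice_id}")
    return invoice


def can_export_fail_open(user: User, fetch_flags) -> bool:
    """Mishandled exceptional condition: a backend outage becomes a permission grant."""
    try:
        return fetch_flags(user.id)["export_allowed"]
    except Exception:
        return True


def can_export(user: User, fetch_flags) -> bool:
    """Fail closed: if the authorization data cannot be read, the answer is no."""
    try:
        return bool(fetch_flags(user.id)["export_allowed"])
    except (KeyError, TimeoutError, ConnectionError) as exc:
        log.error("export check failed closed user=%s err=%r", user.id, exc)
        return False


def flags_service_down(user_id: int) -> dict:
    """Constructed stand-in for a feature-flag service that is timing out."""
    raise TimeoutError("flag service unreachable")


if __name__ == "__main__":
    alice, admin = User(7, "user"), User(1, "admin")
    print(get_invoice_insecure(1002))  # anyone gets user 8's invoice
    print(get_invoice(admin, 1002))
    print(can_export_fail_open(alice, flags_service_down), can_export(alice, flags_service_down))
```

In an ORM the hardened lookup is the same idea with the owner in the filter (for Django, `Invoice.objects.get(pk=invoice_id, owner=request.user)`), so the check cannot be forgotten in one view out of thirty.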
30:00 (10 min)
Cryptographic Failures, Injection, and Insecure Design

Tanya covers cryptographic failures, injection attacks (including SQL and MongoDB injection), and the 'Insecure Design' category (added to the list in 2021 and kept in 2025). She stresses the importance of proper password hashing with a per-user salt and a server-side pepper, using modern algorithms like Argon2, and the critical need for input validation. She frames insecure design as a failure to apply security principles during the planning phase, even when the code itself is implemented correctly.
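An added example for the injection part of this chapter (not from the episode; the user rows are constructed placeholders): the same query written with string formatting and with parameter binding, run against an in-memory sqlite3 database, and the MongoDB-style equivalent where decoded JSON is dropped straight into a filter so the client can supply a $ne operator. The small _matches() function stands in for the database's matching logic only so the bypass can be shown offline.

```python
import json
import sqlite3

# Constructed sample data; the "hashes" are placeholders, not real password hashes.
USER_ROWS = [("alice", "hash-a", 0), ("bob", "hash-b", 1)]
USER_DOCS = [{"username": u, "password_hash": h, "is_admin": bool(a)} for u, h, a in USER_ROWS]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USER_ROWS)
    return conn


def find_user_vulnerable(conn, username: str) -> list[str]:
    """String formatting puts attacker text inside the SQL grammar."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user(conn, username: str) -> list[str]:
    """Parameter binding keeps the value a value, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# --- the same mistake with a document store -----------------------------------

def _matches(doc: dict, flt: dict) -> bool:
    """Tiny stand-in for MongoDB matching: equality plus the $ne operator,
    enough to show why operator objects in a filter are dangerous."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if "$ne" in cond and value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True


def find_doc_vulnerable(body: dict) -> list[str]:
    """Passing decoded JSON straight into the filter lets the client supply operators:
    {"username": {"$ne": ""}} matches every user instead of one."""
    flt = {"username": body["username"]}
    return [d["username"] for d in USER_DOCS if _matches(d, flt)]


def require_str(body: dict, key: str, max_len: int = 64) -> str:
    """Input validation: the field must be a plain string of sane length,
    so a dict (operator object) from the client is rejected before it reaches the query."""
    value = body.get(key)
    if not isinstance(value, str) or not (1 <= len(value) <= max_len):
        raise ValueError(f"{key!r} must be a string of 1..{max_len} characters")
    return value


def find_doc(body: dict) -> list[str]:
    flt = {"username": require_str(body, "username")}
    return [d["username"] for d in USER_DOCS if _matches(d, flt)]


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(conn, payload), find_user(conn, payload))
    body = json.loads('{"username": {"$ne": ""}}')
    print(find_doc_vulnerable(body))
```

The two halves fail the same way: text or structure the application meant as data is read by the engine as syntax. Binding fixes the SQL side; on the document side there is no equivalent driver-level escape for operator objects, so type-checking the decoded input is the control.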

40:00 (10 min)
Authentication Failures, Integrity, and Logging

The episode explores authentication failures, software and data integrity failures, and the critical importance of logging and alerting. Tanya warns against custom authentication and emphasizes multi-factor authentication with adaptive, risk-based challenges. She discusses the silent danger of integrity failures, using CDN compromises and SolarWinds as examples, and highlights how poor logging can prevent incident investigation and legal action.
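Password storage as described in the Cryptographic Failures chapter above (per-user salt, a server-side pepper, a modern memory-hard KDF, and log lines for failed verifications), as an added example rather than the episode's own code. The page recommends Argon2; this block uses hashlib.scrypt because it is in the standard library and needs no extra package, and the argon2-cffi package offers the same shape of API with PasswordHasher().hash() and .verify(). The pepper value and the work factors are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("security")

# Constructed demo pepper. In production load it from a secret manager or the
# environment; it must never sit in the same database as the hashes.
PEPPER = b"constructed-demo-pepper-not-for-real-use"

# scrypt work factors (16 MiB, interactive-login range); raise n as hardware improves.
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN = 32


def _pepper(password: str) -> bytes:
    """Pre-hash with an HMAC keyed by the pepper: an attacker who dumps the
    users table still cannot test guesses without the secret."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, per-user salt, digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(_pepper(password), salt=salt, dklen=DKLEN, **SCRYPT)
    parts = ["scrypt", str(SCRYPT["n"]), str(SCRYPT["r"]), str(SCRYPT["p"]), _b64(salt), _b64(digest)]
    return "$".join(parts)


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; a malformed record fails closed instead of raising."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            raise ValueError(f"unsupported algorithm {algo!r}")
        salt, digest = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(_pepper(password), salt=salt, n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    except (ValueError, TypeError) as exc:
        log.error("unusable password record: %r", exc)
        return False
    ok = hmac.compare_digest(candidate, digest)
    if not ok:
        log.warning("password verification failed")  # what an alert on brute force keys off
    return ok


def needs_rehash(stored: str) -> bool:
    """True when the record was made with weaker parameters than SCRYPT; call it after a
    successful login and store hash_password(password) again to upgrade in place."""
    parts = stored.split("$")
    try:
        return len(parts) != 6 or parts[0] != "scrypt" or \
            (int(parts[1]), int(parts[2]), int(parts[3])) != (SCRYPT["n"], SCRYPT["r"], SCRYPT["p"])
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

The record format carries its own parameters, which is what makes `needs_rehash` possible: when you raise the work factor, old users are upgraded on their next successful login rather than forced through a reset.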

High-Impact Quotes

"The AI I think everyone knows is not creating great code. And the reason is it was trained on not great code. Most code out there is not great code. The code specifically it used was demos, examples, things on GitHub, publicly available demos where there's no security team involved, right? So like if you went and scanned the code inside Microsoft that makes the Microsoft products, you better believe it, that'd probably be pretty darn good code versus some random crap Tanya did five years ago that's on her GitHub. That might be really crappy or it might even be intentionally vulnerable, right? And it doesn't know. And so as a result, we have this thing that's trained that security just it's optional, it's low priority and it's missing."
Tanya Janka, 59:52

"If you get SQL injection in one app, you got into one database and maybe you could read sensitive data. If that database was completely unpatched in a total terrible mess, then maybe you could take over that server. Then if your network's totally not secure and crappy, which is not exactly that common... But you compromise a senior developer, right? And so, yeah, I was really glad when the team agreed that we would do this and then the community supported it. So I was like, yes, win."
Tanya Janka, 25:26

"We need to protect the whole thing. And like we were saying earlier, developers themselves are becoming targets and malicious actors. We need to find ways to defend the developer themselves, protect them, make them safer doing their jobs, right? And help them find ways to secure the whole supply chain that's not too painful because they still need flexibility in order to be creative."
Tanya Janka, 33:56
Speakers
Host: Michael Kennedy
Guest: Tanya Janka
Topics Discussed
OWASP Top 10 2025 (95%)
Software Supply Chain Security (90%)
Access Control and Authorization (85%)
AI and Secure Coding (85%)
Python Security Best Practices (80%)
Developer Security and Awareness (75%)
Insecure Design (75%)
Error Handling and Resilience (70%)
People & Brands
OWASP (organization): 22 mentions, positive
Michael Kennedy (person): 18 mentions, positive
Tanya Janka (person): 15 mentions, positive
Django (other): 6 mentions, neutral
Secure Code Prompt Library (other): 5 mentions, positive
Temporal (organization): 4 mentions, positive
Claude (other): 4 mentions, neutral
Canada (place): 4 mentions, positive
UV (product): 3 mentions, positive
Agentic AI Programming for Python Developers (other): 3 mentions, positive
