This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. This admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form.

  1. In the least secure case, anybody can access and modify the database.
  2. You can password protect it, but once you start using the admin console, information is still transmitted in plain text.
  3. So then you use HTTPS to secure the transmitted data.


  1. To describe to a learner, how would you incrementally add security to the least secure environment in order to make it most secure? How would you modify/augment my three (possibly erroneous) steps above?
  2. What basic tools in Python make your steps possible?
  3. Optional: Now that I understand the process, how do sophisticated libraries and frameworks inherently achieve this level of security?
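Step 2 of the question ("password protect") is where a CGI script most often goes wrong, because it is tempting to compare the submitted password against a stored plaintext string. The following is an added example, not code from the question or any answer, showing what the standard library alone gives you: a salted PBKDF2 hash per user, a constant-time comparison, and a lookup that does the same amount of work for unknown users. The `USERS` dictionary is a constructed stand-in for whatever credential store the console would really use.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password, salt=b""):
    """Return (salt, derived_key) for a password. A fresh random salt is drawn
    when none is supplied, so two users with the same password store different hashes."""
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_password(password, salt, expected):
    """Recompute the derived key and compare it in constant time, so the comparison
    does not leak how many leading bytes matched."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, expected)


# Constructed credential store for a single admin user (hypothetical; a real
# console would keep this in a file or table outside the web root).
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {"admin": (_SALT, _HASH)}

# Dummy record used for unknown usernames so the PBKDF2 work still happens.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def check_login(username, password):
    """True only if the user exists and the password matches. PBKDF2 runs either
    way, so response time does not reveal which usernames are valid."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = verify_password(password, salt, expected)
    return ok and username in USERS
```

The CGI script would read the form fields (the old `cgi.FieldStorage` or a hand-rolled parser of `sys.stdin`) and call `check_login`; on success it issues a session rather than re-sending the password with every request.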
+2  A: 

Non-specific to Python, but any administrative features that offer that level of control over a system should be protected with both SSL and an Authentication and Authorization mechanism (login) at the very least.

+3  A: 

Security is not a patch job, it's a holistic approach.

Incrementally adding security is not a good idea. You should integrate security in your application from the ground up.

The best advice I can give you is to try to think like an attacker. Think to yourself: "If I wanted to do something I'm not supposed to be able to do, how would I do it?"

If you're designing an application which uses a database, be careful not to allow SQL Injections. You should also be aware of some of the most popular web vulnerabilities if you're making a web app.

Ben S
Thank you for the suggestion. That second link was really useful. Without much experience, it's hard for me to think like an attacker because I don't know my options, but that link makes those options quite apparent.
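To make the SQL injection warning in the answer above concrete, here is an added example (not code from the answer or the question) run against a constructed in-memory SQLite table. It puts the vulnerable query beside the parameterized one, and adds the case the question's "create and modify tables" feature raises: a table name cannot be bound as a parameter, so it is checked against the schema's own list of tables instead.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the console's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the form value is pasted into the SQL text, so a quote in the
    value ends the string literal and the rest is interpreted as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened: the driver binds the value as data; it can never become syntax."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def list_rows(conn, table):
    """Identifiers cannot be parameters, so accept only names that exist in the
    schema, then quote the identifier for the query."""
    allowed = {
        r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    }
    if table not in allowed:
        raise ValueError("unknown table: %r" % table)
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute("SELECT * FROM %s" % quoted).fetchall()
```

With the input `' OR '1'='1` the unsafe version returns every row, while the parameterized version looks for a user literally named that and finds nothing; the allow-list rejects any table name that is not already in `sqlite_master`.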
+2  A: 

The very first concern I have is protecting against CSRF vulnerabilities. Next I would be concerned with Broken Authentication and Session Management. Most importantly, in order to maintain a secure session you must use https throughout the entire life of the session. If you were to spill a password or session id or even a sql query in plain text that would be a bad thing.
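The two concerns named in this answer, CSRF and session management, can both be handled with the standard library. The following added example (not code from the answer) issues an unguessable session id, sets the cookie with the `Secure`, `HttpOnly` and `SameSite` attributes so it only travels over HTTPS and is not readable by script, and derives a per-session CSRF token that every state-changing form must echo back. `SERVER_SECRET` and the `SESSIONS` dictionary are assumed stand-ins for a configured secret and a real server-side session store.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side secret; a real deployment loads it from config.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def create_session(username):
    """Issue a random, unguessable session id after a successful login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}
    return sid


def session_cookie_header(sid):
    """Set-Cookie header for the session: Secure keeps it off plain HTTP,
    HttpOnly hides it from JavaScript, SameSite=Strict stops cross-site sends."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")


def csrf_token(sid):
    """Token bound to the session id. Embed it in a hidden form field; a page on
    another origin can make the browser send the cookie but cannot read this."""
    return hmac.new(SERVER_SECRET, sid.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_form(cookie_header, form):
    """Authorize a state-changing POST: the session cookie must be valid AND the
    submitted csrf_token must match the one derived for that session."""
    c = SimpleCookie(cookie_header or "")
    sid = c["session"].value if "session" in c else None
    if sid is None or sid not in SESSIONS:
        return 401, "login required"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "CSRF token missing or invalid"
    return 200, "ok for %s" % SESSIONS[sid]["user"]
```

A forged cross-site POST carries the victim's cookie (if `SameSite` is not honoured) but no valid token, so it is refused with 403 rather than executed; a request with no recognised session never reaches the token check at all.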
