Description:

Software development is increasingly turning into an industrialised mechanical process. With the abundance of low code/no code software solutions and magical APIs it has become more convenient than ever to create beautiful applications that deliver the right business logic. Building on top of existing standard libraries or accepted industry standards is the norm instead of re-building things from scratch. However, during all this rush towards building the next big app we are somewhere forgetting data privacy.

Slapping long privacy policy documents only leads to false acceptance on the user’s end without really ever going through the policy document. And even when these documents are made easy to understand, we’ve always looked at data privacy from a DLP perspective. We look at all the databases we have, we lock them down and build RBACs around them. However, we forget to look at the root cause of the problem. The very code that power our applications. Now, imagine applications that have privacy built-in. Imagine detecting and mitigating all the privacy violations pre-deployment. In this research, we are going to discuss DevPrivOps with an open source software that does just that.

As Python developers we love meaning-ful exceptions, errors, and logs. We want to make sure we understand if something goes wrong then why exactly it is going wrong and where it is going wrong. Another reason we love to Python is because of the sheer number of libraries availablef or virutall any task.

Deep learning? Tensorflow, Pytorch, ChatGPT APIs Databases? Almost every major database under the sun

However, when deadlines are close and features have to be released ASAP, we sometimes cut corners with privacy and security. While there are several solutions for security in CI/CD pipelines. Let's talk about privacy in pre-deployment checks today.

What's the point? What's this talk about? The talk is about enabling privacy of Django/Flask/FastAPI Python applications using modern Privacy Engineering tools. The end goal of this talk is to ensure YOU can write your Python applications without the fear of leaking user data. modern privacy engineering is all about pushing left aka static code analysis. This will allow us to detect leaky logs, API calls, database queries, and other third party connections before the applction is deployed.

Flow of the Talk 1. Why do we have data leaks? (2.5 minutes) 2. What kind of data is being targeted? (2.5 minutes) 3. Patching the pipeline (5 minutes) 4. Tools of the Trade (5 minutes) 5. Live demo (15 minutes)

    - Loading sample python application in Joern and running graph queries
    - Running privado scan on the application
    - Modifying scanner policies/writing custom policies
    - Patching application code
    - Scanning the application code again post-changes

Prerequisites:

• Basic python
• Basic understanding of static code analysis
• Basic understanding of CI/CD pipelines

Content URLs:

1. https://arxiv.org/abs/2108.00927
2. https://en.wikipedia.org/wiki/Code_property_graph
3. https://petsymposium.org/popets/2023/popets-2023-0046.pdf
4. https://github.com/Privado-Inc/privado-core
5. Presentation Link

Speaker Info:

Gaurav works in Security R&D space @Privado. His interests are in shift-left security, forensics, and malware analysis. He completed his master’s degree in “Digital Forensics” from Gujarat Forensic Sciences University (now National Forensic Sciences University). He has delivered talks in conferences like Nullcon Goa 2022, Google Cloud Community Days. In his free time, he likes watching anime and exploring new food cuisines.

Speaker Links:

1. https://linkedin.com/in/gaurav-gogia
2. https://github.com/gaurav-gogia
3. https://aoiflux.xyz
4. Presentation Link