https://www.secdev.uk/blog/tags/eval/ Recent content in Eval on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 30 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-30-python-security-pitfalls/ Sat, 30 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-30-python-security-pitfalls/ <p>I&rsquo;ve spent a lot of time reviewing Python codebases, and the language&rsquo;s readability and rapid development cycle are exactly what make it dangerous. Python is the default choice for web services, data pipelines, and automation scripts, and that same ease of use hides security pitfalls that experienced developers walk into regularly. The language&rsquo;s dynamic nature, runtime evaluation, duck typing, implicit conversions, and powerful serialization, creates attack surfaces that simply don&rsquo;t exist in statically typed languages. In this post, I want to cover the Python-specific anti-patterns that lead to real vulnerabilities, from the well-known <code>pickle</code> deserialization trap to the subtle template injection that can survive code review.</p>