Security breaches can devastate organisations, compromise user data, and destroy trust. As web applications become increasingly central to business operations, secure development practices are not optional – they're essential. This intensive two day courses equips Python developers with both the theoretical understanding and practical skills needed to build secure web applications. From cryptographic fundamentals to real-world implementation patterns, you'll learn how to identify vulnerabilities and implement robust security measures at every layer of your application with a Defence in Depth approach.

The course covers important security principles, and mitigating specific vulnerabilities including The OWASP Top Ten, but is focused on secure Python web application development.

This is a practical and hands on, two day, course. Learn how to use the security tools that come in the Python standard library. Modules covered include:

• hashlib
• hmac
• secrets
• random
• socket
• ssl

Web application frameworks:

• Security features in web application frameworks for API servers and web applications
• How to secure data in Django, Flask and other popular web application frameworks
• Secure deployment practises with containers and application servers (WSGI or ASGI)

Third party libraries for cryptography and secure network access:

• authlib
• cryptography
• httpx and requests
• websocket
• jwt
• OpenZiti for application level zero trust architecture
• certifi for TLS certification verification

Tooling for secure Python development and as part of your CI pipelines:

• uv/pipenv
• pip-audit
• bandit
• ruff
• mypy
• dependabot/renovate
• Security testing

Network security with TLS:

• How, why and when to use TLS
• How TLS works
• mTLS for enhanced security
• Generating self-signed certificates for local development, with the cryptography library

This course is taught by Michael Foord. Michael has been teaching Python for over a decade and has over twenty years industry experience as an application developer. Michael is a Python core developer and the creator of unittest.mock in the Python standard library, and is the author of The Absolute Minimum Every Python Web Application Developer Must Know About Security.

• Security principles and defence in depth strategies with Python frameworks
• Implementing OWASP Top 10 protections in Django, Flask and FastAPI applications
• Security principles and defence in depth strategies
• Principles from The OWASP Web Security Testing Guide
• Threat modelling and the security requirements document
• The principles of least privilege and deny by default
• Zero trust architecture fundamentals
• Building zero trust architecture with OpenZiti's Python SDK

• Hashing, encryption, and digital signatures
• Symmetric encryption and public key encryption
• Secure password storage and management
• Using Python's hashlib and hmac modules for secure hashing
• Using Python's cryptography libraries correctly
• Data encryption at rest and in transit
• Data encryption at rest using Django's encrypted model fields and SQLAlchemy StringEncryptedType

• Secure session management
• OAuth 2.0 and JWT for authentication
• Oauth2 with the Python library authlib
• JWT handling with PyJWT and managing token lifecycles
• Role-based access control (RBAC), plus alternatives
• Multi-factor authentication
• Managing access tokens and permissions

• Proven security with modern cryptography algorithms
• Protection against SQL injection
• Input validation and sanitisation
• Using secrets vs random for cryptographic operations
• Sanitizing logs in Python applications
• Django template escaping and Flask/Jinja2 for XSS prevention
• Preventing timing attacks and token prediction attacks
• Cryptographically secure randomness
• Cross-site scripting (XSS) prevention
• Cross-site request forgery (CSRF) protection
• Secure file handling and upload validation
• Preventing TLS downgrade attacks

• Networking fundamentals
• TLS/SSL implementation and certificate management
• Secure API design and implementation
• WebSocket security
• Network architecture and segmentation
• Firewalls, routers, network interfaces
• Protocols, HTTP & TLS, with the Python standard library
• Application deployment
• Software Defined Networking

• Container security best practices
• Secure deployment patterns
• Network interfaces and routing
• Building DMZ architectures for Python web applications
• Virtual private networks (VPN)

• Static analysis with bandit and ruff
• Dependency scanning using pip-audit
• Automated security testing integration
• Container scanning and runtime protection
• Code review practices for security

• Live security alerts
• Statutory duties around security
• Monitoring Python applications for security issues
• Security patch management for Python applications
• Updating and patching strategies

The course includes practical exercises throughout, with participants implementing secure coding patterns, identifying vulnerabilities in sample code, and building secure components.