- Explore why security is critical when building custom Python tools and how real-world failures happen.
- Learn essential Python secure-coding fundamentals to build safer applications from the start.
- Understand the big three Python threats—injection, unsafe deserialization, and arbitrary code execution—and how to defend against them.
- Apply secure practices for handling, storing, and transferring sensitive data within Python workflows.
- Utilise proper secrets management and modern authentication methods to eliminate risky hard-coding.
- Evaluate dependency risks, environment isolation, and deployment security to avoid supply-chain and packaging threats.
- Enhance your safety posture in Jupyter and other interactive environments by following notebook-specific security best practices.
- Review a practical secure-coding checklist to reinforce learning and guide future Python development.
Course Details
Module 1 — Why Security Matters for Desk-Built Python Tools
Key Topics:
- How small quant/analyst scripts create enterprise-level exposure
- Model theft and Model IP protection; Market data and API security including rate limiting
- Real examples of spreadsheet/Python notebook breaches
- Data classification: market data, client data, PII, trading logic
- Regulatory context (e.g., GDPR, FCA, internal audit requirements)
- MiFID II record-keeping requirements, EU DORA ICT Risk Management requirements.
- “Shadow IT” and why Python tools often bypass security controls
- Takeaway
- Learners understand why security applies to them, not just developers.
Module 2 — Python Secure Coding Fundamentals
Key Topics:
- The Least Privilege Principle in code & data access
- Input validation for parameters, files, CSV uploads, API inputs
- Safe error handling and avoiding information leakage
- Creating safe defaults (timeouts, retries, limited file access)
- Logging without exposing sensitive data
- Practical Red Flags
- Printing credentials during debugging
- Exposing stack traces to internal users
- Using “temporary” shortcuts that become permanent in production
Module 3 — The Big Three Python Threats: Injection, Deserialization, Execution
- 1. Injection Attacks
- SQL injection through string formatting
- Safe use of parameterized queries
- Injection through Pandas query() or notebook widgets
- 2. Deserialization Risks
- pickle / joblib loading untrusted data
- Malicious objects executing on load
- Safer alternatives (json, yaml.safe_load, protobuf)
- 3. Arbitrary Code Execution
- Why eval, exec, and dynamic imports are dangerous
- Unsafe shelling-out (os.system, subprocess.Popen)
- How attackers can escalate through seemingly harmless inputs
- Hands-On Exercise
- Fixing vulnerabilities in a short Python example script.
Module 4 — Protecting Data: Secure Handling, Storage, and Movement
- Key Topics
- Handling of client data, trade data, PII
- Preventing data leakage through logs, temp files, notebooks
- Encryption in transit: using HTTPS, certificates
- Avoiding local file dumps and shared drive exposure
- Sanitizing output before sending to business users or clients
- Scenario Discussion
- What happens if a quant tool produces a CSV with unintended sensitive columns?
Module 5 — Secrets Management & Authentication
- Key Topics
- Never hardcoding credentials (API keys, DB passwords)
- Secure use of environment variables
- Using the bank’s secret manager or credential vault
- Key rotation & lifecycle
- Risks of storing secrets in notebooks or git repos
- Practical Red Flags
- Jupyter notebooks uploaded with visible credentials
- Python scripts emailed with embedded tokens
Module 6 — Dependencies, Environments & Deployment Risks
- Key Topics
- Why dependency risks matter even for small Python tools
- Using internal package repositories only
- Pinning versions (requirements.txt, pip freeze)
- Known vulnerabilities (CVE scanning)
- Conda/venv isolation
- Risks of running untrusted open-source packages
- Practical Example
- A popular ML library compromise — how supply-chain vulnerabilities arise.
- Supply chain security, typosquatting attacks, and vetting third-party libraries.
Module 7 — Jupyter Notebook & Interactive Tool Security
- Key Topics
- Notebooks as attack surfaces
- Removing sensitive output before sharing
- Preventing user-supplied code execution in widgets
- Converting notebooks safely to HTML/PDF
- Output caching and hidden cell risks
- Red Flags
- Notebooks stored on shared drives with embedded datasets
- “Accidental” model dumps containing client identifiers
Module 8 — Lightweight Threat Modeling for Python Tools (30 min)
- Key Topics
- Identifying what your code connects to (data sources & systems)
- Mapping trust boundaries
- Asking “What could go wrong?” before releasing a tool
- Quick 5-question security check for every script/app
Module 9 — Secure Coding Checklist & Final Review
- Learners receive a Python-specific, desk-friendly checklist:
- Am I accepting untrusted input?
- Am I using any dynamic execution (eval/exec)?
- Are secrets exposed anywhere?
- Does the script access more data than needed?
- Are dependencies safe and version-pinned?
- Could logs or errors leak sensitive information?
- Have I documented known assumptions and risks?
- OPTIONAL: Hands-On Assessment (20–30 min)
- A short secure-code review exercise using a flawed Python script.
Who should attend
- Python Developers
- Software Engineers
- Security Professionals (SecDevOps)
- Software Architects
- Data Scientists & Machine Learning Engineers
- Quality Assurance Engineers
- Developers Transitioning to Security
- Ethical Hackers and Penetration Testers
- Project Managers and Product Owners
Feedback
4.8 out of 5 average
"Our tailored course provided a well rounded introduction and also covered some intermediate level topics that we needed to know. Clive gave us some best practice ideas and tips to take away. Fast paced but the instructor never lost any of the delegates"
Brian Leek, Data Analyst, May 2022
“JBI did a great job of customizing their syllabus to suit our business needs and also bringing our team up to speed on the current best practices. Our teams varied widely in terms of experience and the Instructor handled this particularly well - very impressive”
Brian F, Team Lead, RBS, Data Analysis Course, 20 April 2022