Security biz Imperva came to this conclusion after looking at GitHub and finding that more than 20 per cent of GitHub repositories for attack tools and proof-of-concept exploits are written in Python.
“In virtually every security-related topic in GitHub, the majority of the repositories are written in Python, including tools such as w3af, Sqlmap, and even the infamous AutoSploit tool,” the company explained on Wednesday in a blog post, adding that hackers enjoy Python’s advantages – easy to learn, easy to read, comprehensive libraries – just like everyone else.
Python shows up not just in GitHub repos but in incidents as well. Imperva claims that in its security incident data, the largest group of the web clients it can identify (~25 per cent) are based on Python.
Looking at Python usage in attacks against sites under Imperva’s protection, the company found that up to 77 per cent were hit by a Python-based tool and that in at least a third of these incidents, the majority of daily attacks could be attributed to Python-written code.
The security biz points to
Requests as the two most popular Python libraries used by attackers, with
asyncio, a relative newcomer, just starting to show signs of adoption. Among the most common attacks involving Python tools, the two most popular in the past two months targeted a PHP-based remote execution flaw in the PHPUnit framework (CVE-2017-9841) and a remote code execution flaw in Joomla (CVE-2015-8562).
Imperva’s observations don’t offer much insight into whether mitigating Python-based attacks is any different from dealing with other kinds of exploits. But the company does note, “Python requires minimal coding skills, making it easy to write a script and exploit a vulnerability.” Presumably, defending against amateurs offers better odds than the alternative.
IBM Fellow Grady Booch told The Register that Imperva’s observations seem reasonable. “I’ve not dug into Imperva’s data or methodology, but it seems correct on many levels: Python is popular for it is used most often at the edge of systems where software is far more disposable (and where there is less risk and therefore less discipline, compared to – for example – the infrastructure of a system),” he said.
Thomas Reed, director of Mac and mobile for security biz Malwarebytes, said he tends to agree with Imperva’s findings. “We’ve seen some malware for the Mac coded in nothing but Python!” he told us, pointing to EvilOSX, Bella, and Pupy. “Python is pretty popular with the white hats too… it’s my scripting language of choice these days, and is popular with many other Mac security pros and admins. There’s even a way to include Objective-C methods in Python scripts, via
pyobjc, for additional power.”