Episode: #545: OWASP Top 10 (2025 List) for Python Devs
Podcast: Talk Python To Me
Published: Apr 16, 2026
Duration: 3963 seconds
Canonical source: https://talkpython.fm/episodes/show/545/owasp-top-10-2025-list-for-python-devs
Audio: https://talkpython.fm/episodes/download/545/owasp-top-10-2025-list-for-python-devs.mp3

Summary

Explore the critical updates in the 2025 OWASP Top 10, focusing on new threats like supply chain attacks and improper exception handling. The discussion features a live demonstration of using Claude Code to identify vulnerabilities in real-world Python projects.

Topics

  • OWASP Top 10
  • Python Security
  • Software Supply Chain
  • Docker Networking
  • AI Coding Agents
  • Vulnerability Assessment
  • Cybersecurity Best Practices

Highlights

  • Main idea: The 2025 OWASP update introduces significant shifts in how we categorize threats, specifically regarding supply chain integrity
  • Failure mode: Relying on UFW (Uncomplicated Firewall) in Docker environments can create a false sense of security, because Docker writes its own iptables rules, which take effect regardless of what UFW configures
  • Practical takeaway: When using AI coding agents, you must provide explicit security requirements rather than just asking for 'secure code' to avoid critical vulnerabilities
  • Main idea: Software supply chain security extends beyond libraries to include your entire development environment, including browsers and plugins
  • Practical takeaway: Use OWASP cheat sheets for specific implementation details like authentication and authorization to ensure standardized security

Chapters

  1. 10:55 The 2025 OWASP Top 10 Evolution: An overview of the recent updates to the OWASP Top 10 and the community feedback process that shaped the new list.
  2. 15:40 The Danger of Outdated Components: A case study on how an outdated media player vulnerability led to a full-scale network compromise and credential theft.
  3. 30:30 The Docker Firewall Trap: A deep dive into why standard Linux firewalls like UFW often fail to protect exposed database ports in Dockerized environments.
  4. 35:40 Securing the Software Supply Chain: Defining the modern attack surface, including the tools, browsers, and packages used in the development lifecycle.
  5. 40:50 The Shift in Update Best Practices: Why the 'always auto-update to latest' strategy is no longer the gold standard for security.
  6. 1:00:55 AI Agents as Security Auditors: Testing Claude Code on a vulnerable project to see how AI can identify and help remediate security flaws.