# #545: OWASP Top 10 (2025 List) for Python Devs

- Page: https://stenobird.com/podcast/talk-python-to-me/545-owasp-top-10-2025-list-for-python-devs
- Text version: https://stenobird.com/podcast/talk-python-to-me/545-owasp-top-10-2025-list-for-python-devs.md
- Podcast: [Talk Python To Me](https://stenobird.com/podcast/talk-python-to-me)
- Published: 2026-04-16T20:24:50+00:00
- Episode link: https://talkpython.fm/episodes/show/545/owasp-top-10-2025-list-for-python-devs
- Audio file: https://talkpython.fm/episodes/download/545/owasp-top-10-2025-list-for-python-devs.mp3
- Processing state: processed
- JSON: https://stenobird.com/v1/public/podcasts/talk-python-to-me/episodes/545-owasp-top-10-2025-list-for-python-devs
- Duration seconds: 3963

## Resource

Explore the critical updates in the 2025 OWASP Top 10, focusing on new threats like supply chain attacks and improper exception handling. The discussion features a live demonstration of using Claude Code to identify vulnerabilities in real-world Python projects.
## Highlights

- Main idea: The 2025 OWASP update introduces significant shifts in how we categorize threats, specifically regarding supply chain integrity
- Failure mode: Relying on UFW (Uncomplicated Firewall) in Docker environments can create a false sense of security, as Docker bypasses many standard iptables rules
- Practical takeaway: When using AI coding agents, you must provide explicit security requirements rather than just asking for 'secure code' to avoid critical vulnerabilities
- Main idea: Software supply chain security extends beyond libraries to include your entire development environment, including browsers and plugins
- Practical takeaway: Use OWASP cheat sheets for specific implementation details like authentication and authorization to ensure standardized security

## Topics

OWASP Top 10, Python Security, Software Supply Chain, Docker Networking, AI Coding Agents, Vulnerability Assessment, Cybersecurity Best Practices

## Chapters

- 10:55 — The 2025 OWASP Top 10 Evolution: An overview of the recent updates to the OWASP Top 10 and the community feedback process that shaped the new list.
- 15:40 — The Danger of Outdated Components: A case study on how an outdated media player vulnerability led to a full-scale network compromise and credential theft.
- 30:30 — The Docker Firewall Trap: A deep dive into why standard Linux firewalls like UFW often fail to protect exposed database ports in Dockerized environments.
- 35:40 — Securing the Software Supply Chain: Defining the modern attack surface, including the tools, browsers, and packages used in the development lifecycle.
- 40:50 — The Shift in Update Best Practices: Why the 'always auto-update to latest' strategy is no longer the gold standard for security.
- 1:00:55 — AI Agents as Security Auditors: Testing Claude Code on a vulnerable project to see how AI can identify and help remediate security flaws.
## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/talk-python-to-me/episodes/545-owasp-top-10-2025-list-for-python-devs/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/talk-python-to-me/545-owasp-top-10-2025-list-for-python-devs.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.