
Commit 43fd974

committed
updates and fixes
1 parent fe0e6f7 commit 43fd974

16 files changed

Lines changed: 66 additions & 56 deletions

donate.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,8 @@ To help more people kickstart their Infosec journey, this course is offered on a
44

55
Why contribute? Your donations directly fund the ongoing maintenance, updates, and development of new high-quality security resources.
66

7-
Our Mission: To [simplify cybersecurity](https://simplifysecurity.nocomplexity.com) and ensure high-level training remains a public good, not a gated commodity.
7+
Our Mission: To [simplify cybersecurity](https://simplifysecurity.nocomplexity.com) and transform elite training into a public good, rather than a gated commodity.
8+
89

910
If you find this material valuable, please consider supporting our mission.
1011

index.md

Lines changed: 8 additions & 9 deletions
@@ -19,34 +19,34 @@ The aim of this course is to teach you how to carry out security testing on Pyth
1919
:::
2020

2121

22-
This course is designed for developers and security enthusiasts, taking you from basic code hygiene through to advanced automated security analysis. It focuses on reliable open-source security tools to identify vulnerabilities arising from Python’s dynamic nature and the common pitfalls in its ecosystem.
22+
This course is designed for developers and security enthusiasts, taking you from basic code hygiene through to advanced security analysis. It focuses on using reliable open-source security tools to identify vulnerabilities arising from Python’s dynamic nature and the common pitfalls in its ecosystem.
2323

2424
:::{note}
2525
This course assumes a basic familiarity with Python syntax and the command line.
2626
:::
2727

28-
It is designed to take you from a security novice to a proficient code auditor. Rather than focusing solely on theory, we will take a practical approach—identifying and resolving vulnerabilities in **Python code** using **Static Application Security Testing (SAST)** tools.
28+
It is designed to take you from a security novice to a proficient security code auditor for Python applications. Rather than focusing solely on theory, we will take a practical approach—identifying and resolving vulnerabilities in **Python code** using **Static Application Security Testing (SAST)** tools.
2929

3030

3131
## Who is this course for?
3232

33-
This course is designed for software security testers who want to improve their knowledge and skills in security testing for Python software.
33+
This course is designed for security testers who want to improve their knowledge and skills in security testing for Python software.
3434

3535
It is also suitable for DevOps professionals, architects, security professionals, AppSec engineers, software engineers, web application developers, and others interested in learning about security testing for Python software.
3636

3737
The course focuses on practical steps that can be taken — even with limited resources — to build your skills in security testing for Python software and performing security audits on systems that include Python components.
3838
This is not a beginner’s course that simply teaches you to run tools and follow a checklist.
3939
To get the most from this course (and to complete it successfully), you should already be familiar with:
4040

41-
- software testing
42-
- using programs from the command-line interface (CLI) on Unix-like systems (Linux or BSD)
41+
- Security testing
42+
- Using programs from the command-line interface (CLI) on Unix-like systems (Linux or BSD)
4343

4444
:::{tip}
4545
Some prior knowledge and experience with security testing is strongly recommended.
4646
:::
4747

4848
:::{note}
49-
This course is **not** a beginner’s course, but aims to **deepen the knowledge of professional security testers** in relation to systems built with (or containing) Python code.
49+
This course is **not** a beginner’s course, but aims to **deepen the knowledge of professional security testers** in relation to systems built with (or containing) **Python** code.
5050
:::
5151

5252
## Course Overview
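Review bot: the new line 28 still promises to take readers "from a security novice to a proficient security code auditor", which contradicts line 38 ("This is not a beginner's course") and the note at line 49 in this same hunk; pick one audience statement. Related: lines 41-42 now list "Security testing" as something readers "should already be familiar with", while the tip directly below only says prior security-testing experience is "strongly recommended"; align the two so the prerequisite is either required in both places or recommended in both.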
@@ -60,8 +60,7 @@ Overview of modules:
6060

6161
+++
6262

63-
3. [Module 3](module3/module3_overview): Harnessing Static Application Security Testing (SAST) for Python Code
64-
Deep coverage of Python Code Audit, the advantages of a SAST for Python code, and use cases.
63+
3. [Module 3](module3/module3_overview): Harnessing Static Application Security Testing (SAST) for Python Code and why humans are stil crucial for security testing .
6564

6665
+++
6766
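Review bot: typo and spacing in line 63: "stil" should be "still", and there is a stray space before the final period ("security testing ."). Removing line 64 also dropped the only description of what Module 3 covers (Python Code Audit, the advantages of SAST for Python code, use cases); if that content is still in the module, keep a one-line summary so the Module 3 entry is not just a title.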

@@ -70,7 +69,7 @@ Deep coverage of Python Code Audit, the advantages of a SAST for Python code, a
7069
+++
7170

7271

73-
5. [Module 5](module5/module5_overview): Detecting and Exploiting Common Python Vulnerabilities with **Python Code Audit**.
72+
5. [Module 5](module5/module5_overview): Detecting and Exploiting Common Python Vulnerabilities with [**Python Code Audit**](https://nocomplexity.com/codeaudit/).
7473

7574
+++
7675

module1/pythonexecutionmodel.md

Lines changed: 2 additions & 3 deletions
@@ -60,8 +60,7 @@ Below is an example how you can see how Python code is compiled to bytecode:
6060

6161
## Memory Abstraction in Python: Security Benefits and Trade-offs
6262

63-
Unlike lower-level languages such as C or C++, Python does not allow developers to directly manipulate memory addresses. There are no pointers that can be arbitrarily dereferenced, and memory allocation and deallocation are handled automatically by the runtime. This abstraction significantly reduces the risk of certain low-level vulnerabilities.
64-
Reduced Risk: **Buffer Overflows**
63+
Unlike lower-level languages such as C or C++, Python does not allow developers to directly manipulate memory addresses. There are no pointers that can be arbitrarily dereferenced, and memory allocation and deallocation are handled automatically by the runtime. This abstraction significantly reduces the risk of certain low-level vulnerabilities, like **Buffer Overflows**.
6564

6665
In languages like C, developers must manually manage memory buffers. A common vulnerability is a buffer overflow, where data written beyond the bounds of an allocated buffer overwrites adjacent memory. This can lead to crashes or, in severe cases, arbitrary code execution.
6766
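Review bot: "reduces the risk of certain low-level vulnerabilities, like **Buffer Overflows**" reads as a simile; "such as **buffer overflows**" is clearer, and the term does not need title case mid-sentence. Folding the former "Reduced Risk: Buffer Overflows" label into the paragraph is fine, but check that any sibling "Reduced Risk:" labels in this section were merged the same way so the structure stays parallel.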

@@ -109,7 +108,7 @@ Although this does not corrupt memory, it can allow an attacker to execute arbit
109108

110109
3. **Reliance on Native Extensions**
111110

112-
While Python itself is memory-safe, many performance-critical libraries (e.g. NumPy, cryptographic libraries) are written in `C`. Vulnerabilities in these native extensions can reintroduce classic memory issues such as buffer overflows.
111+
While Python itself is memory-safe, many performance-critical libraries (e.g. `NumPy`, cryptographic libraries) are written in `C`. Vulnerabilities in these native extensions can reintroduce classic memory issues such as buffer overflows.
113112

114113
Example:
115114
- A Python application calls a vulnerable C extension.

module1/pythonsecuritymodel.md

Lines changed: 7 additions & 3 deletions
@@ -33,7 +33,7 @@ These mechanisms prevent many classic memory exploitation techniques. However, t
3333
* Denial-of-service risks through excessive object creation
3434
* Abuse of large in-memory data structures
3535

36-
Python protects against direct memory manipulation, but it does not protect against logic flaws or resource misuse.
36+
Python protects against direct memory manipulation, but it does **not protect against logic flaws or resource misuse**.
3737

3838

3939

@@ -105,7 +105,7 @@ Protecting against malware therefore requires:
105105

106106
### No Built-in Sandbox
107107

108-
It is important to understand that Python does not provide a secure sandbox environment for executing untrusted code. Attempts to “restrict” Python by removing certain built-ins or blocking modules are generally insufficient and can often be bypassed.
108+
It is important to understand that Python **does not** provide a secure sandbox environment for executing untrusted code. Attempts to “restrict” Python by removing certain built-ins or blocking modules are generally insufficient and can often be bypassed.
109109

110110
True isolation must be implemented at the operating system or infrastructure level, for example using:
111111

@@ -131,5 +131,9 @@ Understanding Python’s internal execution model, memory handling, and dynamic
131131

132132

133133
:::{note}
134-
**Strong security in Python is not automatic — it is engineered.**
134+
**Strong security for Python applications is not automatic — it is engineered.**
135+
:::
136+
137+
:::{caution}
138+
Many Python frameworks prioritize ease of use over strict security in their default configurations (e.g., debug mode in Flask/Django). Moving to a "hardened" production state is a manual, engineered process.
135139
:::
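Review bot: the new caution at line 138 attributes insecure "default configurations" to "debug mode in Flask/Django" without naming the setting, and the two frameworks differ: a freshly generated Django project ships with DEBUG = True in settings.py, whereas Flask's debugger is off unless the developer enables it. Naming the concrete setting and stating that it must be off in production makes the caution actionable instead of a generalisation.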

module2/ai_testing.md

Lines changed: 11 additions & 3 deletions
@@ -7,10 +7,10 @@ short_title: Security testing and AI
77
Many people advocate for the use of AI technology , like AI agents, for Python security testing.
88

99
:::{warning}
10-
Most are just far from good enough. In the best case scenario, you’ll only be disappointed. But the risk of a false sense of security is enormous.
10+
Most are just far from good enough. In the best case scenario, you’ll only be disappointed. But the risk of a **false sense of security** is enormous.
1111
:::
1212

13-
So why should you not use AI powered security test tools for Python?
13+
So why should you not use or fully trust on AI powered security test tools for Python?
1414
- **No single tool can judge the context** where a program is used, how it is used and by whom. There is a large difference between using a e.g. a SAST scanner on code from a developer perspective, or to use a SAST scanner as a potential user of some Python software. Based on findings you will and must judge risks differently. Judging risks is always context dependent and can still not be automated.
1515

1616
+++
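Review bot: grammar in the new line 13: "trust on" should be "trust", and "AI powered" should be hyphenated, giving "So why should you not use, or fully trust, AI-powered security test tools for Python?". The unchanged line 14 in this hunk has a doubled article ("using a e.g. a SAST scanner") that could be fixed in the same pass.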
@@ -33,4 +33,12 @@ AI and ML technologies can support cyber security, particularly in areas such as
3333
When AI technology is used, strict reproducibility cannot always be guaranteed due to its probabilistic nature.
3434
:::
3535

36-
Cyber security professionals should be conservative with adopting new IT hypes for security testing tools. IT hypes like AI-agents and LLMs are not the holy grail for solving our cybersecurity problems. This is because in the end you always pay more for cyber security solutions, but the risks still remain. Cyber security is not a product, but a process.
36+
Creating security products that ‘learns’ from patterns is not new for security. AI/ML technologies have been applied for many years. For example for HIDS systems and spam-filters. Applying AI for cyber security has been done for many years with variable success and still most AI/ML powered security systems are not mature and can not be fully trusted.
37+
38+
39+
Cyber security professionals should be conservative with adopting new IT hypes and innovations for security testing tools. IT hypes like AI-agents and LLMs are not the holy grail for solving our cybersecurity problems. This is because in the end you always pay more for cyber security solutions, but the risks still remain.
40+
41+
:::{important}
42+
Cyber security is not a product, but a process.
43+
:::
44+
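Review bot: several grammar issues in the new paragraph at line 36: "products that 'learns'" should be "learn"; "is not new for security" reads better as "is not new in security"; "HIDS systems" is redundant because HIDS already expands to host-based intrusion detection system; "variable success" should be "varying success"; "can not" should be "cannot". Line 44 also adds a trailing blank line at the end of the file.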

module2/fosstestsoftware.md

Lines changed: 7 additions & 1 deletion
@@ -16,9 +16,15 @@ Some core benefits of using FOSS software for security testing of Python code in
1616
* **Easier access to expertise and resources:** Some specialist security testing tools require in-depth knowledge and experience. Many FOSS Python security tools are widely adopted, making expertise more readily available when required.
1717

1818
:::{warning}
19-
Ensure that the software you use is genuinely open source and distributed under a valid OSI-approved FOSS licence. Avoid tools that claim to be open source in name only.
19+
Ensure that the test software you use for security testing is genuinely open source and distributed under a valid [OSI-approved](https://opensource.org/) FOSS licence. Avoid using tools that claim to be open source in name only.
2020
:::
2121

22+
Open source in name only" (often called OSINO or Openwashing) refers to software that uses the "open source" label for marketing but fails to provide the actual freedoms associated with it—such as the right to modify, redistribute, or use the code without restrictive commercial licenses. Some disadvantages are:
23+
1. Vendor Lock-In and False Autonomy
24+
While these tools appear to give you control, they often include "poison pill" clauses or proprietary dependencies. If the vendor changes their pricing, goes bust, or stops supporting the product, you are left with a codebase you cannot legally or practically maintain yourself. You lose the primary benefit of true open source: the ability to "fork" the code and carry on independently.
25+
2. Sharing e.g. rules for SAST scanning is not allowed or not possible.
26+
3. The test software itself is not secure and can cause security vulnerabilities.
27+
2228
:::{tip}
2329
Always consider supporting the developers or foundation behind the product. This may include contributing improvements (code or documentation) and providing financial support to help ensure the long-term sustainability and health of the FOSS project.
2430
:::
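Review bot: line 22 is missing its opening quotation mark ('Open source in name only"'). The list that follows will not render as intended: the explanatory paragraph at line 24 is not indented under item 1, so in Markdown/MyST it ends the list and items 2 and 3 start a new one; indent it by three spaces, or convert the three items into a bulleted list with each explanation inline. The items are also not parallel: item 1 has a title plus a paragraph, items 2 and 3 are single sentences (line 25 could read "Sharing custom SAST rules may be prohibited by the licence"). Item 3's claim that such software "is not secure and can cause security vulnerabilities" needs either a justification or a softer phrasing; the actual consequence of the missing freedoms described in item 1 is that you cannot audit or patch the tool yourself.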

module2/toolselection.md

Lines changed: 3 additions & 3 deletions
@@ -7,14 +7,14 @@ short_title: Tool Selection Checklist
77

88
Selecting a FOSS (Free and Open Source Software) tool for Python security testing isn't just about finding one that works—it's about ensuring the tool itself meets strict quality, maintenance, and reliability constraints.
99

10-
A Python security testing tool should meet the following criteria:
10+
A Python security testing tool should minimal meet the following criteria:
1111

12-
* **FOSS-licensed:** The product must be released under a valid FOSS licence, preferably one approved by the Open Source Initiative (OSI).
12+
* **FOSS-licensed:** The product must be released under a valid FOSS licence, preferably one approved by the [Open Source Initiative (OSI)](https://opensource.org/).
1313
* **Local-first deployment:** The tool should run locally or on a server within your own security perimeter. Avoid SaaS-only solutions where you cannot control the execution environment or data handling.
1414
* **Actively maintained:** The project should be active and demonstrate an acceptable level of quality, including regular updates and issue management.
1515
* **Public version control repository:** The source code must be publicly accessible in a version-controlled repository with a clear and verifiable URL.
1616

17-
Ideally, projects should also meet the minimum requirements outlined by the [OpenSSF Best Practices Badge](https://www.bestpractices.dev/en) Program. However, despite significant effort from the community, this programme is still not widely recognised or adopted.
17+
Ideally, projects should also meet the minimum requirements outlined by the [OpenSSF Best Practices Badge](https://www.bestpractices.dev/en) Program. However, despite significant effort from the community, this programme is not widely known and adopted.
1818

1919
In practice, you will use a long list when selecting test software for Python.
2020
For each tool, you should use a proven checklist that helps you choose a suitable FOSS testing tool for your purpose.
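Review bot: "should minimal meet" in line 10 is ungrammatical; use "should at minimum meet" or "should at least meet". In line 17, "not widely known and adopted" reads better as "not widely known or adopted".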

module3/foundation_of_sast.md

Lines changed: 1 addition & 1 deletion
@@ -61,5 +61,5 @@ Python Static Application Security Testing (SAST) offers significant advantages
6161
| Build customer trust & confidence | Loss of reputation and user trust after breaches |
6262

6363
:::{tip}
64-
While Python is often considered a secure language, also Python applications are susceptible to common security flaws, and **SAST is a crucial, cost-effective method** to address them before deployment.
64+
While Python is often considered a secure language, also **Python applications are susceptible to common security flaws**, and **SAST is a crucial, cost-effective method** to address them before deployment.
6565
:::
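Review bot: word order in line 64: "also Python applications are susceptible" should be "Python applications are also susceptible". With the new emphasis the sentence now has two bold phrases back to back; bolding only the SAST clause keeps the tip readable.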

module4/installation_of_tools.md

Lines changed: 2 additions & 2 deletions
@@ -16,7 +16,7 @@ Secure installation of test tools is not optional — it is part of the security
1616

1717
Always install security testing tools in an isolated and controlled environment:
1818

19-
* Use **virtual environments** (`venv`) for project-level isolation.
19+
* Use **virtual environments** (`venv` or use [`conda`](https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html)) for project-level isolation.
2020
* Prefer **dedicated test machines** or hardened virtual machines.
2121
* Never install security testing tools directly on production systems.
2222
* Ensure your operating system and Python interpreter are up to date with security patches.
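Review bot: the parenthetical in line 19 duplicates "use": "(`venv` or use [`conda`](...))" should be "(`venv` or [`conda`](...))". Since conda resolves packages from its own channels rather than PyPI, the later guidance on pinning and documenting installed versions should say explicitly that it applies to conda environments as well (for example via an exported environment file), so both options give the same reproducibility.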
@@ -121,7 +121,7 @@ This ensures:
121121

122122
## Document Installed Versions
123123

124-
Never rely on “latest” versions in professional environments. Explicitly specify versions when performing security testing that must be 100% reproducible:
124+
Never rely on “latest” versions or automatic updates in professional testing environments. Explicitly specify versions when performing security testing that must be 100% reproducible:
125125

126126
```bash
127127
pip install toolname==1.4.2
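Review bot: the rewritten line 124 promises testing that is "100% reproducible", but `pip install toolname==1.4.2` on line 127 pins only the version, not the artifact: a different index or mirror can serve different bytes for the same version string. For reproducibility and supply-chain integrity, recommend recording the package hash next to the pin and installing with `pip install --require-hashes -r requirements.txt`, where the requirements file contains lines of the form `toolname==1.4.2 --hash=sha256:<hash>`. That also matches the section title "Document Installed Versions".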

module5/sast_boundaries.md

Lines changed: 10 additions & 19 deletions
@@ -3,22 +3,14 @@ title: SAST Boundaries - What Can and Cannot Be Detected?
33
short_title: SAST Boundaries
44
---
55

6-
Static Application Security Testing (SAST) is one of the core techniques in Python security testing. It analyses source code without executing it, identifying patterns, data flows, and potentially dangerous constructs.
6+
**Static Application Security Testing (SAST)** is one of the core techniques in Python security testing. It analyses source code without executing it to detect **potentially dangerous constructs**.
77

8-
However, SAST is not magic.
8+
However, SAST tools for Python are not magic.
99

10-
Understanding its capabilities and limitations is critical if you are to use it effectively — or assess its results correctly during an engagement.
10+
Understanding their capabilities and limitations is critical if you are to use them effectively — or assess their results correctly during an engagement.
1111

12-
## SAST Boundaries: What Can and Cannot Be Detected?
1312

14-
Static Application Security Testing (SAST) is one of the **core techniques in Python security testing**. It analyses source code *without executing it* to detect potentially dangerous constructs.
15-
16-
However, no SAST tool for Python is not magic.
17-
18-
Understanding its **capabilities and limitations** is critical if you are to use it effectively — or assess its results correctly during an engagement.
19-
20-
21-
Each works slightly differently, but they all share a fundamental constraint:
13+
Each SAST tool works slightly differently, but they all share a fundamental constraint:
2214

2315
:::{caution}
2416
SAST can only reason about what it can *see in the code*.
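Review bot: good to see the duplicated block (old lines 12-20, a second copy of the introduction including the garbled "no SAST tool for Python is not magic") removed. One nit in the new line 13: "Each SAST tool works slightly differently, but they all share" mixes singular and plural; "SAST tools work slightly differently, but they all share" keeps agreement. Line 6 also dropped "data flows" from the description of what SAST analyses; since the summary later credits SAST with detecting "Obvious injection flows", consider keeping "data flows" in the definition.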
@@ -235,9 +227,10 @@ SAST should be treated as:
235227
* A **triage assistant**
236228
* A **pattern detector**
237229
* A **code review accelerator**
238-
* Not a substitute for human reasoning
239230

240-
Effective workflow:
231+
**But not as a substitute for human reasoning!**
232+
233+
Effective workflow for SAST testing could be:
241234

242235
1. Run SAST early and often.
243236
2. Investigate critical sinks manually.
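Review bot: "Effective workflow for SAST testing could be:" in line 233 needs an article ("An effective workflow for SAST testing could be:"). The exclamation mark on "But not as a substitute for human reasoning!" is out of register with the rest of the page; the bold alone carries the emphasis.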
@@ -256,18 +249,16 @@ Effective workflow:
256249

257250

258251

252+
## Summary
259253

260-
261-
# Key Takeaways
262-
263-
SAST is powerful at detecting:
254+
SAST for Python is powerful at detecting:
264255

265256
* Known dangerous APIs
266257
* Obvious injection flows
267258
* Misconfigurations
268259
* Pattern-based weaknesses
269260

270-
SAST is weak at detecting:
261+
SAST tools are weak at detecting:
271262

272263
* Business logic flaws
273264
* Runtime-dependent vulnerabilities
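Review bot: changing "# Key Takeaways" (level 1) to "## Summary" (level 2) fixes the heading hierarchy, since the page title comes from the front matter. Minor parallelism: line 254 says "SAST for Python is powerful at detecting" while line 261 says "SAST tools are weak at detecting"; use the same subject in both.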
