So I wanted to install Python, download Selenium library on it, and combine it with Webdriver to access web-driven accounting software to automate some stuff; mainly downloading reports from the accounting software since there are tons of reports to download every month, which the software does not have automation function for. I don't want to deal with any data.
Senior director and I went to IT for the request to download Python and they declined; they said there is a security risk.
Does anyone know what potential security risks they are referring to? I don't have a CS background so I'm not very sure. And is there a way to mitigate those risks?
I recently sent a request to my employer's IT department asking for access to Python 3.6.3. The request was denied with the justification "Python is dangerous to have on a pc. It is a useful attack vector."
Can anyone provide insight on what this might mean? Does simply having Python installed on your computer make you more susceptible to attacks? I can't tell if my employer has a valid concern here or if they are just taking the easy route.
EDIT: Spelling
No, there is nothing inherently insecure about Python.
However, Python can be used to make a vulnerability. For instance it would be easy to make a web portal that executes anything that is typed in. This is true for any programming language, but Python makes it extra easy.
And I know, you would know better, but IT departments see all their users as idiots (often with good reason).
Every Macintosh and a lot of Linux distributions for desktop have Python installed by default. I don't think they are unsafe.
Security through obscurity never works. If you must use a proprietary license, enforce it through the law, not half-baked obfuscation attempts.
If you're worried about them learning your security (e.g. cryptography) algorithm, the same applies. Real, useful, security algorithms (like AES) are secure even though the algorithm is fully known.
Even if you use a compiled language like C# or Java, people can perform reverse engineering if they are motivated and technically competent. Obfuscation is not a reliable protection against this.
You can add prohibition against reverse-engineering to your end-user license agreement for your software. Most proprietary companies do this. But that doesn't prevent violation, it only gives you legal recourse.
The best solution is to offer products and services in which the user's access to read your code does not harm your ability to sell your product or service. Base your business on service provided, or subscription to periodic updates to data, rather than the code itself.
Example: Slashdot actually makes their code for their website available. Does this harm their ability to run their website? No.
Another remedy is to set your price point such that the effort to pirate your code is more costly than simply buying legitimate licenses to use your product. Joel Spolsky has made a recommendation to this effect in his articles and podcasts.