In today’s post I will introduce a few open-source tools that can help you improve the security of any of your Python projects and detect possible vulnerabilities early on. These tools are quite well known in the Python community, and used together they will give you good feedback about common issues and pitfalls.
Safety and Piprot
As I discussed some time ago in a post about managing dependencies and the importance of checking them for known issues, in Python there is a tool that compares the items of your requirements.txt with a database of known vulnerable versions. It is called safety (repository) and can be used like this:
safety check --full-report -r requirements.txt
If you already use pipenv, safety is already built in and can be run with:
pipenv check (more info here).
Since the older your dependencies are, the higher the probability that a given package contains known bugs and issues, another great tool that can help you here is piprot. It checks every item in your requirements.txt and tells you how outdated each one is.
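To make concrete what these two checks actually do, here is a small added illustration (not code from safety or piprot) that parses a requirements.txt, flags pins below a "fixed in" version the way safety does, and reports the age of each pin the way piprot does. The requirements file, the advisory list and the release dates are all constructed sample data; the real tools fetch their databases online.

```python
"""Toy version of the safety and piprot checks (added illustration).

The advisory list and release metadata below are CONSTRUCTED sample data,
not a real vulnerability database.
"""
from datetime import date
import re

# Constructed sample requirements.txt content (not a real project's file).
REQUIREMENTS_TXT = """\
# web stack
django==2.0.1
requests==2.18.4   # pinned for reproducibility
pyyaml==3.12
-e git+https://example.invalid/repo.git#egg=internal_tool
"""

# Constructed advisories: package -> list of (fixed_in_version, note).
ADVISORIES = {
    "django": [((2, 0, 2), "sample advisory: fixed in 2.0.2")],
    "pyyaml": [((5, 1, 0), "sample advisory: unsafe load, fixed in 5.1")],
}

# Constructed release metadata: latest version and release date of each pin.
RELEASES = {
    "django": {"latest": (2, 2, 0), "dates": {(2, 0, 1): date(2018, 2, 1)}},
    "requests": {"latest": (2, 22, 0), "dates": {(2, 18, 4): date(2017, 8, 15)}},
    "pyyaml": {"latest": (5, 1, 0), "dates": {(3, 12): date(2016, 8, 28)}},
}

# Fixed "today" so the age report is reproducible.
SAMPLE_TODAY = date(2019, 6, 1)

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def parse_version(text):
    """'2.0.1' -> (2, 0, 1); a trailing '.' is tolerated."""
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_requirements(text):
    """Return {name: version_tuple} for exact pins; skip comments, blanks and non-pins."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):  # blank, -r, -e, --index-url ...
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


def check_vulnerable(pins, advisories=ADVISORIES):
    """safety-style check: pinned version is below an advisory's fixed version."""
    findings = []
    for name, version in pins.items():
        for fixed_in, note in advisories.get(name, []):
            if version < fixed_in:
                findings.append((name, version, note))
    return findings


def check_outdated(pins, today=SAMPLE_TODAY, releases=RELEASES):
    """piprot-style check: days since the pinned release, and whether a newer one exists."""
    report = {}
    for name, version in pins.items():
        meta = releases.get(name)
        if not meta:
            continue
        released = meta["dates"].get(version)
        age_days = (today - released).days if released else None
        report[name] = {"age_days": age_days, "behind": version < meta["latest"]}
    return report


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS_TXT)
    for name, ver, note in check_vulnerable(pins):
        print(f"VULNERABLE {name}=={'.'.join(map(str, ver))}: {note}")
    for name, info in check_outdated(pins).items():
        print(f"{name}: {info['age_days']} days old, newer available: {info['behind']}")
```

The point to take from this toy is that both tools only see exact pins: a loose specifier such as `django>=2.0` gives them nothing to compare against, which is one more reason to pin your requirements.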
The next tool in line is bandit, a static analyzer for Python built by the OpenStack Security Project. It checks your codebase for common security problems and programming mistakes that might compromise your application: hardcoded passwords, bad SSL/TLS defaults, use of eval, weak ciphers, various “injection” possibilities, and so on.
It doesn’t require much configuration and you can easily add it to your project. You can find more in the official repository.
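To show what those findings look like in practice, here is an added example (not bandit's own code or test suite) with four patterns bandit reports, each beside the hardened form you would replace it with: a hardcoded credential, eval on untrusted text, shell=True with an interpolated argument, and an unsalted fast hash used for passwords. The token value and config strings are constructed sample inputs.

```python
"""Patterns bandit flags, each beside its hardened equivalent (added example)."""
import ast
import hashlib
import hmac
import os
import subprocess

# 1. Hardcoded credential (bandit: hardcoded password string).
SERVICE_TOKEN = "s3cr3t-sample-token"  # constructed; a literal bound to a *_TOKEN name


def token_ok_insecure(presented):
    # The literal lives in version control, and '==' leaks timing on mismatch.
    return presented == SERVICE_TOKEN


def token_ok(presented, expected=None):
    # Secret comes from the environment (or a secret store); constant-time compare.
    if expected is None:
        expected = os.environ.get("SERVICE_TOKEN", "")
    return hmac.compare_digest(presented.encode(), expected.encode())


# 2. eval on untrusted text (bandit: use of eval).
def load_setting_insecure(text):
    return eval(text)  # evaluates arbitrary expressions


def load_setting(text):
    return ast.literal_eval(text)  # literals only; anything else raises ValueError


# 3. shell=True with string-built command (bandit: subprocess with shell=True).
def line_count_insecure(path):
    return subprocess.check_output("wc -l " + path, shell=True)


def line_count_argv(path):
    # Argument list: the path is a single argv element and is never re-parsed by a shell.
    return ["wc", "-l", "--", path]


def line_count(path):
    return subprocess.check_output(line_count_argv(path))


# 4. Unsalted fast hash for passwords (bandit: insecure hash function).
def hash_password_insecure(password):
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    # Per-user random salt plus a slow KDF; stored as salt$iterations$digest.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, iterations, _digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)
```

Running bandit over a file containing only the `_insecure` functions reproduces the classes of finding listed above; the hardened versions are what you would expect to remain once the report is clean.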
This last one only applies if you are building a web application, and in its current state it requires a little more effort to integrate into your project. Python Taint (pyt) is a static analyzer that tries to find spots where your code might be vulnerable to common types of problems that affect websites and web apps, such as SQL injection and cross-site scripting (XSS). The repository can be found here.
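A taint analyzer like pyt works by tracing data from a source (a request parameter) to a sink (a query or a rendered template). The added example below, which is not pyt's own code, shows the two flows named above in their vulnerable form beside the fix the tool would expect to see: parameter binding for the SQL case and escaping for the HTML case. It uses an in-memory sqlite3 database with constructed rows and a plain dict in place of a framework request object, so it runs offline.

```python
"""Source-to-sink flows of the kind pyt reports, beside the hardened forms (added example)."""
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


# --- SQL injection: SOURCE (request param) -> SINK (query text) ---
def find_user_insecure(conn, name):
    # Tainted value is spliced into the SQL text; quoting is under the caller's control.
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user(conn, name):
    # Parameter binding: the driver sends the value separately from the SQL text.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- XSS: SOURCE (request param) -> SINK (HTML response) ---
def render_greeting_insecure(name):
    return "<p>Hello %s</p>" % name


def render_greeting(name):
    # Escape at the sink; template engines with autoescape do the same thing.
    return "<p>Hello %s</p>" % html.escape(name, quote=True)


# --- View-style wrappers; `params` stands in for request.GET / request.args ---
def user_view_insecure(conn, params):
    return find_user_insecure(conn, params.get("name", ""))


def user_view(conn, params):
    return find_user(conn, params.get("name", ""))


if __name__ == "__main__":
    db = make_db()
    crafted = {"name": "alice' OR '1'='1"}  # constructed input that breaks out of the quotes
    print("insecure:", user_view_insecure(db, crafted))  # both rows come back
    print("secure:  ", user_view(db, crafted))           # no such user
    print(render_greeting_insecure("<b>x</b>"))
    print(render_greeting("<b>x</b>"))
```

Note that the fix is not "validate the name": a legitimate value such as `o'brien` breaks the string-built query too, while the parameterized form handles it without any special casing.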
If you are using Django, after running pyt you might also want to run the built-in manage.py check command (as discussed in a previous post) to verify some framework-specific configurations present in your project.
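To give an idea of the kind of configuration that command looks at, here is an added toy pre-flight over a Django settings dict. It is not Django's own check framework: the finding labels are constructed, and the five checks only approximate a handful of the framework's deployment checks (DEBUG left on, a weak SECRET_KEY, an empty ALLOWED_HOSTS, and session/CSRF cookies without the Secure flag). Both settings dicts are constructed samples.

```python
"""Toy settings pre-flight in the spirit of `manage.py check` (added example)."""


def settings_findings(s):
    """Return constructed finding labels for a settings dict; empty list means clean."""
    findings = []
    if s.get("DEBUG", False):
        findings.append("debug-enabled")  # tracebacks and settings leak to visitors
    key = s.get("SECRET_KEY", "")
    # Short, low-entropy or startproject-default keys make signed cookies forgeable.
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        findings.append("weak-secret-key")
    if not s.get("ALLOWED_HOSTS"):
        findings.append("allowed-hosts-empty")  # Host header is not validated
    if not s.get("SESSION_COOKIE_SECURE", False):
        findings.append("session-cookie-not-secure")
    if not s.get("CSRF_COOKIE_SECURE", False):
        findings.append("csrf-cookie-not-secure")
    return findings


# Constructed development-style settings: everything a deploy check would complain about.
DEV_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-changeme",
    "ALLOWED_HOSTS": [],
}

# Constructed production-style settings with the same keys corrected.
PROD_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "constructed-sample-secret-key-with-enough-length-0123456789abcdef",
    "ALLOWED_HOSTS": ["app.example.invalid"],
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}


if __name__ == "__main__":
    for label, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        print(label, settings_findings(cfg) or "clean")
```

In a real project you would keep the development values out of the deployed settings module entirely (for example by reading them from the environment) rather than flipping them by hand before each release.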