Terri Oda


Detecting Known Vulnerabilities

  • CVE: database of publicly known software vulnerabilities
  • Tools
    • safety
      • Free DB: updated monthly
      • Paid DB: updated in real time
    • pipenv check
  • Safety vs Pipenv: Which one is better?
    • Neither! pipenv check runs safety under the hood, so they use the same database

Code Quality

  • pylint
    • Security Value: Low
  • bandit
    • Goal: find security issues
    • Security Value: High
    • Sometimes you won't want to fix every Bandit warning (false positives, accepted risk)
    • Use them as a way to focus code review instead

Code Quality - some anti-patterns

Use these tools:

  1. In CI
  2. During code review
  3. Before release

How do I secure python?

  • Check for known vulnerabilities
    • safety check or pipenv check
  • Check for code quality
    • pylint for basic linting
    • bandit for security linting
    • other static analysis for more
  • Review secure coding guidelines for Python to improve code reviews
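Bandit works by parsing each module into an AST and matching node patterns against a rule set, then reporting a severity per hit. As an added illustration for the Bandit section and this summary (not code from the talk and not Bandit itself), here is a cut-down linter in the same style: it flags eval/exec, shell=True and os.system, hardcoded secrets, and assert used as an access check; it honours Bandit's `# nosec` comment convention for warnings you have reviewed and chosen not to fix; and it ranks findings so a reviewer can start with the high-severity lines. The rule names, severities and the two sample modules (a vulnerable 'before' and its hardened form) are constructed for this example.

```python
"""Tiny AST-based security linter in the spirit of Bandit (constructed example, not Bandit itself)."""
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "rule severity line message")
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
EVAL_CALLS = {"eval", "exec"}  # evaluate arbitrary strings as code
SUBPROCESS_CALLS = {"subprocess.call", "subprocess.run", "subprocess.Popen", "subprocess.check_call", "subprocess.check_output"}  # spawn a shell when shell=True
SECRET_HINTS = ("password", "passwd", "secret", "api_key", "token")  # variable names that suggest a credential

def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

class SecurityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _report(self, rule, severity, node, message):
        self.findings.append(Finding(rule, severity, node.lineno, message))

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in EVAL_CALLS:
            self._report("exec", "HIGH", node, f"{name}() on untrusted input executes code")
        elif name == "os.system":
            self._report("shell", "HIGH", node, "os.system() always runs through a shell")
        elif name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report("shell", "HIGH", node, f"{name}(shell=True) is injectable")
        self.generic_visit(node)

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    self._report("secret", "LOW", node, f"hardcoded secret in {target.id}")
        self.generic_visit(node)

    def visit_Assert(self, node):
        # python -O strips assert statements, so an access check written as assert silently vanishes.
        self._report("assert", "LOW", node, "assert is stripped under -O; not a security check")
        self.generic_visit(node)

def scan_source(source, honor_nosec=True):
    """Return findings for one module, highest severity first, then by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    findings = visitor.findings
    if honor_nosec:
        # Same convention as Bandit: a '# nosec' comment marks a line that was reviewed and accepted.
        lines = source.splitlines()
        findings = [f for f in findings if "# nosec" not in lines[f.line - 1]]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))

def review_queue(findings, minimum="MEDIUM"):
    """What a reviewer should look at first: drop findings below `minimum` severity."""
    return [f for f in findings if SEVERITY_RANK[f.severity] <= SEVERITY_RANK[minimum]]

# Constructed sample: the 'before' module with typical Bandit-class problems.
VULNERABLE = '''import os, subprocess
DB_PASSWORD = "hunter2"
def list_dir(path):
    return subprocess.check_output("ls " + path, shell=True)
def run(cmd):
    os.system(cmd)
def calc(expr):
    return eval(expr)
def admin_only(user):
    assert user.is_admin
subprocess.run("make clean", shell=True)  # nosec: fixed string, reviewed
'''

# Constructed sample: the same module after fixing each finding.
HARDENED = '''import ast, os, subprocess
DB_PASSWORD = os.environ.get("DB_PASSWORD", "")
def list_dir(path):
    return subprocess.check_output(["ls", "--", path])
def run(argv):
    subprocess.run(argv, check=True)
def calc(expr):
    return ast.literal_eval(expr)
def admin_only(user):
    if not user.is_admin:
        raise PermissionError("admin required")
'''
```

Running `scan_source(VULNERABLE)` yields three HIGH findings (shell=True on line 4, os.system on line 6, eval on line 8) followed by two LOW ones (the hardcoded password on line 2, the assert on line 10); the `# nosec` line is dropped unless you pass `honor_nosec=False`. `review_queue` gives the HIGH lines to start code review with, and `scan_source(HARDENED)` returns nothing. The same pair of functions serves the three places the talk lists: fail CI when `review_queue(findings, "HIGH")` is non-empty, hand the full list to reviewers, and run the whole thing once more before release.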




PyCon US 2019