1.5. Security in Projects

1.5.1. Detect Common Security Issues with bandit

Do you want to find potential security issues in your Python code?

Try using bandit.

bandit is a Python package that automatically finds common security issues and known vulnerabilities in your code.

It works by parsing each file into an abstract syntax tree, running its plugins against that tree, and then producing a report on the results.

In the example below, we use the requests library and skip SSL certificate verification by passing verify=False.

bandit will immediately identify this line as a security issue.

# bandit_test.py
import requests

# verify=False disables certificate checking; this is the line bandit flags
data = requests.get("https://www.google.de/", verify=False)
print(data.status_code)

!pip install bandit
!bandit -r bandit_test.py
'''
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.10.8
[node_visitor]  WARNING Unable to find qualified name for module: bandit_test.py
Run started:2022-12-23 15:32:44.650893
Test results:
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
   Severity: High   Confidence: High
   CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)     
   Location: bandit_test.py:3:7
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
2
3       data = requests.get("https://www.google.de/", verify = False) 
4       print(data.status_code)
--------------------------------------------------
Code scanned:
        Total lines of code: 3
        Total lines skipped (#nosec): 0
Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 1
        Total issues (by confidence):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 1
Files skipped (0):
'''
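To show how bandit's AST-plus-plugins model works, here is an added illustration (not bandit's own code): a small visitor in the spirit of B501 that walks the tree, flags requests calls made with verify=False, and counts lines suppressed with # nosec, matching the "lines skipped" metric in the report above. The sample source is constructed for the example.

```python
import ast

# Constructed sample: the page's bandit_test.py plus a verified call and a
# call suppressed with "# nosec", so all three outcomes are exercised.
SAMPLE_SOURCE = '''import requests

data = requests.get("https://www.google.de/", verify=False)
print(data.status_code)
ok = requests.post("https://example.invalid/", verify=True)
skipped = requests.get("https://example.invalid/", verify=False)  # nosec
'''

REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


class NoCertValidationFinder(ast.NodeVisitor):
    """Collect requests.<verb>(..., verify=False) calls, like bandit's B501."""

    def __init__(self, source_lines):
        self.source_lines = source_lines
        self.issues = []   # (line, column) of each finding, as bandit reports it
        self.skipped = 0   # findings suppressed by a "# nosec" comment

    def visit_Call(self, node):
        func = node.func
        is_requests_call = (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests"
            and func.attr in REQUESTS_FUNCS
        )
        if is_requests_call:
            for kw in node.keywords:
                # Only a literal False is flagged; a variable cannot be judged statically.
                if (kw.arg == "verify"
                        and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    if "# nosec" in self.source_lines[node.lineno - 1]:
                        self.skipped += 1
                    else:
                        self.issues.append((node.lineno, node.col_offset))
        self.generic_visit(node)  # keep walking into nested calls


def scan_source(source):
    """Parse source into an AST, run the finder over it and return the findings."""
    tree = ast.parse(source)
    finder = NoCertValidationFinder(source.splitlines())
    finder.visit(tree)
    return {"issues": finder.issues, "skipped": finder.skipped}


if __name__ == "__main__":
    result = scan_source(SAMPLE_SOURCE)
    for line, col in result["issues"]:
        print(f"B501-like: verify=False at line {line}, column {col}")
    print(f"lines skipped (#nosec): {result['skipped']}")
```

The first finding lands at line 3, column 7, the same location the real bandit run reports above.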

1.5.2. Detect vulnerabilities in your Environment

Do you want to detect vulnerabilities in your Python environment?

Try pip-audit.

pip-audit is a CLI tool to detect vulnerabilities in the packages installed in your Python environment.

It checks your packages against the Python Packaging Advisory Database.

The tool also suggests which version you should upgrade each affected package to.

!pip install pip-audit
!pip-audit
"""
Found 3 known vulnerabilities in 2 packages
Name       Version ID                  Fix Versions
---------- ------- ------------------- ------------
flask      0.5     PYSEC-2019-179      1.0
flask      0.5     PYSEC-2018-66       0.12.3
setuptools 56.0.0  GHSA-r9hx-vwmv-q579 65.5.1
"""

1.5.3. Store Credentials safely with keyring

Almost every application needs credentials such as passwords or API keys.

But you should never store them in plain text files: anyone who can read the file can read the credentials.

To store credentials securely, use keyring.

keyring provides a Python wrapper around your system’s password store (macOS Keychain, Windows Credential Locker, etc.), which is safer than a plain text file.

The example below stores and retrieves a password, but the same calls work for any other secret string.

(This can also be done from the command line, since keyring also ships a CLI.)

!pip install keyring
import keyring

# store the password in the system password store under the service "mydb"
keyring.set_password("mydb", "username", "password")

# retrieve it again; returns None if no entry exists for that service/user pair
keyring.get_password("mydb", "username")