## 1.5. Security in Projects

### 1.5.1. Detect Common Security Issues with bandit
Do you want to find potential security issues in your Python code? Try using bandit.

bandit is a Python package that finds common security issues and known vulnerabilities automatically. It works by parsing each file into an abstract syntax tree, against which its plugins (one per check) are run; it then produces a report of the results.

In the example below, we use the requests library and skip verification of the SSL certificate with `verify=False`. bandit immediately flags this line as a security issue.
```python
# bandit_test.py
import requests
data = requests.get("https://www.google.de/", verify=False)
print(data.status_code)
```
```
!pip install bandit
!bandit -r bandit_test.py
```
```text
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.8
[node_visitor] WARNING Unable to find qualified name for module: bandit_test.py
Run started:2022-12-23 15:32:44.650893

Test results:
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
   Severity: High   Confidence: High
   CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
   Location: bandit_test.py:3:7
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b501_request_with_no_cert_validation.html
2
3 data = requests.get("https://www.google.de/", verify = False)
4 print(data.status_code)

--------------------------------------------------

Code scanned:
  Total lines of code: 3
  Total lines skipped (#nosec): 0

Run metrics:
  Total issues (by severity):
    Undefined: 0
    Low: 0
    Medium: 0
    High: 1
  Total issues (by confidence):
    Undefined: 0
    Low: 0
    Medium: 0
    High: 1
Files skipped (0):
```
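The AST-and-plugins mechanism described above, as an added example that is not bandit's own code: a single B501-style check written with the standard library `ast` module and run over a constructed sample file. `NoCertValidationCheck`, `scan_source` and `SAMPLE` are names chosen here; the real plugin is considerably more thorough.

```python
import ast
from dataclasses import dataclass

# requests helpers that accept verify=; bandit's B501 looks at these calls
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

@dataclass
class Finding:
    line: int      # 1-based line of the offending call
    col: int       # 0-based column of the call, the "file:line:col" bandit prints
    message: str

class NoCertValidationCheck(ast.NodeVisitor):
    """One plugin-style check: flag requests.<method>(..., verify=False)."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        is_requests_call = (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests"
            and func.attr in REQUESTS_METHODS
        )
        if is_requests_call:
            for kw in node.keywords:
                # verify=True or verify="/path/ca.pem" are fine; only a literal False is flagged
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    self.findings.append(Finding(node.lineno, node.col_offset,
                        "requests call with verify=False disables SSL certificate checks (CWE-295)"))
        self.generic_visit(node)  # keep walking: a call may be nested inside another call

def scan_source(source, filename="<constructed>"):
    """Parse source into an AST and run the check over it, as bandit does per file."""
    check = NoCertValidationCheck()
    check.visit(ast.parse(source, filename))
    return check.findings

# Constructed sample file: lines 3 and 4 should be flagged, lines 2 and 5 should not.
SAMPLE = """import requests
ok = requests.get("https://example.com/")
bad = requests.get("https://example.com/", verify=False)
also_bad = requests.post("https://example.com/", data={}, verify = False)
custom_ca = requests.get("https://example.com/", verify="/etc/ssl/my-ca.pem")
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{f.line}:{f.col} {f.message}")  # sample.py:3:6 ... and sample.py:4:11 ...
```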
### 1.5.2. Detect vulnerabilities in your Environment
Do you want to detect vulnerabilities in your Python environment? Try pip-audit.

pip-audit is a CLI tool that detects vulnerabilities in the packages installed in your Python environment. It checks your packages against the Python Packaging Advisory Database and also suggests which version of each affected package you should upgrade to.
```
!pip install pip-audit
!pip-audit
```
"""
Found 3 known vulnerabilities in 2 packages
Name Version ID Fix Versions
---------- ------- ------------------- ------------
flask 0.5 PYSEC-2019-179 1.0
flask 0.5 PYSEC-2018-66 0.12.3
setuptools 56.0.0 GHSA-r9hx-vwmv-q579 65.5.1
"""
### 1.5.3. Store Credentials safely with keyring
Almost every application needs credentials such as passwords or API keys, but you should never store them in plain text files: anyone who can read the file can read the secret.

To store credentials securely, use keyring. keyring provides a Python wrapper around your system's password store (macOS Keychain, Windows Credential Locker, etc.), which is safer than a plain text file.

The example below stores and retrieves a password, but any other secret string can be stored the same way. (This can also be done from the command line, since keyring ships with a CLI.)
```
!pip install keyring
```

```python
import keyring

# set your password
keyring.set_password("mydb", "username", "password")

# get your password
keyring.get_password("mydb", "username")
```