Secure Coding Guidelines for Python

J

5

Looking at the CERT Secure Standards (Example: https://www.securecoding.cert.org), there are specific standards, with great examples of what good and bad code looks like, for C, C++, Java, even Perl but not Python. Are there any Python specific standards are guidelines, preferably with examples available?

http://www.pythonsecurity.org/ appears to be focused security concerns in Python itself and on building an alternative Python binary to resolve these. A noble, but not recently active, cause. I'm looking for something that gives guidance to developers on what not to do and what to do instead.

Jamilla answered 28/8, 2015 at 20:6 Comment(3)

pep8 is what you are looking for i think :P (although its guidelines in general not necessarily security specific) – Philipps 28/8, 2015 at 20:8

OWASP has a good general guide on secure coding practices; I can't recommend any python-specific guides, though. – Bashaw 28/8, 2015 at 20:9

most of the perl items are likely applicable to python as well (no user input in format strings??) – Philipps 28/8, 2015 at 20:11

A

8

Seeing as lot of people are recommending formatting guidelines (PEP8), I have one that is actually for security.

There is a project in OpenStack (very big python based platform), called Bandit. It is a security lint tool.

https://github.com/PyCQA/bandit

You can run this tool against your own code, or if you wish to learn the inners of secure python coding, then take a look at the examples directory.

Aweigh answered 5/3, 2016 at 17:3 Comment(5)

For posterity, as of now, the tool is no longer maintained. – Basipetal 14/9, 2020 at 10:39

Now maintained at github.com/PyCQA/bandit. – Jambalaya 29/11, 2021 at 15:24

That is incorrect @Yennefer, I can see numerous merges just prior to and after you comment. – Aweigh 23/12, 2021 at 14:56

@devnull the link posted says the project is no longer maintained. I do not have the knowledge to pickup a valid fork. Do you know a valid alternative? – Basipetal 23/12, 2021 at 15:49

@Basipetal github.com/PyCQA/bandit – Aweigh 1/2, 2023 at 12:28

C

3

One place to look at a secure coding standard is

https://vulncat.fortify.com/en

There you have listed coding errors that affect security. It contains many languages, Python being one of those.

I have also been looking for an academic/free secure coding standard for Python. I haven't yet found a good one. I think that SEI CERT should step up and make such a standard. According to their latest webinar on Secure Coding, they are considering this possibility.

Crural answered 19/8, 2016 at 10:49 Comment(0)

U

1

I posted this in another thread, but we recently released a security linter called DevSkim for Visual Studio, VS Code, and Sublime Text. It targets multiple languages, and is focused on finding security vulnerabilities.

Unclad answered 15/2, 2017 at 2:55 Comment(0)

G

0

CERT was developing a Python Secure Coding standard - but nothing seems to have come from their efforts for a number of years.

https://wiki.sei.cmu.edu/confluence/display/seccode

Several CERT folks state in presentations that the Python Secure Coding v1.0 is "under development".

Garaway answered 25/5, 2020 at 18:6 Comment(0)

E

-2

You can refer to my blogpost for coding guidelines in python. You need to follow PEP8 coding guidelines. Autopep8 is a tool that automatically formats Python code to conform to the PEP 8 style guide. To run autopep8:

autopep8 TARGET.py

Expostulatory answered 28/8, 2015 at 20:33 Comment(3)

pep8 is great for identifying style issues, but I'm looking for issues affecting application security. Things like failure to clean input before passing it onto eval or SQL statements. (Cross Site Scripting, SQL Injection, etc.) – Jamilla 31/8, 2015 at 20:17

@Jamilla did you got any solution to your problem as I have also ran into similar problem. – Siret 9/2, 2016 at 12:6

Nothing definitive, no. – Jamilla 10/2, 2016 at 16:15

Recommended topics

Hot tags