Explore the world of Python code security in this 26-minute conference talk from BSidesSF 2017. Dive into Bandit, an open-source tool for discovering common security flaws in Python code. Learn how Bandit works, its origins in OpenStack, and its widespread adoption beyond. Discover how to customize Bandit for different workflows, create a Security CI pipeline, and extend its capabilities. Follow along as Travis McPeak, a core Bandit developer, guides you through detecting critical security issues like command injection, SQL injection, insecure temporary file usage, and more. Gain insights into essential workflows, bug removal, and building security gates. Explore topics such as user input handling, TLS implementation, weak cryptography, file permissions, and hardcoded credentials. Conclude with next steps, metrics, secure development guidance, and Bandit documentation to enhance your Python code security practices.
Overview
Syllabus
Intro
Bandit
Command Injection
User Input
Temp Paths
TLS
Weak cryptography
promiscuous file permissions
hardcoded credentials
tempfile
run bandit against ansible
ansible prompt
raw input
essential workflow
removing a bug
build a gate
Next steps
Metrics
Secure Development Guidance
Bandit Documentation
Questions
Taught by
Security BSides San Francisco
