
How to Scan Python Code for Security Vulnerabilities


As the world becomes more aware of cybersecurity threats, software developers must also be mindful of the security risks in their coding practices. One risky practice is storing passwords and other secrets in source code. According to the Open Web Application Security Project (OWASP), source code is not a secure place to store passwords or other secrets. Instead, they should be encrypted and stored in a protected location on a trusted system.

Although this may seem like basic knowledge, it is common for developers to store passwords in source code. Such passwords can easily be accessed by attackers who compromise the deployment environment, and they pose a serious application security risk.

One notable cybersecurity incident that resulted from passwords stored in source code is the Mirai malware in 2016. The malware scanned the Telnet service on Linux-based IoT devices for hard-coded passwords, then used them in a brute-force attack and compromised more than 400,000 devices without their owners' knowledge. Another notable breach is the Uber breach, which resulted in the leaking of information on 57 million customers and more than 600,000 drivers.

As such, developers must strive to secure their source code. This article explores how to scan Python code for security vulnerabilities using Bandit.

What is Bandit?

Bandit is a source code security analysis tool that scans Python code for known vulnerability patterns. It works by processing each file, building an abstract syntax tree (AST), and running its test plugins against the AST nodes. Afterward, it generates a report of the findings.

Check out this how-to video on Bandit and secure code scanning.



How to Install Bandit on Ubuntu

For this tutorial, I will use the Ubuntu operating system version 20.04.

First, Bandit is written in Python and therefore requires Python to run. If you do not have Python installed, ensure you have it up and running before proceeding.

To install Bandit, type the following command in your terminal:


sudo snap install bandit

To confirm that Bandit was installed correctly, run bandit --help, which returns a list of all the options available in Bandit.


bandit --help

How to Install Bandit on macOS

If you are coding in a macOS environment, the install process is as follows:

python3 -m venv bandit-env
source bandit-env/bin/activate
pip install bandit

How to Scan Code for Vulnerabilities

Scanning source code with Bandit is a rather simple process. To show it, I will use a simple program written in Python. You can find the file here. In this example, the hello_world.py file is located on the desktop.

1. Run Bandit using the following command:


bandit hello_world.py

2. Bandit will scan the code and output the results through the terminal.

Bandit Output

From the command above, the result should be as follows:



Bandit outputs the results in three sections: test results, code scanned, and run metrics. The test results identify the issues found, giving the issue number and a description of each issue. It also gives a severity and a confidence level for each finding: severity indicates how serious the problem is, and confidence indicates how sure Bandit is that the finding is a real issue rather than a false positive. The last part of each entry shows the line number and the code where the issue was detected.



The code scanned section shows the total number of lines scanned and the number that were ignored. Bandit lets the user exclude specific lines from the scan by adding the comment “# nosec” to the line you wish to skip.

Lastly, the run metrics section gives an overview of the whole report, as shown below:



In this case, Bandit identified two issues that are potential threats. Both are the result of hard-coded passwords. One principle of secure coding is that you should never hard-code passwords. Unfortunately, developers often forget this principle. This code is therefore vulnerable and can pose a severe risk. To eliminate the risk, I will remove the passwords from the source code. This is the new output after I scan the same code with no hard-coded passwords:
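As an added example that is not part of the original article, the following Python script works with the same three kinds of information the sections above describe, but taken from Bandit's JSON output (produced with bandit -r src/ -f json -o bandit.json, which are real Bandit flags) rather than the terminal text, and turns them into a pass/fail gate of the kind a CI pipeline runs. The report embedded in it is a constructed sample shaped like Bandit's JSON, not the output of a real scan: the two B105 findings stand in for the article's two hard-coded passwords, and a third finding (B608, Bandit's string-built SQL check) is included only so the severity threshold has something to act on. The function names, threshold defaults and file names are assumptions made for this example.

```python
# Added example, not code from the original article or from the Bandit project:
# a pass/fail gate over the JSON report Bandit writes with
#     bandit -r src/ -f json -o bandit.json
# The "results" list is the test-results section (one entry per finding) and
# "metrics" holds the totals shown in the code-scanned and run-metrics sections.
import json

# Constructed sample shaped like Bandit's JSON report; not a real scan result.
SAMPLE_REPORT = """
{
  "results": [
    {"filename": "hello_world.py", "line_number": 3, "test_id": "B105",
     "test_name": "hardcoded_password_string",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'hunter2'"},
    {"filename": "hello_world.py", "line_number": 9, "test_id": "B105",
     "test_name": "hardcoded_password_string",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'letmein'"},
    {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
     "test_name": "hardcoded_sql_expressions",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."}
  ],
  "metrics": {
    "_totals": {"loc": 61, "nosec": 1,
                "SEVERITY.LOW": 2, "SEVERITY.MEDIUM": 1, "SEVERITY.HIGH": 0,
                "CONFIDENCE.LOW": 1, "CONFIDENCE.MEDIUM": 2, "CONFIDENCE.HIGH": 0}
  }
}
"""

# Bandit uses the same four levels for severity and for confidence.
LEVEL_RANK = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def load_report(text: str) -> dict:
    """Parse the JSON document Bandit wrote with -f json."""
    return json.loads(text)


def summarize(report: dict) -> dict:
    """The code-scanned and run-metrics totals: lines scanned, lines skipped
    with # nosec, and the number of findings."""
    totals = report["metrics"]["_totals"]
    return {
        "lines_scanned": totals["loc"],
        "lines_ignored": totals["nosec"],
        "findings": len(report["results"]),
    }


def findings_at_or_above(report: dict, severity: str = "MEDIUM",
                         min_confidence: str = "LOW") -> list:
    """Findings meeting both floors, most severe first.

    Gating on confidence as well as severity keeps a single LOW-confidence
    plugin from blocking every build while still failing on confident findings.
    """
    sev_floor = LEVEL_RANK[severity]
    conf_floor = LEVEL_RANK[min_confidence]
    hits = [
        r for r in report["results"]
        if LEVEL_RANK[r["issue_severity"]] >= sev_floor
        and LEVEL_RANK[r["issue_confidence"]] >= conf_floor
    ]
    return sorted(hits, key=lambda r: LEVEL_RANK[r["issue_severity"]], reverse=True)


def format_finding(r: dict) -> str:
    """One line per finding: location, test ID, severity/confidence, text."""
    return (f"{r['filename']}:{r['line_number']} {r['test_id']} "
            f"[{r['issue_severity']}/{r['issue_confidence']}] {r['issue_text']}")


def gate(report_text: str, fail_on: str = "MEDIUM",
         min_confidence: str = "LOW") -> tuple:
    """Return (passed, blocking_lines) for a JSON report."""
    report = load_report(report_text)
    blocking = findings_at_or_above(report, fail_on, min_confidence)
    return len(blocking) == 0, [format_finding(r) for r in blocking]


if __name__ == "__main__":
    passed, lines = gate(SAMPLE_REPORT)
    print(summarize(load_report(SAMPLE_REPORT)))
    print("\n".join(lines) or "no blocking findings")
    raise SystemExit(0 if passed else 1)
```

With the defaults the sample report fails the gate on the single MEDIUM finding, while the two LOW-severity hard-coded-password findings are reported but do not block; raising min_confidence to MEDIUM lets the LOW-confidence B608 finding through, and lowering fail_on to LOW blocks on all three.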

Another thing to note is that Bandit did not recognize the password stored in the output string shown below:



Bandit only recognizes issues in the actual code syntax; it ignores comments and any string value that the code does not treat as a password or secret (such as a password that merely appears inside printed output).
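As an added illustration that is not part of the original article or of Bandit's own code, the following Python file puts the pattern Bandit flagged beside the fix. Bandit's B105 check (hardcoded_password_string) matches on the name of the variable a string literal is assigned to (password, passwd, pwd, secret, token and similar), which is why a secret that only appears inside a printed message is not reported, and why moving the value out of the source clears the finding. The “# nosec” marker from the previous section is shown on one line that is deliberately kept. The names load_secret, secure_login, secret_is_configured and the APP_PASSWORD environment variable are assumptions made for this example.

```python
# Added example, not code from the original article or from the Bandit project.
# Running `bandit` on this file reports one B105 finding (insecure_login) and
# counts one line as skipped (the # nosec line); the hardened functions below
# produce no findings because no secret appears in the source.
import hmac
import os


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the runtime environment."""


def insecure_login(user: str, supplied: str) -> bool:
    """The 'before' pattern, left as-is so a scan of this file shows B105."""
    # B105: a string literal assigned to a variable whose name matches
    # Bandit's password-name pattern.
    password = "hunter2"
    # This message contains the same literal, but Bandit does not report it:
    # the string is a call argument, not a value assigned to a password-named
    # variable, so the check never considers it (the article's output-string case).
    print(f"{user}: comparing against hunter2")
    return supplied == password


# A deliberate exception: a placeholder used only by unit tests.  The name
# ends in _TOKEN, so B105 would match; "# nosec" tells Bandit to skip the line
# and report it under "lines ignored" in the code-scanned section.
TEST_FIXTURE_TOKEN = "not-a-real-token"  # nosec


def load_secret(name: str, environ=None) -> str:
    """Fetch a secret from the environment instead of from the source file.

    `environ` defaults to os.environ; it is a parameter only so the lookup can
    be exercised with a constructed mapping.  A missing or empty value is an
    error: silently falling back to a built-in default would reintroduce the
    hard-coded secret (Bandit's B107 covers that default-argument variant).
    """
    env = os.environ if environ is None else environ
    value = env.get(name, "")
    if not value:
        raise MissingSecretError(f"required secret {name!r} is not set")
    return value


def secret_is_configured(name: str, environ=None) -> bool:
    """True when load_secret() would succeed for `name`."""
    try:
        load_secret(name, environ)
    except MissingSecretError:
        return False
    return True


def secure_login(user: str, supplied: str, environ=None) -> bool:
    """The 'after' pattern: the expected value never appears in the source."""
    expected = load_secret("APP_PASSWORD", environ)  # assumed variable name
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    # Constructed environment for the demo; a real deployment sets APP_PASSWORD
    # from its secret store, never from a file in the repository.
    demo_env = {"APP_PASSWORD": "value-from-the-deployment-environment"}
    print(insecure_login("alice", "hunter2"))
    print(secure_login("alice", "value-from-the-deployment-environment", demo_env))
```

Scanning this single file reproduces the three sections described above in miniature: one test result (the B105 line in insecure_login), one ignored line in the code-scanned section, and totals in the run metrics; deleting insecure_login brings the report to no issues.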

When the two issues identified above are eliminated, Bandit returns no issues, as shown below:



Final Thoughts

As a developer, it is always good practice to avoid storing passwords in your source code. Instead, encrypt them and store them in a protected location on a trusted system. Tools such as Bandit help programmers write more secure code. However, real application security comes from developers performing due diligence and practising secure coding.

Want to Learn More about our Cybersecurity API?

HacWare makes it stupid easy for software developers to launch next-generation cybersecurity education programs to combat phishing attacks with a few lines of code. To learn more about our powerful security awareness API and developer program, click here to apply.

References

  1. https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf

  2. https://github.com/PyCQA/bandit

  3. https://www.beyondtrust.com/resources/glossary/hardcoded-embedded-passwords

  4. https://www.hacware.com/doc/index.html
