![[OWASP Poland Day] A study of Electron security](https://cdn.slidesharecdn.com/ss_thumbnails/lucacarettonia-study-of-electron-security-171003211450-thumbnail.jpg?width=560&fit=bounds){kind=icon}
![[Wroclaw #9] The purge - dealing with secrets in Opera Software](https://cdn.slidesharecdn.com/ss_thumbnails/presentation3-181117173825-thumbnail.jpg?width=560&fit=bounds)
![[Wroclaw #4] WebRTC & security: 101](https://cdn.slidesharecdn.com/ss_thumbnails/webrtc-161027194925-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to Bandit and Gosec - Security Linters (20)
![No-Java Enterprise Applications: It’s All About JavaScript [DEV5107]](https://cdn.slidesharecdn.com/ss_thumbnails/nojavaentappoow-181129193416-thumbnail.jpg?width=560&fit=bounds)
Ad
Recently uploaded (20)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
Ad
Bandit and Gosec - Security Linters
- 1. ©2018 VMware, Inc. Bandit and Gosec – Security Linters All Things Open 2018 Eric Brown Staff Open Source Engineer / Open Source Technology Center October 22nd 2018
- 2. 2©2018 VMware, Inc. Moar Security
- 3. 3©2018 VMware, Inc. Cost to Fix Bugs
- 4. 4©2018 VMware, Inc. Types of Security Bugs Source: National Institute of Standards and Technology
- 5. 5©2018 VMware, Inc. What’s the Struggle? Source: https://www.bleepingcomputer.com/news/security/26-percent-of-companies-ignore-security-bugs-because-they-don-t-have-the-time-to-fix-them/
- 6. 6©2018 VMware, Inc. How to Catch Security Bugs Earlier Education
- 7. 7©2018 VMware, Inc. How to Catch Security Bugs Earlier ● Courses Education
- 8. 8©2018 VMware, Inc. How to Catch Security Bugs Earlier ● Courses ● Books Education
- 9. 9©2018 VMware, Inc. How to Catch Security Bugs Earlier ● Courses ● Books ● Conference talks 😉 Education
- 10. 10©2018 VMware, Inc. How to Catch Security Bugs Earlier Tooling
- 11. 11©2018 VMware, Inc. How to Catch Security Bugs Earlier Tooling ● Unit testing
- 12. 12©2018 VMware, Inc. How to Catch Security Bugs Earlier Tooling ● Unit testing ● Dependency checking
- 13. 13©2018 VMware, Inc. How to Catch Security Bugs Earlier Tooling ● Unit testing ● Dependency checking ●
- 14. 14©2018 VMware, Inc. What is a Linter? ● A.K.A Static Code Analysis (SCA) ● Scans source code statically without running or building the code ● Linters focus on finding common mistakes ● Might make use of a compilers AST (abstract syntax tree) ● Popular examples:
- 15. 15©2018 VMware, Inc. When to Run Linters? ● When coding ● Find linter plugins to your favorite IDE ● Fix as you code ● As part of a CI (continuous integration) system ● Catch mistakes when code is pushed to a repository for review ● Travis-CI, Circle CI, Jenkins, etc
- 16. 16©2018 VMware, Inc. Downsides ● Linters are imperfect ● False positives ● Extra time ● Requires time to interpret the results ● Requires time during CI to scan code
- 17. 17©2018 VMware, Inc. What is Bandit? ● A Python security linter ● Project started early 2015 ● Originally designed for OpenStack but now part of the Python Code Quality Authority ● Python 2.7, 3.5, 3.6, 3.7 compatible ● Runs on Linux and macOS ● Easy to write new plugins ● Low resource requirements ● Runs quickly
- 18. 18©2018 VMware, Inc. Bandit: Issues It Finds ● Finds common security issues in Python code ● Use of assert ● Hardcoded passwords ● Command injection ● Insecure temporary file usage ● Promiscuous file permissions ● Usage of unsafe functions/libraries ● Binding to all interfaces ● Weak cryptography ● Bad SSL versions ● Requests without certificate validation ● Use of insecure protocols
- 19. 19©2018 VMware, Inc. Bandit: Formatters ● Many different output formatters ● CSV ● HTML ● JSON ● Text ● XML ● YAML ● Custom: using predefined tags
- 20. 20©2018 VMware, Inc. Bandit: Other Features ● Customizable filters on severity and confidence levels ● Allows creation of profiles to scan a subset of plugin tests ● Adjust lines of context shown in output ● Group results by file or vulnerability ● Output delta reports of previous scans ● Allows marking false positives using the “# nosec” comment
- 21. 21©2018 VMware, Inc. Bandit: Config
- 22. 22©2018 VMware, Inc. Bandit: Config
- 23. 23©2018 VMware, Inc. Bandit: Dependents
- 24. 24©2018 VMware, Inc. Bandit: Integrations ● SublimeLinter-bandit – Sublime Text linter plugin ● flake8-bandit – Flake8 plugin ● pyreportcard – Report card of Python projects quality ● bandit-plugin- - Hudson/Jenkins plugin ● ● Vim ● Emacs ● Atom Wishlist:
- 25. 25©2018 VMware, Inc. Bandit: Sublime Text Linter
- 26. 26©2018 VMware, Inc. Bandit: Sublime Text Linter
- 27. 27©2018 VMware, Inc. Bandit Alternatives ● Very few Python security linters ● Others: ○ RATS (rough-auditing-tool-for-security) - unmaintained as of 2013 ○ HP Fortify - not free
- 28. 28©2018 VMware, Inc. Bandit in Action
- 29. 29©2018 VMware, Inc. Bandit in Action
- 30. 30©2018 VMware, Inc. Bandit in Action
- 31. 31©2018 VMware, Inc. Contributing to Bandit ● https://github.com/PyCQA/bandit ● Bandit is participating in ● Core maintainers: ● Myself – ericwb ● Ian StapleTon Cordasco – sigmavirus24 ● Gage Hugo – ghugo ● Luke Hinds – lukehinds ● Ideas: ● Documentation could be improved ● More integrations with IDEs
- 32. 32©2018 VMware, Inc. What is Gosec? ● A Golang security linter ● Project started mid 2016 ● Started by one of the creators of Bandit ● Runs on Linux and macOS ● Low resource requirements ● Runs quickly
- 33. 33©2018 VMware, Inc. Gosec: Issues It Finds ● Finds common security issues in Go code ● Hardcoded credentials ● Binding to all interfaces ● SQL injection ● Command injection ● Insecure temporary file usage ● Promiscuous file permissions ● Usage of unsafe functions/libraries ● Weak cryptography ● Bad TLS/SSL versions ● Ignoring host keys
- 34. 34©2018 VMware, Inc. Gosec: Formatters ● Many different output formatters ● CSV ● JSON ● Text ● XML ● YAML
- 35. 35©2018 VMware, Inc. Gosec: Other Features ● Customizable filters on severity and confidence levels ● Allows creation of profiles to scan a subset of plugin tests ● Group results by severity ● Allows marking false positives using the “# nosec” comment ● Tool to generate TLS rules according to Mozilla recommendations ● https://statics.tls.security.mozilla.org/server-side-tls- conf.json
- 36. 36©2018 VMware, Inc. Gosec: Integrations ● SublimeLinter-contrib-gometallinter – Sublime Text linter plugin ● gometallinter – collection of linters ● – via a gometallinter plugin ● Go Report Card ● Vim ● Emacs ● Atom Wishlist:
- 37. 37©2018 VMware, Inc. Gosec: Sublime Text Linter
- 38. 38©2018 VMware, Inc. Gosec: Visual Studio Code
- 39. 39©2018 VMware, Inc. Gosec: Go Report Card
- 40. 40©2018 VMware, Inc. Gosec in Action
- 41. 41©2018 VMware, Inc. Gosec in Action
- 42. 42©2018 VMware, Inc. Gosec: TLS rules
- 43. 43©2018 VMware, Inc. Gosec: Contributing ● https://github.com/securego/gosec ● Ideas: ● Documentation could use some work ● More integrations with IDEs
- 44. 44©2018 VMware, Inc. What is <Yet-To-Be-Named>? ● GitHub App ● Uses the GitHub Checks API ● Currently utilizes these linters: ● Bandit ● Gosec ● Automatically scans Pull Requests
- 45. 45©2018 VMware, Inc. <Yet-To-Be-Named> in Action
- 46. 46©2018 VMware, Inc. <Yet-To-Be-Named> in Action
- 47. 47©2018 VMware, Inc. <Yet-To-Be-Named> in Action
- 48. ©2018 VMware, Inc. Thank You! Please be sure to rate my talk on the All Things Open App Email: [email protected] IRC: browne github.com/ericwb
Editor's Notes
- #3: Saw this on a recent hiking trip. How many locks does it take to secure a gate? Apparently eight.
- #4: By the way these numbers are from 1996. For example, I don’t think anyone codes for just $25
- #10: Anyone happen to attend GitHub Universe? They announced dependency checking for Java and .NET Unfortunately, education is great but I’ve found that it doesn’t always stick or isn’t taken.
- #18: Story: On a whim I happened to attend an OpenStack security meetup that was occurring in San Francisco at Rackspace. That’s where I met some like minded security folks, learned a lot, and learned about a new project Bandit. I helped them integrate it into Git, setup CI, etc, and became fully investing in it from that point on.
- #22: Clever to use tox.ini itself for ini config
- #23: Clever to use tox.ini itself for ini config
- #24: Bandit a dependency in over 1000 other projects on GitHub.
- #27: SublimeLinter-bandit installed over 12,000 times!
- #32: https://hacktoberfest.digitalocean.com/