Software development is an amazing job that can sometimes feel like juggling chainsaws. Between maintaining your current code base and releasing new features and projects, it is fairly easy to think of security as Someone Else's Problem--you have enough to deal with.
But there is a major benefit to incorporating security consciousness into your workflow. You can remediate problems faster and even make sure certain problems never see the light of day. Upping your security game can start with a few simple steps.
In that spirit, I would like to present to you 10 Awesome Security Tips for Python Enthusiasts.
- 1. Use Python 3
The time has come. If you have projects in Python 2.7, prioritize upgrading. Python 2 support will officially end on January 1, 2020. If you have not upgraded by then, you leave yourself open to security vulnerabilities, both within the language and within other open source projects that are unlikely to maintain compatibility with Python 2.7 in their latest versions.
- 2. Scan your Code with Bandit
A simple way to find security vulnerabilities within your Python code is to run a scan with Bandit.
Bandit scans each .py file and builds a corresponding abstract syntax tree (AST). Bandit then runs a number of plugins against the AST to find common software security problems. For example, one plugin can detect whether you are using Flask (a micro-framework for Python) with the debug setting equal to True.
Bandit works either as a local tool to be used as you develop, or as part of your CI/CD (continuous integration/ continuous delivery) pipeline.
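To make the AST-and-plugins idea concrete, here is a toy scanner written for this article as an added illustration. It is not Bandit's code; its two checks are simplified stand-ins for Bandit's own tests for Flask debug mode and for subprocess calls with shell=True, and the two sample sources it scans are constructed for the demo.

```python
"""Toy Bandit-style scanner: parse .py sources to an AST, run plugins over Call nodes.

Added illustration for this article; it is not Bandit's code. The two plugins
are simplified stand-ins for Bandit's flask_debug_true and
subprocess_popen_with_shell_equals_true checks.
"""
import ast
from pathlib import Path

# Constructed sample: one Flask app with both problems present ...
VULNERABLE_SRC = """from flask import Flask
import subprocess
app = Flask(__name__)

@app.route("/ping")
def ping():
    host = "example.org"
    return subprocess.check_output("ping -c 1 " + host, shell=True)

if __name__ == "__main__":
    app.run(debug=True, host="0.0.0.0")
"""

# ... and the same app with both fixed: argv list instead of a shell string, debug off.
HARDENED_SRC = """from flask import Flask
import subprocess
app = Flask(__name__)

@app.route("/ping")
def ping():
    host = "example.org"
    return subprocess.check_output(["ping", "-c", "1", host])

if __name__ == "__main__":
    app.run()
"""


def _keyword_is_true(call, name):
    """True when the call passes name=True as a literal keyword argument."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def flask_debug_true(call):
    """Flag <anything>.run(..., debug=True): the Werkzeug debugger allows code execution."""
    if isinstance(call.func, ast.Attribute) and call.func.attr == "run" and _keyword_is_true(call, "debug"):
        return "flask_debug_true", "HIGH", "Flask app run with debug=True exposes the Werkzeug debugger"
    return None


_SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def subprocess_shell_true(call):
    """Flag subprocess.<func>(..., shell=True): the command string is parsed by a shell."""
    func = call.func
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess" and func.attr in _SUBPROCESS_FUNCS
            and _keyword_is_true(call, "shell")):
        return "subprocess_shell_true", "HIGH", "subprocess call with shell=True"
    return None


PLUGINS = (flask_debug_true, subprocess_shell_true)


def scan_source(source, filename="<memory>"):
    """Parse one source text and return a list of findings sorted by line number."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for plugin in PLUGINS:
            hit = plugin(node)
            if hit:
                test_id, severity, message = hit
                findings.append({"file": filename, "line": node.lineno,
                                 "test": test_id, "severity": severity, "message": message})
    return sorted(findings, key=lambda f: f["line"])


def scan_tree(root):
    """Scan every .py file under root, the way bandit -r <root> walks a project."""
    findings = []
    for path in sorted(Path(root).rglob("*.py")):
        findings.extend(scan_source(path.read_text(encoding="utf-8"), str(path)))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, scan_source(src) or "no findings")
```

Against a real tree you would simply run `bandit -r .` locally or as a pipeline step. The toy shows why a syntax-level check is stronger than a text search: it finds the keyword argument wherever and however it is written in a call, but like Bandit it is static, so a `debug` value that arrives through a variable or a config file is outside its reach.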
- 3. Use Pipenv for Environment and Dependency Management
Pipenv is a tool that manages the competing interests of having a predictable environment and having an up-to-date environment. It uses a two-file system that separates the two: Pipfile holds the abstract dependency declarations, and Pipfile.lock records the exact, last tested combination of versions together with their hashes. Pipenv manages your installations and your virtual environment, displays your dependency tree (pipenv graph), and can check your dependencies for known vulnerabilities (pipenv check).
- 4. Watch your Import Statements
Python imports are very flexible, but that flexibility has a security cost.
When importing in Python, you can use an absolute import or a relative import. An absolute import names the module by its full dotted path from the top of the package hierarchy, as found on sys.path. A relative import names it relative to the current package, using leading dots. Python 2 also allowed implicit relative imports: a plain `import json` inside a package would first look for a json.py in the current package directory and only then fall back to the standard library and the rest of sys.path. That is dangerous, because whichever module is found first wins. If a file with the same name as a popular module is smuggled into an open source library, or dropped into a directory that sits early on sys.path, it is imported instead of the real module.
Import statements in Python execute the code in the imported module (module-level code runs the first time the module is loaded), so an implicit relative import can result in the execution of malicious code. For this reason, implicit relative imports are not supported in Python 3: `import json` is always absolute, and an intra-package import has to be written explicitly as `from . import json`.
If you are using Python 2, eliminate the use of implicit relative imports; adding `from __future__ import absolute_import` at the top of each module makes Python 2 resolve imports the way Python 3 does and surfaces the places that need fixing. This is important for the current security of your project and is a necessary step towards upgrading to Python 3. If you are using Python 3, it is still important to keep in mind that import statements execute the code within the target module, and that the directory of the script you run is placed first on sys.path, so a json.py sitting next to your entry point still shadows the standard library. Because of this, it makes sense to be careful with your import statements, and with what ends up in the directories they search, regardless of the Python version that you are using.
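Shadowing is easy to reproduce. The block below, written for this article (it is not from the original post), builds a throwaway project in a temporary directory in which a constructed `json.py` sits next to the entry point, runs a script there with the current interpreter, and shows the local file being executed in place of the standard library's json. It also carries two small checks a project can run on itself: one that lists files whose names collide with standard-library modules, and one that verifies an already-imported module really came from the interpreter's stdlib directory. The fallback list of stdlib names for interpreters older than 3.10 is an abbreviated stand-in.

```python
"""Module shadowing demo plus two defensive checks (added illustration, not from the article)."""
import json
import os
import subprocess
import sys
import sysconfig
import tempfile
import textwrap
from pathlib import Path

# Python 3.10+ ships the full list; the fallback set is an abbreviated stand-in for older versions.
_STDLIB_NAMES = frozenset(getattr(sys, "stdlib_module_names",
                                  {"json", "random", "ssl", "hashlib", "socket", "logging"}))


def shadowing_files(directory):
    """Return .py files in `directory` whose module name collides with a stdlib module.

    Such a file sits on sys.path ahead of the stdlib for any script run from
    `directory`, so `import json` would execute it instead of the real module.
    """
    return [p.name for p in sorted(Path(directory).glob("*.py")) if p.stem in _STDLIB_NAMES]


def imported_from_stdlib(module):
    """True if `module` was loaded from the interpreter's stdlib directory (or is built in)."""
    if getattr(module, "__file__", None) is None:   # built-in or frozen module, e.g. sys
        return True
    stdlib_dir = os.path.realpath(sysconfig.get_paths()["stdlib"])
    return os.path.realpath(module.__file__).startswith(stdlib_dir + os.sep)


def run_shadow_demo():
    """Create a project where a local json.py shadows the stdlib and run a script inside it.

    Returns (shadow_marker_seen, collisions, real_json_is_stdlib).
    """
    with tempfile.TemporaryDirectory() as project:
        # Constructed attacker-style module: same name as a stdlib module, code runs on import.
        Path(project, "json.py").write_text(
            "SHADOWED = True\nprint('json.py executed on import')\n")
        script = Path(project, "app.py")
        script.write_text(textwrap.dedent("""\
            import json                     # resolves to ./json.py, not the stdlib
            print("SHADOWED" if getattr(json, "SHADOWED", False) else "GENUINE")
        """))
        # The child interpreter puts the script's directory first on sys.path.
        result = subprocess.run([sys.executable, str(script)],
                                capture_output=True, text=True, check=True)
        marker_seen = result.stdout.strip().splitlines()[-1] == "SHADOWED"
        collisions = shadowing_files(project)
    # Back in this process, the json imported at the top came from the real stdlib.
    return marker_seen, collisions, imported_from_stdlib(json)


if __name__ == "__main__":
    seen, collisions, genuine = run_shadow_demo()
    print("shadow executed:", seen)
    print("colliding files:", collisions)
    print("this process's json is stdlib:", genuine)
```

Python 3.11 added the `-P` flag (and the PYTHONSAFEPATH environment variable) to keep the script directory off sys.path, which closes this particular variant; dependency directories that land on sys.path still deserve the same scrutiny.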
- 5. Be Careful when Downloading Packages
It is easy to install Python packages. Typically developers use the standard package installer for Python (pip), although Pipenv as discussed above is a great alternative. Regardless of whether you use pip or Pipenv, it is important to understand how packages are added to PyPI.
PyPI has a procedure for reporting security concerns. If someone reports a malicious package or a problem within PyPI it will be addressed, but packages added to PyPI do not undergo review—this would be an unrealistic expectation of the volunteers who maintain PyPI.
Therefore it is wise to assume that there are malicious packages within PyPI and behave accordingly. Reasonable steps include doing a bit of research on the package you want to install (author, source repository, release history), carefully spelling out the package name (a package named for a common misspelling of a popular package can run malicious code from its setup.py at install time, before you have imported anything), and pinning exact versions together with their hashes, for example with pip's --require-hashes mode or a Pipfile.lock, so that a later substitution fails to install instead of running.
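One cheap gate to put in front of the install step, added here as an illustration (it is not pip's or PyPI's own logic; neither does this): normalise names the way PyPI does (PEP 503), accept exact matches against a reviewed allowlist, and flag anything within a couple of edits of an allowed name for a human to confirm. The allowlist and the requirements text below are constructed for the demo.

```python
"""Pre-install check for look-alike package names (added illustration, not pip or PyPI code)."""
import re

# Constructed allowlist of names this project is known to depend on.
# In practice this comes from your reviewed requirements, not from a guess.
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "django", "flask",
                  "PyYAML", "python-dateutil", "cryptography"}

MAX_EDIT_DISTANCE = 2   # one or two character slips cover most look-alike names
MIN_LENGTH = 4          # very short names produce too many near misses to be useful

# Constructed requirements.txt with two look-alikes mixed in.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
Requests==2.31.0
reqeusts
python_dateutil>=2.8
urllib3[socks]
crpytography
left-pad-py
"""


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of - _ . collapse to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, known=KNOWN_PACKAGES):
    """Return (verdict, normalised_name, near_matches).

    ok         exact match with an allowlisted name
    suspicious not allowlisted but within MAX_EDIT_DISTANCE of one: a human must confirm
    unknown    not allowlisted and not close to anything: review before first use
    """
    norm = normalize(name)
    known_norm = {normalize(k) for k in known}
    if norm in known_norm:
        return "ok", norm, []
    if len(norm) >= MIN_LENGTH:
        near = sorted(k for k in known_norm if levenshtein(norm, k) <= MAX_EDIT_DISTANCE)
        if near:
            return "suspicious", norm, near
    return "unknown", norm, []


def requirement_name(line):
    """Strip comments, version specifiers, extras and markers: 'Requests[x]>=2.0' -> 'Requests'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):      # blank, comment-only, or a pip option line
        return None
    m = re.match(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?", line)
    return m.group(0) if m else None


def audit_requirements(text, known=KNOWN_PACKAGES):
    """Classify every requirement line; returns [(normalised_name, verdict, near_matches), ...]."""
    report = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name:
            verdict, norm, near = classify(name, known)
            report.append((norm, verdict, near))
    return report


if __name__ == "__main__":
    for norm, verdict, near in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{verdict:<10} {norm:<20} {' '.join(near)}")
```

Run it over requirements.txt before the install step in CI and fail the job on "suspicious". An "unknown" name is not necessarily bad, it simply has not been reviewed yet; the point of the normalisation step is that `Python_Dateutil` and `python-dateutil` are the same package on PyPI, so a check that compares raw strings would both miss real matches and raise false alarms.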
The remaining 5 points are available in my original report here. You will also find a printable and shareable cheat sheet for these 5 tips, and the 5 additional tips in the full report.
Thanks for reading!