Feb. 8, 2023 · 4 min read
Security is a concern in almost every project. It is a must even if it is not mentioned in any requirement. It is also a very wide and multidisciplinary topic that involves all the company. Managing security the wrong way can hurt your business and your customers a lot.
Focusing only on source code, trusting in developers' quality is not enough. We can be smart, but scale is against us in every possible way:
One of the best ways to handle scale problems is automating with tools. If you read Software Engineering at Google, they solve or improve most of their scalability issues with tools. Of course, we are not Google, but we can also use (a different set of) tools to improve security at (our) scale.
Since Python is one of the most used languages at APSL, we will focus on its ecosystem.
Bandit is a tool designed to find common security issues in Python code. It is very easy to start using it:
Return to the APSL blog
pip install bandit[toml]
[tool.bandit]
exclude_dirs = [
"node_modules",
"static",
"templates",
"locale"
]
bandit -c pyproject.toml -r . and you will see the security report:$ bandit -c pyproject.toml -r .
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO using config: pyproject.toml
[main] INFO running on Python 3.9.16
Run started:2022-12-29 16:20:29.853137
Test results:
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
Location: ./main/settings.py:155:45
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
154
155 MEDIA_ROOT = opts.get("TEST_MEDIA_ROOT", "/tmp/appname-media_test")
156
--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: ./make_all_messages.py:21:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
20 if os.path.exists("locale"):
21 os.system(f"python ..{os.path.sep}manage.py makemessages -a")
22 os.chdir(f"..{os.path.sep}")
--------------------------------------------------
Code scanned:
Total lines of code: 252
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 1
High: 1
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 1
High: 1
Files skipped (0):
Our source code usually doesn't work alone, it needs other libraries and frameworks. Scanning them all, reporting its issues or fixing them is not approachable.
Trivy is one of the world’s most popular vulnerability and misconfiguration scanner. It can track security issues in your project's dependencies, OS packages, IaC, software licenses, etc.
Starting to use it is very easy with Docker Compose
docker-compose.yml file:services:
trivy:
image: aquasec/trivy:0.35.0
volumes:
- ./:/project
entrypoint: [""]
command: trivy --quiet fs --severity HIGH,CRITICAL /project
docker compose run --rm trivy and you will see the security report:$ docker-compose run --rm trivy
Pipfile.lock (pipenv)
Total: 11 (HIGH: 7, CRITICAL: 4)
┌─────────┬────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ django │ CVE-2021-35042 │ CRITICAL │ 3.2.3 │ 3.1.13, 3.2.5 │ django: potential SQL injection via unsanitized │
│ │ │ │ │ │ QuerySet.order_by() input │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-35042 │
│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-28346 │ │ │ 4.0.4, 3.2.13, 2.2.28 │ Django: SQL injection in QuerySet.annotate(),aggregate() and │
│ │ │ │ │ │ extra() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28346 │
│ ├────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-28347 │ │ │ │ Django: SQL injection via QuerySet.explain(options) on │
│ │ │ │ │ │ PostgreSQL │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28347 │
│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-34265 │ │ │ 3.2.14, 4.0.6 │ python-django: Potential SQL injection via Trunc(kind) and │
│ │ │ │ │ │ Extract(lookup_name) arguments │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-34265 │
│ ├────────────────┼──────────┤ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-33571 │ HIGH │ │ 2.2.24, 3.1.12, 3.2.4 │ django: Possible indeterminate SSRF, RFI, and LFI attacks │
│ │ │ │ │ │ since validators accepted leading... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-33571 │
│ ├────────────────┤ │ ├────────────────────────┼──────────────────────────────────────────────────────────────┤
...
This is only the most basic usage, it has many options to configure it to fit your needs.
Using these tools while you develop on your laptop is great. Having a git pre-commit hook is even better. But the real advantage is to integrate them in your CI/CD pipeline. This will prevent deploying your software with known security issues.
For Bandit, you can add the command to your test stage. For Trivy, it has good documentation about how to integrate it with Github Actions, Gitlab CI and more.
Using a few code security tools is only the beginning, but according to Pareto principle, we will avoid a significant number of potential security issues with very little effort.
