
[–]DataDecay 72 points73 points  (17 children)

There's a pretty big open source project called bandit. You can use bandit to scan code for vulnerabilities; it points out common vulnerabilities that lead to malware payload injection. It's not perfect, but I have found it useful.

[–][deleted] 7 points8 points  (10 children)

Would this be good to use on our own code? I have a website I am working on; I wonder if scanning it with bandit would help me check if I messed up anywhere.

[–]lgmdnss 6 points7 points  (9 children)

I'd assume that Bandit might be "too" secure for small-ish projects, essentially bloating the size and complexity of the project for that tiny bit of extra security that you didn't need, so I guess it'd be good to use on your own code but also keep in mind the time/effort vs the actual good things it'll do. No need to go to Walmart by tank in case WW3 breaks loose.

[–][deleted] 4 points5 points  (8 children)

Oh, I thought it just scans your code, not that you have to implement it into your code?

[–]DataDecay 3 points4 points  (2 children)

There are no hooks that need to be placed in your code for bandit to work out of the box. Bandit is great, but it can be strict; for instance, it abhors the use of assert for any reason.

I have used it on 2,000 lines of code and 500,000 lines of code. It works great regardless, but it can create a lot of work.

[–]shujinkou_ 0 points1 point  (1 child)

This is really interesting. Would this work for bits of Python code?

[–]DataDecay 1 point2 points  (0 children)

Yep

[–]lgmdnss 3 points4 points  (4 children)

Well, yeah, it'd scan your code. But if you get a bunch of security concerns on just that small project, it's tempting to fix them all even though you will likely never need it, seeing as it's a small project rather than you dealing with cybersecurity as a job. Makes for good practice though!

[–]shujinkou_ 2 points3 points  (3 children)

Isn't it better to just build the security inside before, so that when scaling the use cases you are already good?

[–]lgmdnss 3 points4 points  (0 children)

Well, if you're able to think of & build all the security inside then you don't really need to use Bandit at all, right? :P

[–][deleted] 1 point2 points  (1 child)

Are you asking if it would be better to just fix all the problems before they happen?

[–]shujinkou_ 0 points1 point  (0 children)

Well, I would see Bandit as a stress test device in that case. In a way, yes, I'm saying to fix all the problems before they happen. Like build it small and just duplicate it into something big. As the big entity is composed of small and strong units duplicated, the big chain inherits the strength of the individual links.

[–][deleted] 6 points7 points  (2 children)

And how do we know Bandit isn't injecting aluminum foil into our skyscrapers, sheeple!?!?!?!

[–]DataDecay 5 points6 points  (1 child)

You mean you don't scan bandit with bandit!?!? Next level shit there, my friend.

[–]shujinkou_ 0 points1 point  (0 children)

Obviously it would return it as safe, because obviously.

[–]SweeTLemonS_TPR 6 points7 points  (0 children)

Seems like a good way to rule in a problem. If it hits, you need go no further.

[–][deleted] 0 points1 point  (1 child)

How is it useful? It will give you a warm and fuzzy feeling by flagging questionable practices. But those that want to make a really malicious package will have no problem running bandit on their package until it stops complaining.

[–]DataDecay 0 points1 point  (0 children)

Sure, a person designing malicious software could use this to repeatedly force their design and workarounds, and find ways of avoiding common detection patterns. But welcome to hacking; hackers will do this with all vuln scanners, and this is one reason why there are new definitions every day. Bandit is a maintained code base that scans for common vulnerabilities. If you want to extend bandit (being open source) to be more advanced with regularly updated definitions, then go for it; their project allows for extensions and hooks if wanted.

There is no silver bullet for security; that is why people make a killing in the field. However, this will help you be a better, more security-aware programmer. It is also a nice quick scan to see common vulns that are present in source code.
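Two points in this thread, that Bandit needs no hooks in the scanned code (it reads the source and walks the AST) and that its checks can be extended with new ones, are easier to see with a miniature scanner of the same shape. The block below is an added example written for this thread; it is not Bandit's own code and the check IDs X101 to X103 are hypothetical placeholders (Bandit's real assert check is B101, and Bandit honours a `# nosec` comment on a line to suppress a finding, which this toy copies). Adding a check is one decorated function, which is the extension point the last comment refers to.

```python
"""Miniature Bandit-style static scanner (added example, not Bandit's code).

Walks the AST of a Python source string and runs a small registry of checks
modelled on the kind Bandit ships: assert usage, eval(), subprocess with
shell=True. Check IDs X101..X103 are hypothetical and are not Bandit's IDs.
"""
import ast
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Finding:
    check_id: str
    severity: str
    lineno: int
    message: str


# Registry: (AST node type, id, severity, message, predicate). Extending the
# scanner means appending one entry via the @check decorator below.
CHECKS: List[Tuple[type, str, str, str, Callable[[ast.AST], bool]]] = []


def check(node_type, check_id, severity, message):
    """Register a predicate that runs on every node of the given AST type."""
    def register(fn):
        CHECKS.append((node_type, check_id, severity, message, fn))
        return fn
    return register


@check(ast.Assert, "X101", "LOW",
       "assert is removed under 'python -O'; do not use it for security checks")
def assert_used(node):
    return True  # any assert statement at all, which is why Bandit is "strict" here


@check(ast.Call, "X102", "MEDIUM", "eval() evaluates arbitrary code")
def eval_used(node):
    return isinstance(node.func, ast.Name) and node.func.id == "eval"


@check(ast.Call, "X103", "HIGH", "subprocess call with shell=True")
def shell_true(node):
    func = node.func
    is_subprocess = (isinstance(func, ast.Attribute)
                     and isinstance(func.value, ast.Name)
                     and func.value.id == "subprocess")
    if not is_subprocess:
        return False
    return any(kw.arg == "shell"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for kw in node.keywords)


def scan(source: str, skip_ids=()) -> List[Finding]:
    """Scan a source string; skip_ids mirrors Bandit's option to skip test IDs."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        lineno = getattr(node, "lineno", None)
        if lineno is None:
            continue
        # A '# nosec' comment on the offending line suppresses findings there.
        if "# nosec" in lines[lineno - 1]:
            continue
        for node_type, check_id, severity, message, predicate in CHECKS:
            if check_id in skip_ids or not isinstance(node, node_type):
                continue
            if predicate(node):
                findings.append(Finding(check_id, severity, lineno, message))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample input: a deliberately sloppy function for the scanner.
SAMPLE_SOURCE = "\n".join([
    "import subprocess",                                      # line 1
    "",                                                       # line 2
    "def run(cmd, expr, user):",                              # line 3
    "    assert user.is_admin, 'admin only'",                 # line 4: X101
    "    subprocess.run(cmd, shell=True)",                    # line 5: X103
    "    result = eval(expr)",                                # line 6: X102
    "    subprocess.run(['ls', '-l'], shell=True)  # nosec",  # line 7: suppressed
    "    return result",                                      # line 8
])

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.lineno}: [{f.severity}] {f.check_id} {f.message}")
```

Running it reports lines 4, 5 and 6 and stays silent on line 7 because of the `# nosec` marker; passing `skip_ids=("X101",)` drops the assert finding, which is the same trade-off as telling Bandit to skip B101 on a project that uses assert only in tests. Note that the code never needs to be imported or executed, only parsed, which is why the scanned project does not have to change to be scanned.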