Secure Coding Guidelines for Python
Question:
Looking at the CERT Secure Standards (Example: https://www.securecoding.cert.org), there are specific standards, with great examples of what good and bad code looks like, for C, C++, Java, even Perl, but not Python. Are there any Python-specific standards or guidelines, preferably with examples available?
http://www.pythonsecurity.org/ appears to be focused on security concerns in Python itself and on building an alternative Python binary to resolve these. A noble, but not recently active, cause. I’m looking for something that gives guidance to developers on what not to do and what to do instead.
Answers:
You can refer to my blogpost for coding guidelines in Python. You need to follow the PEP8 coding guidelines. Autopep8 is a tool that automatically formats Python code to conform to the PEP 8 style guide. To run autopep8:
autopep8 TARGET.py
I would recommend using a text editor with a code linter for PEP8, or attempting to learn the PEP8 guidelines themselves. PEP8 lists the style recommendations for Python programmers and is quite comprehensive, which has then been adopted into plugins or directly into editors to ensure code meets these style guidelines.
Python is wonderful in that there are many available code linters that recommend proper style based on PEP8.
Great examples of this include Sublime Text with PyLinter or Flake8, or PyCharm without plugins (both freemium, fully-fledged for free use).
I would personally recommend Flake8 or PyCharm over PyLinter if you like to have some “creative liberty”, as PyLinter is quite strict.
Seeing as a lot of people are recommending formatting guidelines (PEP8), I have one that is actually for security.
There is a project in OpenStack (a very big Python-based platform) called Bandit. It is a security lint tool.
https://github.com/PyCQA/bandit
You can run this tool against your own code, or if you wish to learn the inner workings of secure Python coding, then take a look at the examples directory.
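To show what a security lint tool of this kind actually does, here is an added example (not Bandit's code, and not from the answer above): a small AST-based checker that walks Python source and reports a handful of classic insecure patterns, namely `eval`/`exec`, `subprocess` with `shell=True`, MD5/SHA-1 hashing, `pickle` deserialization and `assert` used as a runtime check. The rule names, the `Finding` type and the two embedded source samples (one insecure, one corrected) are constructed for this illustration; the corrected sample is what the checker should pass cleanly.

```python
"""Minimal AST-based security linter, written as an added example in the spirit
of tools such as Bandit.  Rule names and samples are constructed for this demo."""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _call_name(node: ast.Call) -> str:
    """Return the dotted name of a call target, e.g. 'hashlib.md5' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class SecurityVisitor(ast.NodeVisitor):
    """Collects findings for a few well-known insecure Python patterns."""

    SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call",
                        "subprocess.Popen", "subprocess.check_output"}
    WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}
    PICKLE_LOADS = {"pickle.load", "pickle.loads"}

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self._report(node, "dangerous-eval",
                         f"{name}() executes arbitrary code; use ast.literal_eval for data")
        elif name in self.SUBPROCESS_CALLS:
            for kw in node.keywords:
                # shell=True hands the command line to a shell, so untrusted
                # pieces of it become shell metacharacters.
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report(node, "subprocess-shell-true",
                                 "shell=True invokes a shell; pass an argument list with shell=False")
        elif name in self.WEAK_HASHES:
            self._report(node, "weak-hash",
                         f"{name} is not collision resistant; use hashlib.sha256 or stronger")
        elif name in self.PICKLE_LOADS:
            self._report(node, "unsafe-deserialization",
                         "pickle can execute code on load; use json for untrusted data")
        self.generic_visit(node)  # keep walking into nested calls

    def visit_Assert(self, node: ast.Assert) -> None:
        # assert statements are removed when Python runs with -O, so they must
        # not carry authorisation or validation logic.
        self._report(node, "assert-used",
                     "assert is stripped under -O; raise an exception instead")
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse a Python source string and return its findings ordered by line."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed insecure sample: every suspicious line should be reported.
UNSAFE_SAMPLE = """\
import hashlib, subprocess, pickle
def handle(user_input, blob, cmd):
    assert user_input, "input required"
    value = eval(user_input)
    digest = hashlib.md5(blob).hexdigest()
    subprocess.run(cmd, shell=True)
    obj = pickle.loads(blob)
    return value, digest, obj
"""

# Constructed corrected sample: same behaviour, no findings expected.
SAFE_SAMPLE = """\
import ast, hashlib, json, subprocess
def handle(user_input, blob, cmd):
    if not user_input:
        raise ValueError("input required")
    value = ast.literal_eval(user_input)
    digest = hashlib.sha256(blob).hexdigest()
    subprocess.run(["ls", cmd], shell=False)
    obj = json.loads(blob)
    return value, digest, obj
"""


if __name__ == "__main__":
    for label, src in (("UNSAFE", UNSAFE_SAMPLE), ("SAFE", SAFE_SAMPLE)):
        print(f"== {label} ==")
        for f in scan_source(src):
            print(f"  line {f.line}: [{f.rule}] {f.message}")
```

Running the module prints one finding per offending line of `UNSAFE_SAMPLE` and nothing for `SAFE_SAMPLE`. Real tools add severity and confidence ratings, many more rules, and baseline files for suppressing accepted findings, but the core mechanism, pattern matching over the parsed AST rather than over raw text, is the same.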
One place to look at a secure coding standard is
https://vulncat.fortify.com/en
There you have listed coding errors that affect security. It contains many languages, Python being one of those.
I have also been looking for an academic/free secure coding standard for Python. I haven’t yet found a good one. I think that SEI CERT should step up and make such a standard. According to their latest webinar on Secure Coding, they are considering this possibility.
I posted this in another thread, but we recently released a security linter called DevSkim for Visual Studio, VS Code, and Sublime Text. It targets multiple languages, and is focused on finding security vulnerabilities.
CERT was developing a Python Secure Coding standard – but nothing seems to have come from their efforts for a number of years.
https://wiki.sei.cmu.edu/confluence/display/seccode
Several CERT folks state in presentations that the Python Secure Coding v1.0 is “under development”.