Security/Projects/Bandit

Revision as of 19:46, 3 March 2015 by Travis McPeak (talk | contribs) (TODO)

Overview

Bandit provides a framework for performing security analysis of Python source code, utilizing the ast module from the Python standard library.

The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes. At the completion of testing, a report is generated that lists security issues identified within the target source code.

Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities.

Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The README.md file contains documentation regarding installation, usage, and configuration.

Contributing

Bandit makes use of the OpenStack CI infrastructure provided through StackForge:
An easy way to contribute is to write a plugin/test that will allow Bandit to identify more security issues. Extensions and improvements to the underlying framework are also welcomed, although we'll be attempting to maintain stability in the interface that is presented to plugins.

See Development Workflow for information on the general contribution/review workflow.

TODO

Note: TODO is moving to Launchpad, here: https://launchpad.net/bandit

Further development of Bandit framework:

  • Fix bug with recognizing strings in docstrings.
  • DONE -- Consider reworking test decorator naming. At present, @checks_functions is used to label tests against Call nodes rather than FunctionDef nodes, which is somewhat misleading. Potentially line decorator names up with AST node types, for example @checks_FunctionDef, @checks_Call, @checks_Str, etc. Trade-off: abstracting away the complexity of the underlying AST vs. aligning with the AST.
  • Address the case where an imported module or function is aliased to a different variable name with an = statement.
  • Extend the 'context' object to allow tests to be defined against more than just the currently-visited AST node: add a 'previous' node pointer, track and provide access to additional state information, etc.?
  • Investigate whether 'symtable' module can be used as another layer of analysis.
  • Build out support for additional AST node types.
  • Consider additional helper functions that could make writing tests simpler.

Existing tests:

  • Review for accuracy or possible improvements.
  • Expand on test documentation: add an explanation of, or links to external references about, the security vulnerabilities being identified.

Possible new tests:

  • Hardcoded passwords
  • Logging sensitive information
  • SQL commands passed into SQLAlchemy
  • sudo calls
  • De-serializing (Pickle? YAML? JSON?)
  • Taint checking / lack of input validation (e.g. the object returned by requests.get()/.post() has headers, content, text and json attributes). This will likely get complicated, and likely relies on building a more complete 'context' object as noted under framework above.
  • Others?
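As an added illustration of the framework described in the Overview (the ast-based walk over syntax nodes, tests registered per node type along the lines of the @checks_Call / @checks_Str naming discussed above) and of two of the candidate tests listed here (hardcoded passwords and pickle deserialization), the following is example code written for this page; it is not Bandit's own code or plugin API. The checks() decorator, Context, Issue and run_tests names, and the sample source it scans, are assumptions made for the example.

```python
import ast
from collections import defaultdict, namedtuple

# Registry: AST node class name -> list of test functions to run on nodes of that type.
# (Assumed design for this example, not Bandit's plugin registry.)
_TESTS = defaultdict(list)

# One reported finding: source line, short test identifier, human-readable message.
Issue = namedtuple("Issue", "lineno test_id message")

# Minimal 'context' handed to each test: the node under inspection and a helper
# for resolving the dotted name of a call target (e.g. "pickle.loads").
Context = namedtuple("Context", "node call_name")


def checks(node_type):
    """Register the decorated function as a test for one AST node type, e.g. checks("Call")."""
    def register(func):
        _TESTS[node_type].append(func)
        return func
    return register


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else (lambda(), f()() ...)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return None if base is None else base + "." + node.attr
    return None


@checks("Call")
def pickle_loads(ctx):
    # Deserialising untrusted data with pickle executes arbitrary code; flag every use.
    if ctx.call_name in {"pickle.load", "pickle.loads", "cPickle.load", "cPickle.loads"}:
        return Issue(ctx.node.lineno, "pickle_loads",
                     "%s() deserialises data that may be untrusted" % ctx.call_name)
    return None


@checks("Assign")
def hardcoded_password(ctx):
    # A string literal assigned to a variable whose name mentions 'password'.
    node = ctx.node
    literal = isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)
    for target in node.targets:
        if literal and isinstance(target, ast.Name) and "password" in target.id.lower():
            return Issue(node.lineno, "hardcoded_password",
                         "possible hardcoded password assigned to %s" % target.id)
    return None


class TestRunner(ast.NodeVisitor):
    """Walk every node once and run the tests registered for its type."""

    def __init__(self):
        self.issues = []

    def generic_visit(self, node):
        call_name = _dotted_name(node.func) if isinstance(node, ast.Call) else None
        ctx = Context(node, call_name)
        for test in _TESTS.get(type(node).__name__, []):
            issue = test(ctx)
            if issue is not None:
                self.issues.append(issue)
        super().generic_visit(node)  # descend into child nodes


def run_tests(source):
    """Parse Python source text and return its findings ordered by line number."""
    runner = TestRunner()
    runner.visit(ast.parse(source))
    return sorted(runner.issues, key=lambda i: i.lineno)


# Constructed sample input for the example; the credential value is a placeholder.
SAMPLE_SOURCE = '''\
import pickle

DB_PASSWORD = "example-secret"
timeout = 30

def load(blob):
    return pickle.loads(blob)
'''

if __name__ == "__main__":
    for issue in run_tests(SAMPLE_SOURCE):
        print("line %d [%s] %s" % issue)
```

Running the block reports the assignment on line 3 and the pickle.loads() call on line 7 of the sample, and nothing for the benign `timeout = 30` line. The registry keyed by node class name is what lets a plugin author add a test without touching the visitor; the `Context` tuple is the hook that the "extend the 'context' object" item above would grow (previous node, enclosing function, resolved aliases).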

Team

Bandit is a project from the OpenStack Security Group.

Core project team:

  • Jamie Finnigan (chair6)
  • Travis McPeak (tmcpeak)
  • Nathan Kinder (nkinder)
  • Tim Kelsey (tkelsey)
  • Lucas Fisher (ljfisher)