5

Looking at the CERT Secure Standards (Example: https://www.securecoding.cert.org), there are specific standards, with great examples of what good and bad code looks like, for C, C++, Java, even Perl but not Python. Are there any Python specific standards or guidelines, preferably with examples available?

http://www.pythonsecurity.org/ appears to be focused on security concerns in Python itself and on building an alternative Python binary to resolve these. A noble, but not recently active, cause. I'm looking for something that gives guidance to developers on what not to do and what to do instead.

Maxim Masiutin
rtphokie
  • pep8 is what you are looking for, I think :P (although its guidelines are general, not necessarily security specific) – Joran Beasley Aug 28 '15 at 20:08
  • [OWASP](https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide) has a good general guide on secure coding practices; I can't recommend any python-specific guides, though. – F. Stephen Q Aug 28 '15 at 20:09
  • most of the perl items are likely applicable to python as well (no user input in format strings??) – Joran Beasley Aug 28 '15 at 20:11

6 Answers

8

Seeing as a lot of people are recommending formatting guidelines (PEP8), I have one that is actually for security.

There is a project in OpenStack (very big python based platform), called Bandit. It is a security lint tool.

https://github.com/PyCQA/bandit

You can run this tool against your own code, or if you wish to learn the inner workings of secure Python coding, then take a look at the examples directory.

decodebytes
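As an added illustration, not from the Bandit project or from decodebytes's answer, of the kind of finding a security linter reports next to its fix: the script below puts the `eval` and string-built SQL patterns that rtphokie's later comment asks about beside their safe replacements (`ast.literal_eval` and a parameterised `sqlite3` query). The table contents and the injection string are constructed for the example; the Bandit check IDs in the comments (B307, B608) are the ones Bandit assigns to these patterns.

```python
import ast
import sqlite3


def make_sample_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def roles_for_unsafe(conn, name):
    """BAD: the caller-supplied name is spliced into the SQL text.

    Bandit reports this pattern as B608 (hardcoded SQL expressions). A value
    such as  x' OR '1'='1  turns the WHERE clause into a tautology and the
    query returns every row instead of one user's role.
    """
    query = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def roles_for_safe(conn, name):
    """GOOD: a parameterised query. The driver binds the value, so whatever
    the string contains is compared as data and cannot alter the statement."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def parse_setting_unsafe(text):
    """BAD: eval() executes any Python expression found in text (Bandit B307)."""
    return eval(text)


def parse_setting_safe(text):
    """GOOD: ast.literal_eval accepts only Python literals (numbers, strings,
    tuples, lists, dicts, ...) and raises ValueError for anything else, such
    as a function call or attribute access."""
    return ast.literal_eval(text)


def demo():
    """Run the safe and unsafe SQL variants against a constructed injection
    string and the safe parser against a literal and a non-literal, returning
    what each one produced so the difference is visible in one place."""
    conn = make_sample_db()
    attack = "x' OR '1'='1"  # constructed input for the demonstration
    result = {
        "unsafe_sql": sorted(roles_for_unsafe(conn, attack)),
        "safe_sql": roles_for_safe(conn, attack),
        "safe_literal": parse_setting_safe("{'debug': False, 'retries': 3}"),
    }
    try:
        parse_setting_safe("__import__('os').getcwd()")
        result["literal_rejected"] = False
    except ValueError:
        result["literal_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running Bandit over this file reports the two `BAD` functions and stays silent on the `GOOD` ones, which is the quickest way to see what a rule in its examples directory is actually looking for.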
3

One place to look at a secure coding standard is

https://vulncat.fortify.com/en

There you have listed coding errors that affect security. It contains many languages, Python being one of those.

I have also been looking for an academic/free secure coding standard for Python. I haven't yet found a good one. I think that SEI CERT should step up and make such a standard. According to their latest webinar on Secure Coding, they are considering this possibility.

JAuvinen
1

I would recommend using a text editor with a code linter for PEP8, or attempting to learn the PEP8 guidelines themselves. PEP8 lists the style recommendations for Python programmers and is quite comprehensive, which has then been adopted into plugins or directly into editors to ensure code meets these style guidelines.

Python is wonderful in that there are many available code linters, which recommend proper style based on PEP8.

Great examples of this include Sublime Text with PyLinter or Flake8, or PyCharm without plugins (both freemium, fully-fledged for free use).

I would personally recommend Flake8 or PyCharm over PyLinter if you like to have some "creative liberty", as PyLinter is quite strict.

Alex Huszagh
  • PEP8 is simply a code style guide. It is not a standard for _secure_ coding practices. What's _really_ needed is a Python entry in the [SEI CERT Coding Standards](https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards), but this was already mentioned by OP. – code_dredd Apr 20 '18 at 00:20
1

I posted this in another thread, but we recently released a security linter called DevSkim for Visual Studio, VS Code, and Sublime Text. It targets multiple languages, and is focused on finding security vulnerabilities.

Scovetta
0

CERT was developing a Python Secure Coding standard - but nothing seems to have come from their efforts for a number of years.

https://wiki.sei.cmu.edu/confluence/display/seccode

Several CERT folks state in presentations that the Python Secure Coding v1.0 is "under development".

J Kane
-2

You can refer to my blogpost for coding guidelines in Python. You need to follow PEP 8 coding guidelines. Autopep8 is a tool that automatically formats Python code to conform to the PEP 8 style guide. To run autopep8:

autopep8 TARGET.py

  • pep8 is great for identifying style issues, but I'm looking for issues affecting application security. Things like failure to clean input before passing it onto eval or SQL statements. (Cross Site Scripting, SQL Injection, etc.) – rtphokie Aug 31 '15 at 20:17
  • @rtphokie did you get any solution to your problem, as I have also run into a similar problem? – Prashant Shukla Feb 09 '16 at 12:06
  • Nothing definitive, no. – rtphokie Feb 10 '16 at 16:15