The python core code is secure, but third-party modules, the way you have developed an application may not be, and that’s why you need a security scanner to find vulnerabilities if any. There are many comprehensive online security scanners to test for online threats, but they may not be able to detect platform specific weakness like Python, Node.js. etc. Let’s take a look at the following scanner to find security risk in Python application.
PYT (Python Taint)
An open source static analysis tool to detect command injection, cross-site scripting, SQL injection, directory transversal attacks in Python web applications. PYT is based on the theoretical foundation, and if you would like to contribute, then you can join their slack group.
Bandit
Bandit is an Open Stack’s initiative to find common security risk in python code. It processes each file to build AST and generate a report. You can get it installed using pip. The usage of Bandit can be customized. For an ex, by default test is done against all the profile, however, if you want to check just ShellInjection then you can try below. You may also instruct to report based on severity (Low, Medium or High) level.
Pyntch
Pyntch support only Python 2.x, a static code analyzer to detect possible runtime error. It’s not exactly to find risk but will be useful to see runtime exception which can leak sensitive information sometimes. It’s fast and capable of scanning thousands of lines in a minute.
Spaghetti
A python based open-source scanner on finding misconfiguration, insecure files and supporting web frameworks like CherryPy, CakePHP, etc. Spaghetti is capable of discovering various attacks including the following.
Brute forceCredit card, email, IP disclosureHTML/SQL/LDAP/XPATH/XSS injectionShellShock, Crime, Struts-shockAnonymous cipher
RATS (Rough Auditing Tools for Security)
RATS perform a rough analysis of Python, PHP, Perl, C++ code and highlight security related errors like below.
Time of CheckTime of UseBuffer overflows
Acunetix
A comprehensive vulnerability scanning platform to test network & web applications. Acunetix checks your website for more than 5000 vulnerabilities and provides a detailed report with remediation guidelines. If your Python web application is exposed to the Internet and looking for in-depth security analysis, then give a try to Acunetix.
Requires
Not a scanner but Requires.io monitor Python dependencies security and notify you when found outdated or vulnerable. You can configure to get notified by adding badges, email or GitHub pull.
Safety
A python dependencies checker, Safety can scan the local virtual environment, requirements file, stdin inputs for security issues.
PyUp
Keep your Python application up-to-date, compliant, and secure with PyUp’s Python Dependency Security. It helps you secure your code from thousands of security vulnerabilities in Python dependencies that can breach your Python code. Instead of spending your time manually updating and tracking each dependency, you can get PyUp to automate tasks. It fixes new vulnerabilities automatically and allows you to stay away from known vulnerabilities to boost your confidence in your code. Furthermore, PyUp maintains a database of vulnerabilities, and to date, it has recorded 393,800 Python dependencies. Its scanners are built for solving complex environments and scanning your files for outdated and insecure requirements. These scanners are also highly configurable according to your needs, and their safety CI catches vulnerabilities before the code goes to production. Integrate command-line tools in your CI workflows. Get unlimited public and private repositories at $99/month and avail dependency licenses, CVSS, API key, and safety CI. You can also take a 7-day free trial with the plan you select.
Conclusion
I hope the above-listed tools help you to find security risk in Python application.
