Security is tough. It’s so easy to forget something or get a couple of things wrong. The stakes have also never been higher - announcements about a company getting hacked come out weekly. So what can we do?

One part of the solution is tooling. OpenStack’s security team created Bandit to help them perform security reviews across 18+ projects. It’s an open source tool that we can run against our own code to find calls to insecure or deprecated functions.

In these slides, I cover some of my findings from running Bandit on 16 popular open-source Python projects as well as some of the potential security flaws that Bandit can identify.

I originally gave this talk at a SoCal Python meetup.
