Python is one of the most popular programming languages on the market. What about security? Snyk takes stock.
How secure is the software development that is built on it?
Snyk, a security platform for developers, has published its analysis of the subject. The American technology company makes the following observations:
A Python-based application development project includes 35 dependencies on average.
In 47% of cases, these dependencies introduce vulnerabilities: 33 on average. Among these security flaws, 10% are rated “critical” (XSS, TLS…) and 26% “high”. The rest are of “low” (38%) or “medium” (26%) severity.
The situation is tense, but not desperate: for example, 87% of the “known” vulnerabilities can be eliminated simply by updating the vulnerable package.
From static analysis to well-kept secrets
To strengthen the DevSecOps approach to projects, Snyk makes six recommendations for developers and the broader Python ecosystem:
- Use up-to-date static analysis tools (Pylint, Bandit…)
- Sanitize data from external sources at the application's entry point
- Opt for object-relational mapping (ORM) tools
- Normalize strings to a single Unicode encoding, UTF-8 where possible
- Lock down your APIs and network connections
- Keep your secrets (logins, API access tokens…) out of the code, whether or not that code is Python
“It is common to see personal information such as usernames, passwords, API tokens, file paths or file names leaking into the source code,” the report authors point out. “A good practice is to keep them in separate files or, better yet, store them confidentially in HashiCorp Vault or AWS Key Management Service, for example.”
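Three of the recommendations above (sanitize external input at the entry point, use an ORM, keep secrets out of the source) and the report's point about leaked credentials, illustrated as an added example that is not code from the Snyk report: a vulnerable user lookup beside its hardened form, an entry-point validator, and a secret loader. The `users` table, its rows, the `/run/secrets` mount path and the username character set are assumptions made for the example.

```python
# Added example, not code from the Snyk report: a vulnerable lookup beside
# its hardened form, an entry-point validator, and a loader that reads
# secrets from the environment or a mounted file instead of a code literal.
import os
import re
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted input is spliced straight into the SQL text,
    so a quote in the input changes the query's logic."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter, which is what an ORM does
    on your behalf; the database never parses the input as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def is_valid_username(name: str) -> bool:
    """Entry-point check (assumed policy): only lowercase letters, digits
    and underscores, 1 to 32 characters. Reject everything else up front."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None

def load_secret(name: str, env=None, secrets_dir: str = "/run/secrets") -> str:
    """Read a secret from the environment, falling back to a file mounted by
    a secrets manager (the /run/secrets path is an assumed convention).
    Nothing sensitive lives in the source, and a missing secret fails loudly."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        try:
            with open(os.path.join(secrets_dir, name), encoding="utf-8") as fh:
                value = fh.read().strip()
        except FileNotFoundError:
            raise RuntimeError(f"secret {name!r} is not configured") from None
    return value
```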