So I was asked to come up with some automated possibility to check Python code (provided by devs) for adherence to crypto best practices according to different recommendations (mostly German BSI). Most of the time this boils down to looking for usage of e.g. MD5, SHA1 or the key length in RSA and such stuff.
I could do this somehow with regex, but this seems a bit cumbersome and tbh I don't know all the necessary libs and what the function calls look like (to create the regex). I do know that the bandit SAST tool has rules to find MD5/SHA1/... but these are not really sufficient (although a good start).
What would be a good possibility to identify usage of such insecure functions? Just regex, writing my own bandit rules or something different?
Thx
You could create a small database or dictionary ('library name' : [method1, method2]) of popular crypto libraries and, from those libraries, the methods which are attributed to insecure use cases.
Then you would first search to see if the library (key) is in fact being used by the project and if it's also using insecure methods (value). You wouldn't need to use regex, just think of how you would search for a single string in a text file. But if you wanted efficiency, it might be recommended :) and something fun to develop, that's just my thoughts.
You could however use SonarQube and integrate that into your build pipeline; it supports Python and I know first hand it checks for weak crypto usage within C# projects. It's free and completely automated, so it's perfect for small/large teams :)
https://www.sonarqube.org
Good luck buddy!
First I would like to rephrase. You need a static analysis tool that will do some custom checks, like for security problems.
I would start with pylint, with its extensions. There is a sample checker on GitHub. The good point here is that you can incorporate that into CI/CD tools without much work. The issue here can be that the linter can be informed not to treat something as a problem. On one hand that is perfect, since md5 can be used in some areas, but that can lead to having that leak... Looking at it that way, all you can do is to inform.
The other option is a security checker that is able to deal with Python code. I'm using lynis on my server. They are using plain Linux shell. In practice you can grep Python code to see if something is fishy there. I would advise to go there and check what they are looking for, and how it is done. If not to go that way, then maybe for inspiration. False positives should also be addressed here. So the question is if you wish to deal with it on your own, or you rely on developers...
I would start with some checks, like that md5/sha1, and then expand. Be sure it is clear what is checked, and what is wrong. That looks really tricky, but I would give it a try. Maybe an open source extension to pylint, on GitHub? That way you can get support from others! If so, let me know :)
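As an added example (not code from either answer or from pylint/bandit), here is the kind of custom check both answers point at, written as a stand-alone scanner on Python's `ast` module: it walks the parsed source and flags `hashlib` md5/sha1 calls (including the algorithm passed as a string to `hashlib.new`) and RSA key generation below a minimum size. The policy values, the sample code and the argument names it inspects (`key_size`, `bits`) are assumptions for this example, not an official BSI list.

```python
import ast
# Example policy (constructed; adapt to the recommendation you enforce, e.g. BSI TR-02102-1).
WEAK_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 3000

def _dotted_name(node):
    # Return "pkg.mod.func" for a Name/Attribute chain, "" for anything else.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

class CryptoPolicyVisitor(ast.NodeVisitor):
    # Walks a module AST and records (line, message) for each policy violation.
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        fn = _dotted_name(node.func).rsplit(".", 1)[-1]
        args, kws = node.args, {k.arg: k.value for k in node.keywords}
        # hashlib.md5(...), or bare md5(...) after `from hashlib import md5`
        if fn in WEAK_HASHES:
            self.findings.append((node.lineno, f"weak hash {fn}"))
        # hashlib.new("sha1") hides the algorithm in a string argument
        elif fn == "new" and args and isinstance(args[0], ast.Constant) \
                and str(args[0].value).lower() in WEAK_HASHES:
            self.findings.append((node.lineno, f"weak hash {args[0].value} via new()"))
        # RSA key generation: key_size= (cryptography) or bits=/first arg (pycryptodome)
        elif fn in ("generate_private_key", "generate"):
            size = kws.get("key_size") or kws.get("bits") or (args[0] if args else None)
            if isinstance(size, ast.Constant) and isinstance(size.value, int) \
                    and size.value < MIN_RSA_BITS:
                self.findings.append((node.lineno, f"RSA key size {size.value} < {MIN_RSA_BITS}"))
        self.generic_visit(node)

def scan_source(source):
    # Parse Python source text and return sorted (line, message) findings.
    visitor = CryptoPolicyVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)

# Constructed developer code to scan; lines 2, 3 and 5 violate the policy.
SAMPLE = """\
import hashlib
digest = hashlib.md5(data).hexdigest()
h = hashlib.new("sha1")
ok = hashlib.sha256(data)
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
"""
```

Run `scan_source(open(path).read())` over each file in the project; a name-based match like this will also flag unrelated functions that happen to be called `md5` or `generate`, so the dictionary of library-to-method mappings from the first answer is the natural way to tighten it.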