[Openstack-security] Bandit status and next-steps

Finnigan, Jamie jamie.finnigan at hp.com
Fri Aug 15 14:31:26 UTC 2014


Hi all – as promised in the IRC meeting this week, here’s an update on Bandit.

For those of you who weren’t at the OSSG mid-cycle meetup, Bandit provides a framework for performing analysis against Python source code, utilizing the ast module from the Python standard library.  It was created with security testing in mind and is intended to provide a framework that allows tests to be defined and run against Python source code.  In some cases it may be essentially a glorified grep, but in others it may allow us to write smarter tests that give us more accurate results.  Bandit currently runs as a standalone tool, but it may eventually be integrated into the OpenStack CI gate tests.

Bandit is up on GitHub at https://github.com/chair6/bandit.  Yesterday I updated the README to provide a little more explanation as to how Bandit works, and some basic guidance as to how writing tests might be tackled.

It would be great to get more people looking at, using, and contributing to this tool.  One particular area of focus would be around the set of tests that are included:
 - Look at hacking-based tests written during the OSSG mid-cycle and port into Bandit tests.
 - Consider other recent OpenStack vulnerabilities or common Python security anti-patterns and write new Bandit tests to detect those.

We’ll also be looking at ways to improve the Bandit framework and make it simpler to write tests, so feel free to propose changes or let me know any issues you run into.

Thanks,
Jamie