On 05/28/2014 11:55 PM, Bhandaru, Malini K wrote:
> Hello Everyone!
>
> Can you think of a security anti-pattern? Share them and help make OpenStack more secure.
>
> Below is an excerpt from the wiki under development -- https://wiki.openstack.org/wiki/Security/OpenStack_Security_Impact_Checks
>

Thank you Malini!

I added some classic anti-patterns to the list. Now I wonder how to verify those automatically. I'm afraid grep won't be enough; we might want to look at a simple ast representation that we can use to inspect dangerous function calls.

Would a PoC that highlights subprocess calls with shell=True still be useful, or do we already have something in mind?

Best regards,
Tristan
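The AST-based check Tristan sketches above, written out as an added example (this is not Tristan's PoC or any OpenStack project code; it assumes Python 3.8+ so that literals appear as ast.Constant, and the sample source it scans is constructed for the demonstration). It resolves `import subprocess as sp` and `from subprocess import X as Y` aliases, so the spacing variant `shell = True` and aliased calls that a grep for "shell=True" would miss are still reported, and a non-literal shell argument is flagged for manual review rather than silently accepted.

```python
import ast

# subprocess entry points that accept shell=...
SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


def find_shell_true(source, filename="<string>"):
    """Return [(lineno, qualified_name, verdict), ...] for subprocess calls
    whose shell keyword is True (or not a constant and therefore needs review)."""
    tree = ast.parse(source, filename)

    # Pass 1: learn which local names refer to the subprocess module
    # or to functions imported from it.
    module_aliases = {"subprocess"}   # names bound to the module itself
    imported = {}                     # local name -> original function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "subprocess":
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == "subprocess":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name

    # Pass 2: inspect every call expression.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases):
            name = func.attr                      # subprocess.call / sp.Popen
        elif isinstance(func, ast.Name) and func.id in imported:
            name = imported[func.id]              # co(...) -> check_output
        if name not in SUBPROCESS_FUNCS:
            continue
        for kw in node.keywords:
            if kw.arg != "shell":                 # kw.arg is None for **kwargs
                continue
            if isinstance(kw.value, ast.Constant):
                if kw.value.value is True:
                    findings.append((node.lineno, "subprocess." + name, "shell=True"))
            else:
                # shell=some_variable: cannot decide statically, surface it for review
                findings.append((node.lineno, "subprocess." + name, "shell=<non-constant>"))
    return sorted(findings)


# Constructed sample module; only parsed, never executed.
SAMPLE_SOURCE = '''
import subprocess
import subprocess as sp
from subprocess import check_output as co

def ok(path):
    return subprocess.run(["ls", "-l", path])            # argv list, no shell

def bad(user_input):
    subprocess.call("ls -l " + user_input, shell=True)  # line 10
    sp.Popen("echo hi", shell = True)                    # line 11: spacing defeats grep
    co("id", shell=True)                                 # line 12: aliased import
    subprocess.call(cmd, shell=use_shell)                # line 13: dynamic value
'''


if __name__ == "__main__":
    for lineno, qualname, verdict in find_shell_true(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: {qualname}(..., {verdict})")
```

Running the file scans the embedded sample and prints one line per finding; pointing `find_shell_true` at real source files is a matter of reading them and passing the text in. The check deliberately only reasons about names bound at module level, so a `subprocess` reference passed through a variable or re-exported from another module is out of scope, which is exactly the kind of gap a simple AST pass leaves and a code reviewer should still cover.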