How to perform security testing using Bandit in Python

When you are developing any application, you need to take the proper precautions regarding security issues that might occur when you deploy your application to production.

If the security issues in your application are not addressed properly, an attacker can compromise your application and tamper with its data. Before moving an application to production, you should perform security testing of the application to ensure that all security-related aspects are properly handled within your application.

What is Bandit?

Bandit is a security testing tool for Python. It helps you find common security issues in your application's code.

First install this by running the following command:

pip install bandit

Now, run Bandit with the following command to perform the security testing:

bandit -r /path/to/code.py

For example, we will use the requests module to send a request to Educative and run the security testing on that code.

Let’s take a look at the code now:

import requests

data = requests.get("https://www.educative.io/")
print(data.status_code)

Explanation:

  • In line 1, we import the package.
  • In line 3, we send a request to Educative.
  • In line 4, we print the status code.
  • When you run Bandit on this file, you can see that it reports no security issues. (You might get some warnings, but these can be ignored.)

Now, let's disable SSL certificate verification for the request to the Educative website. Take a look at the code below.

import requests

data = requests.get("https://www.educative.io/", verify=False)
print(data.status_code)

Explanation:

  • The only difference is in line 3, where we pass the parameter verify=False, which disables SSL certificate verification.
  • When you run Bandit on the above code, you can see that it reports a security issue.
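Bandit works by parsing each file into an abstract syntax tree and running its checks over the nodes, and the verify=False finding above comes from one such check. To make that concrete, the following is an added example (not Bandit's own code and not part of the original article): a minimal checker that parses source with Python's standard ast module and flags any requests.<function>(..., verify=False) call. The set of function names in REQUESTS_FUNCTIONS, the helpers find_disabled_tls_verification and scan, and the two embedded snippets (the article's two programs, embedded as strings so the checker runs offline) are this example's own choices; it covers the other requests helpers, not only get.

```python
"""Added illustration, not Bandit's code: an AST-based check in the spirit of
Bandit's detection of requests calls made with verify=False."""
import ast
from typing import List, Tuple

# requests helpers that accept a `verify` keyword (assumption: the calls this
# illustration cares about).
REQUESTS_FUNCTIONS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_requests_call(call: ast.Call) -> bool:
    """True for calls of the form requests.<func>(...), e.g. requests.get(...)."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_FUNCTIONS
    )


def find_disabled_tls_verification(source: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every requests call that passes a
    literal verify=False. Only a literal False is matched: a value routed
    through a variable is invisible to this purely syntactic check."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_requests_call(node)):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "verify"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is False
            ):
                findings.append(
                    (
                        node.lineno,
                        f"requests.{node.func.attr}() called with verify=False: "
                        "TLS certificate validation is disabled",
                    )
                )
    return findings


# The article's two programs, embedded as strings (constructed input for this example).
SAFE_SNIPPET = '''import requests

data = requests.get("https://www.educative.io/")
print(data.status_code)
'''

UNSAFE_SNIPPET = '''import requests

data = requests.get("https://www.educative.io/", verify=False)
print(data.status_code)
'''


def scan(name: str, source: str) -> List[Tuple[int, str]]:
    """Run the checker on one snippet and print a Bandit-like report."""
    findings = find_disabled_tls_verification(source)
    if not findings:
        print(f"{name}: no issues found")
    for lineno, message in findings:
        print(f"{name}:{lineno}: {message}")
    return findings


if __name__ == "__main__":
    scan("safe.py", SAFE_SNIPPET)
    scan("unsafe.py", UNSAFE_SNIPPET)
```

Running the file reports nothing for the first snippet and one finding on line 3 of the second, which is the same line Bandit points at. Like any static check, it sees only what is literally in the source: verify=False spelled out as a constant is caught, while a False that arrives through a variable or a config file is not, which is why a scanner complements code review rather than replacing it.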

This was just a small example, but Bandit becomes very helpful when you run security testing on a full-fledged application.
