There are two key tools for assisting with vulnerability discovery in Python – Safety and Bandit. Make sure they’re turned on in your continuous integration. This talk will include the kinds of security problem these tools detect, how to get the most out of them, and what gaps still remain.
This talk is designed to be easy to follow. If you’ve read the elevator pitch, you’ve already learned the main point of the talk! The presentation itself will go into the details of example security vulnerabilities, explain why it’s important to fix them, and show how integrating these two tools into your process will better protect you and your software. Beginners will get an appreciation for the kinds of security problems that can occur, and an introduction to continuous integration workflows. Attendees with an intermediate level of knowledge will get an overview of the strengths and limitations of the tools for detecting issues in both source code and library dependencies (aka supply chain risk). If you’re an attendee experienced in security and know all of this already … that’s awesome! ;)
Watch 'Watch out for Safety Bandits!' on PyCon AU's YouTube account
Tennessee Leeuwenburg is an experienced Python developer and team lead with an interest in quality code, automation, artificial intelligence and open source software. Most recently he has been working on improving security outcomes in the software development lifecycle, and making grand plans for how to extend the capabilities of today’s static analysis tools. He is currently the Head of Secure Coding at the Australian Bureau of Meteorology.