Use an automated tool to identify security weaknesses in source code automatically.
Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)
Mobile Security (Tuskegee University, Spring 2023)
Information Security Administration (Kennesaw State University, Spring 2023)
Pre-lab Content Dissemination
In this pre-lab activity, we will understand security weaknesses and how they can be identified using a static analysis tool called Bandit (https://bandit.readthedocs.io/en/latest/).
A security weakness is also referred to as a security vulnerability: a coding pattern that violates the property of confidentiality, integrity, or availability. A security vulnerability is a software bug.
Security weaknesses can be identified by manual inspection by an expert or by automated tools. Today, we will use an automated tool called Bandit. Many static analysis tools exist, as listed on the OWASP webpage.
In-class Hands-on Experience
Install Bandit with pip. Instructions to Install Bandit can be found here: https://bandit.readthedocs.io/en/latest/start.html#installation
pip install bandit
Check the installation by running bandit -h in the terminal.
Run bandit simple.py located here: https://github.com/paser-group/ALAMOSE-PASER/tree/ALAMOSE/workshops/workshop2-bandit.
The simple.py content is listed below:
import subprocess
subprocess.Popen('touch bad.txt', shell=True)
To run static analysis, we will use the Bandit tool installed in the previous installation step. To run static analysis on our code, run the command below, where -r tells Bandit to scan the directory recursively:
bandit -r <path-to-project-directory>
Example: bandit -r /home/luser/Documents/devops_website_work/workshops/workshop1
Figure 1: The Bandit command run in the VS Code terminal.
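To show what a static analysis tool like Bandit is actually doing when it flags simple.py, here is an added example (not part of the lab materials or of Bandit itself) that walks the Python abstract syntax tree and reports every subprocess call made with shell=True, then runs that check over the simple.py snippet and a hardened version that passes the command as an argument list; the sample sources are constructed inline.

```python
import ast

# Constructed sample: the simple.py content from the lab (the shell=True call
# is the weakness Bandit reports).
VULNERABLE_SRC = "import subprocess\nsubprocess.Popen('touch bad.txt', shell=True)\n"

# Hardened form (assumption): the command is an argument list, so no shell
# interprets the string and no metacharacters can change its meaning.
HARDENED_SRC = "import subprocess\nsubprocess.Popen(['touch', 'bad.txt'])\n"

# subprocess functions that accept the shell keyword.
SUBPROCESS_CALLS = {"Popen", "call", "check_call", "check_output", "run"}


def _is_literal_true(node: ast.AST) -> bool:
    """True only for the literal constant True (not for a variable)."""
    return isinstance(node, ast.Constant) and node.value is True


def find_shell_true(source: str) -> list[tuple[int, str]]:
    """Return (line number, callee) for each subprocess.<callee>(..., shell=True).

    Only calls written as subprocess.<name>(...) are matched; a call bound via
    'from subprocess import Popen' is not resolved by this simplified check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        is_subprocess_call = (
            isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"
            and func.attr in SUBPROCESS_CALLS
        )
        if not is_subprocess_call:
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and _is_literal_true(kw.value):
                findings.append((node.lineno, func.attr))
    return findings


if __name__ == "__main__":
    for label, src in (("simple.py", VULNERABLE_SRC), ("hardened.py", HARDENED_SRC)):
        hits = find_shell_true(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line, callee in hits:
            print(f"  line {line}: subprocess.{callee} called with shell=True")
```

Bandit performs the same kind of AST inspection, but with many more test plugins and with resolution of imported names, which is why the lab uses the tool rather than a hand-written check.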
Post Lab Experience
Run Bandit against all Python files in the workshop1.zip file
Extract workshop2.zip, which is located here: https://github.com/paser-group/ALAMOSE-PASER/tree/ALAMOSE/workshops/workshop2-bandit
Run Bandit by specifying the extracted directory. You might need the -a, -f, -r, and -o flags.
Observe the security weaknesses.
Report the names of the three most frequent security weaknesses detected by Bandit in a document.
Complete the survey located here: https://auburn.qualtrics.com/jfe/form/SV_3C2YB8CeV2IWlN4.