Python — Secure Coding Guidelines

Felix Stephen
3 min read · Dec 3, 2018


“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” ― Stephane Nappo

Secure coding is a practice that helps developers protect applications from cybersecurity vulnerabilities and exploits. Developers are encouraged to integrate secure coding practices, including software security principles, into their day-to-day operations and development lifecycle. The software security principles fall into the following categories:

  1. Minimize attack surface area
  2. Establish secure defaults
  3. The principle of Least Privilege
  4. The principle of Defense in depth
  5. Fail securely
  6. Don’t trust services
  7. Separation of duties
  8. Avoid security by obscurity
  9. Keep security simple
  10. Fix security issues correctly

According to the Stack Overflow Annual Developer Survey 2018, run by one of the largest online developer communities, Python is the most wanted language (25.1%). According to an Imperva study, more than 20% of GitHub repositories have Python-based attack tools, exploits, and proofs of concept. More than 77% of applications globally are attacked by Python-based tools, so it is worth knowing that hackers are well versed in Python programming.

What if hackers get hold of developers' Python code, whether it is open source or taken from some other repository? They can easily read and understand the application's code and find loopholes in it. If developers follow secure coding guidelines, this might protect applications from various attacks.

“Code is communication.” ― unknown

The following general coding style guidelines are highly recommended for Python programmers:

  1. PEP-0257 - the high-level docstring conventions that Python officially recommends. It describes how classes, functions, and code should be documented, and how this helps code readability.
  2. PEP-3101 - the new system for built-in string formatting operations, intended as a replacement for the existing ‘%’ string formatting operator.
  3. PEP-0008 - the Python coding style guidelines, which give strong recommendations on naming conventions, comments, formatting, and a lot more.
  4. GPSG - the Google Python Style Guideline covers do’s and don'ts for Python programs and backs them with technical explanations.
  5. Python Anti-Patterns - presents anti-patterns with a technical explanation of the corresponding best practices, and also covers anti-patterns for the Django framework.
  6. The Hitchhiker's Guide to Python - the book written by Kenneth and Tanya. I would strongly encourage Python programmers to read it; the section called Writing Great Python Code covers lots of recommended best practices.

Many recommended resources and style guides are available on the internet. Unfortunately, very few resources talk about secure coding guidelines.

  1. OWASP (Open Web Application Security Project) - Python Security is an open source OWASP project. It addresses security concerns in Python web applications as well as in Python modules and functionality.
  2. Bandit - a tool designed to find common security issues in Python code. It was originally developed by OpenStack Security and later moved to PyCQA (Python Code Quality Authority).

After a lot of research, Bandit is the tool I found to scan my code. It covers some of the OWASP 10, and the project has very clear documentation and proper error code details.

Bandit — Scanning Report
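
Bandit parses each file into an abstract syntax tree and runs its checks against the nodes. The sketch below is an added example, not Bandit's code or the author's: a deliberately small scanner with hypothetical names (`scan`, `call_name`, `shell_true`, `SAMPLE`) that flags five patterns under the Bandit test IDs covering them.

```python
import ast

# Constructed sample: deliberately insecure code, used only as scanner input.
SAMPLE = '''
import pickle, subprocess
password = "hunter2"

def run(cmd, blob, expr):
    assert cmd, "empty command"
    subprocess.call(cmd, shell=True)
    subprocess.call(["ls", "-l"])
    return eval(expr), pickle.loads(blob)
'''

# Call targets mapped to the Bandit test ID that covers the same pattern.
RISKY_CALLS = {
    "eval": ("B307", "eval() on untrusted input executes arbitrary code"),
    "pickle.loads": ("B301", "unpickling untrusted data executes arbitrary code"),
}

def call_name(func):
    """Return 'eval' or 'module.func' for simple call targets, else ''."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def scan(source):
    """Walk the AST of `source`; return sorted (line, test_id, message) tuples."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assert):
            found.append((node.lineno, "B101", "assert is removed under python -O"))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            names = [t.id.lower() for t in node.targets if isinstance(t, ast.Name)]
            if isinstance(node.value.value, str) and any("password" in n for n in names):
                found.append((node.lineno, "B105", "hard-coded password string"))
        elif isinstance(node, ast.Call):
            name = call_name(node.func)
            if name in RISKY_CALLS:
                found.append((node.lineno, *RISKY_CALLS[name]))
            elif name.startswith("subprocess.") and shell_true(node):
                found.append((node.lineno, "B602", "subprocess call with shell=True"))
    return sorted(found)
```

Calling `scan(SAMPLE)` reports lines 3, 6, 7 and 9 of the sample and stays silent on the list-form `subprocess.call` on line 8, which passes no `shell=True`.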

General Coding guidelines and Secure Coding guidelines are really important for programmers to follow.

Thanks for reading… Check out my other blog, Ansible — Contributing Python Modules (Part-1).
