In today's digital world, security remains a critical concern, and this applies equally to Python software: Python is the most widely used programming language worldwide.
To use a Python SAST scanner (Static Application Security Testing Tool) effectively, it is vital to understand the difference between a weakness and a vulnerability:
Security Weakness
A security weakness is a flaw, design choice or implementation issue that could potentially lead to a security problem, but is not necessarily exploitable on its own.
Examples in Python:
- Using eval() on user input. This is a weakness because it allows arbitrary code execution if misused.
- Hardcoding credentials in code (e.g. password = "admin123"). This is a weakness because it exposes sensitive data.
Security Vulnerability
A security vulnerability is a weakness that can actually be exploited to compromise a system’s security. A vulnerability can be targeted intentionally by an attacker or triggered incidentally by a user or administrator (e.g. to execute malware, escalate privileges, leak data accidentally, or make the system unavailable).
Key Rule: All vulnerabilities are weaknesses, but not all weaknesses are vulnerabilities.
Python Static Application Security Testing (SAST) Scanners
Effective Python Static Application Security Testing (SAST) scanners identify weaknesses by monitoring the use of Python library calls known to lead to vulnerabilities. Unfortunately, many scanners only implement a very limited selection of potential weaknesses within the Python Standard Library (PSL) modules.
Examples:
- A Python application using eval(input()) where an attacker can inject Python code to run arbitrary commands. The weakness (eval use) has become a vulnerability because it's exploitable.
- Using assert statements in production code. The weakness (assert use) can become a vulnerability because assert statements can be disabled at runtime.
| Concept | Definition | Exploitability | Example |
|---|---|---|---|
| Weakness | Flaw that could lead to a security issue | Not necessarily exploitable | Using eval() on input |
| Vulnerability | A weakness that can be exploited | Exploitable | Attacker injects code via eval(input()) |
Risk Mitigation by using SAST testing
Static Application Security Testing (SAST) plays a critical role in a secure software development lifecycle (SSDLC) for Python software:
- Prevention: SAST helps prevent security risks by alerting developers to weaknesses early in development—before code reaches production.
- Awareness: It promotes a culture of secure coding by making developers aware of risky patterns.
- Remediation: While secure design and architecture are essential, systematically fixing identified weaknesses remains one of the most effective ways to reduce overall security risk.
Most commercial Python SAST scanners leave the difficult task of defining what to validate up to the user. Python Code Audit, by contrast, ships by default with the largest collection of possible security risks arising from use of the Python Standard Library.
Never trust, always validate!
You should validate any Python program or Python module before using it. This can be done with one simple command:
codeaudit filescan <package-name|directory|filename> [reportname.html]
So you can check a PyPI.org package, a local directory or a single Python file with just one simple command. You may specify a custom name for the HTML report that will be created, but this is not necessary. Python Code Audit does not install the package; it analyses the Python code safely by making use of Python's AST (Abstract Syntax Tree) technology, so the scanned code is never executed.
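To illustrate how an AST-based scanner finds the weaknesses named above (eval() on input, assert statements, hardcoded credentials) without running the code, here is a small example written for this article; it is not code from Python Code Audit, and the sample source and the secret-name list are constructed assumptions:

```python
import ast

# Constructed sample source for the example; not a real project file.
SAMPLE_SOURCE = '''
import subprocess
password = "admin123"
def run(cmd):
    assert cmd, "cmd required"
    return eval(input())
'''

DANGEROUS_CALLS = {"eval", "exec"}
# Assumed list of variable names that suggest a credential.
SECRET_NAMES = {"password", "passwd", "secret", "token", "api_key"}

class WeaknessVisitor(ast.NodeVisitor):
    """Walks the AST and records potential weaknesses (not proven vulnerabilities)."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Direct calls to eval()/exec(); attribute calls (e.g. builtins.eval) are not covered here.
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"use of {node.func.id}()"))
        self.generic_visit(node)

    def visit_Assert(self, node):
        # assert is stripped when Python runs with -O, so it must not guard security checks.
        self.findings.append((node.lineno, "assert statement"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a secret-looking name is a hardcoded credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append((node.lineno, f"hardcoded credential in '{target.id}'"))
        self.generic_visit(node)

def scan_source(source):
    """Parse source without executing it and return sorted (line, description) findings."""
    visitor = WeaknessVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)

if __name__ == "__main__":
    for lineno, desc in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {desc}")
```

Each finding is a weakness; whether it is an exploitable vulnerability still depends on where the flagged input actually comes from, which is the distinction the table above draws.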
Before running the codeaudit command, you must have Python Code Audit installed. This can be done with a single command:
pip install -U codeaudit
Python Code Audit is an advanced open source SAST tool that automates the review of Python source code to identify potential security vulnerabilities.
