According to a study conducted by Snyk, today 43% of all data leaks are directly related to vulnerabilities discovered within applications. As the Python programming language becomes increasingly popular with developers, Snyk examined security issues related to the language and found that while 81 percent of the most popular Python packages work well, about 20 percent of the security weaknesses identified by Snyk Code are related to Python projects.
Python’s success is due in part to its ecosystem of machine learning software libraries like NumPy, Pandas, Google’s TensorFlow and Facebook’s PyTorch. According to the TIOBE index, Python is now the most popular programming language in the world, beating out both Java and C.
In reviewing Python-related threats and vulnerabilities, Snyk found that on average, 60 new Python vulnerabilities are added to Snyk’s vulnerability database each month. Nearly one-third are classified as critical or high severity (5% are critical severity issues, 27% are high severity, 56% are medium severity and 12% are low severity). The study reveals that most of the discovered vulnerabilities could be fixed quickly: in particular, 87% of the vulnerabilities can be fixed by switching to updated packages. Finally, using lighter-weight packages would eliminate most container vulnerabilities.
These maintenance actions are necessary in many projects. In more than 60% of Python projects, Snyk found code-level issues that fall into the OWASP Top 10 2021 categories. Such issues let attackers inject client-side scripts into websites (cross-site scripting, XSS). User-supplied strings are used to build SQL queries, opening the door to SQL injection attacks. In addition, certificate verification is sometimes disabled, which opens the door to Man-in-the-Middle (MitM) attacks.
“When you look at some of the security issues encountered in Python projects, you’ll find that issues related to interactions with external resources such as file or network flows are only a small portion of the problems identified,” said Daniel Berman, Product Marketing Director at Snyk. “Python developers seem to be a little less disciplined in calling shutdown functions to flush the contents of memory as well as to free all references.”
Dependencies increase the risk of attack
Another point to note is that today, a Python repository usually contains much more than just the Python code written by the developer. The most common additional elements are open-source packages, container images, and the configuration files that provision the infrastructure the code runs on. This growing volume of dependencies expands the attack surface of projects over time.
Snyk found, on average, a Python project has about 35 dependencies. Of these, 17 are direct dependencies and 18 are indirect dependencies. In 47 percent of these projects, the dependencies introduce vulnerabilities. An average vulnerable project has 33 known vulnerabilities, of which 10% are critical severity vulnerabilities, 26% are high severity, 26% are medium severity, and 28% are low severity.
“The more complex the applications, the harder they are to secure,” Daniel Berman said. “Cybercriminals have a wide variety of vectors to use when attacking a Python application, whether it’s via known vulnerabilities introduced through direct or indirect dependencies, security issues in the application’s proprietary code, or container vulnerabilities.”
By analyzing the top security issues found in application code, Snyk came up with six tips to help Python developers:
- Use modern static code analysis: Linters like Pylint and scanners like Bandit are good basics. But the most serious problems are cross-file (they arise when execution flows from one source file into another), and detecting these kinds of problems manually remains nearly impossible.
- Sanitize data: Validate and sanitize data from external sources (including databases) at the application’s entry point.
- ORM: Use modern object-relational mapping (ORM) tools to abstract database interactions and remove the possibility of SQL injection. If you use frameworks such as Django or Flask, choose proven libraries such as the Django ORM or SQLAlchemy.
- Unicode: If possible, standardize all strings to a single Unicode encoding – we recommend UTF-8. Also, be careful when converting Unicode strings to ASCII.
- Close APIs: Be sure to close your network connections and other external resources (e.g., external reads and writes). Closing flushes the data written to their buffers, persists their state correctly, and frees up the references held in your system.
- Keep your secrets: This is not specific to Python, but it is common to see sensitive information such as usernames, passwords, API tokens, file paths or file names leaking into the source code. A good practice is to keep them in separate configuration files outside the repository or, better yet, store them in a secrets manager such as HashiCorp Vault or AWS Key Management Service.
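The SQL injection pattern the study calls out, and the fix the "ORM" and "Close APIs" tips point to, as an added example that is not part of the original article. It uses an in-memory SQLite database with constructed rows; the two lookup functions and the sample input are assumptions for illustration, not code from Snyk.

```python
import sqlite3
from contextlib import closing


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern from the article: the user-supplied string is
    spliced into the query text, so the input can change the query's
    structure instead of acting only as a compared value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query (what an ORM does for you): the value travels
    separately from the SQL text, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> tuple:
    """Run both lookups for one input and return (unsafe_rows, safe_rows).

    contextlib.closing guarantees the connection is closed on exit; note
    that 'with conn:' alone only commits/rolls back, it does not close."""
    with closing(make_db()) as conn:
        return lookup_unsafe(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    # Constructed input: a normal name and a string containing a quote.
    for probe in ("alice", "x' OR '1'='1"):
        unsafe, safe = compare(probe)
        print(f"{probe!r}: unsafe -> {len(unsafe)} rows, safe -> {len(safe)} rows")
```

With the quoted input, the string-built query returns every row, while the parameterised query returns nothing because no user has that literal name.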
Translated from the French article "Est-ce que Python est sécurisé ?"