Re: [python-security] Fortify for Python

[Mat Caughron]

hi Geoff:

As a former Fortify consultant, I recommend that you peruse the python section of VulnCat at:

      http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html

I would not describe the python support as mature.

The only four areas for python-specific potential findings are: Cody Quality, Encapsulation, Input Validation/Representation, and Security Features

Code Quality

Portability Flaw: File Separator

Encapsulation

HTML5: Overly Permissive CORS Policy

System Information Leak

Input Validation and Representation

Command Injection

Cross-Site Scripting: Persistent

Cross-Site Scripting: Poor Validation

Cross-Site Scripting: Reflected

Header Manipulation

Log Forging

Open Redirect

Path Manipulation

Resource Injection

SQL Injection

Security Features

Insecure Randomness

Password Management: Hardcoded Password

Password Management: Password in Comment

Weak Cryptographic Hash

On Fri, Mar 8, 2013 at 2:08 PM, Geoff Dillon <geoffd...@gmail.com> wrote:

Anyone have any experience running Fortify on Python code?   I'm mainly wondering what rules they are applying and how I could verify that its actually looking at my code.  So far I've run it and found very little of interest, just a few Low priority items like using the word "Password" inside a comment.

--
You received this message because you are subscribed to the Google Groups "Python Security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python-securi...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.