OpenStack Summit May 2015 Vancouver has ended
Thursday, May 21 • 1:30pm - 2:10pm
Securing the OpenStack code base with Bandit


Security consistently ranks as the #1 concern when talking with decision makers about cloud adoption. According to a recent count, OpenStack has 1.6 million lines of Python code. The success of OpenStack is closely tied to the security of the OpenStack code base.

Bandit is a Python AST-based code security analyzer from the OpenStack Security Group, designed to pinpoint security issues within Python code bases. Bandit helps sift through large volumes of code efficiently, rapidly identifying potential flaws, for example unsafe function calls or the use of outdated or unsafe libraries. Bandit also makes it easy to extend its capabilities to scan for additional vulnerabilities.

In this presentation, we’ll go over the design and implementation of Bandit. We’ll discuss some security vulnerabilities that have already been identified, and how new tests can be contributed. We’ll also discuss how OpenStack projects can start using Bandit immediately, as well as plans for integration into OpenStack gate tests for the automated security scanning of code submissions.
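The kind of AST-based check the abstract describes, as an added illustration that is not Bandit's own code or plugin API: a small `ast.NodeVisitor` walks a module and flags calls listed in a constructed rule table (`eval`, `pickle.loads`, `subprocess.call` with `shell=True`), the way a Bandit test pinpoints unsafe function calls, and adding a new check is one more row in the table. The `UNSAFE_CALLS` table, `scan_source` function and `SAMPLE` module are assumptions made for this example.

```python
import ast
# Constructed rule table for this example (not Bandit's own plugin list):
# dotted call name -> severity. Extending the checker means adding a row.
UNSAFE_CALLS = {"eval": "HIGH", "pickle.loads": "MEDIUM", "subprocess.call": "LOW"}

def _dotted_name(node: ast.AST) -> str:
    """Render a call target such as `pickle.loads` as a dotted string ('' if dynamic)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def _shell_true(call: ast.Call) -> bool:
    # Literal keyword shell=True (ast.Constant, Python 3.8+); a variable is not matched.
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

class UnsafeCallVisitor(ast.NodeVisitor):
    """Walk every Call node and record (line, dotted name, severity) for matches."""
    def __init__(self) -> None:
        self.findings = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        # subprocess.call is only flagged with shell=True; a list argv without it is fine
        if name in UNSAFE_CALLS and (name != "subprocess.call" or _shell_true(node)):
            self.findings.append((node.lineno, name, UNSAFE_CALLS[name]))
        self.generic_visit(node)  # keep descending: nested calls matter too

def scan_source(source: str) -> list:
    """Parse a module and return its findings in source order."""
    visitor = UnsafeCallVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

# Constructed sample module: lines 3, 5 and 8 should be flagged, line 7 should not.
SAMPLE = """import pickle, subprocess
def load(blob):
    return pickle.loads(blob)
def run(cmd):
    subprocess.call(cmd, shell=True)
def safe(argv):
    subprocess.call(argv)
x = eval("1+1")
"""
```

Running `scan_source(SAMPLE)` yields three findings, on lines 3, 5 and 8; the plain `subprocess.call(argv)` on line 7 is not reported.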


Speakers
Jamie Finnigan

Tim Kelsey

HP Cloud Security
Tim Kelsey is a security engineer at HP Cloud with responsibilities across the Helion portfolio and an emphasis on OpenStack upstream work including ongoing contributions to Barbican, Kite, Anchor, and Bandit. Tim is an experienced software and systems developer, with demonstrated...


Thursday May 21, 2015 1:30pm - 2:10pm PDT
Room 114/115
