Bandit with Tim Kelsey, Travis McPeak, and Eric Brown

Summary

Making sure that your code is secure is a difficult task. In this episode we spoke to Eric Brown, Travis McPeak, and Tim Kelsey about their work on the Bandit library, which is a static analysis engine to help you find potential vulnerabilities before your application reaches production. We discussed how it works, how to make it fit your use case, and why it was created. Give the show a listen and then go start scanning your projects!

Brief Introduction

• Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
• I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable. For details on how to support the show you can visit our site at pythonpodcast.com
• Linode is sponsoring us this week. Check them out at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for your next project. And they just doubled the RAM for their introductory level servers, so that $20 will get you even more performance.
• We are also sponsored by Sentry this week. Stop hoping your users will report bugs. Sentry’s real-time tracking gives you insight into production deployments and information to reproduce and fix crashes. Check them out at getsentry.com and use the code podcastinit at signup to get a $50 credit!
• Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
• To help other people find the show you can leave a review on iTunes, or Google Play Music, and tell your friends and co-workers
• Join our community! Visit discourse.pythonpodcast.com for your opportunity to find out about upcoming guests, suggest questions, and propose show ideas.
• Your hosts as usual are Tobias Macey and Chris Patti
• Today we’re interviewing Tim Kelsey and Eric Brown about Bandit which is a static analysis engine for finding security vulnerabilities in your Python code.

Interview with Eric Brown, Travis McPeak and Tim Kelsey

• Introductions
• How did you get introduced to Python? – Chris
• What is Bandit and what was the inspiration for creating it? – Tobias
• How did you each get involved with the Bandit project? – Tobias
• At what stage of the development process would you want to use Bandit? – Tobias
• What kinds of analysis does Bandit do on the source code that it is run against? – Tobias
• How does it determine whether a particular segment of code is introducing a vulnerability and what means does it use to determine the severity? – Tobias
• What does the generated report include and what can be done with that information? – Tobias
• What are some of the biggest design and implementation difficulties that have been encountered in the process of creating Bandit? – Tobias
• How does bandit compare to similar tools in other languages such as Ruby’s BrakeMan? – Tobias
• What are some of the most interesting extensions that you have seen for Bandit? – Tobias
• What is on the roadmap for the future of Bandit? – Tobias

Keep In Touch

• OpenStack Security IRC
• OpenStack Security Weekly Meeting
• Tim
  • Twitter



• Travis
  • Twitter

Picks

• Tobias
  • Toggl
    • Listener Review of Toggl

  
  
  • Any.do
  
  
  
  


• Tim
  • IFTTT (If This Then That)



• Eric
  • Slack



• Travis
  • Brilliance Trilogy
  • Uncharted 4
  • Risky Business Podcast

The intro and outro music is from Requiem for a Fish The Freak Fandango Orchestra / CC BY-SA