I heard that the next version of Fortify (it might even be released by now) supports Python. I'm not sure I properly understand the rest of the email, but duck typing isn't a huge problem for static analysis, and neither is the fact that it's compiled to bytecode before being executed by a VM...
Romain

________________________________
From: [email protected] [[email protected]] On Behalf Of Matt Parsons [[email protected]]
Sent: Monday, April 05, 2010 12:08 PM
To: [email protected]
Subject: [SC-L] has any one completed a python security code review

Has anyone completed a Python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not because Python is not compiled at run time like the other languages that static analysis tools can scan. Any help would be greatly appreciated.

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:[email protected]
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
_______________________________________________
Secure Coding mailing list (SC-L) [email protected]
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
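Added example for the thread above (this is not code posted by either participant, and it does not describe how Fortify or any other vendor's tool works): a small source-level scan built on Python's standard `ast` module that flags the kind of "dangerous functions" Matt asks about. It works on the parsed source tree, so neither duck typing nor the compile-to-bytecode step stands in the way, which is Romain's point; it also resolves `import ... as` and `from ... import ... as` aliases within a module, so a renamed `pickle.loads` is still caught. The sink list, the function names (`find_dangerous_calls`, `DangerousCallFinder`) and the sample input are constructed for illustration. The caveat a reviewer should keep in mind is also visible in the code: anything reached dynamically, such as `getattr(os, name)(cmd)` or a callable handed in from elsewhere, is not resolved here, so a scan like this is a triage aid for a manual review, not a replacement for one.

```python
"""Source-level scan for risky Python calls using the standard ast module.

Added example for the SC-L thread; not code from either message and not a
description of any vendor tool.  The sink list is illustrative (assumption).
"""
import ast
from typing import Dict, List, Optional, Tuple

# Fully qualified callables that deserve reviewer attention (assumption: illustrative).
DANGEROUS_CALLS: Dict[str, str] = {
    "eval": "evaluates a string as code",
    "exec": "executes a string as code",
    "os.system": "command string goes to the shell; injection if input reaches it",
    "os.popen": "command string goes to the shell; injection if input reaches it",
    "pickle.load": "unpickling untrusted data runs attacker-chosen code",
    "pickle.loads": "unpickling untrusted data runs attacker-chosen code",
    "yaml.load": "yaml.load without a safe Loader can construct arbitrary objects",
}

# subprocess entry points are only flagged when called with shell=True.
SUBPROCESS_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}

Finding = Tuple[int, str, str]  # (line number, qualified name, reason)


class DangerousCallFinder(ast.NodeVisitor):
    """Collects calls to the sinks above, resolving module-level import aliases."""

    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}   # local binding -> qualified name
        self.findings: List[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.asname:                  # import subprocess as sp
                self.aliases[alias.asname] = alias.name
            else:                             # import os / import os.path both bind "os"
                top = alias.name.split(".")[0]
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module is not None:           # skip relative "from . import x"
            for alias in node.names:          # from pickle import loads as unpickle
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def _qualified_name(self, func: ast.expr) -> Optional[str]:
        """Dotted name a call target resolves to, or None if it is dynamic."""
        parts: List[str] = []
        node = func
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None                       # e.g. getattr(os, name)(cmd): not resolved here
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        name = self._qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            self.findings.append((node.lineno, name, "shell=True hands a command string to the shell"))
        self.generic_visit(node)              # still descend into the arguments


def _has_shell_true(call: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def find_dangerous_calls(source: str, filename: str = "<string>") -> List[Finding]:
    """Parse `source` without executing it and return findings sorted by line."""
    finder = DangerousCallFinder()
    finder.visit(ast.parse(source, filename=filename))
    return sorted(finder.findings)


# Constructed sample input, not taken from any real project.  Line numbers are 1-based.
SAMPLE = """\
import os
import subprocess as sp
from pickle import loads as unpickle
import yaml

def handler(request):
    cmd = request.args["cmd"]
    os.system("ls " + cmd)                 # line 8:  flagged
    sp.run(cmd, shell=True)                # line 9:  flagged, alias resolved to subprocess.run
    sp.run(["ls", cmd])                    # line 10: argument list, no shell, not flagged
    data = unpickle(request.data)          # line 11: flagged as pickle.loads
    cfg = yaml.safe_load(request.data)     # line 12: safe loader, not flagged
    return eval(request.args["expr"])      # line 13: flagged
"""

if __name__ == "__main__":
    for lineno, name, reason in find_dangerous_calls(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: {name}: {reason}")
```

Running the block as a script prints one line per finding for the constructed sample (lines 8, 9, 11 and 13); the list-form `sp.run` and `yaml.safe_load` calls are left alone. Everything a reviewer would still have to chase by hand (dynamic attribute lookups, callables passed across module boundaries, whether the flagged argument is actually attacker-controlled) is exactly what this module-local pass does not see.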
