I heard that the next version of Fortify (might even be released by now) 
supports Python. Not sure I properly understand the rest of the email, but 
duck typing isn't a huge problem for static analysis and neither is the fact 
that it's compiled to bytecode before being executed by a VM...

Romain

________________________________
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Matt Parsons [mparsons1...@gmail.com]
Sent: Monday, April 05, 2010 12:08 PM
To: SC-L@securecoding.org
Subject: [SC-L] has anyone completed a python security code review?

Has anyone completed a Python security code review? What would you look for 
besides inputs, outputs and dangerous functions? Do any of the commercial 
static code analysis vendors scan that code? I would think not because Python 
is not compiled at run time like the other languages that static analysis tools 
can scan. Any help would be greatly appreciated.

Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668

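An added example, not written by either poster, that bears on both messages above: a small checker built on Python's standard `ast` module that flags the "dangerous functions" Matt asks about straight from source text, which is the kind of analysis Romain says dynamic typing and bytecode compilation do not prevent. It assumes Python 3.8 or later (for `ast.Constant`); the `DANGEROUS_CALLS` table and the `SAMPLE` input are constructed for this example.

```python
import ast
from typing import List, Optional, Tuple

# Callees a reviewer flags on sight. Constructed for this example; tune per code base.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "pickle.loads": "deserialization of untrusted data",
    "os.system": "command execution through the shell",
    "subprocess.call": "command execution through the shell (shell=True)",
}

def _dotted_name(node: ast.AST) -> Optional[str]:
    """Rebuild 'os.system' from the Attribute/Name chain of a call target."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. getattr(...)() or a call on the result of another call

def find_dangerous_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, callee, reason) for every flagged call, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in DANGEROUS_CALLS:
            continue
        # subprocess.* only reaches a shell with shell=True; argv-list calls are skipped
        if name.startswith("subprocess.") and not any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant)
            and kw.value.value is True for kw in node.keywords):
            continue
        findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
    return sorted(findings)

# Constructed input: one function mixing safe and unsafe calls (lines 1-7).
SAMPLE = """\
import os, pickle, subprocess
def run(cmd, blob):
    os.system(cmd)
    data = pickle.loads(blob)
    subprocess.call(["ls", "-l"])
    subprocess.call(cmd, shell=True)
    return eval(data)
"""
```

Running `find_dangerous_calls(SAMPLE)` reports lines 3, 4, 6 and 7 and leaves the argv-list `subprocess.call` on line 5 alone; a reviewer would then trace whether `cmd` and `blob` can carry untrusted input.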

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
