On Mon, Apr 5, 2010 at 12:08 PM, Matt Parsons <mparsons1...@gmail.com> wrote:

> Has anyone completed a Python security code review? What would
> you look for besides inputs, outputs and dangerous functions?
> Do any of the commercial static code analysis vendors scan that
> code? I would think not because Python is not compiled at run
> time like the other languages that static analysis tools can
> scan. Any help would be greatly appreciated.
Static analysis tools can and do scan dynamic languages like Python, PHP, and JavaScript. Fortify 360 v2.5 can scan Python. There are also free tools for Python, like pylint, pychecker, and pyflakes, but none of them is primarily focused on security. OWASP's Python ESAPI is a good starting point to learn about potential security flaws in Python.

James Walden
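As an added illustration of the "dangerous functions" part of the question (this is example code written for this page, not from either poster or from any of the tools named above): Python does not need to be compiled for a static checker to work, because its `ast` module exposes the parsed source. The small checker below walks that tree and reports the calls a reviewer would want to look at by hand; the list of flagged names and the sample input are constructed for the example.

```python
import ast

# Constructed sample source, not from the thread: a few lines a reviewer would flag.
SAMPLE = """\
import os, pickle, subprocess
def handler(req):
    data = pickle.loads(req.body)
    os.system("convert " + req.args["file"])
    subprocess.call(req.args["cmd"], shell=True)
    return eval(req.args["expr"])
def safe(cmd):
    subprocess.run(["ls", "-l", cmd])
"""

# Hypothetical starting list of callees that deserve manual review.
RISKY_CALLS = {
    "eval": "code execution from a string",
    "exec": "code execution from a string",
    "os.system": "shell command built from a string",
    "os.popen": "shell command built from a string",
    "pickle.loads": "deserialization of untrusted data",
    "pickle.load": "deserialization of untrusted data",
    "yaml.load": "deserialization without a safe loader",
}
# Only risky when called with shell=True.
SHELL_CALLS = {"subprocess.call", "subprocess.run",
               "subprocess.Popen", "subprocess.check_output"}

def _call_name(node):
    """Return 'name' or 'module.attr' for the callee, or None if it is not a plain name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def find_risky_calls(source):
    """Parse source and return sorted (line, reason) pairs for each call worth reviewing."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, f"{name}: {RISKY_CALLS[name]}"))
        elif name in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, f"{name}: shell=True"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_risky_calls(SAMPLE):
        print(f"line {line}: {reason}")
```

A checker like this only finds what its name list covers; aliased imports and calls resolved at runtime slip past it, which is why the tools named above and a manual review still matter.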
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________