On Mon, Apr 5, 2010 at 12:08 PM, Matt Parsons <mparsons1...@gmail.com>
wrote:
> Has anyone completed a python security code review?  What would
> you look for besides inputs, outputs and dangerous functions?
> Do any of the commercial static code analysis vendors scan that
> code?  I would think not because python is not compiled at run
> time like the other languages that static analysis tools can
> scan.  Any help would be greatly appreciated.

Static analysis tools can and do scan dynamic languages like
Python, PHP, and JavaScript.  Fortify 360 v2.5 can scan Python.
There are also free tools for Python, like pylint, pychecker, and
pyflakes, but none of them is primarily focused on security.
OWASP's Python ESAPI is a good starting point to learn about
potential security flaws in Python.

James Walden
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
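As an added illustration of how a static tool can inspect Python without compiling or running it (example code written for this page, not taken from any of the tools named above): the checker below parses source into an AST and flags a small, assumed list of dangerous calls, including `shell=True` on `subprocess` calls, which is the kind of "dangerous function" check the review question asks about.

```python
"""Minimal AST-based security checker for Python source (added example)."""
import ast
from typing import List, Optional, Tuple

# Calls a reviewer would flag for a closer look. Assumed list, constructed
# for this example; a real tool ships a much larger, curated ruleset.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution from a string",
    "exec": "arbitrary code execution from a string",
    "pickle.loads": "unpickling untrusted data can execute code",
    "os.system": "shell command built from a string",
    "subprocess.call": "check for shell=True and untrusted arguments",
}


def _call_name(node: ast.Call) -> Optional[str]:
    """Return a dotted name for the callee, e.g. 'pickle.loads', or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def find_dangerous_calls(source: str) -> List[Tuple[int, str, str]]:
    """Parse `source` (never executed) and return (line, callee, reason)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, name, DANGEROUS_CALLS[name]))
        # shell=True on any subprocess.* call gets its own finding
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, name,
                                     "shell=True enables injection via the command string"))
    return sorted(findings)


# Constructed sample to scan; not real project code.
SAMPLE = """\
import pickle, subprocess
def load(blob):
    return pickle.loads(blob)
def run(cmd):
    subprocess.run("ls " + cmd, shell=True)
x = int("42")
"""

if __name__ == "__main__":
    for line, name, reason in find_dangerous_calls(SAMPLE):
        print(f"line {line}: {name}: {reason}")
```

Running it on the constructed sample reports the `pickle.loads` call on line 3 and the `shell=True` `subprocess.run` on line 5, while the harmless `int("42")` is not flagged.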