Fantastic Vulnerabilities and Where To Find Them
You might already have heard of CVE, or Common Vulnerabilities and Exposures, an initiative sponsored by the DHS (Department of Homeland Security) and CISA (Cybersecurity and Infrastructure Security Agency) and overseen by the MITRE Corporation. All CVEs are listed on this website maintained by MITRE. If you want to know more about CVEs, how they are discovered, registered, evaluated and approved, this document from Red Hat has a word or two about it. Also, the PyPA maintains the advisory-db project for searching vulnerabilities in Python packages (this is where pip-audit comes into play).
Security is a limitless topic
It's not just about having hardened iptables/Netfilter rules, Nginx well configured with HSTS and other security headers, a tuned Linux kernel, and your backend application demanding authenticated requests on 99.9% of your endpoints: from the packages you download through APT to the PyPI packages that belong to your Python project, any one of them could have a vulnerability, or a CVE registered and documented.
In terms of security, we could go on forever. It's a topic that is always on the table, from infrastructure to software, and it will always be that way.
Before pip-audit
You might be just like me, reviewing package by package from your requirements.txt with 50 different packages in it, searching CVE listing websites like the one maintained by MITRE, or even this one. What a pain, right? Reviewing every package one by one and documenting the vulnerabilities (if any) on your JIRA card, but there's no other way. It's true that some services are available for searching PYSECs, but they are still not that pragmatic, in my opinion. I always felt more confident searching CVE lists manually. Even if you protect your API endpoints with everything you can, you can't avoid auditing your project's packages. You just can't.
After pip-audit
I think everyone who cares about security was craving something like this. Yesterday, Dustin Ingram announced the stable release of pip-audit.
We've got a couple additional things planned for pip-audit now that the stable release is out.
From time to time, I'm involved in security audits at the companies I work for (I was a SysAdmin before becoming a Software Developer), so I can guarantee that this comes from heaven: I'm pretty sure this tool will become a standard for all of us who develop software or maintain Python projects (open source or not). It's true that security depends greatly on the infrastructure level, from network traffic to web servers and operating systems, but it's common to see software developers not concerned with reviewing the security of their packages, even though they are really worried about how well protected the API is from a variety of attack vectors.
Your platform is also secured by having components without vulnerabilities (keep that in mind). If you don't audit your packages, it's time to make a change, and now you can do it more efficiently. Cheers.
You can see our roadmap, submit issues, provide feedback, or contribute on GitHub -- we'd love to hear from you. https://t.co/rC9golQeh6
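As an added illustration (not code from this post or from pip-audit itself), the script below shows the matching that the manual review above and pip-audit both boil down to: exact pins from a requirements.txt are checked against advisory ranges in the introduced/fixed shape that the PyPA advisory-db uses. The advisory IDs, package names and requirements content are constructed sample data, and version parsing is simplified to dotted integers.

```python
import re
# Constructed sample advisories in the introduced/fixed range shape used by the
# PyPA advisory-db (OSV format). IDs and package names are placeholders.
SAMPLE_ADVISORIES = [
    {"id": "PYSEC-0000-EXAMPLE-1", "package": "examplelib", "ranges": [("0", "1.4.2")]},
    {"id": "PYSEC-0000-EXAMPLE-2", "package": "examplelib", "ranges": [("2.0.0", "2.0.3")]},
    {"id": "PYSEC-0000-EXAMPLE-3", "package": "other_pkg", "ranges": [("0", None)]},
]
# Constructed requirements.txt content with a comment and mixed name spelling.
SAMPLE_REQUIREMENTS = """\
examplelib==1.3.0
Other-Pkg==0.9.1   # no fixed release exists yet
safe-pkg==3.1.0
examplelib==2.0.1
"""

def normalize_name(name):
    # PEP 503 normalisation so Other-Pkg, other_pkg and other.pkg compare equal
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(version):
    # Simplified: dotted integers only; pip-audit uses full PEP 440 parsing
    return tuple(int(part) for part in version.split("."))

def parse_requirements(text):
    # Return (normalised name, version) for each exact pin; anything else is an error
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if not match:
            raise ValueError(f"only exact '==' pins can be audited: {line!r}")
        pins.append((normalize_name(match.group(1)), match.group(2)))
    return pins

def is_affected(version, ranges):
    # Affected when introduced <= version < fixed for any range (fixed=None: open-ended)
    v = parse_version(version)
    return any(v >= parse_version(lo) and (hi is None or v < parse_version(hi)) for lo, hi in ranges)

def audit(requirements_text, advisories):
    # Return (name, version, advisory id) for every vulnerable pin, in requirements order
    findings = []
    for name, version in parse_requirements(requirements_text):
        for adv in advisories:
            if normalize_name(adv["package"]) == name and is_affected(version, adv["ranges"]):
                findings.append((name, version, adv["id"]))
    return findings
```

Calling `audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)` flags the two examplelib pins that fall inside a range and the unfixed other_pkg pin, while 1.4.2 itself (the fixed version) and safe-pkg pass; pip-audit does the same against the real advisory data with `pip-audit -r requirements.txt`.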
Final Words