1. Use Python 3 6.

Handle requests safely

What version of Python are you using? The end of Understand how the requests library utilizes certain security
Python 2 is near—January 1, 2020. If you are using practices so you can get the most out of them. Keep your version of
Python 2 past that date, you leave yourself open to certifi up to date—the requests library uses it to verify certificates.
any emerging security vulnerabilities.

7. Be careful with string formatting

2. Scan your code with Bandit
Bandit is an open source security scanner for Python code. It
can be run locally or as part of your CI/CD pipeline.
3. Use Pipenv for environment and dependency
There are multiple ways to format strings in Python. When
formatting strings from user input, extra care is needed to
avoid things like injection or code execution. The Template
class in the string module is a more secure way to format
strings with user input.

Python management
8. Be careful with string formatting

Security Best
Deterministic builds are important for predictable behavior
in production. However, pinning your dependencies to
Understand the different types of open source licenses and
achieve this leaves you open to security vulnerabilities.
adhere to their terms. Be wary of any project that does not

Practices
Pipenv helps you manage your environment and
have a license; you may not like the terms of the license they
dependencies in a predictable, secure way.
eventually adopt. Over 10% of packages on PyPI fall into this
category.

Cheat Sheet 4. Watch your import statements

Python import statements are flexible but can be exploited. 9. Deserialize selectively
Implicit relative imports (deprecated as of Python 3) leave
Do not deserialize data from an untrusted source. Python’s pickle
your code vulnerable to malicious code execution. Whatever
module allows for this using pickle.load. Deserializing from an
import method you use, remember be sure you trust the
untrusted source can result in arbitrary code execution.
module--importing executes code!

10. Keep up-to-date on vulnerabilities

5. Download packages with care
Assume that there are malicious packages available on PyPI.
When installing, be sure to spell the package name
correctly--you don’t want to install a malicious package that
is named for a common misspelling of a popular package.
Just because your app is secure today does not mean it will be
secure tomorrow. Stay up to date on new vulnerabilities by using
the Pipenv safety package or consider trying Snyk’s tools, which
can alert you when a new vulnerability is found in a package that
you are using.

www.snyk.io