
Executable Tutorial Proposal - DevSecOps #2453

Merged: 2 commits, Sep 11, 2024

Conversation

einbergisak (Contributor)

@einbergisak einbergisak commented Sep 9, 2024

Assignment Proposal

Title

Security Linting in Python using Bandit

Names and KTH ID

Deadline

  • Task 3

Category

  • Executable Tutorial

Description

We will demonstrate how to conduct security linting analysis using Bandit for Python, focusing on identifying common security vulnerabilities. The tutorial will be presented through Killerkoda and will cover installation, basic project setup, and usage examples.

Relevance

Security linting is highly relevant for DevSecOps and DevOps because it integrates essential security practices into the development lifecycle. Using Bandit for security linting allows teams to identify/address vulnerabilities early - aligning with the DevSecOps goal of embedding security throughout the development process.

@einbergisak einbergisak changed the title from "Executable Tutorial Proposal" to "Executable Tutorial Proposal - DevSecOps" on Sep 9, 2024
@Deee92 (Collaborator)

Deee92 commented Sep 9, 2024

Sounds good, looking forward to the tutorial.
Please resolve conflicts before I merge, @einbergisak.

@Deee92 Deee92 self-assigned this Sep 9, 2024
@einbergisak (Contributor, Author)

Thanks @Deee92, I've resolved the conflict now!

@Deee92 Deee92 merged commit 0ca24d0 into KTH:2024 Sep 11, 2024
2 checks passed
@arejula27 arejula27 mentioned this pull request Sep 20, 2024
@Uqqasha Uqqasha mentioned this pull request Sep 23, 2024
@arejula27 (Contributor)

We need to provide feedback on this assignment, but I couldn't find the link. Could you please share it with me?

@einbergisak (Contributor, Author)

@Deee92 Due to scheduling conflicts we decided to push back our work on this assignment. It was mentioned during the first lecture that the deadlines were mostly suggestions, but we realize now that they are relevant for the peers giving feedback. I've updated the proposal comment to list "Task 3" instead.

Pinging reviewers @arejula27 @Uqqasha @Alexanderliu2002 so that you are aware of this as well.

Thanks!

@arejula27 (Contributor)

Hi, how is it going? Maybe you could provide us early access so we can give feedback before the final submission.

ttoma00 added a commit to ttoma00/devops-course that referenced this pull request Oct 14, 2024
# Assignment Proposal

## Title
Feedback for executable tutorial "Security Linting in Python using Bandit".

## Names and KTH ID

  - Student Tomi Toma (ttoma@kth.se)
  - Student Sina Khoraman (sinakh@kth.se)

## Deadline

Task 3
## Category

Feedback
## Description
Feedback on KTH#2453
@ttoma00 ttoma00 mentioned this pull request Oct 14, 2024
@monperrus (Member)

@einbergisak the README file in the repo says "deadline 1", is that correct? in any case please provide the link to the tutorial and ping me. thanks!

@einbergisak (Contributor, Author)

Hi reviewers @arejula27 @Uqqasha @Alexanderliu2002 @ttoma00 !

You can view our tutorial here:
https://killercoda.com/emilsjol/scenario/bandit

Thanks! :)

@einbergisak (Contributor, Author)

Hi @monperrus !

We had initially decided on task deadline 1, but after trying to schedule some time a few weeks ago to work on it, we decided to instead focus on the deadline for task 3. When arejula27 commented, we realized that we had people who wanted to give feedback and thus updated the comment for this PR to list task 3 instead.

We made sure to notify (ping) both the assigned TA @Deee92 and the reviewers so that they were aware of this. You can see this comment earlier in this PR thread.

Our submission is now done, and you can view our tutorial here:
https://killercoda.com/emilsjol/scenario/bandit

And I've created a submission PR here:
#2668

Thank you! :)

sofiabobadilla pushed a commit that referenced this pull request Oct 16, 2024
# Assignment Proposal

## Title
Feedback for executable tutorial "Security Linting in Python using Bandit".

## Names and KTH ID

  - Student Tomi Toma (ttoma@kth.se)
  - Student Sina Khoraman (sinakh@kth.se)

## Deadline

Task 3
## Category

Feedback
## Description
Feedback on #2453
@arejula27 (Contributor)

Feedback

by @laullaurado and @arejula27

Disclaimer: We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

To begin with, this is a well-constructed tutorial. The introduction clearly explains what we are going to learn in the tutorial, as well as its structure. We believe that the tutorial was well-structured overall, allowing the reader to follow the sections smoothly and acquire knowledge incrementally. As a result, we did not encounter any gaps in knowledge between different sections. The first section explains the importance of Bandit and why it is worth our attention, highlighting its relevance within DevOps. We also appreciate the diagram and the explanation of how it works behind the scenes.

In general, the content is well summarized; it doesn’t repeat concepts, and all explanations are relevant. We found it particularly convenient that all explanations included at least one command to execute in the terminal. This interactivity helped us understand Bandit in a practical way. It also includes different use cases and an overview of the available configurations, giving a general idea about the scope of the tool.

As to high-level things that need some work: It is mentioned in the introduction that Bandit can be integrated into the CI/CD pipeline, but it doesn’t explain how or in what step/stage it should be implemented. Despite the tutorial explaining why we should use Bandit and including a command with each explanation, we did not feel that we learned how to use it. After completing the tutorial, we feel that Bandit is a valuable tool to add to our projects; however, it did not give us the confidence to say that we already know how to use it. We would appreciate more interactive elements, such as the ability to write a configuration file.

The tutorial took 8 minutes to complete.

Introduction

  • It is good that it mentions the intended learning outcomes and the general structure of the tutorial because it prepares us well before starting.
  • Maybe the “Outline” section plus the diagram was a bit much, just one of them would have been enough.

Background and Relevance

  • We found the diagram helpful and believe that understanding how the tool works makes the reader more interested in the topic.
  • It correctly explains why a user would need to use Bandit, placing special emphasis on DevOps use cases.

Installation and Configuration

  • We liked that it gives an overview of the different ways that Bandit can be used and hyped us into learning how to use them later in the tutorial, and also provides further reading material if we want to dive deeper into the usage.
  • It would’ve been good to see the implementation of the YAML file configuration. The tutorial gives a general idea, but we didn’t understand how it could be used; covering it in this section, or in a new one explaining in depth how to configure it, would be nice.

Basic Usage: No Vulnerabilities

  • The tutorial makes the reader execute an unnecessary command that creates a file and writes the standard output of an echo command to it. This is not required, as executing only the echo command would have the same effect.
  • This section demonstrates how easy it is to use Bandit, while allowing the reader to see the first output. It’s an effective approach that avoids overwhelming the user with excessive configuration and long outputs.

Secrets and Severity

  • It is good to see a basic vulnerability scan, and you explain well what the printed results mean, as well as ways to customize the vulnerability scan.
  • We didn’t get to see what the file contained.

False Positives

  • We believe this section is fundamental to a linter tutorial. In our past projects, we used Black as a linter, and there were many cases where we wanted to avoid errors caused by false positives. Addressing this issue in the tutorial is an important aspect.
  • The sentence “Open bad_sql.py with vim or any other editor, and add this comment at the end for the query at line 8” was a bit confusing. Although the determiner “this” refers to the comment in the previous paragraph, it was not immediately clear. We suggest changing the word “this” to `#nosec` to improve understanding.

Directory Scanning and Output Formatting

  • It is very useful to know how to use the tool to scan many directories as well as how to include the output in a file and the different available formats.
  • We see vulnerabilities that we hadn’t seen before in the tutorial, but we couldn’t really understand what they meant or how to mitigate them.

Outro

  • Good wrap-up text.
  • We did not find the easter egg, it would be nice to add a small hint at the end of the tutorial, we wanted to watch the racoon video 😭😭.

@arejula27 arejula27 mentioned this pull request Oct 16, 2024
@einbergisak (Contributor, Author)

@arejula27 @laullaurado Thank you for your feedback!

Regarding a hint for the easter egg - the big raccoon has the raccoon video! 😉

@Alexanderliu2002 (Contributor)

Alexanderliu2002 commented Oct 16, 2024

by @Alexanderliu2002 and @leegrash

Disclaimer: We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

Thanks for the easy-to-read and digest tutorial. Here is our feedback to you!

General

We find that the tutorial Executable Tutorial Proposal - DevSecOps is overall very nice. There are certainly strengths and weaknesses in some parts; however, the goals are clearly stated and we believe that it achieves these.

  • The tutorial is easy to follow, and the goals for each section are either clearly explained or self-explanatory through the name of the section.
  • The grammar throughout the tutorial is consistent and correct (one small error was the only thing we found).
  • The tutorial is quite basic in the sense that it gives an understanding of the bare essence of Bandit and its functionality.
  • This is delivered in a simple way that leaves the user with few questions regarding past steps which is very good. When introducing a new tool it can be easy to rush into the functionality which we feel isn't the case here.
  • The raccoon easter egg was fun!

We do however feel that there are some overall concrete ways to improve it.

  • Firstly, the tutorial as a whole gave roughly the same feeling as browsing the storefronts of your favourite toy store when you were a kid - you see all you could do, but can’t do it. The tutorial is short and gives the bare essentials, leaving the user to search for more info regarding wider use cases or solutions to more complex problems.
  • We think it would have been nice to give some further reading material or links to more examples, for example how to expand usage of the --outdir option and give concrete examples of what could be the next steps in that case.
  • Further, we think it would have been nice to have a short explanation of why Bandit specifically is the tool to use for source code examination. Just look at this list for example, https://linuxsecurity.expert/tools/bandit/alternatives/, there are a wide array of tools that cover the same basic functionality. What is special about Bandit and why should we as Python developers use it specifically?

For a more structured breakdown of our thoughts on each step, see below:

Introduction

The introduction is very clear and gives a good overview of the subject. We liked the structure of this first intro as it both explains what Bandit is and why the reader should be interested in continuing the tutorial. The only point to make on this slide is that the Python abstract syntax tree would have benefited from a bit more explanation (it is a bit technical compared to the rest of the tutorial); maybe a picture of the code that produces this tree would be very helpful!

Installation and Configuration

Not much to say here, the text flows nicely and the structure is intuitive.

Basic Usage: No Vulnerabilities

The simple structure does make it very easy to read and digest, but it depends on which target audience you are looking to present to. For example, for beginners to coding, this is great, but for more experienced programmers the example containing just a simple print() may be too simple. A relatable or real-world example would be much appreciated!

Secrets and Severity

Automatic prevention of security leaks. Now we’re talking! (Coming from a guy who accidentally pushed his secret key to a public repo like an idiot..)
Jokes aside we liked how you went through the potential downsides of Bandit finding false positives and the ease of ignoring any potential problems/sorting them by severity. As somewhat more seasoned programmers we would have loved to see exactly what is defined as a severe issue and how Bandit determines the confidence of flagged issues. Understanding the tool better would make us more likely to use it.

False Positives

Same thing applies here, it seems like a very user-friendly and useful program and you give a clear description of how to use it —but the code examples could be just a little bit more flashy or realistic :).

PS: If the tutorial is made to run through quickly, we would suggest automating the adding of the “#nosec” comment with a function like “sed”. (or providing the code/instruction for opening vim)

Directory Scanning and Output Formatting

Nice and clear explanation of a very useful tool!

Outro

We liked the friendly tone of the tutorial, thanks for teaching us!
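Several reviewers above (the arejula27/laullaurado feedback and the one just preceding) ask how Bandit's walk over Python's abstract syntax tree actually works and how a trailing `# nosec` comment suppresses a finding. The following is an added example written for this thread, not Bandit's own code and not part of the tutorial: a toy checker in the same style, parsing a source string with the standard `ast` module, reporting a hard-coded credential assignment and a SQL query assembled by string formatting, and skipping any line that carries `# nosec`. The rule ids (X105, X608), the severities and the sample source are constructed for this example and are not Bandit's.

```python
"""Toy AST-based security checker in the spirit of Bandit (added example).

Walks the abstract syntax tree of a Python source string, reports two
constructed rules, and honours a '# nosec' comment on the flagged line.
"""
import ast
import io
import tokenize

# Constructed rule data for this example (not Bandit's real ids or lists).
PASSWORD_NAMES = {"password", "passwd", "secret", "token"}
SQL_PREFIXES = ("select ", "insert ", "update ", "delete ")


def _nosec_lines(source):
    """Line numbers carrying a '# nosec' comment, found via the tokenizer so
    that comments inside strings are not mistaken for markers."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            lines.add(tok.start[0])
    return lines


def _is_sql_literal(node):
    """True for a string constant that begins with a SQL keyword."""
    return (
        isinstance(node, ast.Constant)
        and isinstance(node.value, str)
        and node.value.lstrip().lower().startswith(SQL_PREFIXES)
    )


class Checker(ast.NodeVisitor):
    """Visits AST nodes and collects findings as dicts."""

    def __init__(self, nosec):
        self.nosec = nosec
        self.findings = []

    def report(self, node, rule, severity, message):
        if node.lineno in self.nosec:
            return  # suppressed by '# nosec' on that line
        self.findings.append(
            {"line": node.lineno, "rule": rule, "severity": severity, "message": message}
        )

    def visit_Assign(self, node):
        # password = "..."  -> a hard-coded credential literal
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in PASSWORD_NAMES:
                    self.report(node, "X105", "LOW", f"possible hard-coded secret in '{target.id}'")
        self.generic_visit(node)

    def visit_BinOp(self, node):
        # "SELECT ... %s" % value  -> query text built by formatting
        if isinstance(node.op, ast.Mod) and _is_sql_literal(node.left):
            self.report(node, "X608", "MEDIUM", "SQL query built with string formatting")
        self.generic_visit(node)

    def visit_JoinedStr(self, node):
        # f"SELECT ... {value}"  -> same pattern as an f-string
        if node.values and _is_sql_literal(node.values[0]):
            self.report(node, "X608", "MEDIUM", "SQL query built with f-string")
        self.generic_visit(node)

    def visit_Call(self, node):
        # "SELECT ... {}".format(value)  -> same pattern via str.format
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "format" and _is_sql_literal(func.value):
            self.report(node, "X608", "MEDIUM", "SQL query built with str.format")
        self.generic_visit(node)


def scan(source):
    """Parse `source` and return findings sorted by line number."""
    checker = Checker(_nosec_lines(source))
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f["line"])


# Constructed sample module: lines 2 and 4 should be reported, line 5 is
# suppressed by '# nosec', line 6 uses a placeholder and is clean.
SAMPLE = '''\
import sqlite3
password = "hunter2"
user = input("name: ")
q1 = "SELECT * FROM users WHERE name = '%s'" % user
q2 = f"SELECT * FROM users WHERE id = {42}"  # nosec -- constant, reviewed
q3 = "SELECT * FROM users WHERE name = ?"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding['line']}: [{finding['rule']}] {finding['severity']}: {finding['message']}")
```

Running the module prints two findings for `SAMPLE`; the f-string on line 5 is skipped only because of its `# nosec` marker, which is why such markers deserve a short justification comment and a reviewer's eye, exactly the point the False Positives section of the tutorial makes.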

@Uqqasha (Contributor)

Uqqasha commented Oct 17, 2024

Feedback

by @Uqqasha and @lvainio

We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

General

First of all, let us just say, the overall tutorial experience is engaging, well-structured, and informative. Here are some of the things we especially appreciated:

  1. Clarity and Simplicity: The tutorial is written in easy-to-understand language.
  2. Flowchart Diagram: The inclusion of a flowchart at the beginning is fantastic.
  3. Learning Outcomes: The “Intended Learning Outcomes” section in the start sets the stage for the learner.
  4. Easter Egg Surprise: The hidden raccoon video? That’s a fantastic touch! Who doesn’t love a good scavenger hunt while learning? :D

Now, here are some areas where we think the tutorial could benefit from a little tweak:

  1. Deeper Explanation: While the tutorial is simple, it skips some valuable technical explanations at some places. For example, Python's abstract syntax tree is only briefly mentioned, similarly the output of the Bandit's commands.
  2. Consolidation of Steps: Some steps in the tutorial could be streamlined. For instance, creating and writing to code.py could be done in one command.
  3. Explaining Bandit Output: Several times throughout the tutorial, you run Bandit but don’t explain the output. For example, when you run it on code.py and bad_secrets.py, you could include a brief explanation of what learners are seeing in the output.
  4. False Positives Explanation: The “False Positives” section could use a bit more detail. While you mention the variable is hard-coded, explaining which variable and why the hard-coding removes the risk would be helpful for the learners.
  5. Difficulty Level: The tutorial is quick to complete (approx. 10 mins). While this shows how easy it is to use the tool, it also leaves out some of the advanced capabilities of the tool such as writing custom rules or integrating Bandit into CI/CD pipelines.

Introduction

The intro does a great job of setting the stage for the tutorial. However, we suggest adding a small section about how Bandit fits into DevOps pipelines, with a brief mention of other tools it could work alongside.

Installation and Configuration

The installation section is very simple. Providing a high-level overview of 3 methods of how to configure Bandit along with the installation is interesting. The inclusion of a .bandit configuration file example is very helpful, since it is mentioned that this configuration option will not be part of the tutorial.

Basic Usage

The basic usage section is clear. The only improvement we would suggest is to combine the commands for creating and populating code.py. Also, after running Bandit, a brief description of what the Bandit output looks like (e.g., what CWE means, what the line numbers represent) would help.

Secrets and Severity

In this section, we really liked the rhetorical question, “But why would one want to skip possible issues?” as it keeps the reader engaged. However, just like in the earlier sections, a bit more detail about the output would be useful.

False Positives

This section is definitely one of the highlights, and I loved that you introduced the # nosec tag, which is such a cool feature of Bandit. However, it would be helpful to clearly explain why this particular SQL query in bad_sql.py is a false positive. You mention “the variable is hard coded”, but it would be beneficial to explain which variable and on which line in the code.

Directory Scanning

The recursive scan feature is well demonstrated, but it would be useful to state how many files are in the directory before running the scan. That way, learners have an idea of what to expect when the scan runs.

Outro

The wrap-up is solid and you briefly summarize what has been covered.
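The False Positives remarks in this review and in the arejula27/laullaurado one both ask why the string-formatted query in the tutorial's bad_sql.py is a false positive and what the reader should do about it. The following is an added example written for this thread, not the tutorial's bad_sql.py and not Bandit's code: it builds an in-memory SQLite table with constructed rows and runs the same lookup three ways, so the reader can see (1) a formatted query assembled only from a constant, which a linter flags but which no input can influence, (2) the same pattern with caller-supplied input, where a single apostrophe in the input changes the SQL and the statement fails to parse, and (3) the parameterized form, which removes the risk rather than hiding the warning. Table name, rows and the `FIXED_NAME` constant are assumptions for this example.

```python
"""Constant-query false positive versus parameterized fix (added example).

Uses only the standard library; the table and rows are constructed inline.
"""
import sqlite3

# Constant: the query assembled from it cannot be influenced by any input.
FIXED_NAME = "bob"


def make_db():
    """In-memory SQLite database with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_constant(conn):
    """String-formatted query built only from a constant. A linter flags the
    pattern, but nothing untrusted reaches it, so the warning is a false
    positive; the trailing marker is the suppression the tutorial teaches."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % FIXED_NAME  # nosec
    return conn.execute(query).fetchall()


def lookup_formatted(conn, name):
    """Same pattern with caller-supplied input: here the warning is a true
    positive, because characters in `name` become part of the SQL text."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """The fix: bind `name` as a parameter so the driver treats it as data.
    No string formatting is involved, so there is nothing left to flag."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def formatted_query_is_fragile(conn, name):
    """True when formatting `name` into the query alters its SQL structure
    enough that SQLite rejects the statement. One apostrophe suffices."""
    try:
        lookup_formatted(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("constant query   :", lookup_constant(db))
    print("parameterized    :", lookup_parameterized(db, "o'brien"))
    print("formatted breaks :", formatted_query_is_fragile(db, "o'brien"))
```

The name `o'brien` is an ordinary value, not an attack string, yet it is enough to show that the formatted query's meaning depends on its input while the parameterized query's does not. That is the distinction a reader needs in order to decide between adding `# nosec` (input is provably constant) and rewriting the query (input is not).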

@Uqqasha Uqqasha mentioned this pull request Oct 17, 2024
@Deee92 (Collaborator)

Deee92 commented Oct 20, 2024

> by @Alexanderliu2002 and @leegrash

Hi @Alexanderliu2002 and @leegrash, could you update your feedback to add the mandatory statement about not having used generative AI? :)

@Alexanderliu2002 (Contributor)

> > by @Alexanderliu2002 and @leegrash
>
> Hi @Alexanderliu2002 and @leegrash, could you update your feedback to add the mandatory statement about not having used generative AI? :)

Hi @Deee92, I completely missed including it; it is added to the comment now, sorry!!
