Thanks for sharing those results, Ben. A number of the issues raised there
are also a matter of best practices not being followed (like using
non-typed try/except/pass blocks, or calling os.system), so it's good to see
them flagged. Also, though it would be really nice to get away from raw SQL
and rely more on the ORM, looking through those results I think that the
SQL may be the trickiest to remedy. At any rate, a very good roadmap for an
initial security update.

Adam

On Mon, Dec 17, 2018 at 5:07 PM Ben O'Steen <[email protected]> wrote:

> I ran the project through the Bandit 'security linter'
> (https://pypi.org/project/bandit/), which flagged up a number of small
> issues. I've attached the result of this in case it is of interest (run on
> 4.3.1, so obviously run it against whatever you plan to deploy).
>
> It is just one tool to use to help gauge the relative security of an app,
> though. Fuzzing and Django-tailored attacks should also be tried.
>
> Ben
>
>
> On Mon, 17 Dec 2018 at 14:55, Adam Cox <[email protected]> wrote:
>
>> Hi John, I have not had a security audit either, and would be very
>> interested in the results. I do have a pending deployment for the Bureau of
>> Land Management which will most likely require an audit, so I'm expecting
>> to do some prep work on Arches for that at some point.
>>
>> On Mon, Dec 17, 2018 at 5:14 AM Vincent Meijer <[email protected]>
>> wrote:
>>
>>> Hi John,
>>>
>>> I haven't heard of anyone doing a security audit for Arches, but if so I
>>> would also be quite interested in hearing about it.
>>>
>>> Best,
>>> Vincent
>>>
>>> On Monday, 17 December 2018 10:49:03 UTC+1, John Murphy wrote:
>>>>
>>>> Good morning everyone!
>>>>
>>>> I was wondering if anyone has had to commission a security audit of
>>>> Arches yet and, if so, what have your experiences been? Our corporate IT
>>>> are going to require one before they allow me to set this loose on our
>>>> network, and it would be good to know what I need to look out for.
>>>>
>>>> Many thanks,
>>>>
>>>> John
>>>>
>>> --
>>> -- To post, send email to [email protected]. To
>>> unsubscribe, send email to [email protected].
>>> For more information, visit
>>> https://groups.google.com/d/forum/archesproject?hl=en
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "Arches Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>

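The three kinds of Bandit finding discussed in the thread (raw SQL built by string formatting, shelling out through os.system or a shell, and bare try/except/pass), each shown beside a hardened form. This is an added illustration, not code from the Arches project or from anyone in the thread; the in-memory table, its rows and the sample inputs are constructed for the demonstration, and the Bandit rule IDs in the comments are the ones the tool uses for these patterns.

```python
"""Added example, not Arches project code: three Bandit findings beside fixes.
The table, rows and inputs below are constructed for the demonstration."""
import logging
import sqlite3
import subprocess

log = logging.getLogger(__name__)


def make_db():
    """Constructed in-memory table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    db.executemany("INSERT INTO resources (name, public) VALUES (?, ?)",
                   [("Castle", 1), ("Restricted site", 0)])
    db.commit()
    return db


# 1. Raw SQL assembled with string formatting (Bandit B608): the caller's
#    value becomes part of the statement, so a quote in it rewrites the WHERE.
def public_names_unsafe(db, name):
    sql = "SELECT name FROM resources WHERE public = 1 AND name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


# Hardened: a parameterised query. The value travels separately from the
# statement text, so the same input is matched literally and returns nothing.
def public_names_safe(db, name):
    sql = "SELECT name FROM resources WHERE public = 1 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


# 2. Running a command string through a shell (os.system, or subprocess with
#    shell=True; Bandit B605/B602): the shell parses metacharacters in the
#    argument, so ";" starts a second command.
def echo_unsafe(user_text):
    proc = subprocess.run("echo " + user_text, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


# Hardened: an argument list and no shell. The argument reaches the program
# untouched, so ";" is just a character in it.
def echo_safe(user_text):
    proc = subprocess.run(["echo", user_text], capture_output=True, text=True)
    return proc.stdout


# 3. Bare try/except/pass (Bandit B110) hides real bugs: a non-string value
#    raises AttributeError here, which is silently turned into None.
def lookup_unsafe(config, key):
    try:
        return config[key].strip()
    except:  # noqa: E722
        pass
    return None


# Hardened: catch only the condition we expect (a missing key), log it, and
# let anything else propagate so it surfaces in tests and error reports.
def lookup_safe(config, key):
    try:
        value = config[key]
    except KeyError:
        log.warning("config key %r is missing", key)
        return None
    return value.strip()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe SQL:", public_names_unsafe(db, payload))  # every row, public or not
    print("safe SQL:  ", public_names_safe(db, payload))    # []
    print("unsafe shell:", repr(echo_unsafe("hello; echo INJECTED")))
    print("safe shell:  ", repr(echo_safe("hello; echo INJECTED")))
    print("unsafe lookup:", lookup_unsafe({"path": 42}, "path"))  # None, bug hidden
```

The SQL pair is the one most relevant to Adam's point: moving a query to the ORM is the long-term fix, but a raw query can be made injection-safe today just by passing the values as parameters instead of formatting them into the string, which is also what makes Bandit's B608 finding go away.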