Python vulnerabilities document ready for ISO/IEC balloting

We have been working throughout the pandemic to develop ISO/IEC 24772-4 Programming languages – Programming language vulnerabilities – Vulnerabilities for the programming language Python. This document is essentially ready to go to ISO for Draft International Standard balloting. Before we initiate that step, however, we want the Python community to review it and provide feedback. I will review feedback on this forum or anyone interested can send me comments at stephen.michell@maurya.on.ca.

Thank you.

Where can people view this document?

I found a draft with editing markup here: https://www.open-std.org/JTC1/SC22/WG23/docs/ISO-IECJTC1-SC22-WG23_N0754-tr24772-4-draft-python-help-from-experts-20171018.pdf

To peek at the end result you’d be helping produce, here’s the Ada equivalent: ISO/IEC TR 24772-2:2020 - Programming languages — Guidance to avoiding vulnerabilities in programming languages — Part 2: Ada. Only 173CHF (~196USD).

2 Likes

cc @sethmlarson

@effigies Thanks for sharing the link to draft, in the docs folder multiple versions were available for review. As a consultant working in Software as a Medical Device (SaMD) with a focus on cybersecurity, I’ve reviewed some of the documents and had some thoughts on its Python-specific guidance.

While the document does a decent job addressing language-level vulnerabilities, many of Python’s real-world security risks arise in application domains like web development, where challenges align closely with the OWASP Top 10. Given the prevalence of these use cases, it might be beneficial to see guidance that reflects the types of vulnerabilities developers are likely to encounter when deploying Python-based software.

In my experience, teaching foundational security practices is often more achievable than teaching developers how to program Python more effectively, at least as a consultant. From this perspective, the Python-specific standard may be more useful to less experienced developers by highlighting language-specific risks and pitfalls.

I expect that the intent is for developers to follow both the Python specific standard and the general standard (ISO/IEC 24772-1) together. I personally prefer the general standard as it covers foundational security practices that are easily overlooked in real-world Python applications. You may follow all the points from the Python specific standard and still have created a very vulnerable application.

I’m curious to hear what kind of feedback you’re specifically after

3 Likes

The document that we are finalizing for ballot is available at

www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N1429-24772-4-python-vulnerabilities-after-meeting-20241023.pdf.

There are still editing markups in the document, but it is essentially complete. The ISO balloting process could result in some changes, and comments from the Python community can impact the document.

Stephen Michell
Maurya Software
Convenor ISO/IEC/JTC1/SC22/WG 23 Programming Language Vulnerabilities
Tel: 613 299 9047
email: stephen dot michell at maurya dot on dot ca

I read that import modulename copies all attributes from the ‘modulename’ module into the importing program. Could you elaborate on this?

Also, what vulnerabilities does modular programming have in general, and specifically when using import modulename?

Dear Stephen,

This link appears to be 404 for me.

A

https://www.open-std.org/jtc1/sc22/wg23/docs/ISO-IECJTC1-SC22-WG23_N1429-24772-4-python-vulnerabilities-after-meeting-20241023.docx

Thank you for this research. In general, I am happy when this work is done but would be even more excited if the results of this work was contributed to a place that doesn’t require people writing Python to read this document. There’s the unknown-unknowns problem (do I need to care about security?), discoverability problem (where to look? which article?), reading and understanding, and finally the long-term “solution” requiring every developer who contributes code to go through this cycle. This is not an efficient use of time by developers, especially to cover the scope of secure coding practices.

My recommendation is to contribute these findings to an automated source code analysis tool in Python, such as Bandit, so that we evangelizing Python security have a much easier job to do: telling people “you should use Bandit!”

Secondly, the OpenSSF Best Practices working group has a project happening now that intersects quite heavily with your work, creating a list of known insecure Python code patterns and alternatives. I’ve given them the same feedback that I’ve given you about contributing to an automated tool. Hopefully these links and advice are of use :slight_smile:

5 Likes