DEV Community

Vickie Li for ShiftLeft

Posted on • Originally published at blog.shiftleft.io on

Static Analysis of Python Applications

We are pleased to announce that we have updated NG SAST to use the CPG deep analyzer for the analysis of Python applications!

Python applications and the vulnerabilities they contain

As of 2020, Python was the third most popular programming language in use. Python was originally released in 1991, and since then, Python’s been used in machine learning, business intelligence, natural language processing, web development, and more.

Python is used by companies both small and large, and while this language isn’t known for causing security issues the way C or C++ is, Python applications still come with their fair share of security vulnerabilities (just as any other programming language would!).

Detecting vulnerabilities in Python applications with a SAST solution

SAST solutions are useful for detecting the presence of vulnerabilities in an application. They are less expensive than having a security engineer manually review your code, but they’re more comprehensive than a bug bounty program.

The downside, however, is that many tools present unacceptably high levels of false positives (findings that are presented as security vulnerabilities when they’re not) and false negatives (security vulnerabilities that aren’t identified). This is typically a result of only looking at the source code of a program at a superficial level.

Improving SAST results

SAST programs can improve the results it presents by looking at multiple aspects of a program. By storing multiple representations of an application in a data structure, a SAST solution can gain additional information about what’s present and what’s not. Traditionally, there have been three data structures commonly used for static code analysis:

  1. Abstract syntax trees: encodes the general structure of a program
  2. Control-flow graphs: encodes the paths of execution in a program
  3. Data-flow graphs: encodes the flow of data from one part of the program to another

ShiftLeft CORE leverages all three, combining them into a single data structure called the Code Property Graph.

The Code Property Graph (CPG) is a data structure that’s designed for vulnerability discovery. It stores multiple representations of the same program, all of which contribute to the precise detection of security flaws, minimizing false positives and false negatives.

Getting Started

Ready to see how secure (or not) your Python application is? Sign up for a free account and get started with ShiftLeft CORE today!


Discussion (0)