KTH / devops-course

Repository of the DevOps course at KTH Royal Institute of Technology DD2482

Executable Tutorial Submission #2668

Closed einbergisak closed 1 month ago

einbergisak commented 1 month ago

Assignment Proposal

Title

Security Linting in Python using Bandit

Names and KTH ID

Deadline

Category

Description

We will demonstrate how to conduct security linting analysis using Bandit for Python, focusing on identifying common security vulnerabilities. The tutorial will be presented through Killerkoda and will cover installation, basic project setup, and usage examples.

The tutorial can be viewed here:

Relevance

Security linting is highly relevant for DevSecOps and DevOps because it integrates essential security practices into the development lifecycle. Using Bandit for security linting allows teams to identify/address vulnerabilities early - aligning with the DevSecOps goal of embedding security throughout the development process.
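As an added example (not code from the tutorial or the course repository), the three outcomes the tutorial walks through in one file: a finding Bandit reports, the fixed form it stays silent on, and a false positive accepted with a `# nosec` comment. Function names and the sample values are constructed for this example; the B-codes are Bandit's own test IDs.

```python
"""Run `pip install bandit` and then `bandit -r .` in this directory: the
*_unsafe code is reported, the fixed versions are not, and the `# nosec`
line is listed as a skipped finding with its justification next to it."""
import random
import secrets
import subprocess
from typing import Mapping, Sequence

# Finding: shell=True hands the string to /bin/sh, so its contents are parsed
# as shell syntax. Bandit reports B602 (subprocess_popen_with_shell_equals_true)
# and notes the import itself as low-severity B404.
def echo_unsafe(text: str) -> str:
    return subprocess.run("echo " + text, shell=True,
                          capture_output=True, text=True).stdout

# Fix: pass an argv list. No shell runs, the string is exactly one argument
# (whitespace is preserved), and Bandit has nothing to report here.
def echo_safe(text: str) -> str:
    return subprocess.run(["echo", text], capture_output=True, text=True).stdout

# Finding: a string literal assigned to a name containing "password" is B105
# (hardcoded_password_string). The value is a constructed placeholder.
DB_PASSWORD = "sample-not-a-real-secret"

# Fix: read the secret from the environment. The mapping is passed in so the
# function can be exercised without touching os.environ.
def get_db_password(env: Mapping[str, str]) -> str:
    try:
        return env["DB_PASSWORD"]
    except KeyError:
        raise RuntimeError("DB_PASSWORD is not set") from None

# False positive: B311 flags random.choice because it is not cryptographically
# secure, but choosing a cosmetic banner has no security impact, so the finding
# is suppressed by test ID with the reason recorded above the line.
def pick_banner(options: Sequence[str]) -> str:
    return random.choice(options)  # nosec B311

# Where unpredictability does matter (tokens, session ids), use the secrets
# module; this is the replacement Bandit's B311 message points to.
def new_session_token() -> str:
    return secrets.token_hex(16)
```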

monperrus commented 1 month ago

well received @einbergisak, good work.

SKFrozenCloud commented 1 month ago

Feedback

by Tomi Toma (ttoma) and Sina Khoraman (sinakh)

We certify that generative AI, incl. ChatGPT, has not been used to write this feedback. Using generative AI without permission is considered academic misconduct.

Overall experience

We want to start by thanking you, Emil and Isak, for this insightful tutorial. It was a very detailed tutorial with information about Bandit, how to use it and why it is relevant to devops, which we liked. It was especially interesting for us who are doing the cybersecurity master to see how devops can be used in cybersecurity and how such statistical analysis tools can make life easier when searching for vulnerabilities in code. You mentioned in the beginning that Bandit can be used for GitHub Actions; https://dev.to/sre_panchanan/learning-github-actions-in-a-simple-way-4i31 is a tutorial that shows how that can be used, which could be interesting for future projects. We also managed to find the raccoon video and he seemed to enjoy his cotton candy.

High-level strengths

We felt that the tutorial had a very good structure from the beginning to the end. The intro was very clear and informed us what to expect to learn and what we were going to do in this tutorial. You had a very good flow to follow the tutorial and we did not feel that something felt off or out of context when following all the steps. The images made the tutorial more appealing and more engaging, and we liked the diagrams and felt that they made it easier for us to understand how the tool works. It was nice that we got to see examples for multiple situations in Bandit: when there are no vulnerabilities, when there are vulnerabilities, and also it was very good to mention false positives to make us aware of the issue. It can be very easy to miss that false positives can occur.

High-level weaknesses

We felt that the tutorial could have been more interactive; you had one example where we had to modify the code by adding a comment. We feel that it would have felt more interactive if we did more of that and created the files ourselves, for example. Another thing that also made it feel less interactive was that all the commands that ran on the terminal were just by us clicking on the text. It would have been more interactive if we had to write the commands ourselves and not just click to execute. I think that it also makes it more fun when it is interactive and we get to do a bit more in the tutorial.

Summary

In conclusion we feel that you have done a very good and insightful tutorial where we learned a lot about the tool and how it can be used and what different scenarios can occur when using it. Even though you had a lot of information in the tutorial we did not feel that it was overwhelming and it was pretty easy to follow and execute the different steps which made it a very good learning opportunity. You covered all relevant aspects of the tool and it was very good how you managed to do it and still keep the tutorial easy and simple to follow and not make it too complex.