Presentation

[mvondracek]

Notes for final presentation of our secure development project:

• development guidelines (CONTRIBUTING.md)
• master and dev branches are protected and require 2 approving pull request reviews

[mvondracek]

• limitations for type checking, what isinstance can check, matching type but when programmed overrides/replaces methods.

[mvondracek]

• ShellCheck - A shell script static analysis tool https://github.com/koalaman/shellcheck used for scripts with for radamsa, later it should be used for other tests with shell

[mvondracek]

Validation of internal resources, testing with mocking ResourceManager. 064bad28e8ebd6fb93ba8493a0a8aa5ab53e58d0

[mvondracek]

Fuzzing mnemonic, seed, entropy, password with radamsa

[mvondracek]

• Documentation generated directly from sources
• Doctests for testing code examples in documentation
• Doctests tested on Travis CI, too // #61

[mvondracek]

• Testing with reference implementation (package and CLI tool)
• Reference testing is tested on Travis CI, too. Number of iterations with random inputs can be configured using environment variable (default set to 10). // #63 (second part)

[mvondracek]

Testing divided to: doctest, unit tests, integration tests, reference tests. + fuzzing

[mvondracek]

Code analysis tools incorporated to our CI pipeline:

• Bandit https://github.com/PyCQA/bandit Bandit is a tool designed to find common security issues in Python code.
• FIXME https://github.com/codeclimate/codeclimate-fixme Finds FIXME, TODO, HACK, etc. comments.
• markdownlint https://github.com/markdownlint/markdownlint markdownlint is a tool designed to check markdown files and flag style issues.
• pep8 https://github.com/codeclimate/pep8 Pep8 provides feedback on Python code style following the rules outlined in the PEP 8 style guide.
• Radon https://github.com/rubik/radon Radon provides Cyclomatic Complexity checks on both Python 2 and Python 3 code.
• SonarPython https://www.sonarsource.com/products/codeanalyzers/sonarpython.html Over 50 checks for bugs, vulnerabilities, and code smells in Python code.
• ShellCheck https://github.com/koalaman/shellcheck A static analysis tool for shell scripts.

Code coverage analysis:

• Coveralls https://coveralls.io/
• coverage.py https://github.com/nedbat/coveragepy

[mvondracek]

Python package with installation, package data, and CLI tool.

[mvondracek]

Validation of inputs (maybe taint analysis?) using instantiation. After reading from user/files and until instantiation of our classes, data are consideres insecure. Later, when we are dealing with instances of our classes, data are considered secure.

[mvondracek]

Example of package usage (API) from generated docs (sphinx). Example, how our typechecking is more like better UX for programmers, but in Python, programmer could always create broken instance inherited from our class, which would sys.exit(1) after any our method gets called.

[mvondracek]

• secure comparison of Seed objects