Code does not lie
Good security measures do not have to be technical. Defence in depth calls for a mix of technical and non-technical measures. A healthy distrust means never trusting software or hardware blindly, and taking as many measures as needed to bring cyber risks down to an acceptable level.
Be wary of organisations that claim full compliance with international standards when you evaluate their products and services. Transparent audit reports that analyse both the cyber security processes and the products used in depth are rare.
Transparency helps to improve cyber security. Security by obscurity is generally bad practice. When the audit results for cyber security processes and the software products used are not fully transparent, all you can do is trust. Trust is good, but good security requires control.
Creating secure software is a difficult process made up of many complex tasks. This also applies to the security software that is supposed to mitigate security risks: too often, major security incidents are caused by the very tools that should protect us.
Creating secure software requires good software engineering skills, but also in-depth knowledge of and experience with the crucial cyber security aspects. Security starts with architecture and design. An architecture and design can be communicated using one of the many proven methods. The most important architecture aspects to share from a security perspective are:
- Principles applied
- Constraints and requirements
- Architecture and design decisions
Results of static application security testing (SAST) indicate potential security issues, but that alone is not enough. An objective judgement of cyber security risk is only possible when SAST results are evaluated together with the architecture and design that served as input for the code.
Python Code Audit makes it simple to share SAST results for Python code. Code does not lie. Solid statements about security risks, however, can only be made with additional information about the software's architecture and its usage context, including how and where it will be used.
For general-purpose code such as libraries or frameworks, the bar should be very high. The versatile nature of generic software libraries means they are deployed in diverse applications, sometimes in ways their authors never anticipated.
So when using a general Python module, do not assume the code is secure because the library has many stars on GitHub. GitHub stars are a vanity metric. A good security practice: trust is good, but verifying is better.
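As an added illustration of the two points above (what a SAST pass can flag, and where verifying a third-party Python module starts), here is a minimal AST-based scanner. This is example code written for this page, not the Python Code Audit tool's own code; the sink list, the `Finding` record and the sample module it scans are assumptions constructed for the illustration. It finds calls to a handful of dangerous sinks and notes whether the argument is a constant, but it deliberately cannot say whether a non-constant argument is attacker-controlled: that answer comes from the architecture and usage context, not from the code.

```python
"""Minimal AST-based SAST pass (added illustration, not the Python Code Audit tool).

Finds calls to a short, assumed list of risky sinks and records whether the
first argument is a constant. Whether a non-constant argument is actually
attacker-controlled is left to the architecture review on purpose.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed sink list for the illustration; a real scanner needs a far longer one.
RISKY_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "pickle.loads": "deserialisation of untrusted data",
    "os.system": "shell command execution",
    "subprocess.run": "shell command execution (only with shell=True)",
    "subprocess.call": "shell command execution (only with shell=True)",
}


@dataclass(frozen=True)
class Finding:
    line: int
    call: str
    reason: str
    constant_arg: bool  # True when the first argument is a literal: not injectable


def _qualified_name(node: ast.expr) -> str | None:
    """Return 'pkg.attr' for Name/Attribute chains such as pickle.loads, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _has_shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str) -> list[Finding]:
    """Walk the AST and report every call to a sink in RISKY_CALLS, in line order."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name not in RISKY_CALLS:
            continue
        # A subprocess call without shell=True passes an argv list, so no shell parses it.
        if name.startswith("subprocess.") and not _has_shell_true(node):
            continue
        constant = bool(node.args) and isinstance(node.args[0], ast.Constant)
        findings.append(Finding(node.lineno, name, RISKY_CALLS[name], constant))
    return sorted(findings, key=lambda f: f.line)


def report(findings: list[Finding]) -> list[str]:
    """One line per finding, phrased as the question the architecture review must answer."""
    lines = []
    for f in findings:
        if f.constant_arg:
            lines.append(f"line {f.line}: {f.call} with a constant argument ({f.reason}); "
                         "not injectable, still worth a look")
        else:
            lines.append(f"line {f.line}: {f.call} on a non-constant argument ({f.reason}); "
                         "where does that value come from?")
    return lines


# Constructed sample module for the illustration; not code from any real project.
SAMPLE_MODULE = '''\
import os, pickle, subprocess

def render(template, ctx):
    return eval(template, {}, ctx)

def load_session(blob):
    return pickle.loads(blob)

def list_dir(path):
    subprocess.run(["ls", "-l", path])
    return subprocess.run("ls -l " + path, shell=True)

def version():
    return os.system("uname -r")
'''

if __name__ == "__main__":
    for line in report(scan_source(SAMPLE_MODULE)):
        print(line)
```

Run against the sample module it reports four findings (`eval` on line 4, `pickle.loads` on line 7, `subprocess.run` with `shell=True` on line 11, `os.system` on line 14) and skips the argv-list `subprocess.run` on line 10. Only the `os.system` call has a constant argument; for the other three the scanner can only ask where the value comes from, which is exactly the information the architecture and design have to supply.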
Try Python Code Audit
A modern Python source code analyzer based on distrust.

