Skip to main content

Introducing Precaution

· 2 min read
Eric Brown
Founder of Secure Sauce

Precaution is a new static application security testing (SAST) tool designed to tightly integrate into your GitHub development workflow. Each time a pull request is opened, Precaution runs its advanced static analysis on the code changes to detect potential security vulnerabilities. Every effort is made to be as accurate as possible to avoid noisy false positives.

Precaution finds issues such as injection, weak hashes, cleartext transmission of data, timing attacks, weak encryption, deserialization of untrusted data, improper certificate validation, and more.

What differentiates Precaution from other SAST tools? Here are few key features that set it apart.

  • It can resolve calls of potential vulnerabiliites that have been imported via wildcards. For example, in the following code the * will import all functions within the yaml module including load. load was never explicitly imported, but Precaution will still detect this insecure usage of yaml.load without loader yaml.SafeLoader.

    from yaml import *


    load("{}")
  • It can detect when a call is missing from a sequence in order to secure a protocol. For example, in the following the connection is insecure without initializing TLS (calling s.starttls()). It's especially worse when the user and password is also sent on this unecncrypted connection.

    import nntplib


    s = nntplib.NNTP("news.gmane.io")
    s.login("user", "password")
    f = open("article.txt", "rb")
    s.post(f)
    s.quit()
  • It checks for comparison operators such as == for conditions that might lead to a timing attack. For example, in the following snippet HMAC digests are compared using the == operator. However, to prevent a potential timing attack hmac.compare_digest() should always be used.

    import hmac


    received_digest = (
    b"\xe2\x93\x08\x19T8\xdc\x80\xef\x87\x90m\x1f\x9d\xf7\xf2"
    b"\xf5\x10>\xdbf\xa2\xaf\xf7x\xcdX\xdf"
    )

    key = b"my-secret-key"
    password = b"pass"
    digest = hmac.digest(key, password, digest="sha224")

    if digest == received_digest:
    print("HMAC match")
  • It ensures a potential vulnerable call is actually imported. For example, in the following code, some SAST tools might detect an insecure usage of the md5 hash. hashlib.md5() was imported but only within the scope of the test_func functino. Instead, a function of the same name defined is the function that is called.

    def md5():
    pass

    def test_func():
    from hashlib import md5

    md5()

These are just some of the features. We encourage you to try it out yourself. Head over to https://precaution.app/ to get started today.