Hello and welcome to the Friday, January 23rd, 2006 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

And this episode is brought you by the sands.edu created certificate program in

industrial control system security. And I mentioned it yesterday, but we are currently looking

for people to fill in our SOC survey. So if you haven't gotten around to it yet, a link to it can

be found on the Internet Storm Center's homepage.

Well, Xavier today looked at a new tool. Bandit. Bandit is a tool that allows you to a static code analysis of Python scripts. Xavier writes a lot of Python and lately also a lot of Python with

AI. And there's, of course, a lot of issues that people run into

when they are using AI for coding. And this particular case, it's a script that Xavi wrote. It's

about a thousand or so lines long. So a pretty good size for a Python script. And he looked at Bandit to give an idea whether or not

the script is reasonably secure. Well, it turned out it was actually reasonably secure. I had some

minor issues, but then of course all depends, as Xavier points out, how the particular script is used, whether or not these issues matter.

A lot of the static code analysis is sometimes a little bit mechanical in that sense.

It comes to using AI tools, like to wipe coding, as it's often referred to.

One of the important things, first of all, is that you design your prompt correctly.

And Xavier gives you some hints there in how to do that and what to look for here.

And in my personal experience, it also helps a lot if you actually know how to code

and use AI sort of more as an assistant

versus having it code all of the code by itself.

That way, sort of do a little bit of review anyway as you're checking what the AI tool

created for you.

And that also usually helps with a lot of logic flow issues and such,

...