I audited an open source Python SDK for firewall management. Auditor Core v2.3 flagged 13 critical findings across 10 production modules — all the same root cause.

Every core module uses Python's native xml.etree.ElementTree parser, the one whose own documentation warns that it is not secure against maliciously constructed data and points users elsewhere.

Affected: 10 core modules across the entire SDK — every file that handles XML parsing in production.

The library's purpose is to parse XML responses from live network devices. Any attacker-influenced response (MitM, compromised appliance, rogue endpoint) gets processed without XXE or Billion Laughs protection.

Second finding: hashlib.sha1() used for value hashing in production logic, and a comment in the source explicitly acknowledges it. SHA-1 has had a practical collision attack since 2017.
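As an added illustration (not code from the audited SDK or from Auditor Core), the migration a reviewer would ask for: a value-hashing helper on SHA-256, constant-time comparison when the digest is checked, and, for the one legitimate exception, the stdlib flag that declares a hash is not used for security. The function names and sample values are my own.

```python
import hashlib
import hmac


def value_fingerprint(value: bytes) -> str:
    """Fingerprint a value for integrity or lookup purposes.

    SHA-256 replaces SHA-1 here; the call shape is identical, so the
    migration is a one-token change at each hashlib.sha1() site.
    """
    return hashlib.sha256(value).hexdigest()


def fingerprint_matches(value: bytes, expected_hex: str) -> bool:
    """Compare a recomputed fingerprint against a stored one.

    hmac.compare_digest avoids early-exit timing differences, which matters
    whenever the stored digest gates a decision.
    """
    return hmac.compare_digest(value_fingerprint(value), expected_hex)


def legacy_bucket_id(value: bytes) -> str:
    """The only defensible way to keep SHA-1: a non-security use.

    usedforsecurity=False (Python 3.9+) documents that this digest is a
    bucket/cache key only, and lets FIPS-mode builds and scanners treat it
    accordingly. Anything that verifies integrity or identity must not
    take this path.
    """
    return hashlib.sha1(value, usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    # Constructed sample input; the digests below are the well-known test vectors for "abc".
    sample = b"abc"
    print(value_fingerprint(sample))
    print(fingerprint_matches(sample, value_fingerprint(sample)))
    print(legacy_bucket_id(sample))
```

Whether any given SHA-1 call site is really a non-security use is a judgment the audit comment has to support; absent that, SHA-256 is the default answer.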

Both were found using Auditor Core v2.3 — my deterministic security engine that combines SAST, SCA, secrets, and CI/CD analysis with AI validation.

What makes it different from running Bandit or Semgrep directly:
→ Findings are deduplicated and correlated across detectors (the SHA-1 issue was caught by 3 rules, reported once with full context)
→ Every finding maps to SOC 2 TSC, CIS Controls v8, and ISO 27001:2022
→ Code quality noise is separated from real vulnerabilities before report generation
→ PDF output is structured for cyber insurance underwriting and SOC 2 readiness

The fix is trivial: replace import xml.etree.ElementTree as ET with import defusedxml.ElementTree as ET in each module. Drop-in compatible.
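To make the finding concrete, here is an added example (my own code, not the SDK's and not part of defusedxml) of what the drop-in actually buys. defusedxml works by hooking expat's DOCTYPE, entity-declaration and external-entity callbacks on the ElementTree parser; CPython's C-accelerated XMLParser does not expose those hooks, so this standard-library stand-in runs a bare expat pass with the same three callbacks as a gate before handing the bytes to xml.etree. The sample documents are constructed: one ordinary device response, one with an empty DOCTYPE, one that declares an internal entity. Function names are my own.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares an entity or references an external one."""


def _entity_gate(data: bytes, forbid_dtd: bool = False) -> None:
    """Refuse entity constructs before any tree is built.

    Mirrors defusedxml's defaults: entity declarations and external entity
    references are rejected; a bare DOCTYPE is allowed unless forbid_dtd=True.
    Exceptions raised inside expat callbacks propagate out of Parse().
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE forbidden (name={name!r})")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # Internal entities are the building block of expansion attacks;
        # external ones (sysid set) are the XXE vector.
        raise UnsafeXMLError(f"entity declaration forbidden (name={name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference forbidden ({sysid!r})")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_fromstring(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Replacement for ET.fromstring() on untrusted device responses.

    In a real code base the module-level fix from the post is simpler:
        import defusedxml.ElementTree as ET
    This function exists only to show what that import rejects.
    """
    _entity_gate(data, forbid_dtd=forbid_dtd)
    return ET.fromstring(data)


# Constructed samples standing in for firewall API responses.
SAMPLES = {
    "plain": b"<response status='success'><result><hostname>fw-01</hostname></result></response>",
    "bare_doctype": b"<!DOCTYPE response><response status='success'/>",
    "internal_entity": b"<!DOCTYPE response [<!ENTITY h 'fw-01'>]><response><hostname>&h;</hostname></response>",
}


def classify(samples: dict = SAMPLES) -> dict:
    """Return, per sample, either the parsed root tag or the rejection reason."""
    outcome = {}
    for name, doc in samples.items():
        try:
            outcome[name] = "parsed:" + safe_fromstring(doc).tag
        except UnsafeXMLError as exc:
            outcome[name] = "rejected:" + str(exc).split(" (")[0]
    return outcome


if __name__ == "__main__":
    for name, result in classify().items():
        print(f"{name:17s} {result}")
```

The gate costs one extra expat pass over each response, which is why the real answer is the defusedxml import rather than this helper; the point of the example is that the blocked constructs are identified by declaration, before any expansion or fetch happens, so the size of the payload never matters.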

The broader lesson: libraries defer security hardening of internal parsing, then ship that risk into hundreds of downstream projects.

I'm looking for 2 engineering teams this month — $490, 3-day turnaround, NDA, SOC 2 ready report. If your Python or TypeScript backend hasn't been audited this year, DM me on LinkedIn or email eldorzufarov66@gmail.com.