diff --git a/test-requirements.txt b/test-requirements.txt
index 5e90e4bf..dc18ef3e 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -2,6 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 # Hacking already pins down pep8, pyflakes and flake8
+bandit>=1.1.0 # Apache-2.0
 hacking<0.12,>=0.11.0 # Apache-2.0
 Babel>=2.3.4 # BSD
 coverage>=4.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 8125f05f..0b6e85fb 100644
--- a/tox.ini
+++ b/tox.ini
@@ -22,11 +22,19 @@ commands = nosetests --with-coverage --cover-package=monasca_common/. --cover-erase
 [testenv:pep8]
-commands = flake8 monasca_common
+deps =
+ {[testenv]deps}
+commands =
+ {[testenv:flake8]commands}
+ {[bandit]commands}
 [testenv:venv]
 commands = {posargs}
+[testenv:flake8]
+commands =
+ flake8 monasca_common
+
 [flake8]
 max-complexity = 50
 max-line-length = 120
@@ -37,3 +45,9 @@ show-source = True
 # All of the below ignores are caused by the forked kafka-python library
 # so when monasca migrates to pykafka, the below line can be removed.
 ignore = E121,E126,E127,E128,E131,E221,E226,E241,E251,E261,E302,E303,E501,E701,F401,H101,H102,H301,H304,H306,H404,H405
+
+[bandit]
+commands =
+ # B101(assert_ussed) - Validation uses asserts because of performance reasons
+ # monasca_common/kafka_lib is a clone of kafka-python and will be deleted in the future
+ bandit -r monasca_common -n5 -s B101 -x monasca_common/tests -x monasca_common/kafka_lib
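Review bot: The new `bandit>=1.1.0` line carries only a lower bound, unlike the `hacking<0.12,>=0.11.0` pin directly below it, so any future bandit release that adds or retunes a check can start failing the pep8 gate with no change in this repository. Since this file's own header warns that the gate is sensitive to exactly this kind of drift, consider bounding it the same way hacking is, e.g. `bandit<1.2,>=1.1.0 # Apache-2.0`, and bumping deliberately when new checks have been reviewed. The surrounding comment block and the rest of the requirements list continue outside the hunk.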
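Review bot: The two `-x` options on the last line of the new `[bandit]` section most likely do not both apply: as far as bandit's 1.x CLI goes, `-x/--exclude` is a single comma-separated list stored by argparse, so the second occurrence overrides the first and `monasca_common/tests` is still scanned while only `kafka_lib` is excluded. The line should read `bandit -r monasca_common -n5 -s B101 -x monasca_common/tests,monasca_common/kafka_lib`, and a run of `tox -e pep8` will confirm which paths are actually skipped. The comment above it also misspells the plugin name; it should be `# B101(assert_used) - Validation uses asserts because of performance reasons`. Note that `-s B101` silences the assert check for the whole tree, not just the validation code the comment describes, so a per-line `# nosec` on the validation asserts would keep the check active elsewhere. The `#` lines inside the `commands` value rely on tox's ini reader dropping indented comment lines, which its parser does, but worth keeping in mind if the value is ever read by another tool.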