diff --git a/oslo_vmware/image_util.py b/oslo_vmware/image_util.py
index 46546f0f..3585a468 100644
--- a/oslo_vmware/image_util.py
+++ b/oslo_vmware/image_util.py
@@ -13,7 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-from lxml import etree # nosec (bandit bug 1582516)
+from defusedxml.lxml import parse
 def _get_vmdk_name_from_ovf(root):
@@ -27,4 +27,4 @@ def _get_vmdk_name_from_ovf(root):
 def get_vmdk_name_from_ovf(ovf_handle):
     """Get the vmdk name from the given ovf descriptor."""
-    return _get_vmdk_name_from_ovf(etree.parse(ovf_handle).getroot())
+    return _get_vmdk_name_from_ovf(parse(ovf_handle).getroot())
diff --git a/oslo_vmware/service.py b/oslo_vmware/service.py
index 89ed2219..5e03ab5a 100644
--- a/oslo_vmware/service.py
+++ b/oslo_vmware/service.py
@@ -102,7 +102,7 @@ class Response(io.BytesIO):
         self.status = status
         self.headers = headers or {}
         self.reason = requests.status_codes._codes.get(
-            status, [''])[0].upper().replace('_', ' ')
+            status, [''])[0].upper().replace('_', ' ') # nosec
         io.BytesIO.__init__(self, stream)
     @property
diff --git a/requirements.txt b/requirements.txt
index 924e1d68..e49cf0cc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,6 +14,7 @@ oslo.utils>=3.33.0 # Apache-2.0
 PyYAML>=3.13 # MIT
 lxml>=4.5.0 # BSD
+defusedxml>=0.7.1 # BSD
 suds-community>=0.6 # LGPLv3+
 eventlet!=0.18.3,!=0.20.1,>=0.18.2 # MIT
 requests>=2.14.2 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index c5fb6345..d32e4d99 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -13,7 +13,7 @@ stestr>=2.0.0 # Apache-2.0
 # [testenv:cover]
 # deps = {[testenv]deps} coverage
 coverage!=4.4,>=4.0 # Apache-2.0
-bandit>=1.6.0,<1.7.0 # Apache-2.0
+bandit>=1.7.0,<1.8.0 # Apache-2.0
 ddt>=1.0.1 # MIT
 oslo.context>=2.19.2 # Apache-2.0
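Review bot: `from defusedxml.lxml import parse` swaps the bandit-waived lxml import for a module that defusedxml itself documents as deprecated and, in the 0.7 series this change pins in requirements.txt, warns on import, so the hardening now rests on code slated for removal. The same guarantee is available from lxml alone without the new dependency: `_OVF_PARSER = etree.XMLParser(resolve_entities=False, no_network=True)` at module level and `etree.parse(ovf_handle, parser=_OVF_PARSER)` in `get_vmdk_name_from_ovf`, which also keeps whatever lxml-specific API the helper uses on the root; if `_get_vmdk_name_from_ovf` — whose body lies between the two hunks and is not visible here — only needs ElementTree-compatible calls, `defusedxml.ElementTree.parse` is the maintained alternative. Either way the docstring should state the new contract, since a descriptor that declares entities used to yield a name and now raises; something like `"""Get the vmdk name from the given ovf descriptor. Descriptors that declare XML entities are rejected (the parser raises instead of expanding them)."""`.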
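Review bot: The `# nosec` added on the new side of the `self.reason` assignment is unqualified, so it silences every bandit check on that line rather than the single finding the bandit 1.7 bump surfaced, and it records no reason a future reader can verify. bandit 1.7.x (from 1.7.1, as I recall, so within the pinned range) accepts `# nosec <test-id>`; use the ID bandit actually reported — it is not visible in this hunk — and put the justification beside it, e.g. `# nosec <id> - reason text comes from requests' own status table`. The enclosing `Response.__init__` begins before the hunk.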