diff --git a/.bandit b/.bandit
index c4666b07deeb03bc3accc949d92da77f899e39ec..d9bcc36552a880b55386ed4dd91e1540d070264f 100644
--- a/.bandit
+++ b/.bandit
@@ -1,3 +1,3 @@
 [bandit]
 skips: B506
-exclude: aossceilo/tests
+exclude: aossceilo/tests,aossceilo/nc.py
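Review bot: The added exclude entry `aossceilo/nc.py` does not match the path of the module this commit patches, `aossceilo/level_b1/nc.py`, so it may exclude nothing. If it does match, it removes the whole file from scanning rather than silencing one finding, and later issues in that module would go unreported. The same commit moves the XML parse to defusedxml, so the exclusion is probably no longer needed and the line could stay as `exclude: aossceilo/tests`. If a finding remains, a `# nosec` comment with a short reason on that one line keeps the rest of the file covered.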
diff --git a/aossceilo/level_b1/message.py b/aossceilo/level_b1/message.py
index d0a76bf5c785d91d9975c14b216f5fb9ade01da1..1d36c4958af0f6a88be3522a005d679f11e50067 100644
--- a/aossceilo/level_b1/message.py
+++ b/aossceilo/level_b1/message.py
@@ -155,9 +155,8 @@ class Message2(object):
         @raises MessageError: If this instance cannot be created due to an error
             parsing.
         """
-        assert len(lines) == self.NUM_LINES, (
-            "A Message2 must contain %s lines" % self.NUM_LINES
-        )
+        if len(lines) != self.NUM_LINES:
+            raise ValueError(f"A Message2 must contain {self.NUM_LINES} lines")
 
         self._epoch = timegm(stamp.timetuple())
 
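Review bot: The new length check raises `ValueError`, but the docstring just above it documents `@raises MessageError` for parse failures, so any caller that catches only MessageError to skip malformed records would let this error propagate. If MessageError is the module's parse exception (it is not defined in this hunk), `raise MessageError(f"A Message2 must contain {self.NUM_LINES} lines")` keeps the documented contract. Otherwise add `@raises ValueError: If lines does not contain NUM_LINES entries.` to the docstring. Replacing the `assert` is sound, because asserts are stripped under `-O` and the check would silently disappear. The method begins before this hunk and continues past it.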
diff --git a/aossceilo/level_b1/nc.py b/aossceilo/level_b1/nc.py
index 63fff78556cbc139dc96c0ce2c507d5ef90e239d..0b6d6e4f17d2723aa779c84c9fa96844a50a13e7 100644
--- a/aossceilo/level_b1/nc.py
+++ b/aossceilo/level_b1/nc.py
@@ -4,7 +4,7 @@ import importlib.resources
 import os
 import sys
 from calendar import timegm
-from xml.etree.ElementTree import XML
+from defusedxml.cElementTree import fromstring
 
 import numpy
 from netCDF4 import Dataset
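Review bot: The import uses `defusedxml.cElementTree`, which as far as I know is a deprecated alias in current defusedxml releases and emits a DeprecationWarning on import, mirroring the removal of `xml.etree.cElementTree` from the standard library. `from defusedxml.ElementTree import fromstring` gives the same hardened parser without relying on the alias. The call site in `create_nc` needs no change.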
@@ -29,7 +29,7 @@ def create_nc(input_files, out_files, site=None):
     messages = message.load_messages(map(os.path.realpath, input_files))
     # raise FileNotFoundError(f"{messages} No messages were found in the input files")
 
-    ncml = XML(
+    ncml = fromstring(
         importlib.resources.files(__name__)
         .joinpath("ceilo.ncml")
         .open("r", encoding="utf-8")
diff --git a/environment.yaml b/environment.yaml
index bc9da91adafdc49c305fef0ed37bc696307855dd..1eeb0998d2fb0018505eb8ecefc2c28f4b1d135b 100644
--- a/environment.yaml
+++ b/environment.yaml
@@ -9,3 +9,4 @@ dependencies:
   - netcdf4
   - matplotlib-base
   - pytest
+  - defusedxml
diff --git a/pyproject.toml b/pyproject.toml
index defab988dc161bff24538755d21377abdeeadc7b..249d8e600a08b458f5d746a0d146585ea3374476 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -13,6 +13,7 @@ dependencies = [
     "netCDF4",
     "matplotib",
     "pytest",
+    "defusedxml",
     # "metobscommon",  # manually installed
 ]
 readme = "README.rst"
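Review bot: The dependency list this hunk extends still contains `"matplotib"`, which appears to be a misspelling of matplotlib, since environment.yaml lists `matplotlib-base`. A misspelled requirement either breaks installation or pulls in whatever unrelated package holds that name on the index, which is a supply-chain risk worth fixing while this list is being edited: `"matplotlib",`. The new `"defusedxml"` entry has no lower bound, and a floor such as `"defusedxml>=<MIN_VERSION>"` (placeholder) would document which release the code was tested against.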